飞天使-k8s知识点6-kubernetes证书更新

文章目录

        • 查看证书有效期
        • [注释haproxy 的,然后进行重启haproxy](#注释haproxy 的,然后进行重启haproxy)
查看证书有效期
复制代码
kubeadm alpha certs check-expiration 查看证书信息


CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2024 07:37 UTC   364d                                    no
apiserver                  Dec 20, 2024 07:37 UTC   364d            ca                      no
apiserver-etcd-client      Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2024 07:37 UTC   364d            ca                      no
controller-manager.conf    Dec 20, 2024 07:37 UTC   364d                                    no
etcd-healthcheck-client    Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
etcd-server                Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 20, 2024 07:37 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 20, 2024 07:37 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 17, 2033 13:41 UTC   9y              no
etcd-ca                 Dec 17, 2033 13:41 UTC   9y              no
front-proxy-ca          Dec 17, 2033 13:41 UTC   9y              no




执行这个进行更新证书
 kubeadm alpha certs renew all




[root@kubeadm-master1 m43]#  kubeadm alpha certs renew all
Command "all" is deprecated, please use the same command under "kubeadm certs"
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.


然后证书会更新了
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2024 14:56 UTC   364d                                    no
apiserver                  Dec 20, 2024 14:56 UTC   364d            ca                      no
apiserver-etcd-client      Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2024 14:56 UTC   364d            ca                      no
controller-manager.conf    Dec 20, 2024 14:56 UTC   364d                                    no
etcd-healthcheck-client    Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
etcd-server                Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 20, 2024 14:56 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 20, 2024 14:56 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 17, 2033 13:41 UTC   9y              no
etcd-ca                 Dec 17, 2033 13:41 UTC   9y              no
front-proxy-ca          Dec 17, 2033 13:41 UTC   9y              no
注释haproxy 的,然后进行重启haproxy
复制代码
[root@ha1 ~]# systemctl restart haproxy
[root@ha1 ~]# cat /etc/haproxy/haproxy.cfg
listen stats
    mode http
    bind 0.0.0.0:9999
    stats enable
    log global
    stats uri /haproxy-status
    stats auth haadmin:faeefa123ef

listen k8s-6443
    bind 192.168.1.240:6443
    mode tcp
    balance roundrobin
    server 192.168.1.209 192.168.1.209:6443 check inter 2s fall 3 rise 5
    server 192.168.1.210 192.168.1.210:6443 check inter 2s fall 3 rise 5
    #server 192.168.1.212 192.168.1.212:6443 check inter 2s fall 3 rise 5

listen k8s-nginx-80
    bind 192.168.1.240:80
    mode tcp
    server 192.168.1.209 192.168.1.209:30004 check inter 2s fall 3 rise 5
    server 192.168.1.210 192.168.1.210:30004 check inter 2s fall 3 rise 5
    server 192.168.1.212 192.168.1.212:30004 check inter 2s fall 3 rise 5
相关推荐
落日漫游10 小时前
dockercompose和k8s区别
docker·kubernetes
user48402325423912 小时前
使用自定义snapshotter修改容器的rootfs路径
云原生
资源开发与学习12 小时前
kubernetes核心概念 Service
kubernetes
lllsure12 小时前
【Docker】存储卷
运维·docker·容器
有谁看见我的剑了?13 小时前
k8s-容器探针和生命周期回调学习
学习·容器·kubernetes
骆驼102413 小时前
40分钟的Docker实战攻略
云原生·eureka
纤瘦的鲸鱼13 小时前
Docker 从入门到实践:容器化技术核心指南
java·docker·容器
Rancher社区14 小时前
Rancher 社区双周报|聚焦 Harvester 新特性:网络、存储与虚拟化全面升级
kubernetes
阿里云云原生15 小时前
阿里 Qoder 新升级,Repo Wiki 支持共享、编辑和导出
云原生