飞天使-k8s知识点6-kubernetes证书更新

文章目录

        • 查看证书有效期
        • [注释haproxy 的,然后进行重启haproxy](#注释haproxy 的,然后进行重启haproxy)
查看证书有效期
复制代码
kubeadm alpha certs check-expiration 查看证书信息


CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2024 07:37 UTC   364d                                    no
apiserver                  Dec 20, 2024 07:37 UTC   364d            ca                      no
apiserver-etcd-client      Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2024 07:37 UTC   364d            ca                      no
controller-manager.conf    Dec 20, 2024 07:37 UTC   364d                                    no
etcd-healthcheck-client    Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
etcd-server                Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 20, 2024 07:37 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 20, 2024 07:37 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 17, 2033 13:41 UTC   9y              no
etcd-ca                 Dec 17, 2033 13:41 UTC   9y              no
front-proxy-ca          Dec 17, 2033 13:41 UTC   9y              no




执行这个进行更新证书
 kubeadm alpha certs renew all




[root@kubeadm-master1 m43]#  kubeadm alpha certs renew all
Command "all" is deprecated, please use the same command under "kubeadm certs"
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.


然后证书会更新了
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2024 14:56 UTC   364d                                    no
apiserver                  Dec 20, 2024 14:56 UTC   364d            ca                      no
apiserver-etcd-client      Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2024 14:56 UTC   364d            ca                      no
controller-manager.conf    Dec 20, 2024 14:56 UTC   364d                                    no
etcd-healthcheck-client    Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
etcd-server                Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 20, 2024 14:56 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 20, 2024 14:56 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 17, 2033 13:41 UTC   9y              no
etcd-ca                 Dec 17, 2033 13:41 UTC   9y              no
front-proxy-ca          Dec 17, 2033 13:41 UTC   9y              no
注释haproxy 的,然后进行重启haproxy
复制代码
[root@ha1 ~]# systemctl restart haproxy
[root@ha1 ~]# cat /etc/haproxy/haproxy.cfg
listen stats
    mode http
    bind 0.0.0.0:9999
    stats enable
    log global
    stats uri /haproxy-status
    stats auth haadmin:faeefa123ef

listen k8s-6443
    bind 192.168.1.240:6443
    mode tcp
    balance roundrobin
    server 192.168.1.209 192.168.1.209:6443 check inter 2s fall 3 rise 5
    server 192.168.1.210 192.168.1.210:6443 check inter 2s fall 3 rise 5
    #server 192.168.1.212 192.168.1.212:6443 check inter 2s fall 3 rise 5

listen k8s-nginx-80
    bind 192.168.1.240:80
    mode tcp
    server 192.168.1.209 192.168.1.209:30004 check inter 2s fall 3 rise 5
    server 192.168.1.210 192.168.1.210:30004 check inter 2s fall 3 rise 5
    server 192.168.1.212 192.168.1.212:30004 check inter 2s fall 3 rise 5
相关推荐
要开心吖ZSH3 分钟前
微服务架构的演进:迈向云原生
java·微服务·云原生
dyj0956 分钟前
Rancher Server + Kubernets搭建云原生集群平台
云原生·rancher
weixin_399380691 小时前
k8s一键部署tongweb企业版7049m6(by why+lqw)
java·linux·运维·服务器·云原生·容器·kubernetes
IT成长日记2 小时前
【Docker基础】Docker数据卷管理:docker volume ls及其参数详解
运维·docker·容器·volume ls
偷萧逸苦茶2 小时前
docker常见命令
docker·容器·eureka
慌糖10 小时前
微服务介绍
微服务·云原生·架构
高山莫衣15 小时前
Docker Desktop导致存储空间不足时的解决方案
docker·容器·eureka
鹏大师运维16 小时前
在银河麒麟V10 SP1上手动安装与配置高版本Docker的完整指南
linux·运维·docker·容器·麒麟·统信uos·中科方德
Ahlson16 小时前
【fnNAS】docker的nginx配置html
nginx·docker·容器·fnnas
LuckyLay16 小时前
Compose 常用命令详解——AI教你学Docker
docker·容器·eureka