飞天使-k8s知识点6-kubernetes证书更新

飞天使star2023-12-23 4:50

文章目录

        • 查看证书有效期
        • [注释haproxy 的,然后进行重启haproxy](#注释haproxy 的,然后进行重启haproxy)
查看证书有效期
复制代码 
kubeadm alpha certs check-expiration 查看证书信息


CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2024 07:37 UTC   364d                                    no
apiserver                  Dec 20, 2024 07:37 UTC   364d            ca                      no
apiserver-etcd-client      Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2024 07:37 UTC   364d            ca                      no
controller-manager.conf    Dec 20, 2024 07:37 UTC   364d                                    no
etcd-healthcheck-client    Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
etcd-server                Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 20, 2024 07:37 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 20, 2024 07:37 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 17, 2033 13:41 UTC   9y              no
etcd-ca                 Dec 17, 2033 13:41 UTC   9y              no
front-proxy-ca          Dec 17, 2033 13:41 UTC   9y              no




执行这个进行更新证书
 kubeadm alpha certs renew all




[root@kubeadm-master1 m43]#  kubeadm alpha certs renew all
Command "all" is deprecated, please use the same command under "kubeadm certs"
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.


然后证书会更新了
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2024 14:56 UTC   364d                                    no
apiserver                  Dec 20, 2024 14:56 UTC   364d            ca                      no
apiserver-etcd-client      Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2024 14:56 UTC   364d            ca                      no
controller-manager.conf    Dec 20, 2024 14:56 UTC   364d                                    no
etcd-healthcheck-client    Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
etcd-server                Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 20, 2024 14:56 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 20, 2024 14:56 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 17, 2033 13:41 UTC   9y              no
etcd-ca                 Dec 17, 2033 13:41 UTC   9y              no
front-proxy-ca          Dec 17, 2033 13:41 UTC   9y              no
注释haproxy 的,然后进行重启haproxy
复制代码 
[root@ha1 ~]# systemctl restart haproxy
[root@ha1 ~]# cat /etc/haproxy/haproxy.cfg
listen stats
    mode http
    bind 0.0.0.0:9999
    stats enable
    log global
    stats uri /haproxy-status
    stats auth haadmin:faeefa123ef

listen k8s-6443
    bind 192.168.1.240:6443
    mode tcp
    balance roundrobin
    server 192.168.1.209 192.168.1.209:6443 check inter 2s fall 3 rise 5
    server 192.168.1.210 192.168.1.210:6443 check inter 2s fall 3 rise 5
    #server 192.168.1.212 192.168.1.212:6443 check inter 2s fall 3 rise 5

listen k8s-nginx-80
    bind 192.168.1.240:80
    mode tcp
    server 192.168.1.209 192.168.1.209:30004 check inter 2s fall 3 rise 5
    server 192.168.1.210 192.168.1.210:30004 check inter 2s fall 3 rise 5
    server 192.168.1.212 192.168.1.212:30004 check inter 2s fall 3 rise 5
相关推荐
炸炸鱼.9 小时前
Kubernetes高级调度02:Taint/Toleration、Cordon/Drain、亲和性与反亲和性完全指南
云原生·容器·kubernetes
海兰13 小时前
Kibana Dashboard as Code:Elastic 9.4 如何用 Terraform 和类型化 API 终结“JSON 垃圾袋“
云原生·json·terraform
geshifei15 小时前
K8s 容器运行 UnixBench — 代理机器执行记录
云原生·容器·kubernetes
Albert Edison17 小时前
【Docker】Ubuntu22.04 安装 Docker 教程
运维·docker·容器
codefan※18 小时前
一键部署私人 LLM:Ollama + Docker 极简指南
运维·docker·容器·大模型·llm·本地部署·ollama
阿里云云原生18 小时前
可观测性的终局?从“面向数据”到“面向对象”,UModel 如何为 AI Agent 注入认知地图
云原生·agent
李南想做条咸鱼19 小时前
k8s集群容器访问域名第一次不通,第二次必通如何解决
云原生·容器·kubernetes
FelixBitSoul19 小时前
K8s 调度器黑盒全拆解:拓扑约束数学陷阱 + Go 插件二开实战(避坑全记录)
容器·kubernetes
叶~小兮19 小时前
K8s常用组件学习笔记
笔记·学习·kubernetes
ん贤20 小时前
Volcano 详细笔记
云原生·volcano
热门推荐
01GitHub 镜像站点02DeepSeek V4 + Claude Code thinking mode 400 错误修复方案03【AI】2026 年具身智能模型和世界模型总结04Codex 接入 DeepSeek API 完整配置文档05【踩坑记录 | 第一篇】微软商店无法使用时,如何手动安装 OpenAI Codex?附`.msix`文件系统错误解决方法06裂开!ChatGPT 居然开始要手机号验证,附详细解决方法07CC-Switch & Claude 基于 Linux 服务器安装使用指南08CC-Switch 全平台下载、安装与使用全指南(Windows/macOS/Linux)09几个好用的ip纯净度检测网站10API Key 登录 Codex 也能用插件了,还支持会话删除和导出