飞天使-k8s知识点6-kubernetes证书更新

文章目录

        • 查看证书有效期
        • [注释haproxy 的,然后进行重启haproxy](#注释haproxy 的,然后进行重启haproxy)
查看证书有效期
复制代码
kubeadm alpha certs check-expiration 查看证书信息


CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2024 07:37 UTC   364d                                    no
apiserver                  Dec 20, 2024 07:37 UTC   364d            ca                      no
apiserver-etcd-client      Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2024 07:37 UTC   364d            ca                      no
controller-manager.conf    Dec 20, 2024 07:37 UTC   364d                                    no
etcd-healthcheck-client    Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
etcd-server                Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 20, 2024 07:37 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 20, 2024 07:37 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 17, 2033 13:41 UTC   9y              no
etcd-ca                 Dec 17, 2033 13:41 UTC   9y              no
front-proxy-ca          Dec 17, 2033 13:41 UTC   9y              no




执行这个进行更新证书
 kubeadm alpha certs renew all




[root@kubeadm-master1 m43]#  kubeadm alpha certs renew all
Command "all" is deprecated, please use the same command under "kubeadm certs"
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.


然后证书会更新了
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2024 14:56 UTC   364d                                    no
apiserver                  Dec 20, 2024 14:56 UTC   364d            ca                      no
apiserver-etcd-client      Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2024 14:56 UTC   364d            ca                      no
controller-manager.conf    Dec 20, 2024 14:56 UTC   364d                                    no
etcd-healthcheck-client    Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
etcd-server                Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 20, 2024 14:56 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 20, 2024 14:56 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 17, 2033 13:41 UTC   9y              no
etcd-ca                 Dec 17, 2033 13:41 UTC   9y              no
front-proxy-ca          Dec 17, 2033 13:41 UTC   9y              no
注释haproxy 的,然后进行重启haproxy
复制代码
[root@ha1 ~]# systemctl restart haproxy
[root@ha1 ~]# cat /etc/haproxy/haproxy.cfg
listen stats
    mode http
    bind 0.0.0.0:9999
    stats enable
    log global
    stats uri /haproxy-status
    stats auth haadmin:faeefa123ef

listen k8s-6443
    bind 192.168.1.240:6443
    mode tcp
    balance roundrobin
    server 192.168.1.209 192.168.1.209:6443 check inter 2s fall 3 rise 5
    server 192.168.1.210 192.168.1.210:6443 check inter 2s fall 3 rise 5
    #server 192.168.1.212 192.168.1.212:6443 check inter 2s fall 3 rise 5

listen k8s-nginx-80
    bind 192.168.1.240:80
    mode tcp
    server 192.168.1.209 192.168.1.209:30004 check inter 2s fall 3 rise 5
    server 192.168.1.210 192.168.1.210:30004 check inter 2s fall 3 rise 5
    server 192.168.1.212 192.168.1.212:30004 check inter 2s fall 3 rise 5
相关推荐
hweiyu006 小时前
docker简介
运维·docker·容器
甘露寺10 小时前
云原生核心技术解析:Docker vs Kubernetes vs Docker Compose
docker·云原生·kubernetes
如果'\'真能转义说10 小时前
Docker Desktop 挂载本地Win系统配置指南:Redis/MySQL/RabbitMQ持久化与自启设置
docker·容器·bootstrap·docker desktop
Fᴏʀ ʏ꯭ᴏ꯭ᴜ꯭.13 小时前
LVS集群技术
云原生·lvs
5283014 小时前
Kubernetes 高级调度 01
云原生·容器·kubernetes
xujiangyan_14 小时前
Kubernetes的微服务
微服务·容器·kubernetes
ocean'17 小时前
网络安全初级第一次作业
云原生·eureka
AKAMAI17 小时前
为何说分布式 AI 推理已成为下一代计算方式
人工智能·云原生·云计算
ikun·18 小时前
Kubernetes 高级调度01
云原生·容器·kubernetes