飞天使 - k8s Knowledge Point 6 - Kubernetes Certificate Renewal

Check certificate expiration

View the certificate information:
kubeadm alpha certs check-expiration


CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2024 07:37 UTC   364d                                    no
apiserver                  Dec 20, 2024 07:37 UTC   364d            ca                      no
apiserver-etcd-client      Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2024 07:37 UTC   364d            ca                      no
controller-manager.conf    Dec 20, 2024 07:37 UTC   364d                                    no
etcd-healthcheck-client    Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
etcd-server                Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 20, 2024 07:37 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 20, 2024 07:37 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 17, 2033 13:41 UTC   9y              no
etcd-ca                 Dec 17, 2033 13:41 UTC   9y              no
front-proxy-ca          Dec 17, 2033 13:41 UTC   9y              no
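
To turn the table above into a check that can run from cron or monitoring, the following added example (not from the original post) filters check-expiration output by remaining lifetime. The function names, the sample rows and the handling of non-day residual values are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): list kubeadm certificates whose
# RESIDUAL TIME is below a threshold, from check-expiration output on stdin.

# Constructed sample in the same layout as the table above; values are made up.
sample_output() {
cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2024 07:37 UTC   364d                                    no
apiserver                  Jan 01, 2024 07:37 UTC   12d             ca                      no
etcd-server                Dec 20, 2023 12:00 UTC   5h              etcd-ca                 no
front-proxy-client         Dec 19, 2023 07:37 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 17, 2033 13:41 UTC   9y              no
EOF
}

# expiring_certs DAYS: print "name days-left" for each row under DAYS.
# Assumption: residual values other than Nd / Ny (e.g. 5h, <invalid>) mean
# under one day left or already expired, so they count as 0 days.
expiring_certs() {
    awk -v limit="$1" '
        $6 != "UTC" { next }            # skip headers, blanks, other text
        {
            r = $7; days = 0
            if (r ~ /^[0-9]+d$/)      days = r + 0
            else if (r ~ /^[0-9]+y$/) days = (r + 0) * 365
            if (days < limit) print $1, days
        }'
}

# Demo on the constructed sample; on a control-plane node, pipe the real
# command instead: kubeadm certs check-expiration | expiring_certs 30
sample_output | expiring_certs 30
```

The residual time is always the seventh whitespace-separated field, because the empty CERTIFICATE AUTHORITY column for the kubeconfig rows comes after it.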




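Run this command to renew the certificates. As the deprecation notice in the output below says, the same command is also available under "kubeadm certs".
 kubeadm alpha certs renew all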




[root@kubeadm-master1 m43]#  kubeadm alpha certs renew all
Command "all" is deprecated, please use the same command under "kubeadm certs"
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.


The certificates are then renewed:
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2024 14:56 UTC   364d                                    no
apiserver                  Dec 20, 2024 14:56 UTC   364d            ca                      no
apiserver-etcd-client      Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2024 14:56 UTC   364d            ca                      no
controller-manager.conf    Dec 20, 2024 14:56 UTC   364d                                    no
etcd-healthcheck-client    Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
etcd-server                Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 20, 2024 14:56 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 20, 2024 14:56 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 17, 2033 13:41 UTC   9y              no
etcd-ca                 Dec 17, 2033 13:41 UTC   9y              no
front-proxy-ca          Dec 17, 2033 13:41 UTC   9y              no

Comment out the server entry in HAProxy, then restart HAProxy
[root@ha1 ~]# systemctl restart haproxy
[root@ha1 ~]# cat /etc/haproxy/haproxy.cfg
listen stats
    mode http
    bind 0.0.0.0:9999
    stats enable
    log global
    stats uri /haproxy-status
    stats auth haadmin:faeefa123ef

listen k8s-6443
    bind 192.168.1.240:6443
    mode tcp
    balance roundrobin
    server 192.168.1.209 192.168.1.209:6443 check inter 2s fall 3 rise 5
    server 192.168.1.210 192.168.1.210:6443 check inter 2s fall 3 rise 5
    #server 192.168.1.212 192.168.1.212:6443 check inter 2s fall 3 rise 5

listen k8s-nginx-80
    bind 192.168.1.240:80
    mode tcp
    server 192.168.1.209 192.168.1.209:30004 check inter 2s fall 3 rise 5
    server 192.168.1.210 192.168.1.210:30004 check inter 2s fall 3 rise 5
    server 192.168.1.212 192.168.1.212:30004 check inter 2s fall 3 rise 5