#1、查看证书到期时间:
kubeadm certs check-expiration
root@k8s-master $ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Apr 28, 2027 08:00 UTC 364d ca no
apiserver Apr 28, 2027 08:00 UTC 364d ca no
apiserver-etcd-client Apr 28, 2027 08:00 UTC 364d etcd-ca no
apiserver-kubelet-client Apr 28, 2027 08:00 UTC 364d ca no
controller-manager.conf Apr 28, 2027 08:00 UTC 364d ca no
etcd-healthcheck-client Apr 28, 2027 08:00 UTC 364d etcd-ca no
etcd-peer Apr 28, 2027 08:00 UTC 364d etcd-ca no
etcd-server Apr 28, 2027 08:00 UTC 364d etcd-ca no
front-proxy-client Apr 28, 2027 08:00 UTC 364d front-proxy-ca no
scheduler.conf Apr 28, 2027 08:00 UTC 364d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Apr 22, 2034 07:26 UTC 7y no
etcd-ca Apr 22, 2034 07:26 UTC 7y no
front-proxy-ca Apr 22, 2034 07:26 UTC 7y no
#2、更新所有证书有效期
# Renews the leaf certificates listed by check-expiration. The certificate
# authorities (ca, etcd-ca, front-proxy-ca) are not renewed by this command and
# keep their own expiry date.
# On a cluster with several control-plane nodes, run it on each of them.
# Back up /etc/kubernetes beforehand so the previous certificates and kubeconfig
# files can be restored if a component fails to start afterwards.
kubeadm certs renew all
#3、重启控制平面组件
方法一:临时移动静态Pod的清单文件(适用于所有环境)
将这些Pod的YAML文件(通常位于 /etc/kubernetes/manifests/)移出该目录,稍后移回即可触发重启。
例如,重启 kube-apiserver:
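# Restart kube-apiserver by taking its static-pod manifest out of the watched
# directory and putting it back. The API server is unavailable on this node
# while the manifest is away.
# The manifest is parked in a root-only scratch directory (mktemp -d creates it
# with mode 0700) rather than under a fixed name in the world-writable /tmp, so
# no other local account can pre-create or touch that path in the meantime.
stash_dir=$(sudo mktemp -d)
# ${stash_dir:?} aborts the command if mktemp failed and the variable is empty,
# instead of moving the manifest to "/".
sudo mv -- /etc/kubernetes/manifests/kube-apiserver.yaml "${stash_dir:?}/"
sleep 30  # give the kubelet time to notice the missing manifest and stop the pod
sudo mv -- "${stash_dir:?}/kube-apiserver.yaml" /etc/kubernetes/manifests/
sudo rmdir -- "${stash_dir:?}"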
方法二:直接删除Pod(前提是Pod由kubelet管理,kubelet会自动重建)
执行以下命令,删除后,kubelet会自动重启它们:
# NOTE(review): on a kubeadm cluster these four components run as static pods,
# so the objects deleted here are their mirror pods. The Kubernetes
# documentation states that deleting a mirror pod through the API server does
# not stop the static pod's containers, so the old certificates may still be
# loaded afterwards. Confirm that each container's start time is later than the
# renewal; if it is not, restart the component by moving its manifest as in
# method one.
sudo kubectl delete pod -n kube-system -l 'component in (kube-apiserver, etcd, kube-scheduler, kube-controller-manager)'
#4、更新本地kubeconfig
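# admin.conf holds cluster-administrator credentials, so the copy must stay
# private to the account that uses it.
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
# Make sure the current user can read the file: hand ownership of the copy to
# the invoking user. "$(id -u)" and "$(id -g)" are command substitutions; written
# without the leading "$" the shell rejects the line with a syntax error and the
# file stays owned by root.
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
# cp keeps the mode of an already existing destination file, so set it
# explicitly: owner read/write only, nothing for group or others.
chmod 600 "$HOME/.kube/config"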