#1. Check certificate expiration dates:
kubeadm certs check-expiration
[root@k8s-master] $ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 28, 2027 08:00 UTC   364d            ca                      no
apiserver                  Apr 28, 2027 08:00 UTC   364d            ca                      no
apiserver-etcd-client      Apr 28, 2027 08:00 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Apr 28, 2027 08:00 UTC   364d            ca                      no
controller-manager.conf    Apr 28, 2027 08:00 UTC   364d            ca                      no
etcd-healthcheck-client    Apr 28, 2027 08:00 UTC   364d            etcd-ca                 no
etcd-peer                  Apr 28, 2027 08:00 UTC   364d            etcd-ca                 no
etcd-server                Apr 28, 2027 08:00 UTC   364d            etcd-ca                 no
front-proxy-client         Apr 28, 2027 08:00 UTC   364d            front-proxy-ca          no
scheduler.conf             Apr 28, 2027 08:00 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 22, 2034 07:26 UTC   7y              no
etcd-ca                 Apr 22, 2034 07:26 UTC   7y              no
front-proxy-ca          Apr 22, 2034 07:26 UTC   7y              no

#2. Renew all certificates
kubeadm certs renew all

#3. Restart the control plane components
# Method 1: temporarily move the static Pod manifest files (works in all environments)
# Move these Pods' YAML files (usually located in /etc/kubernetes/manifests/) out of that directory; moving them back later triggers the restart.
# For example, to restart kube-apiserver:
sudo mv /etc/kubernetes/manifests/kube-apiserver.yaml /tmp/
sleep 30
sudo mv /tmp/kube-apiserver.yaml /etc/kubernetes/manifests/

# Method 2: delete the Pods directly (provided the Pods are managed by the kubelet, which will recreate them automatically)
# Run the following command; after deletion, the kubelet will restart them automatically:
sudo kubectl delete pod -n kube-system -l 'component in (kube-apiserver, etcd, kube-scheduler, kube-controller-manager)'

#4. Update the local kubeconfig
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
# Make sure the current user has read permission on the file
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
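
The check in step 1 can be turned into a scheduled alert. The following is an added example, not part of the original page: it reads kubeadm certs check-expiration output and prints every certificate or CA whose residual time is below a threshold in days. The function names, the sample rows and the handling of "<invalid>" and sub-day units are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Function names and the
# sample rows are constructed; unit handling (s/m/h/d/y, "<invalid>")
# is an assumption about kubeadm's residual-time column.

# expiring_certs LIMIT_DAYS: reads `kubeadm certs check-expiration`
# output on stdin, prints "NAME RESIDUAL" for entries below the limit.
expiring_certs() {
    awk -v limit="$1" '
        # Convert a residual-time token (364d, 7y, 23h) to whole days.
        function to_days(tok,    n, unit) {
            if (tok !~ /^[0-9]+[smhdy]$/) return -1  # e.g. <invalid>: expired
            n = substr(tok, 1, length(tok) - 1) + 0
            unit = substr(tok, length(tok))
            if (unit == "y") return n * 365
            if (unit == "d") return n
            return 0                                 # less than one day left
        }
        # Data rows in both tables: name, five date tokens ending in UTC,
        # then the residual time in field 7. Header lines never match.
        $6 == "UTC" && NF >= 8 && to_days($7) < limit { print $1, $7 }
    '
}

# Constructed sample in the layout shown in step 1.
sample_output() {
    cat <<'EOF'
CERTIFICATE      EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf       Apr 28, 2027 08:00 UTC   364d            ca                      no
apiserver        May 10, 2026 08:00 UTC   12d             ca                      no
etcd-server      Apr 20, 2026 08:00 UTC   <invalid>       etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 22, 2034 07:26 UTC   7y              no
EOF
}

# On a control plane node: kubeadm certs check-expiration | expiring_certs 30
sample_output | expiring_certs 30
```

Running the same filter again after steps 2 and 3 shows whether the renewal took effect for every entry that was flagged.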