自建K8S集群认证过期
今天使用kubectl命令查看pod信息时,一直正常运行的k8s集群突然不能访问了,输入任何命令都提示以下报错:
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2025-01-25T1145+08:00 is after 2024-11-22T2348Z
解决方案:
参考官方文档:kubeadm证书管理使用命令kubeadm alpha certs来管理证书:
使用命令kubeadm alpha certs renew all更新证书,返回
| [renew] Reading configuration from the cluster... | |
| [renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' | |
| certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed | |
| certificate for serving the Kubernetes API renewed | |
| certificate the apiserver uses to access etcd renewed | |
| certificate for the API server to connect to kubelet renewed | |
| certificate embedded in the kubeconfig file for the controller manager to use renewed | |
| certificate for liveness probes to healthcheck etcd renewed | |
| certificate for etcd nodes to communicate with each other renewed | |
| certificate for serving etcd renewed | |
| certificate for the front proxy client renewed | |
| certificate embedded in the kubeconfig file for the scheduler manager to use renewed |
使用如下命令拷贝新生成的配置文件
| sudo kubeadm alpha kubeconfig user --client-name=admin --org=system:masters > /tmp/admin.conf | |
| sudo cp /tmp/admin.conf $HOME/.kube/config | |
| sudo chown $(id -u):$(id -g) $HOME/.kube/config |
重启kubeletsystemctl restart kubelet即可正常使用K8S集群
| [root@k8smaster k8s]# kubectl get po | |
| NAME READY STATUS RESTARTS AGE | |
| cron-job-test-1732318920-k2g76 0/1 Completed 0 63d | |
| cron-job-test-1732318980-kcr4x 0/1 Completed 0 63d | |
| cron-job-test-1732319040-b88rf 0/1 Completed 0 63d | |
再次查看证书到期情况
| [root@k8smaster k8s]# kubeadm alpha certs check-expiration | |
| [check-expiration] Reading configuration from the cluster... | |
| [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' | |
| CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED | |
| admin.conf Jan 25, 2026 05:55 UTC 364d no | |
| apiserver Jan 25, 2026 05:55 UTC 364d ca no | |
| apiserver-etcd-client Jan 25, 2026 05:55 UTC 364d etcd-ca no | |
| apiserver-kubelet-client Jan 25, 2026 05:55 UTC 364d ca no | |
| controller-manager.conf Jan 25, 2026 05:55 UTC 364d no | |
| etcd-healthcheck-client Jan 25, 2026 05:55 UTC 364d etcd-ca no | |
| etcd-peer Jan 25, 2026 05:55 UTC 364d etcd-ca no | |
| etcd-server Jan 25, 2026 05:55 UTC 364d etcd-ca no | |
| front-proxy-client Jan 25, 2026 05:55 UTC 364d front-proxy-ca no | |
| scheduler.conf Jan 25, 2026 05:55 UTC 364d no | |
| CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED | |
| ca Nov 20, 2033 23:44 UTC 8y no | |
| etcd-ca Nov 20, 2033 23:44 UTC 8y no | |
| front-proxy-ca Nov 20, 2033 23:44 UTC 8y no | |
注意事项:
官网上给的命令是kubeadm certs check-expiration,标识的k8s版本是V1.15,直接在本地执行该命令报错:
| [root@k8smaster k8s]# kubeadm certs check-expiration | |
| unknown command "certs" for "kubeadm" | |
| To see the stack trace of this error execute with --v=5 or higher |
查了下,我本地的k8s版本是1.19,certs命令放在了kubeadm alpha下,需要将kubeadm certs替换为kubeadm aplha certs执行即可
| [root@k8smaster k8sh]# kubeadm version | |
| kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.5", GitCommit:"e338cf2c6d297aa603b50ad3a301f761b4173aa6", GitTreeState:"clean", BuildDate:"2020-12-09T1140Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"} |
| [root@k8smaster k8s]# kubeadm --help | |
| ┌──────────────────────────────────────────────────────────┐ | |
| │ KUBEADM │ | |
| │ Easily bootstrap a secure Kubernetes cluster │ | |
| │ │ | |
| │ Please give us feedback at: │ | |
| │ https://github.com/kubernetes/kubeadm/issues │ | |
| └──────────────────────────────────────────────────────────┘ | |
| Example usage: | |
| Create a two-machine cluster with one control-plane node | |
| (which controls the cluster), and one worker node | |
| (where your workloads, like Pods and Deployments run). | |
| ┌──────────────────────────────────────────────────────────┐ | |
| │ On the first machine: │ | |
| ├──────────────────────────────────────────────────────────┤ | |
| │ control-plane# kubeadm init │ | |
| └──────────────────────────────────────────────────────────┘ | |
| ┌──────────────────────────────────────────────────────────┐ | |
| │ On the second machine: │ | |
| ├──────────────────────────────────────────────────────────┤ | |
|
│ worker# kubeadm join |
|
| └──────────────────────────────────────────────────────────┘ | |
| You can then repeat the second step on as many other machines as you like. | |
| Usage: | |
| kubeadm [command] | |
| Available Commands: | |
| alpha Kubeadm experimental sub-commands | |
| completion Output shell completion code for the specified shell (bash or zsh) | |
| config Manage configuration for a kubeadm cluster persisted in a ConfigMap in the cluster | |
| help Help about any command | |
| init Run this command in order to set up the Kubernetes control plane | |
| join Run this on any machine you wish to join an existing cluster | |
| reset Performs a best effort revert of changes made to this host by 'kubeadm init ' or 'kubeadm join' | |
| token Manage bootstrap tokens | |
| upgrade Upgrade your cluster smoothly to a newer version with this command | |
| version Print the version of kubeadm | |
| Flags: | |
| --add-dir-header If true, adds the file directory to the header of the lo g messages | |
| -h, --help help for kubeadm | |
| --log-file string If non-empty, use this log file | |
| --log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) | |
| --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesyst em. | |
| --skip-headers If true, avoid header prefixes in the log messages | |
| --skip-log-headers If true, avoid headers when opening log files | |
| -v, --v Level number for the log level verbosity | |
| Use "kubeadm [command] --help" for more information about a command. | |
| [root@k8smaster k8s]# kubectl alpha --help | |
| These commands correspond to alpha features that are not enabled in Kubernetes | |
| clusters by default. | |
| Available Commands: | |
| debug Attach a debug container to a running pod | |
|
Use "kubectl |
|
| [root@k8smaster k8s]# kubeadm alpha --help | |
| Kubeadm experimental sub-commands | |
| Usage: | |
| kubeadm alpha [command] | |
| Available Commands: | |
| certs Commands related to handling kubernetes certificates | |
| kubeconfig Kubeconfig file utilities | |
| selfhosting Make a kubeadm cluster self-hosted | |
| Flags: | |
| -h, --help help for alpha | |
| Global Flags: | |
| --add-dir-header If true, adds the file directory to the header of the log messages | |
| --log-file string If non-empty, use this log file | |
| --log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) | |
| --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
| --skip-headers If true, avoid header prefixes in the log messages | |
| --skip-log-headers If true, avoid headers when opening log files | |
| -v, --v Level number for the log level verbosity | |
| Additional help topics: | |
| kubeadm alpha phase Invoke subsets of kubeadm functions separately for a manual install | |
| Use "kubeadm alpha [command] --help" for more information about a command. |
链接:https://www.cnblogs.com/wenha/p/18690938
声明:本文内容及配图由入驻作者撰写或者入驻合作网站授权转载。文章观点仅代表作者本人,不代表电子发烧友网立场。文章及其配图仅供工程师学习之用,如有内容侵权或者其他违规问题,请联系本站处理。
举报投诉
-
集群
+关注
关注
0文章
130浏览量
17600 -
命令
+关注
关注
5文章
746浏览量
23447
原文标题:自建K8S集群认证过期
文章出处:【微信号:magedu-Linux,微信公众号:马哥Linux运维】欢迎添加关注!文章转载请注明出处。
发布评论请先 登录
相关推荐
热点推荐
什么是 K8S,如何使用 K8S
连续性。
适用场景:
大规模容器集群管理。
微服务架构的部署与运维。
需要弹性伸缩的在线服务。
多租户环境(如开发测试、生产环境隔离)。
总的来说,K8S 通过标准化容器管理,极大降低了分布式系统的运维复杂度,是云原生时代的核心基础设施。
发表于 06-25 06:45
K8s 从懵圈到熟练 – 集群网络详解
导读:阿里云 K8S 集群网络目前有两种方案:一种是 flannel 方案;另外一种是基于 calico 和弹性网卡 eni 的 terway 方案。Terway 和 flannel 类似
发表于 10-14 15:06
Docker不香吗为什么还要用K8s
Docker 虽好用,但面对强大的集群,成千上万的容器,突然感觉不香了。 这时候就需要我们的主角 Kubernetes 上场了,先来了解一下 K8s 的基本概念,后面再介绍实践,由浅入深步步为营
简单说明k8s和Docker之间的关系
这篇文章主要介绍了k8s和Docker关系简单说明,本文利用图文讲解的很透彻,有需要的同学可以研究下 最近项目用到kubernetes(以下简称k8s,k和s之间有
K8S集群服务访问失败怎么办 K8S故障处理集锦
问题1:K8S集群服务访问失败? 原因分析:证书不能被识别,其原因为:自定义证书,过期等。 解决方法:更新证书即可。 问题2:K8S集群
多k8s集群环境中工作有多快
命令就会很低效。 今天介绍3个工具会让你在多k8s集群环境中工作的很轻松。我将从以下几个方面来评估工具实用性: 速度 如果你有多个k8s集群可选择,你切换
切换k8s上下文有多快
use-context 命令就会很低效。 今天介绍3个工具会让你在多k8s集群环境中工作的很轻松。我将从以下几个方面来评估工具实用性: 速度 如果你有多个k8s集群可选择,你切换
k8s是什么意思?kubeadm部署k8s集群(k8s部署)|PetaExpres
k8s是什么意思? kubernetes简称K8s,是一个开源的,用于管理云平台中多个主机上的容器化的应用,Kubernetes的目标是让部署容器化的应用简单并且高效(powerful
发表于 07-19 13:14
•1555次阅读
K8s多集群管理:为什么需要多集群、多集群的优势是什么
随着K8s和云原生技术的快速发展,以及各大厂商在自己的数据中心使用K8s的API进行容器化应用编排和管理,让应用交付本身变得越来越标准化和统一化,并且实现了与底层基础设施的完全解耦,为多集群和混合云提供了一个坚实技术基础。
发表于 09-14 10:48
•2456次阅读
纳尼?自建K8s集群日志收集还能通过JMQ保存到JES
作者:京东科技 刘恩浩 一、背景 基于K8s集群的私有化交付方案中,日志收集采用了ilogtail+logstash+kafka+es方案,其中ilogtail负责日志收集,logstash负责对数
混合云部署k8s集群方法有哪些?
混合云部署k8s集群方法是首先需在本地与公有云分别建立K8s集群,并确保网络连接。接着,配置kubeconfig文件连接两集群,并安装云服务
解析K8S实用命令
前言: 作为运维工程师,掌握 Kubernetes 命令行工具是日常工作的核心技能。本文将深入解析 K8S 最实用的命令,从基础操作到高级技巧,助你成为容器化集群管理专家。
K8s集群性能调优实战技巧
大多数团队在遇到K8s性能问题时,第一反应是"加机器"。但根据我对超过50个生产集群的分析,80%的性能问题源于配置不当,而非资源不足。
工商网监
评论