As is well known, installing a Kubernetes cluster with kubeadm is very convenient, but it comes with one rather annoying problem: the default certificates are valid for only one year, so certificate renewal has to be planned for. A Raspberry Pi k8s cluster installed with kubeadm needs the same attention.

Renewing certificates manually

Check whether the certificates have expired

Client certificates generated by kubeadm are valid for only one year by default. We can check whether they have expired with the check-expiration command:

# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 14, 2022 00:18 UTC   165d                                    no      
apiserver                  Apr 14, 2022 00:18 UTC   165d            ca                      no      
apiserver-etcd-client      Apr 14, 2022 00:18 UTC   165d            etcd-ca                 no      
apiserver-kubelet-client   Apr 14, 2022 00:18 UTC   165d            ca                      no      
controller-manager.conf    Apr 14, 2022 00:18 UTC   165d                                    no      
etcd-healthcheck-client    Apr 14, 2022 00:18 UTC   165d            etcd-ca                 no      
etcd-peer                  Apr 14, 2022 00:18 UTC   165d            etcd-ca                 no      
etcd-server                Apr 14, 2022 00:18 UTC   165d            etcd-ca                 no      
front-proxy-client         Apr 14, 2022 00:18 UTC   165d            front-proxy-ca          no      
scheduler.conf             Apr 14, 2022 00:18 UTC   165d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 12, 2031 00:18 UTC   9y              no      
etcd-ca                 Apr 12, 2031 00:18 UTC   9y              no      
front-proxy-ca          Apr 12, 2031 00:18 UTC   9y              no

This command shows the expiry time / remaining time of the client certificates in the /etc/kubernetes/pki folder and of the client certificates embedded in the KUBECONFIG files used by kubeadm.
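As an added example (not part of the original post), here is a small Python helper that parses the check-expiration table above so a cron job or monitoring hook can warn well before the one-year certificates run out. The sample output and the reference time NOW_FOR_DEMO are constructed; the helper deliberately ignores the RESIDUAL TIME column and recomputes remaining days from EXPIRES, because that column reads `<invalid>` once a certificate has already expired.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the format printed by `kubeadm alpha certs check-expiration`
# (made-up values: two healthy certs, one expiring soon, one already expired).
SAMPLE_OUTPUT = """\
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 14, 2022 00:18 UTC   165d                                    no
apiserver                  Apr 14, 2022 00:18 UTC   165d            ca                      no
etcd-server                Nov 20, 2021 00:18 UTC   20d             etcd-ca                 no
front-proxy-client         Oct 25, 2021 00:18 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 12, 2031 00:18 UTC   9y              no
etcd-ca                 Apr 12, 2031 00:18 UTC   9y              no
"""

# Reference "now" for the demo (constructed), chosen so admin.conf really is 165 days out.
NOW_FOR_DEMO = datetime(2021, 10, 31, 0, 18, tzinfo=timezone.utc)

# kubeadm prints expiry as e.g. "Apr 14, 2022 00:18 UTC"
DATE_RE = re.compile(r"([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}) UTC")


def parse_expirations(text):
    """Map each certificate/CA name to its expiry as a UTC datetime.

    Headers, blank lines and kubeadm chatter carry no date and are skipped.
    The RESIDUAL TIME column is ignored (it reads "<invalid>" once expired);
    remaining time is recomputed from the timestamp instead.
    """
    expiries = {}
    for line in text.splitlines():
        m = DATE_RE.search(line)
        if m:
            when = datetime.strptime(m.group(1), "%b %d, %Y %H:%M")
            expiries[line.split()[0]] = when.replace(tzinfo=timezone.utc)
    return expiries


def expiring_soon(text, now=None, warn_days=30):
    """[(name, days_left), ...] for certs within warn_days of expiry, most
    urgent first; an already-expired cert has a negative days_left."""
    now = now or datetime.now(timezone.utc)
    hits = [(name, (when - now).days) for name, when in parse_expirations(text).items()]
    return sorted((h for h in hits if h[1] <= warn_days), key=lambda h: h[1])
```

In practice, feed it the live output (for example `subprocess.run(["kubeadm", "alpha", "certs", "check-expiration"], capture_output=True, text=True).stdout`) and page on any non-empty result.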

Renew the certificates manually

Renewing the certificates manually is also very convenient: a single kubeadm alpha certs renew command renews them. The command performs the renewal using the CA (or front-proxy-CA) certificate and key stored in /etc/kubernetes/pki.

Next, run the command that renews the certificates:

# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Check that the certificates were renewed

With the command above the certificates are renewed in one step. Checking them again now shows that the expiry time is a year away:

$ kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 30, 2022 07:12 UTC   364d                                    no      
apiserver                  Oct 30, 2022 07:12 UTC   364d            ca                      no      
apiserver-etcd-client      Oct 30, 2022 07:12 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Oct 30, 2022 07:12 UTC   364d            ca                      no      
controller-manager.conf    Oct 30, 2022 07:12 UTC   364d                                    no      
etcd-healthcheck-client    Oct 30, 2022 07:12 UTC   364d            etcd-ca                 no      
etcd-peer                  Oct 30, 2022 07:12 UTC   364d            etcd-ca                 no      
etcd-server                Oct 30, 2022 07:12 UTC   364d            etcd-ca                 no      
front-proxy-client         Oct 30, 2022 07:12 UTC   364d            front-proxy-ca          no      
scheduler.conf             Oct 30, 2022 07:12 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 12, 2031 00:18 UTC   9y              no      
etcd-ca                 Apr 12, 2031 00:18 UTC   9y              no      
front-proxy-ca          Apr 12, 2031 00:18 UTC   9y              no 

Confirm the certificate validity period

After that, restart the four containers kube-apiserver, kube-controller, kube-scheduler and etcd. We can then inspect the validity period of the apiserver's serving certificate to verify that the renewal took effect:

# echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
notAfter=Oct 30 07:12:29 2022 GMT

The certificate now expires a year from now, which confirms that the renewal succeeded.