k8s certificate renewal and version upgrade
ETCD backup
Viewing the ETCD data
By default, the etcd deployment manifest for k8s is located at /etc/kubernetes/manifests/etcd.yaml on the Master node.
[root@zxmaster1 manifests]# pwd
/etc/kubernetes/manifests
[root@zxmaster1 manifests]# ls
etcd.yaml kube-apiserver.yaml kube-controller-manager.yaml kube-scheduler.yaml
The detailed parameters can be viewed with cat etcd.yaml.
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://192.168.34.10:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=true
    - --data-dir=/var/lib/etcd
    - --initial-advertise-peer-urls=https://192.168.34.10:2380
    - --initial-cluster=zxmaster1=https://192.168.34.10:2380
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --listen-client-urls=https://127.0.0.1:2379,https://192.168.34.10:2379
    - --listen-metrics-urls=http://127.0.0.1:2381
    - --listen-peer-urls=https://192.168.34.10:2380
    - --name=zxmaster1
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-client-cert-auth=true
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --snapshot-count=10000
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    image: k8s.gcr.io/etcd:3.4.3-0
    imagePullPolicy: IfNotPresent
As you can see, etcd stores its data in /var/lib/etcd.
Backing up the ETCD data
Back up into the /var/lib/etcd_backup directory.
mkdir -p /var/lib/etcd_backup/
export ETCDCTL_API=3
etcdctl snapshot save /var/lib/etcd_backup/etcd_$(date "+%Y%m%d%H%M%S").db --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt
The result looks like this:
[root@zxmaster1 manifests]# etcdctl snapshot save /var/lib/etcd_backup/etcd_$(date "+%Y%m%d%H%M%S").db --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt
Snapshot saved at /var/lib/etcd_backup/etcd_20220124143326.db
Back up etcd on every Master node in turn!
If the other Master nodes do not have the etcdctl tool installed, copy it over from the primary Master node with scp.
[root@zxmaster1 etcd_backup]# scp /usr/bin/etcdctl 192.168.34.11:/usr/bin/
root@192.168.34.11's password:
etcdctl 100% 20MB 106.7MB/s 00:00
[root@zxmaster1 etcd_backup]# scp /usr/bin/etcdctl 192.168.34.12:/usr/bin/
root@192.168.34.12's password:
etcdctl 100% 20MB 106.3MB/s 00:00
[root@zxmaster1 etcd_backup]#
[root@zxmaster2 ~]# export ETCDCTL_API=3
[root@zxmaster2 ~]# etcdctl snapshot save /var/lib/etcd_backup/etcd_$(date "+%Y%m%d%H%M%S").db --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt
Snapshot saved at /var/lib/etcd_backup/etcd_20220124143749.db
[root@zxmaster3 ~]# export ETCDCTL_API=3
[root@zxmaster3 ~]# etcdctl snapshot save /var/lib/etcd_backup/etcd_$(date "+%Y%m%d%H%M%S").db --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt
Snapshot saved at /var/lib/etcd_backup/etcd_20220124143811.db
kubeadm certificate renewal
The certificates kubeadm issues by default are valid for one year. Once they expire the API server becomes unavailable, and clients start failing with: x509: certificate has expired or is not yet valid.
Default certificate directory: /etc/kubernetes/pki
Checking the validity of the k8s certificates
View the expiry time of all certificates in k8s:
kubeadm alpha certs check-expiration
[root@zxmaster1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 27, 2022 03:26 UTC   5d                                      no
apiserver                  Jan 27, 2022 03:26 UTC   5d              ca                      no
apiserver-etcd-client      Jan 27, 2022 03:26 UTC   5d              etcd-ca                 no
apiserver-kubelet-client   Jan 27, 2022 03:26 UTC   5d              ca                      no
controller-manager.conf    Jan 27, 2022 03:26 UTC   5d                                      no
etcd-healthcheck-client    Jan 27, 2022 03:26 UTC   5d              etcd-ca                 no
etcd-peer                  Jan 27, 2022 03:26 UTC   5d              etcd-ca                 no
etcd-server                Jan 27, 2022 03:26 UTC   5d              etcd-ca                 no
front-proxy-client         Jan 27, 2022 03:26 UTC   5d              front-proxy-ca          no
scheduler.conf             Jan 27, 2022 03:26 UTC   5d                                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 25, 2031 03:26 UTC   9y              no
etcd-ca                 Jan 25, 2031 03:26 UTC   9y              no
front-proxy-ca          Jan 25, 2031 03:26 UTC   9y              no
[root@zxmaster1 ~]#
Of course, openssl can also be used to check certificate validity.
Check the CA certificate expiry time:
openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text |grep Not
[root@zxmaster1 ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text |grep Not
Not Before: Jan 27 03:26:45 2021 GMT
Not After : Jan 25 03:26:45 2031 GMT
[root@zxmaster1 ~]#
Check the cluster (API server) certificate expiry time:
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep Not
[root@zxmaster1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep Not
Not Before: Jan 27 03:26:45 2021 GMT
Not After : Jan 27 03:26:45 2022 GMT
[root@zxmaster1 ~]#
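The check-expiration table above is easy to read once, but the 5-day situation it shows is exactly what should be caught by a scheduled job before the x509 errors start. The following shell helper is an added example, not part of the original post: it parses `kubeadm alpha certs check-expiration` output from stdin and lists every certificate with fewer than a given number of days left. The embedded sample is an abridged copy of the output above plus one constructed `<invalid>` row (how kubeadm marks an already-expired certificate); the function names residual_days and expiring_certs are chosen here.

```shell
#!/usr/bin/env bash
# Flag kubeadm-managed certificates that are close to expiry, from the
# output of `kubeadm alpha certs check-expiration` (pipe it in, e.g. from cron).

# Abridged copy of the check-expiration output from this page, plus one
# constructed <invalid> row (kubeadm's marker for an already-expired cert),
# embedded so the script can be exercised offline.
SAMPLE_OUTPUT='[check-expiration] Reading configuration from the cluster...
CERTIFICATE              EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf               Jan 27, 2022 03:26 UTC   5d                                      no
apiserver                Jan 27, 2022 03:26 UTC   5d              ca                      no
etcd-server              Jan 27, 2022 03:26 UTC   5d              etcd-ca                 no
scheduler.conf           Jan 20, 2022 03:26 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 25, 2031 03:26 UTC   9y              no
etcd-ca                 Jan 25, 2031 03:26 UTC   9y              no'

# residual_days TOKEN: convert kubeadm's RESIDUAL TIME token to whole days.
# "9y" -> 3285, "5d" -> 5, "23h"/"10m"/"30s" -> 0, "<invalid>" (expired) -> -1.
residual_days() {
  case "$1" in
    *y) echo $(( ${1%y} * 365 )) ;;
    *d) echo "${1%d}" ;;
    *h|*m|*s) echo 0 ;;
    *) echo -1 ;;   # <invalid> or anything unrecognised: needs attention
  esac
}

# expiring_certs THRESHOLD_DAYS  (reads check-expiration output on stdin)
# Prints "NAME TOKEN" for every certificate with fewer than THRESHOLD_DAYS left.
# Header rows, kubeadm log lines and blank lines are skipped. The residual token
# is the field right after "UTC": the date contains spaces and the CA column is
# empty for kubeconfig entries, so fixed field positions cannot be used.
expiring_certs() {
  threshold="$1"
  while read -r name rest; do
    case "$name" in ''|CERTIFICATE|'['*) continue ;; esac
    token=$(printf '%s\n' "$rest" |
      awk '{ for (i = 1; i <= NF; i++) if ($i == "UTC") { print $(i+1); exit } }')
    [ -n "$token" ] || continue
    if [ "$(residual_days "$token")" -lt "$threshold" ]; then
      printf '%s %s\n' "$name" "$token"
    fi
  done
}

# Stand-alone run: warn on anything with less than 30 days left.
printf '%s\n' "$SAMPLE_OUTPUT" | expiring_certs 30
```

On a live control-plane node replace the sample with `kubeadm alpha certs check-expiration | expiring_certs 30` and alert on non-empty output.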
Backing up the certificate files
Back up the certificate files under the /etc/kubernetes/pki directory.
cp -R /etc/kubernetes/pki /etc/kubernetes/pki_backup
Retrieving the current cluster configuration
If the cluster certificates have not expired yet, first retrieve the current cluster configuration file.
kubeadm config view > kubeadm.yaml
[root@zxmaster1]# kubeadm config view > kubeadm.yaml
[root@zxmaster1]# ls
kubeadm-config.yaml kubeadm.yaml kubernetes-svc.yaml nginx-pod.yaml traefik
[root@zxmaster1 test]# cat kubeadm.yaml
apiServer:
  certSANs:
  - 192.168.34.10
  - 192.168.34.11
  - 192.168.34.12
  - 192.168.34.20
  - 192.168.34.21
  - 192.168.34.22
  - 192.168.34.9
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: 192.168.34.9:6443
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.18.2
networking:
  dnsDomain: cluster.local
  podSubnet: 192.168.0.0/18
  serviceSubnet: 10.96.0.0/12
scheduler: {}
Renewing the certificates
Renew all certificate files:
kubeadm alpha certs renew all --config kubeadm.yaml
Actual output:
[root@zxmaster1 ~]# kubeadm alpha certs renew all --config kubeadm.yaml
W0124 14:47:59.970337 865 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@zxmaster1 ~]#
Check the certificate validity again:
[root@zxmaster1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 24, 2023 06:48 UTC   364d                                    no
apiserver                  Jan 24, 2023 06:48 UTC   364d            ca                      no
apiserver-etcd-client      Jan 24, 2023 06:48 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jan 24, 2023 06:48 UTC   364d            ca                      no
controller-manager.conf Jan 24