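Background
By kubeadm's design, certificates have to be renewed once a year. Running `kubeadm phase certs all` regenerated every certificate in the cluster, after which etcd could no longer be used. Note: the etcd certificates are valid for 20 years and do not need to be renewed; if certificates expire, renewing only the API server related certificates is enough.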
Repairing the etcd certificates
- Delete every certificate file in the etcd folder except ca.crt and ca.key
- Run the commands that regenerate the etcd certificates

```
kubeadm init phase certs etcd-server
kubeadm init phase certs etcd-healthcheck-client
kubeadm init phase certs etcd-peer
systemctl restart docker
systemctl restart kubelet
```

Repairing the API server certificates
- Delete the following certificates

```
front-proxy-client.*
apiserver-kubelet-client.*
apiserver.*
apiserver-etcd-client.*
```

- Keep the following files

```
ca.*
sa.*
front-proxy-ca.*
```

- Run the commands that regenerate the certificates

```
# HA_ADDRESS is a placeholder for the cluster's HA address
kubeadm init phase certs apiserver-etcd-client
kubeadm init phase certs apiserver-kubelet-client
kubeadm init phase certs apiserver --apiserver-advertise-address HA_ADDRESS
kubeadm init phase certs front-proxy-client
systemctl restart docker
systemctl restart kubelet
```

`kubeadm init phase certs apiserver` needs the HA address configured, otherwise the cluster cannot be reached.
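The deletion steps from both repair sections above, written as one guarded function (an added example, not part of the original post). It assumes the standard kubeadm layout, with the etcd certificates in an `etcd` subdirectory of the PKI directory; the function name and the backup path in the usage comment are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: back up a kubeadm PKI directory, then remove only the leaf
# certificates listed on this page so that kubeadm can regenerate them.
# Assumption: standard kubeadm layout, etcd certificates under PKI_DIR/etcd.
# Usage (paths are assumptions): prune_leaf_certs /etc/kubernetes/pki /root/pki-backup

prune_leaf_certs() {
    local pki_dir="$1" backup_dir="$2" f base
    # Regeneration signs with the existing CAs: refuse to delete anything
    # if a CA certificate or key is missing.
    for f in ca.crt ca.key front-proxy-ca.crt front-proxy-ca.key \
             etcd/ca.crt etcd/ca.key; do
        if [ ! -f "$pki_dir/$f" ]; then
            echo "missing $pki_dir/$f, nothing deleted" >&2
            return 1
        fi
    done
    # Full copy first; -p preserves modes so private keys keep their permissions.
    mkdir -p "$backup_dir" || return 1
    cp -Rp "$pki_dir/." "$backup_dir/" || return 1
    # API server side: exactly the four patterns from the delete list.
    # ca.*, sa.* and front-proxy-ca.* match none of them and are kept.
    for f in "$pki_dir"/front-proxy-client.* "$pki_dir"/apiserver-kubelet-client.* \
             "$pki_dir"/apiserver.* "$pki_dir"/apiserver-etcd-client.*; do
        if [ -f "$f" ]; then rm -f -- "$f"; fi
    done
    # etcd side: everything except ca.crt and ca.key.
    for f in "$pki_dir"/etcd/*; do
        base="${f##*/}"
        case "$base" in
            ca.crt|ca.key) ;;
            *) if [ -f "$f" ]; then rm -f -- "$f"; fi ;;
        esac
    done
    return 0
}
```

After it returns 0, the `kubeadm init phase certs ...` commands from the two sections above recreate the removed files.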
Resetting kubectl's admin configuration

```
# HA_ADDRESS is a placeholder for the cluster's HA address
kubeadm alpha kubeconfig user --client-name=admin
kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin --apiserver-advertise-address=HA_ADDRESS > /etc/kubernetes/admin.conf
kubeadm alpha kubeconfig user --client-name system:kube-controller-manager --apiserver-advertise-address=HA_ADDRESS > /etc/kubernetes/controller-manager.conf
kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) --apiserver-advertise-address=HA_ADDRESS > /etc/kubernetes/kubelet.conf
kubeadm alpha kubeconfig user --client-name system:kube-scheduler --apiserver-advertise-address=HA_ADDRESS > /etc/kubernetes/scheduler.conf

cat admin.conf > ~/.kube/config
```

The HA address parameter can be left out; editing the conf files directly also works.
Checking the status