k8s的kubelet证书过期重生成 - Fri, Dec 4, 2020
k8s的kubelet证书过期重生成
k8s证书默认一年有效期,所以到期之后需要重新生成证书。 重生成证书的指令
kubeadm alpha certs renew all
查看证书有效期
kubeadm alpha certs check-expiration
output
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Nov 30, 2021 20:10 UTC 361d no
apiserver Nov 30, 2021 20:09 UTC 361d no
apiserver-etcd-client Nov 30, 2021 20:09 UTC 361d no
apiserver-kubelet-client Nov 30, 2021 20:09 UTC 361d no
controller-manager.conf Nov 30, 2021 20:09 UTC 361d no
etcd-healthcheck-client Nov 30, 2021 05:42 UTC 361d no
etcd-peer Nov 30, 2021 05:42 UTC 361d no
etcd-server Nov 30, 2021 05:42 UTC 361d no
front-proxy-client Nov 30, 2021 20:09 UTC 361d no
scheduler.conf Nov 30, 2021 20:09 UTC 361d no
但是这些证书生成之后,kubelet证书没有生成。 通过systemctl查看,发现kubelet没有启动
systemctl status kubelet
● kubelet.service - kubelet: The Kubernetes Node Agent
Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/kubelet.service.d
└─10-kubeadm.conf
Active: activating (auto-restart) (Result: exit-code) since Mon 2020-06-01 08:51:47 +0530; 3s ago
Docs: https://kubernetes.io/docs/
Process: 14027 ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS (code=exited, status=255)
Main PID: 14027 (code=exited, status=255)
查看更详细的信息
journalctl -xefu kubelet
bootstrap.go:264] Part of the existing bootstrap client certificate is expired: 2020-04-11 02:01:22 +0000 UTC
kubelet证书重生成
cd /etc/kubenetes/
kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf