
Replacing the Kubernetes apiserver certificate

16 Nov
Author: admin | Category: Containers and virtualization


Contents

  • Replacing the Kubernetes apiserver certificate
    • 1. When the certificate has to be replaced
    • 2. Replacing the kube-apiserver certificate, using a new master node as the example
      • 2.1. Regenerate the kube-apiserver certificate
      • 2.2. Copy the certificate files to the corresponding path on every master
      • 2.3. Restart the components on masters and nodes
      • 2.4. Deploy the new master and confirm it joins the cluster

1. When the certificate has to be replaced

Scenarios that call for reissuing the apiserver certificate:

  • The cluster gains a new master (or a new load-balancer address) through which the apiserver will be reached. Every such address must be listed in the hosts field of the apiserver certificate, so the CSR file has to be edited and the certificate regenerated. Adding a worker node by itself does not change this list, since workers only connect to addresses that are already in it.

  • The certificate has expired or is about to expire.

Both cases reissue only the apiserver serving certificate and its private key. The CA (ca.pem / ca-key.pem) is left untouched, so every other component keeps trusting the new certificate without any change of its own. If the CA itself is expiring, every component certificate and kubeconfig has to be reissued, which is outside the scope of this post.

Steps:

  • 1. Regenerate the apiserver certificate with cfssl;
  • 2. Copy the new certificate and key to the corresponding directory on every master;
  • 3. Restart kube-apiserver on the masters, one master at a time so the cluster stays reachable, and restart kubelet and kube-proxy on the nodes. Strictly, only kube-apiserver needs the restart: kubelet and kube-proxy validate the apiserver against the CA rather than against the individual certificate, and they reconnect on their own when the apiserver restarts. Restarting them is harmless.

2. Replacing the kube-apiserver certificate, using a new master node as the example

2.1. Regenerate the kube-apiserver certificate

1. Add the new master addresses to the certificate request file (the # annotations below mark the added entries; they are not part of the JSON file itself)
[root@binary-k8s-master1 ~/TLS/k8s]# vim kube-apiserver-csr.json 
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "192.168.20.10",
      "192.168.20.11",
      "192.168.20.12",
      "192.168.20.13",
      "192.168.20.9",
      "192.168.20.8",				# new master address
      "192.168.20.7",				# new master address
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

2. Generate the new certificate (this also generates a new private key, kube-apiserver-key.pem; both files are replaced in the next step)
[root@binary-k8s-master1 ~/TLS/k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-apiserver-csr.json | cfssljson -bare kube-apiserver
2021/09/13 16:17:09 [INFO] generate received request
2021/09/13 16:17:09 [INFO] received CSR
2021/09/13 16:17:09 [INFO] generating key: rsa-2048
2021/09/13 16:17:10 [INFO] encoded CSR
2021/09/13 16:17:10 [INFO] signed certificate with serial number 98899679234064675999296405651246055984236858287
2021/09/13 16:17:10 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

Regardless of the warning cfssl prints, confirm before distributing the file that the Subject Alternative Name extension of kube-apiserver.pem really lists the new addresses (openssl x509 -noout -text shows it). A certificate that lacks them is rejected by every client that connects to the new master, and the cluster only notices once the apiserver has been restarted with it.

2.2. Copy the certificate files to the corresponding path on every master

1. Copy to the local machine (\cp runs cp without the interactive alias, so the old files are overwritten without prompting)
[root@binary-k8s-master1 ~]# \cp TLS/k8s/kube-apiserver*pem /data/kubernetes/ssl/

2. Copy to the other masters and to the new master (the glob covers both kube-apiserver.pem and kube-apiserver-key.pem; keep the key file readable only by root on every master)
#other masters
[root@binary-k8s-master1 ~]# scp TLS/k8s/kube-apiserver*pem binary-k8s-master2:/data/kubernetes/ssl/
#new master
[root@binary-k8s-master1 ~]# scp TLS/k8s/kube-apiserver*pem binary-k8s-master3:/data/kubernetes/ssl/

2.3. Restart the components on masters and nodes

#master nodes (one master at a time; kube-apiserver is the component that actually loads the new certificate)
systemctl restart kube-apiserver kube-scheduler kube-controller-manager kubelet kube-proxy

#worker nodes
systemctl restart kubelet kube-proxy
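The three steps above (regenerate, copy, restart) as one script. This is an added example, not code from the original post. It assumes the post's layout: the cfssl files in ~/TLS/k8s, certificates installed under /data/kubernetes/ssl, apiservers listening on port 6443, and a MASTERS list of master IP addresses (the three values given are placeholders to replace; they must be addresses that appear in the certificate's SANs, because the health check validates the hostname). The regenerate step refuses to continue unless the new certificate chains to ca.pem, is not within 30 days of expiry and carries every host from the CSR; the rollout step restarts one apiserver at a time and waits until that apiserver answers /healthz and serves the new serial before touching the next one. The SAMPLE_OLD_SAN text is a constructed openssl excerpt used to show what the SAN check reports for a certificate issued from the old CSR.

```shell
#!/usr/bin/env bash
# Added example: rotate the kube-apiserver serving certificate safely.
# Assumptions (not from the original post): paths and port below, and MASTERS
# holding your masters' IP addresses (placeholders, must be SANs of the cert).
TLS_DIR=${TLS_DIR:-${HOME:-/root}/TLS/k8s}
SSL_DIR=${SSL_DIR:-/data/kubernetes/ssl}
MASTERS=${MASTERS:-"192.168.20.10 192.168.20.11 192.168.20.8"}

# Every name or IP a client may use to reach an apiserver: the "hosts" array of
# kube-apiserver-csr.json, including the two new master addresses.
REQUIRED_HOSTS="10.0.0.1 127.0.0.1 192.168.20.10 192.168.20.11 192.168.20.12
192.168.20.13 192.168.20.9 192.168.20.8 192.168.20.7 kubernetes kubernetes.default
kubernetes.default.svc kubernetes.default.svc.cluster kubernetes.default.svc.cluster.local"

# extract_sans: read `openssl x509 -noout -text` output on stdin and print one
# SAN per line with the "DNS:" / "IP Address:" prefixes removed.
extract_sans() {
  awk '/Subject Alternative Name/ { getline; print }' | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/^DNS://' -e 's/^IP Address://' -e '/^$/d'
}

# missing_hosts: print each required host that is absent from the SANs on stdin.
# Returns 1 if anything is missing, 0 if the certificate covers every host.
missing_hosts() {
  local sans h rc=0
  sans=$(extract_sans)
  for h in $REQUIRED_HOSTS; do
    printf '%s\n' "$sans" | grep -qxF -- "$h" || { echo "$h"; rc=1; }
  done
  return $rc
}

# regenerate: the same cfssl invocation as the post, followed by the checks a
# practitioner wants before the file goes anywhere: chains to the CA, not close
# to expiry (30 days = 2592000 s), and carries every SAN from the CSR.
regenerate() {
  (cd "$TLS_DIR" && cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
      -config=ca-config.json -profile=kubernetes kube-apiserver-csr.json \
      | cfssljson -bare kube-apiserver) || return 1
  openssl verify -CAfile "$TLS_DIR/ca.pem" "$TLS_DIR/kube-apiserver.pem" >/dev/null || return 1
  openssl x509 -in "$TLS_DIR/kube-apiserver.pem" -noout -checkend 2592000 >/dev/null || return 1
  openssl x509 -in "$TLS_DIR/kube-apiserver.pem" -noout -text | missing_hosts
}

# rollout: for each master in turn, install cert + key (key readable by root
# only), restart kube-apiserver, then wait until /healthz answers over a TLS
# session validated against ca.pem and the served serial equals the new file's.
rollout() {
  local serial m i
  serial=$(openssl x509 -in "$TLS_DIR/kube-apiserver.pem" -noout -serial)
  for m in $MASTERS; do
    scp "$TLS_DIR/kube-apiserver.pem" "$TLS_DIR/kube-apiserver-key.pem" "$m:$SSL_DIR/" || return 1
    ssh "$m" "chmod 600 $SSL_DIR/kube-apiserver-key.pem && systemctl restart kube-apiserver" || return 1
    for i in $(seq 1 30); do
      if [ "$(curl -s --cacert "$TLS_DIR/ca.pem" "https://$m:6443/healthz")" = ok ] &&
         [ "$(openssl s_client -connect "$m:6443" </dev/null 2>/dev/null \
              | openssl x509 -noout -serial)" = "$serial" ]; then
        echo "$m serves the new certificate"; continue 2
      fi
      sleep 2
    done
    echo "$m did not come back healthy with the new certificate"; return 1
  done
}

# Constructed sample (not real cluster output): the SAN block of a certificate
# issued from the OLD csr, i.e. without 192.168.20.8 and 192.168.20.7.
SAMPLE_OLD_SAN='            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:10.0.0.1, IP Address:127.0.0.1, IP Address:192.168.20.10, IP Address:192.168.20.11, IP Address:192.168.20.12, IP Address:192.168.20.13, IP Address:192.168.20.9'
demo_old_cert() { printf '%s\n' "$SAMPLE_OLD_SAN" | missing_hosts; }

# Real run: `bash rotate.sh run` regenerates and rolls out only if every check passes.
if [ "${1:-}" = run ]; then regenerate && rollout; fi
```

Connecting to each master by IP rather than by hostname is deliberate: the certificate's SANs contain only IPs and the kubernetes service names, so curl's hostname verification (and any kubeconfig pointing at a hostname) would fail otherwise. demo_old_cert prints 192.168.20.8 and 192.168.20.7, the two hosts the old certificate does not cover.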

2.4. Deploy the new master and confirm it joins the cluster

1. Deploy the master components
kube-apiserver kube-scheduler kube-controller-manager kubelet kube-proxy docker
#deployment steps omitted

2. Once the new node's CSR has been approved with kubectl certificate approve, the calico pod starts and the new master has joined the cluster
[root@binary-k8s-master3 ~]# kubectl get node
NAME                 STATUS   ROLES    AGE     VERSION
binary-k8s-master1   Ready    <none>   9d      v1.20.4
binary-k8s-master2   Ready    <none>   5d1h    v1.20.4
binary-k8s-master3   Ready    <none>   42s     v1.20.4
binary-k8s-node1     Ready    <none>   7d4h    v1.20.4
binary-k8s-node2     Ready    <none>   6d23h   v1.20.4