您现在的位置是:首页 > 云原生 > Kubernetes > 正文
Kubernetes
kubernetes集群证书过期的解决方法
问题现象
kubeadm安装的kubernetes集群证书的证书有限期是一年,过期后kubectl命令就无法正常执行了,集群里的pod运行也会有问题的。kubelet的日志大致如下:
Jul 13 13:16:12 k8s-master-01 systemd[1]: kubelet.service holdoff time over, scheduling restart. Jul 13 13:16:12 k8s-master-01 systemd[1]: Stopped kubelet: The Kubernetes Node Agent. -- Subject: Unit kubelet.service has finished shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit kubelet.service has finished shutting down. Jul 13 13:16:12 k8s-master-01 systemd[1]: Started kubelet: The Kubernetes Node Agent. -- Subject: Unit kubelet.service has finished start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit kubelet.service has finished starting up. -- -- The start-up result is done. Jul 13 13:16:12 k8s-master-01 kubelet[15161]: Flag --cgroup-driver has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information. Jul 13 13:16:12 k8s-master-01 kubelet[15161]: Flag --cgroup-driver has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information. Jul 13 13:16:12 k8s-master-01 kubelet[15161]: I0713 13:16:12.885182 15161 server.go:425] Version: v1.15.0 Jul 13 13:16:12 k8s-master-01 kubelet[15161]: I0713 13:16:12.885529 15161 plugins.go:103] No cloud provider specified. Jul 13 13:16:12 k8s-master-01 kubelet[15161]: I0713 13:16:12.885566 15161 server.go:791] Client rotation is on, will bootstrap in background Jul 13 13:16:12 k8s-master-01 kubelet[15161]: E0713 13:16:12.887681 15161 bootstrap.go:263] Part of the existing bootstrap client certificate is expired: 2020-07-11 11:53:41 +0000 UTC Jul 13 13:16:12 k8s-master-01 systemd[1]: kubelet.service: main process exited, code=exited, status=255/n/a Jul 13 13:16:12 k8s-master-01 kubelet[15161]: F0713 13:16:12.887729 15161 server.go:273] failed to run Kubelet: unable to load bootstrap kubeconfig: stat /etc/kubernetes/bootstrap-kubelet.conf: no such file or directory Jul 13 13:16:12 k8s-master-01 systemd[1]: Unit kubelet.service entered failed state. Jul 13 13:16:12 k8s-master-01 systemd[1]: kubelet.service failed.
解决方法
第一步、修改系统时间到证书有效期时间内
修改系统时间可以使用date -s 命令,例如把系统时间修改为昨天或者确保证书在有效期内的时间即可,如果要修改时间为"2020-07-11 22:30:00",可以使用如下命令:
date -s "2020-07-11 22:30:00"
时间修改完成后,证书就是在有效期内了,修改后集群就会恢复正常了,如果不正常可以重启下kubelet服务。可以通过如下命令查看证书有效期:
kubeadm alpha certs check-expiration
可以查看到证书有效期就是在修改后的时间到有效期的时间。
第二步、更新证书有效期
备份配置文件:
kubeadm config view > /root/kubeadm.yaml
更新集群证书有效期:
kubeadm init phase certs all kubeadm init phase kubeconfig all
1.17集群里可使用:kubeadm alpha certs renew all
拷贝证书文件到用户目录下:
cp -rf /etc/kubernetes/admin.conf /root/.kube/config
将系统时间修改为正确的时间,重新使用上面的检查证书有效期的命令检查下,有效期已经增加一年了
第三步、重启集群相关的容器
重启kube-apiserver,kube-controller,kube-scheduler,etcd这4个容器即可,命令如下:
docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | xargs docker restart重启kubelet服务:
systemctl restart kubelet && journalctl -xefu kubelet
查看nodes状态和pod状态:
kubectl get nodes kubectl get pods -n kube-system
若不正常,可以检查下操作步骤,此方法在1.15的集群内验证通过.
参考文档:https://platformengineer.com/fix-kubernetes-bootstrap-client-certificate-expired-error/
相关文章
- 在Kubernetes里使用openkruise实现服务原地升级功能
- 吾八哥学k8s(十一):kubernetes里Pod的调度机制
- 吾八哥学k8s(十):kubernetes里Service和Ingress
- kubernetes中服务自定义Prometheus的metrics的方法
- k8s集群安装Prometheus监控以及Grafana面板的方法
- kubelet启动失败报failed to find cgroups of kubelet的解决方法
- 吾八哥学k8s(九):kubernetes里持久化存储
- macOs和Linux环境下kubectl命令自动补齐的方法
- 吾八哥学k8s(八):kubernetes里Secret的用法
- apps/v1版本下使用client-go实现kubernetes回滚的方法