k8s的kubelet证书过期重生成

k8s的kubelet证书过期重生成

k8s证书默认一年有效期,所以到期之后需要重新生成证书。
重生成证书的指令

kubeadm alpha certs renew all

查看证书有效期

kubeadm alpha certs check-expiration

output

CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Nov 30, 2021 20:10 UTC   361d            no      
apiserver                  Nov 30, 2021 20:09 UTC   361d            no      
apiserver-etcd-client      Nov 30, 2021 20:09 UTC   361d            no      
apiserver-kubelet-client   Nov 30, 2021 20:09 UTC   361d            no      
controller-manager.conf    Nov 30, 2021 20:09 UTC   361d            no      
etcd-healthcheck-client    Nov 30, 2021 05:42 UTC   361d            no      
etcd-peer                  Nov 30, 2021 05:42 UTC   361d            no      
etcd-server                Nov 30, 2021 05:42 UTC   361d            no      
front-proxy-client         Nov 30, 2021 20:09 UTC   361d            no      
scheduler.conf             Nov 30, 2021 20:09 UTC   361d            no

但是这些证书生成之后,kubelet证书没有生成。
通过systemctl查看,发现kubelet没有启动

systemctl status kubelet
● kubelet.service - kubelet: The Kubernetes Node Agent
   Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/kubelet.service.d
           └─10-kubeadm.conf
   Active: activating (auto-restart) (Result: exit-code) since Mon 2020-06-01 08:51:47 +0530; 3s ago
     Docs: https://kubernetes.io/docs/
  Process: 14027 ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS (code=exited, status=255)
 Main PID: 14027 (code=exited, status=255)

查看更详细的信息

journalctl -xefu kubelet
bootstrap.go:264] Part of the existing bootstrap client certificate is expired: 2020-04-11 02:01:22 +0000 UTC

kubelet证书重生成

cd /etc/kubenetes/
kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf

转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。可以在下面评论区评论,也可以邮件至 wind.kaisa@gmail.com

×

喜欢就点赞,疼爱就打赏