自建K8S集群认证过期

本日使用kubectl下令查看pod信息时，不停正常运行的k8s集群突然不能访问了，输入任何下令都提示以下报错：
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2025-01-25T11:35:45+08:00 is after 2024-11-22T23:44:48Z
解决方案：

参考官方文档： kubeadm证书管理 使用下令kubeadm alpha certs 来管理证书：

• 使用下令kubeadm alpha certs renew all更新证书，返回
  

1. [renew] Reading configuration from the cluster...
2. [renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
4. certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
5. certificate for serving the Kubernetes API renewed
6. certificate the apiserver uses to access etcd renewed
7. certificate for the API server to connect to kubelet renewed
8. certificate embedded in the kubeconfig file for the controller manager to use renewed
9. certificate for liveness probes to healthcheck etcd renewed
10. certificate for etcd nodes to communicate with each other renewed
11. certificate for serving etcd renewed
12. certificate for the front proxy client renewed
13. certificate embedded in the kubeconfig file for the scheduler manager to use renewed

复制代码

• 使用如下下令拷贝新生成的设置文件
  

1. sudo kubeadm alpha kubeconfig user --client-name=admin --org=system:masters > /tmp/admin.conf
2. sudo cp /tmp/admin.conf $HOME/.kube/config
3. sudo chown $(id -u):$(id -g) $HOME/.kube/config

复制代码

• 重启kubeletsystemctl restart kubelet 即可正常使用K8S集群
  

1. [root@k8smaster k8s]# kubectl get po
2. NAME                             READY   STATUS      RESTARTS   AGE
3. cron-job-test-1732318920-k2g76   0/1     Completed   0          63d
4. cron-job-test-1732318980-kcr4x   0/1     Completed   0          63d
5. cron-job-test-1732319040-b88rf   0/1     Completed   0          63d

复制代码

• 再次查看证书到期环境
  

1. [root@k8smaster k8s]# kubeadm alpha certs check-expiration
2. [check-expiration] Reading configuration from the cluster...
3. [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
5. CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
6. admin.conf                 Jan 25, 2026 05:55 UTC   364d                                    no
7. apiserver                  Jan 25, 2026 05:55 UTC   364d            ca                      no
8. apiserver-etcd-client      Jan 25, 2026 05:55 UTC   364d            etcd-ca                 no
9. apiserver-kubelet-client   Jan 25, 2026 05:55 UTC   364d            ca                      no
10. controller-manager.conf    Jan 25, 2026 05:55 UTC   364d                                    no
11. etcd-healthcheck-client    Jan 25, 2026 05:55 UTC   364d            etcd-ca                 no
12. etcd-peer                  Jan 25, 2026 05:55 UTC   364d            etcd-ca                 no
13. etcd-server                Jan 25, 2026 05:55 UTC   364d            etcd-ca                 no
14. front-proxy-client         Jan 25, 2026 05:55 UTC   364d            front-proxy-ca          no
15. scheduler.conf             Jan 25, 2026 05:55 UTC   364d                                    no
17. CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
18. ca                      Nov 20, 2033 23:44 UTC   8y              no
19. etcd-ca                 Nov 20, 2033 23:44 UTC   8y              no
20. front-proxy-ca          Nov 20, 2033 23:44 UTC   8y              no

复制代码

留意事项：

官网上给的下令是kubeadm certs check-expiration，标识的k8s版本是V1.15，直接在本地执行该下令报错：

1. [root@k8smaster k8s]# kubeadm certs check-expiration
2. unknown command "certs" for "kubeadm"
3. To see the stack trace of this error execute with --v=5 or higher

复制代码

查了下，我本地的k8s版本是1.19，certs下令放在了 kubeadm alpha下，须要将kubeadm certs 更换为   kubeadm aplha certs 执行即可

1. [root@k8smaster k8sh]# kubeadm version
2. kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.5", GitCommit:"e338cf2c6d297aa603b50ad3a301f761b4173aa6", GitTreeState:"clean", BuildDate:"2020-12-09T11:16:40Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}

复制代码

1. [root@k8smaster k8s]# kubeadm --help
4.     ┌──────────────────────────────────────────────────────────┐
5.     │ KUBEADM                                                  │
6.     │ Easily bootstrap a secure Kubernetes cluster             │
7.     │                                                          │
8.     │ Please give us feedback at:                              │
9.     │ https://github.com/kubernetes/kubeadm/issues             │
10.     └──────────────────────────────────────────────────────────┘
12. Example usage:
14.     Create a two-machine cluster with one control-plane node
15.     (which controls the cluster), and one worker node
16.     (where your workloads, like Pods and Deployments run).
18.     ┌──────────────────────────────────────────────────────────┐
19.     │ On the first machine:                                    │
20.     ├──────────────────────────────────────────────────────────┤
21.     │ control-plane# kubeadm init                              │
22.     └──────────────────────────────────────────────────────────┘
24.     ┌──────────────────────────────────────────────────────────┐
25.     │ On the second machine:                                   │
26.     ├──────────────────────────────────────────────────────────┤
27.     │ worker# kubeadm join <arguments-returned-from-init>      │
28.     └──────────────────────────────────────────────────────────┘
30.     You can then repeat the second step on as many other machines as you like.
32. Usage:
33.   kubeadm [command]
35. Available Commands:
36.   alpha       Kubeadm experimental sub-commands
37.   completion  Output shell completion code for the specified shell (bash or zsh)
38.   config      Manage configuration for a kubeadm cluster persisted in a ConfigMap in the                   cluster
39.   help        Help about any command
40.   init        Run this command in order to set up the Kubernetes control plane
41.   join        Run this on any machine you wish to join an existing cluster
42.   reset       Performs a best effort revert of changes made to this host by 'kubeadm init                  ' or 'kubeadm join'
43.   token       Manage bootstrap tokens
44.   upgrade     Upgrade your cluster smoothly to a newer version with this command
45.   version     Print the version of kubeadm
47. Flags:
48.       --add-dir-header           If true, adds the file directory to the header of the lo                  g messages
49.   -h, --help                     help for kubeadm
50.       --log-file string          If non-empty, use this log file
51.       --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is                   megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
52.       --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesyst                  em.
53.       --skip-headers             If true, avoid header prefixes in the log messages
54.       --skip-log-headers         If true, avoid headers when opening log files
55.   -v, --v Level                  number for the log level verbosity
57. Use "kubeadm [command] --help" for more information about a command.
58. [root@k8smaster k8s]# kubectl alpha --help
59. These commands correspond to alpha features that are not enabled in Kubernetes
60. clusters by default.
62. Available Commands:
63.   debug       Attach a debug container to a running pod
65. Use "kubectl <command> --help" for more information about a given command.
66. [root@k8smaster k8s]# kubeadm alpha --help
67. Kubeadm experimental sub-commands
69. Usage:
70.   kubeadm alpha [command]
72. Available Commands:
73.   certs       Commands related to handling kubernetes certificates
74.   kubeconfig  Kubeconfig file utilities
75.   selfhosting Make a kubeadm cluster self-hosted
77. Flags:
78.   -h, --help   help for alpha
80. Global Flags:
81.       --add-dir-header           If true, adds the file directory to the header of the log messages
82.       --log-file string          If non-empty, use this log file
83.       --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
84.       --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
85.       --skip-headers             If true, avoid header prefixes in the log messages
86.       --skip-log-headers         If true, avoid headers when opening log files
87.   -v, --v Level                  number for the log level verbosity
89. Additional help topics:
90.   kubeadm alpha phase Invoke subsets of kubeadm functions separately for a manual install
92. Use "kubeadm alpha [command] --help" for more information about a command.

复制代码

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。