Renewing certificates with kubeadm (version 1.23.4)



1. Check when the certificates expire

kubeadm certs check-expiration 


1.1 Output

[root@master pki]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 15, 2023 12:07 UTC   335d            ca                      no
apiserver                  Mar 15, 2023 12:07 UTC   335d            ca                      no
apiserver-etcd-client      Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
apiserver-kubelet-client   Mar 15, 2023 12:07 UTC   335d            ca                      no
controller-manager.conf    Mar 15, 2023 12:07 UTC   335d            ca                      no
etcd-healthcheck-client    Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
etcd-peer                  Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
etcd-server                Mar 15, 2023 12:07 UTC   335d            etcd-ca                 no
front-proxy-client         Mar 15, 2023 12:07 UTC   335d            front-proxy-ca          no
scheduler.conf             Mar 15, 2023 12:07 UTC   335d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 12:07 UTC   9y              no
etcd-ca                 Mar 12, 2032 12:07 UTC   9y              no
front-proxy-ca          Mar 12, 2032 12:07 UTC   9y              no

The command lists the expiry and residual time of every certificate kubeadm manages: the serving and client certificates under /etc/kubernetes/pki (API server, etcd and front proxy) and the client certificates kubeadm embeds in the kubeconfig files (admin.conf, controller-manager.conf and scheduler.conf). kubelet.conf is not listed because kubeadm configures the kubelet to rotate its own client certificate automatically. The three CAs are valid for ten years, the leaf certificates for one year, so a cluster that is neither upgraded (kubeadm upgrade renews all of them) nor renewed by hand stops working about a year after kubeadm init. "EXTERNALLY MANAGED: no" means kubeadm owns the files and is able to renew them.

2. Renew certificates manually
Certificates can be renewed by hand at any time with kubeadm certs renew. The command signs the new certificates with the CA (or front-proxy-CA) certificate and key stored in /etc/kubernetes/pki.
2.1 Help for kubeadm certs renew

[root@master pki]# kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm certs renew [flags]
  kubeadm certs renew [command]

Available Commands:
  admin.conf                 Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                        Renew all available certificates
  apiserver                  Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client      Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client   Renew the certificate for the API server to connect to kubelet
  controller-manager.conf    Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client    Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                  Renew the certificate for etcd nodes to communicate with each other
  etcd-server                Renew the certificate for serving etcd
  front-proxy-client         Renew the certificate for the front proxy client
  scheduler.conf             Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm certs renew [command] --help" for more information about a command.

Note: as the help shows, naming one certificate renews only that certificate; all renews every certificate in the list.

2.2 What renew does

  • The certificate is renewed unconditionally for one year from now, however long it had left.
  • The subject, SANs and other attributes are taken from the existing certificate, not from the kubeadm-config ConfigMap, so nothing has to be supplied again.
  • A renewed file is only picked up when the process starts, so the control plane components must be restarted afterwards.

Note: certificate renewal is available from v1.15; in v1.15 to v1.19 the command lived under kubeadm alpha certs and became kubeadm certs in v1.20.
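What those three points mean in code: the Go program below is an added example written for this page, not kubeadm's own implementation (kubeadm does the equivalent inside its certs phase). It builds a constructed CA and apiserver serving certificate in memory, standing in for /etc/kubernetes/pki with the issue time from the check-expiration output above, reports residual time the way check-expiration does, verifies the leaf against the CA as a client trusting ca.crt would, and re-issues the certificate the way renew does: subject and SANs copied from the existing certificate, a fresh private key, one year of validity from now. The common names, SANs and addresses are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert generates a fresh P-256 key and signs tmpl with the CA; with a nil
// CA the certificate is self-signed (used below to create the CA itself).
func issueCert(tmpl, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	parent, signer := ca, caKey
	if ca == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// residualDays is the RESIDUAL TIME column of `kubeadm certs check-expiration`.
func residualDays(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// verifyAgainstCA checks that leaf chains to the CA at time now, as a peer trusting ca.crt would.
func verifyAgainstCA(leaf, ca *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// renewCert mirrors `kubeadm certs renew <name>`: subject, SANs and key usages are copied from
// the existing certificate, a new key is generated, and validity is one year from now.
func renewCert(old, ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	return issueCert(&x509.Certificate{
		SerialNumber: serial, Subject: old.Subject,
		DNSNames: old.DNSNames, IPAddresses: old.IPAddresses,
		KeyUsage: old.KeyUsage, ExtKeyUsage: old.ExtKeyUsage,
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
	}, ca, caKey)
}

// demoPKI is a constructed stand-in for /etc/kubernetes/pki: a 10-year CA and a 1-year apiserver cert (names and SANs assumed).
func demoPKI(issued time.Time) (ca, apiserver *x509.Certificate, caKey *ecdsa.PrivateKey, err error) {
	ca, caKey, err = issueCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"},
		NotBefore: issued, NotAfter: issued.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return
	}
	apiserver, _, err = issueCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "kube-apiserver"},
		DNSNames:    []string{"kubernetes", "kubernetes.default.svc", "master"},
		IPAddresses: []net.IP{net.ParseIP("10.96.0.1"), net.ParseIP("192.168.1.10")},
		NotBefore:   issued, NotAfter: issued.AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return
}

func main() {
	issued := time.Date(2022, 3, 15, 12, 7, 0, 0, time.UTC) // issue time from the page's first output
	ca, old, caKey, err := demoPKI(issued)
	if err != nil {
		panic(err)
	}
	now := issued.AddDate(0, 0, 30) // 30 days later, as on the page: 335d left
	renewed, _, err := renewCert(old, ca, caKey, now)
	if err != nil {
		panic(err)
	}
	later := old.NotAfter.Add(time.Hour) // old cert rejected from here on, renewed one accepted
	fmt.Printf("before: %dd left; after: %dd left, SANs %v\n", residualDays(old, now), residualDays(renewed, now), renewed.DNSNames)
	fmt.Printf("at old expiry+1h: old=%v renewed=%v\n", verifyAgainstCA(old, ca, later), verifyAgainstCA(renewed, ca, later))
}
```

The thing to notice is that renew asks the old certificate, not the cluster configuration, for its attributes: if the API server's SAN list needs to change (a new load-balancer name, for example), renewing will not add it; the certificate has to be regenerated through kubeadm init phase certs with an updated configuration instead.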
2.3 Renew all certificates manually
2.3.1 Back up the original files and run the renewal



[root@master ~]# cp -r /etc/kubernetes /etc/kubernetes.bak
[root@master ~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so tha

The backup holds the CA private keys and admin.conf (a system:masters credential), so keep /etc/kubernetes.bak readable by root only and delete it once the renewed cluster has been verified. On a cluster with several control-plane nodes, run the command on each of them; it only rewrites the local node's files.

2.4 Inspect the new certificate files

[root@master ~]# ll /etc/kubernetes
total 36
-rw-------. 1 root root 5639 Apr 14 14:48 admin.conf
-rw-------. 1 root root 5671 Apr 14 14:48 controller-manager.conf
-rw-------. 1 root root 1963 Mar 15 20:07 kubelet.conf
drwxr-xr-x. 2 root root  113 Mar 22 10:24 manifests
drwxr-xr-x. 3 root root 4096 Mar 15 20:07 pki
drwxr-xr-x. 3 root root 4096 Apr 14 14:37 pki.old
-rw-------. 1 root root 5619 Apr 14 14:48 scheduler.conf
[root@master ~]# ll /etc/kubernetes/pki
total 56
-rw-r--r--. 1 root root 1281 Apr 14 14:48 apiserver.crt
-rw-r--r--. 1 root root 1155 Apr 14 14:48 apiserver-etcd-client.crt
-rw-------. 1 root root 1675 Apr 14 14:48 apiserver-etcd-client.key
-rw-------. 1 root root 1675 Apr 14 14:48 apiserver.key
-rw-r--r--. 1 root root 1164 Apr 14 14:48 apiserver-kubelet-client.crt
-rw-------. 1 root root 1679 Apr 14 14:48 apiserver-kubelet-client.key
-rw-r--r--. 1 root root 1099 Mar 15 20:07 ca.crt
-rw-------. 1 root root 1679 Mar 15 20:07 ca.key
drwxr-xr-x. 2 root root  162 Mar 15 20:07 etcd
-rw-r--r--. 1 root root 1115 Mar 15 20:07 front-proxy-ca.crt
-rw-------. 1 root root 1679 Mar 15 20:07 front-proxy-ca.key
-rw-r--r--. 1 root root 1119 Apr 14 14:48 front-proxy-client.crt
-rw-------. 1 root root 1675 Apr 14 14:48 front-proxy-client.key
-rw-------. 1 root root 1675 Mar 15 20:07 sa.key
-rw-------. 1 root root  451 Mar 15 20:07 sa.pub

Both the .crt and the matching .key files carry the new timestamp (Apr 14 14:48): renew generates a fresh private key together with each new certificate. The CA material (ca.*, front-proxy-ca.*), the service-account key pair (sa.key, sa.pub) and kubelet.conf keep the original date because renew does not touch them.

2.5 Check the expiry again

[root@master ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 14, 2023 06:48 UTC   364d            ca                      no
apiserver                  Apr 14, 2023 06:48 UTC   364d            ca                      no
apiserver-etcd-client      Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Apr 14, 2023 06:48 UTC   364d            ca                      no
controller-manager.conf    Apr 14, 2023 06:48 UTC   364d            ca                      no
etcd-healthcheck-client    Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no
etcd-peer                  Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no
etcd-server                Apr 14, 2023 06:48 UTC   364d            etcd-ca                 no
front-proxy-client         Apr 14, 2023 06:48 UTC   364d            front-proxy-ca          no
scheduler.conf             Apr 14, 2023 06:48 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 12, 2032 12:07 UTC   9y              no
etcd-ca                 Mar 12, 2032 12:07 UTC   9y              no
front-proxy-ca          Mar 12, 2032 12:07 UTC   9y              no
3. Restart the control plane components

The renewed files are only read when a process starts, so kube-apiserver, kube-controller-manager, kube-scheduler and etcd have to be restarted. They run as static pods that the kubelet manages from /etc/kubernetes/manifests, which gives two ways to do it.

3.1 Restart method 1:

[root@master ~]# mv /etc/kubernetes/manifests/* /tmp/
After about 30 seconds the kube-apiserver, kube-controller-manager, kube-scheduler and etcd containers stop; then move the manifests back:
[root@master ~]# mv /tmp/kube-* /etc/kubernetes/manifests/
[root@master ~]# mv /tmp/etcd.yaml /etc/kubernetes/manifests/

The kubelet rescans the manifest directory every 20 seconds by default (--file-check-frequency), so wait at least that long before moving the files back, and expect the API server to be unreachable during the window. Moving the manifests into an empty directory of their own instead of /tmp avoids the glob /tmp/kube-* picking up unrelated files.

3.2 Restart method 2:

[root@master ~]# kubectl delete pod etcd-master -n kube-system
[root@master ~]# kubectl delete pod kube-apiserver-master -n kube-system
[root@master ~]# kubectl delete pod kube-controller-manager-master -n kube-system
[root@master ~]# kubectl delete pod kube-scheduler-master -n kube-system

These are the mirror Pods of static pods (the suffix is the node name, master here), so the kubelet recreates them after deletion. Confirm that the containers were really restarted and picked up the new files, for example from the creation times in crictl ps, rather than trusting the Pod object alone. With either method, finish by checking what the API server actually serves: openssl s_client -connect 127.0.0.1:6443 </dev/null 2>/dev/null | openssl x509 -noout -enddate should print the new expiry date.

4. Update the kubeconfig file

[root@master ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@master ~]# chown $(id -u):$(id -g) $HOME/.kube/config

$HOME/.kube/config is a copy of admin.conf, so it still embeds the pre-renewal client certificate and stops working the day that certificate expires. admin.conf identifies kubernetes-admin in the system:masters group, a cluster-wide root credential: keep the file mode 0600 and refresh every other copy that was handed out (other administrators, CI, bastion hosts) the same way, because kubeadm certs renew admin.conf rewrites only /etc/kubernetes/admin.conf and never the copies.
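Two things go wrong quietly after a renewal: the file on disk is new but a process that was never restarted still serves the old certificate, and a kubeconfig copied before the renewal still embeds the old client certificate. The Go program below, an added example for this page rather than kubeadm or Kubernetes code, checks both. servedMatchesDisk dials a TLS endpoint and compares the leaf it presents with a certificate parsed from a .crt file; certFromKubeconfig extracts the client certificate embedded in a kubeconfig so it can be compared with admin.conf. A loopback TLS listener with a constructed self-signed certificate stands in for kube-apiserver; on a real control-plane node you would dial 127.0.0.1:6443 and read /etc/kubernetes/pki/apiserver.crt with certFromPEM.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// certFromPEM parses the first CERTIFICATE block of a .crt file.
func certFromPEM(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// servedMatchesDisk dials a TLS endpoint and reports whether the leaf it presents is
// byte-for-byte the certificate in disk (e.g. /etc/kubernetes/pki/apiserver.crt).
// Verification is skipped on purpose so that an expired leaf is still compared;
// false right after a renew means the process still holds the old certificate.
func servedMatchesDisk(addr string, disk *x509.Certificate) (bool, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return false, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return false, errors.New("endpoint presented no certificate")
	}
	return bytes.Equal(certs[0].Raw, disk.Raw), nil
}

// certFromKubeconfig extracts the client certificate kubeadm embeds as
// users[].user.client-certificate-data (base64 of a PEM file), so ~/.kube/config
// can be compared with the renewed admin.conf.
func certFromKubeconfig(kubeconfig string) (*x509.Certificate, error) {
	for _, line := range strings.Split(kubeconfig, "\n") {
		before, val, ok := strings.Cut(strings.TrimSpace(line), "client-certificate-data:")
		if !ok || before != "" {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(val))
		if err != nil {
			return nil, err
		}
		return certFromPEM(raw)
	}
	return nil, errors.New("no client-certificate-data in kubeconfig")
}

// selfSigned builds a constructed certificate and key for the demo, a stand-in for
// apiserver.crt/apiserver.key (the real pair is issued by ca.crt, not self-signed).
func selfSigned(cn string, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serveTLS starts a loopback TLS listener presenting cert, a stand-in for
// kube-apiserver on :6443; it returns the address and a stop function.
func serveTLS(cert *x509.Certificate, key *ecdsa.PrivateKey) (string, func(), error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) { c.Handshake(); c.Close() }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

func main() {
	old, oldKey, _ := selfSigned("kube-apiserver", time.Now().AddDate(0, 0, 30))
	renewed, _, _ := selfSigned("kube-apiserver", time.Now().AddDate(1, 0, 0))
	addr, stop, _ := serveTLS(old, oldKey) // not restarted: still serving the pre-renew certificate
	defer stop()
	fmt.Println(servedMatchesDisk(addr, renewed)) // false <nil>: a restart is needed
}
```

The openssl equivalent of servedMatchesDisk is comparing SHA-256 fingerprints: openssl s_client -connect 127.0.0.1:6443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256 against openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -fingerprint -sha256. Repeat on every control-plane node, and for etcd on port 2379 add -cert /etc/kubernetes/pki/etcd/healthcheck-client.crt -key /etc/kubernetes/pki/etcd/healthcheck-client.key to s_client, since etcd requires a client certificate.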
Source: https://51itzy.com/kjqy/130000.html