Fixing expired certificates on a kubeadm-deployed Kubernetes 1.19.16 cluster (The connection to the server 192.168.248.20:6443 was refused - did you specify the right host or port?)

[root@k8s01 ~]# kubelet --version
Kubernetes v1.19.16

1. Check the certificate expiry dates

[root@k8s01 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

W1011 22:38:10.876246   20842 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 23, 2024 23:08 UTC   <invalid>                               no
apiserver                  Jul 23, 2024 23:08 UTC   <invalid>       ca                      no
apiserver-etcd-client      Jul 23, 2024 23:08 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Jul 23, 2024 23:08 UTC   <invalid>       ca                      no
controller-manager.conf    Jul 23, 2024 23:08 UTC   <invalid>                               no
etcd-healthcheck-client    Jul 23, 2024 23:08 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Jul 23, 2024 23:08 UTC   <invalid>       etcd-ca                 no
etcd-server                Jul 23, 2024 23:08 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Jul 23, 2024 23:08 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Jul 23, 2024 23:08 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 21, 2033 23:08 UTC   7y              no
etcd-ca                 Jul 21, 2033 23:08 UTC   7y              no
front-proxy-ca          Jul 21, 2033 23:08 UTC   7y              no

2. Renewing with the kubeadm command

2.1 Change the clock on every machine in the cluster to simulate certificates on the edge of expiry

date -s "2024-3-1 12:00"

2.2 Check the certificate validity

To get a clearer view of how long the certificates remain valid:

[root@k8s01 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 23, 2024 23:08 UTC   19h                                     no
apiserver                  Jul 23, 2024 23:08 UTC   19h             ca                      no
apiserver-etcd-client      Jul 23, 2024 23:08 UTC   19h             etcd-ca                 no
apiserver-kubelet-client   Jul 23, 2024 23:08 UTC   19h             ca                      no
controller-manager.conf    Jul 23, 2024 23:08 UTC   19h                                     no
etcd-healthcheck-client    Jul 23, 2024 23:08 UTC   19h             etcd-ca                 no
etcd-peer                  Jul 23, 2024 23:08 UTC   19h             etcd-ca                 no
etcd-server                Jul 23, 2024 23:08 UTC   19h             etcd-ca                 no
front-proxy-client         Jul 23, 2024 23:08 UTC   19h             front-proxy-ca          no
scheduler.conf             Jul 23, 2024 23:08 UTC   19h                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 21, 2033 23:08 UTC   9y              no
etcd-ca                 Jul 21, 2033 23:08 UTC   9y              no
front-proxy-ca          Jul 21, 2033 23:08 UTC   9y              no
[root@k8s01 ~]#

2.3 Back up the existing configuration data

[root@k8s01 ~]# kubeadm config view > /root/kubeadm.yaml
Command "view" is deprecated, This command is deprecated and will be removed in a future release, please use 'kubectl get cm -o yaml -n kube-system kubeadm-config' to get the kubeadm config directly.
[root@k8s01 ~]# cat /root/kubeadm.yaml
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.19.0
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}
[root@k8s01 ~]#

2.4 Back up the certificates

The backup exists mainly so that a rollback is easy if the upgrade fails.

[root@k8s01 ~]# cp -rp /etc/kubernetes /etc/kubernetes_$(date +%F)
[root@k8s01 ~]# ls /etc/kubernetes_2024-07-23/
admin.conf  controller-manager.conf  kubelet.conf  manifests  pki  scheduler.conf

2.5 Renew the certificates

[root@k8s01 ~]# kubeadm alpha certs renew all --config=/root/kubeadm.yaml
W0723 00:09:21.778515   61631 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

2.6 Confirm the certificate validity

kubeadm alpha certs check-expiration

2.7 Regenerate the kubeconfig files

[root@k8s01 ~]# rm -f /etc/kubernetes/*.conf
[root@k8s01 ~]#  kubeadm init phase kubeconfig all --config /root/kubeadm.yaml
W0723 00:13:13.814519   68429 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[root@k8s01 ~]#

2.8 Update the client certificate

[root@k8s01 ~]#  cp $HOME/.kube/config{,.default}
[root@k8s01 ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
cp: overwrite ‘/root/.kube/config’? y
[root@k8s01 ~]# chown $(id -u):$(id -g) $HOME/.kube/config

2.9 Restart the relevant pods

[root@k8s01 ~]# docker ps |egrep "k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd" | awk '{print $1}' | xargs docker rm -f
bf4a2e7a2037
d274fe69e39b
afaa170431c5
25bde8ce36ee
[root@k8s01 ~]#

Alternatively, to keep it simple, just restart docker.

2.10 Check that the pods are running normally

[root@k8s01 ~]# kubectl get pod -A

2.11 Renew the kubelet certificate on the nodes

$ cp /etc/kubernetes/kubelet.conf{,.default}
# kubeadm init phase kubeconfig kubelet --node-name <node name> --kubeconfig-dir /tmp/ --apiserver-advertise-address <cluster VIP>, for example:
$ kubeadm init phase kubeconfig kubelet --node-name k8s-master --kubeconfig-dir /tmp/ --apiserver-advertise-address 10.4.7.10
$ \cp /tmp/kubelet.conf /etc/kubernetes/
$ systemctl restart kubelet

The kubelet kubeconfig file can be shared between master nodes and worker nodes.

3. Build kubeadm from source with a custom certificate validity

3.1 Back up the cluster configuration

$ kubeadm config view > kubeadm-cluster.yaml # backup
$ kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"16", GitVersion:"v1.18.3", GitCommit:"c97fe5036ef3df2967d086711e6c0c405941e14b", GitTreeState:"clean", BuildDate:"2019-10-15T19:15:39Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"linux/amd64"}
# The version here is 1.18.3

3.2 Fetch the matching kubeadm source

$ wget https://github.com/kubernetes/kubernetes/archive/v1.18.3.tar.gz
$ tar zxvf v1.18.3.tar.gz

3.3 Change the CA certificate validity

$ vim kubernetes-1.18.3/staging/src/k8s.io/client-go/util/cert/cert.go
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(duration365d * 100).UTC(), // the default is 10, change it to 100
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,

3.4 Change the validity of the other certificates

$ vim kubernetes-1.18.3/cmd/kubeadm/app/constants/constants.go
# Jump to line 46 and change it as follows (append * 100):
46 CertificateValidity = time.Hour * 24 * 365 * 100
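The check-expiration table in section 1 and the NotAfter / CertificateValidity edits in sections 3.3 and 3.4 come down to two things: how NotAfter is set when a certificate is created, and how far that NotAfter lies from the current clock. The Go program below is an added example, not code from this page or from kubeadm: it builds a self-signed CA with the same NotBefore/NotAfter/KeyUsage/IsCA fields the patched cert.go sets (validity passed in, so the 10-year and 100-year values can be compared), then parses a PEM certificate back, as found under /etc/kubernetes/pki, and returns the residual time that check-expiration prints, where a non-positive value is its `<invalid>`. The names newSelfSignedCA and residualTime are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const duration365d = time.Hour * 24 * 365 // same constant name the page's cert.go uses

// newSelfSignedCA mirrors the NotBefore/NotAfter/KeyUsage/IsCA fields shown in section 3.3;
// validity is a parameter so the stock 10-year and the patched 100-year value can be compared.
func newSelfSignedCA(validity time.Duration, now time.Time) ([]byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(validity).UTC(),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// residualTime is the RESIDUAL TIME column of check-expiration as a Duration:
// a value <= 0 is what kubeadm prints as "<invalid>".
func residualTime(pemBytes []byte, now time.Time) (time.Duration, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE block in input")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return c.NotAfter.Sub(now), nil
}
```

Feeding residualTime the contents of /etc/kubernetes/pki/apiserver.crt, or the base64-decoded client-certificate-data from admin.conf, gives the same residual time as the table above without needing a working kubeadm.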

3.5 Install the Go toolchain for the build

$ wget https://dl.google.com/go/go1.13.9.linux-amd64.tar.gz
$ tar zxf go1.13.9.linux-amd64.tar.gz -C /usr/local/
$ echo 'export PATH=/usr/local/go/bin:$PATH' >> /etc/profile
$ source /etc/profile
$ go version
go version go1.13.9 linux/amd64

3.6 Configure a Go module proxy reachable from China

Since Go 1.13 the module proxy can be changed through the GOPROXY variable; the default proxy, https://proxy.golang.org, frequently times out from within China. Details: https://github.com/goproxy/goproxy.cn/blob/master/README.zh-CN.md
Run the following in a terminal:

$ go env -w GOPROXY=https://goproxy.cn,direct
$ go env -w GOSUMDB="sum.golang.google.cn"

3.7 Build kubeadm

$ cd kubernetes-1.18.3/ # enter the kubeadm source directory
$ make all WHAT=cmd/kubeadm GOFLAGS=-v

3.8 Replace the kubeadm binary

$ cp /usr/bin/kubeadm{,.bak}
$ \cp _output/local/bin/linux/amd64/kubeadm /usr/bin

3.9 Renew the cluster certificates

$ kubeadm config view > kubeadm-cluster.yaml

# If there are several master nodes, copy the kubeadm-cluster.yaml file and the freshly built kubeadm binary to the other masters

# Renew the certificates (with several masters, run this on every master)

$ kubeadm alpha certs renew all --config=kubeadm-cluster.yaml

3.10 Regenerate the kubeconfig files

$ rm -f /etc/kubernetes/*.conf
$ kubeadm init phase kubeconfig all --config kubeadm-cluster.yaml

3.11 Restart the relevant pods

On every master, restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd so that the new certificates take effect.

$ docker ps |egrep "k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd" | awk '{print $1}' | xargs docker restart

3.12 Replace the admin kubeconfig

$ cp ~/.kube/config{,.old}
$ \cp -i /etc/kubernetes/admin.conf ~/.kube/config
$ chown $(id -u):$(id -g) ~/.kube/config

3.13 Confirm that kubectl works

$ kubectl get pod -A

3.14 Confirm that the certificates were renewed

$ kubeadm alpha certs check-expiration

THE END