The Kubernetes cluster certificates have a lifespan of one year. If the Kubernetes cluster certificate expires on the Kubernetes master, then the kubelet service will fail. Issuing a kubectl command, such as kubectl get pods or kubectl exec -it container_name bash, will result in a message similar to Unable to connect to the server: x509: certificate has expired or is not yet valid.

Procedure

  1. Log on to the Kubernetes master node as the root user and run the following command to check when the Kubernetes certificates will expire. 
    kubeadm alpha certs check-expiration
    The output will be similar to the following. In this case the certificates will expire in 273 days. 
    CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Sep 17, 2020 21:24 UTC   273d            no
apiserver                  Sep 17, 2020 21:24 UTC   273d            no
apiserver-etcd-client      Sep 17, 2020 21:24 UTC   273d            no
apiserver-kubelet-client   Sep 17, 2020 21:24 UTC   273d            no
controller-manager.conf    Sep 17, 2020 21:24 UTC   273d            no
etcd-healthcheck-client    Sep 17, 2020 21:24 UTC   273d            no
etcd-peer                  Sep 17, 2020 21:24 UTC   273d            no
etcd-server                Sep 17, 2020 21:24 UTC   273d            no
front-proxy-client         Sep 17, 2020 21:24 UTC   273d            no
scheduler.conf             Sep 17, 2020 21:24 UTC   273d            no
  2. Run the following commands to back up the existing Kubernetes certificates: 
    mkdir -p $HOME/fcik8s-old-certs/pki
/bin/cp -p /etc/kubernetes/pki/*.* $HOME/fcik8s-old-certs/pki
ls -l $HOME/fcik8s-old-certs/pki/
    The output will be similar to the following: 
    total 56
-rw-r--r-- 1 root root 1261 Sep  4  2019 apiserver.crt
-rw-r--r-- 1 root root 1090 Sep  4  2019 apiserver-etcd-client.crt
-rw------- 1 root root 1679 Sep  4  2019 apiserver-etcd-client.key
-rw------- 1 root root 1679 Sep  4  2019 apiserver.key
-rw-r--r-- 1 root root 1099 Sep  4  2019 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Sep  4  2019 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 Sep  4  2019 ca.crt
-rw------- 1 root root 1675 Sep  4  2019 ca.key
-rw-r--r-- 1 root root 1038 Sep  4  2019 front-proxy-ca.crt
-rw------- 1 root root 1675 Sep  4  2019 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 Sep  4  2019 front-proxy-client.crt
-rw------- 1 root root 1679 Sep  4  2019 front-proxy-client.key
-rw------- 1 root root 1675 Sep  4  2019 sa.key
-rw------- 1 root root  451 Sep  4  2019 sa.pub
  3. Run the following commands to back up the existing configurtion files: 
    /bin/cp -p /etc/kubernetes/*.conf $HOME/fcik8s-old-certs
ls -ltr $HOME/fcik8s-old-certs
    The output will be similar to the following: 
    total 36
-rw------- 1 root root 5451 Sep  4  2019 admin.conf
-rw------- 1 root root 5595 Sep  4  2019 kubelet.conf
-rw------- 1 root root 5483 Sep  4  2019 controller-manager.conf
-rw------- 1 root root 5435 Sep  4  2019 scheduler.conf
drwxr-xr-x 2 root root 4096 Dec 19 21:21 pki
  4. Run the following commands to back up your home configuration: 
    mkdir -p $HOME/fcik8s-old-certs/.kube
/bin/cp -p ~/.kube/config $HOME/fcik8s-old-certs/.kube/.
ls -l $HOME/fcik8s-old-certs/.kube/.
    The output will be similar to the following: 
    -rw------- 1 root root 5451 Sep  4  2019 config
  5. Run the following command to renew all the Kubernetes certificates: 
    kubeadm alpha certs renew all
    The output of the command will be similar to the following: 
    certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
  6. Run the following command to confirm the certificates have been renewed and will expire in 364 days: 
    kubeadm alpha certs check-expiration
    The output should look similar to the following: 
    CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2021 02:35 UTC   364d            no      
apiserver                  Dec 20, 2021 02:35 UTC   364d            no      
apiserver-etcd-client      Dec 20, 2021 02:35 UTC   364d            no      
apiserver-kubelet-client   Dec 20, 2021 02:35 UTC   364d            no      
controller-manager.conf    Dec 20, 2021 02:35 UTC   364d            no      
etcd-healthcheck-client    Dec 20, 2021 02:35 UTC   364d            no      
etcd-peer                  Dec 20, 2021 02:35 UTC   364d            no      
etcd-server                Dec 20, 2021 02:35 UTC   364d            no      
front-proxy-client         Dec 20, 2021 02:35 UTC   364d            no      
scheduler.conf             Dec 20, 2021 02:35 UTC   364d            no
  7. Confirm the kubelet services are running and communication between the worker nodes and the Kubernetes master is working.
  8. After waiting a few minutes, run the following command from the Kubernetes master node to confirm that the worker nodes are available: 
    kubectl get nodes
    If you get a response similar to the following: 
    The connection to the server 9.37.21.119:6443 was refused - did you specify the right host or port?
    continue with the next steps to resolve the issue. Otherwise, your Kubernetes cluster certificates have been successfully renewed.
  9. Run the following command: 
    diff $HOME/fcik8s-old-certs/kubelet.conf /etc/kubernetes/kubelet.conf
    If there is no output, the kubelet.conf file was not updated with the new certificate information.
  10. Update the /etc/kubernetes/kubelet.conf file and display the difference from the old version to the new one: 
    cd /etc/kubernetes
sudo kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf
diff $HOME/fcik8s-old-certs/kubelet.conf /etc/kubernetes/kubelet.conf
    If the output shows a difference, the file kubelet.conf was updated with the new certificate information.
  11. Run the following command: 
    diff ~/.kube/config $HOME/fcik8s-old-certs/.kube/config
    If there is no output, the config file still has the outdated keys and certificate values in it.
  12. Update client-certificate-data and client-key-data in ~/.kube/config with the values from the updated file in /etc/kubernetes/kubelet.conf: 
    • cat /etc/kubernetes/kubelet.conf

      Select and copy the output after client-key-data:.

    • In the ~/.kube/config file, replace the information after client-key-data: with the text copied in the previous step.
    • cat /etc/kubernetes/kubelet.conf

      Select and copy the output after client-certificate-data:.

    • In the ~/.kube/config file, replace the information after client-certificate-data: with the text copied in the previous step.
  13. Restart the kubelet service: 
    systemctl daemon-reload&&systemctl restart kubelet
    This command is successful if there is no output.
  14. Verify master and worker nodes are available: 
    kubectl get nodes
  15. Verify all pods are in the running state: 
    kubectl get pods

'나는 노동자 > KUBERNETES' 카테고리의 다른 글

GRAFANA Time Range(V9.3.6 UP)  (0) 2023.02.24
인증서 기간 연장하기  (0) 2021.11.25
kubelet.conf certification 기간 확인  (0) 2021.11.24
계속 꺼지는 etcd 컨테이너 etcd 용량 줄이기  (0) 2021.11.21
minikube etcd 조각 모음 defrag  (0) 2021.11.21

+ Recent posts

티스토리툴바