By default, Kubernetes certificates need to be renewed every other year, and the following is a documented certificate renewal process.
1. View Certificate
Check the certificate expiration time on the Master node:
kubeadm certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 02, 2023 09:53 UTC   296d                                    no
apiserver                  Apr 02, 2023 09:53 UTC   296d            ca                      no
apiserver-kubelet-client   Apr 02, 2023 09:53 UTC   296d            ca                      no
controller-manager.conf    Apr 02, 2023 09:53 UTC   296d                                    no
front-proxy-client         Apr 02, 2023 09:53 UTC   296d            front-proxy-ca          no
scheduler.conf             Apr 02, 2023 09:53 UTC   296d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 30, 2032 09:53 UTC   9y              no
front-proxy-ca          Mar 30, 2032 09:53 UTC   9y              no
2. Back Up the Configuration
Here you can directly back up the entire Kubernetes configuration directory:
cp -r /etc/kubernetes /etc/kubernetes.old
3. Execute the command on each Master node to update the certificate
kubeadm certs renew all
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
4. Restart the relevant services on each Master node
docker ps | grep -E "k8s_kube-apiserver|k8s_kube-scheduler|k8s_kube-controller" | awk '{print $1}' | xargs docker restart
5. Update ~/.kube/config file
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
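The expiration check from step 1 can be scripted so that certificates nearing expiry are flagged before they cause an outage, and so the renewal can be confirmed afterwards. The script below is an added example, not part of the original article: `expiring_certs` and `sample_output` are illustrative names, the sample rows are the step 1 output shown on this page, and the residual-time formats it accepts are an assumption noted in the comments.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): flag certificates nearing expiry.
# expiring_certs and sample_output are illustrative names.

# Reads `kubeadm certs check-expiration` output on stdin and prints
# "<name> <residual>" for every entry with THRESHOLD_DAYS or less remaining.
expiring_certs() {
  awk -v limit="$1" '
    {
      # Data rows contain a "UTC" token; the residual time is the next field.
      r = ""
      for (i = 1; i < NF; i++) if ($i == "UTC") { r = $(i + 1); break }
      if (r == "") next                    # header or blank line
      n = r + 0                            # numeric prefix of e.g. "296d"
      u = substr(r, length(r))             # unit suffix
      # Assumption: residuals look like 9y / 296d / 23h / 59m / 10s, and an
      # already expired certificate is shown as "<invalid>".
      if (r == "<invalid>") days = -1
      else if (u == "y")    days = n * 365
      else if (u == "d")    days = n
      else                  days = 0       # under one day left
      if (days <= limit) print $1, r
    }'
}

# Output copied from step 1 of this page, used so the script runs offline.
sample_output() {
  cat <<'EOF'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Apr 02, 2023 09:53 UTC 296d no
apiserver Apr 02, 2023 09:53 UTC 296d ca no
apiserver-kubelet-client Apr 02, 2023 09:53 UTC 296d ca no
controller-manager.conf Apr 02, 2023 09:53 UTC 296d no
front-proxy-client Apr 02, 2023 09:53 UTC 296d front-proxy-ca no
scheduler.conf Apr 02, 2023 09:53 UTC 296d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Mar 30, 2032 09:53 UTC 9y no
front-proxy-ca Mar 30, 2032 09:53 UTC 9y no
EOF
}

# On a control-plane node: kubeadm certs check-expiration | expiring_certs 30
sample_output | expiring_certs 300
```

With a threshold of 300 days the six leaf certificates are listed and the two CAs are not; with a threshold of 30 nothing is printed.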