k8s binary install: kubelet certificate expiry

I. First solution

1. Edit kube-controller-manager.service and add (or change) the following flag:
--experimental-cluster-signing-duration=87600h \

87600h is 10 years. The value applies to every certificate the controller-manager's CSR signer issues, not only kubelet certificates, and Kubernetes has no certificate revocation, so a stolen node key stays usable for a decade unless the certificate is rotated or the CA is replaced. On Kubernetes 1.19 and later the flag is named --cluster-signing-duration; the experimental name is deprecated there and removed in later releases.

Then reload systemd and restart kube-controller-manager:

systemctl daemon-reload
systemctl restart kube-controller-manager

2. Run the following steps to regenerate the kubelet certificate; xx.xx.xx.xx is the IP of the k8s apiserver.
mkdir -p /app/k8s
cd /app/k8s

export KUBE_APISERVER="https://xx.xx.xx.xx:6443"
export node_name="kube-node1"

# Create a bootstrap token. The --description and --groups values in the middle of
# this command were garbled on the original page; the values below are the usual
# per-node TLS-bootstrapping ones and are a reconstruction, not the page's text.
# kubeadm tokens expire after 24h by default, so finish the procedure promptly.
export BOOTSTRAP_TOKEN=$(kubeadm token create \
  --description kubelet-bootstrap-token \
  --groups system:bootstrappers:${node_name} \
  --kubeconfig ~/.kube/config)

# Set cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/cert/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kubelet-bootstrap-${node_name}.kubeconfig

# Set client authentication parameters
kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=kubelet-bootstrap-${node_name}.kubeconfig

# Set context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=kubelet-bootstrap-${node_name}.kubeconfig

# Set the default context
kubectl config use-context default --kubeconfig=kubelet-bootstrap-${node_name}.kubeconfig

# Confirm the token was created
kubeadm token list --kubeconfig ~/.kube/config

# Install the new bootstrap kubeconfig on the node and delete the expired client certificate
rm -f /etc/kubernetes/kubelet-bootstrap.kubeconfig
cp kubelet-bootstrap-${node_name}.kubeconfig /etc/kubernetes/kubelet-bootstrap.kubeconfig

rm -f /etc/kubernetes/cert/kubelet-client*

# Restart the kubelet, give it a moment to submit its CSR, then approve the CSR.
# Note that this pipeline approves every pending CSR in the cluster, whoever requested
# it; on a shared cluster approve only the CSR that belongs to this node.
service kubelet restart
sleep 5
kubectl get csr | awk '{print $1}' | grep -v "NAME" | xargs kubectl certificate approve

3. On the kubelet node, check the validity period of the kubelet certificate (for example with the openssl x509 -noout command shown in step 9 of the second solution); a validity of 10 years means the change took effect.
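The last command of step 2 approves every pending CSR in the cluster, whoever requested it. The following Python script is an added example, not part of the original post and not a Kubernetes tool: it applies the checks an operator would make by hand before approving (not already approved or denied, the kubelet client signer, client-auth usages only, and a requester that is either a bootstrap token minted for this node or the node's own identity) to the output of kubectl get csr -o json, and prints the approve command for review. It assumes the bootstrap token was created with the per-node group system:bootstrappers:<node_name>, as in the reconstructed kubeadm token create command above; the SAMPLE document is constructed in kubectl's output shape, not captured from a cluster.

```python
"""Approve only the kubelet CSRs this procedure expects, instead of
`kubectl get csr | ... | xargs kubectl certificate approve`, which approves
every pending CSR in the cluster regardless of who requested it."""
import json
import sys

# Signer used by kubelet client-certificate CSRs on Kubernetes 1.18+.
# Older clusters have no spec.signerName, so a missing value is tolerated.
KUBELET_CLIENT_SIGNER = "kubernetes.io/kube-apiserver-client-kubelet"
# Older kubelets request all three usages, newer ones only "client auth".
ALLOWED_USAGES = {"digital signature", "key encipherment", "client auth"}


def csr_decision(csr, node_name):
    """Return (approve, reason) for one CSR object from `kubectl get csr -o json`."""
    spec = csr.get("spec", {})
    conditions = csr.get("status", {}).get("conditions", [])
    if any(c.get("type") in ("Approved", "Denied") for c in conditions):
        return False, "already approved or denied"
    signer = spec.get("signerName")
    if signer is not None and signer != KUBELET_CLIENT_SIGNER:
        return False, f"unexpected signer {signer}"
    usages = set(spec.get("usages", []))
    if "client auth" not in usages or not usages <= ALLOWED_USAGES:
        return False, f"unexpected usages {sorted(usages)}"
    user = spec.get("username", "")
    groups = set(spec.get("groups", []))
    # Initial bootstrap: a kubeadm-created token authenticates as
    # system:bootstrap:<token-id>. We require the per-node group the token was
    # created with (assumption: system:bootstrappers:<node_name>, as in step 2).
    if user.startswith("system:bootstrap:"):
        if f"system:bootstrappers:{node_name}" in groups:
            return True, "bootstrap request for this node"
        return False, "bootstrap token not issued for this node"
    # Renewal: the node itself, authenticated with its current client certificate.
    if user == f"system:node:{node_name}" and "system:nodes" in groups:
        return True, "renewal by the node itself"
    return False, f"unexpected requester {user}"


def select_csrs(csr_list, node_name):
    """Split a `kubectl get csr -o json` document into CSR names to approve
    and (name, reason) pairs to leave alone."""
    approve, skip = [], []
    for csr in csr_list.get("items", []):
        name = csr["metadata"]["name"]
        ok, why = csr_decision(csr, node_name)
        if ok:
            approve.append(name)
        else:
            skip.append((name, why))
    return approve, skip


# Constructed sample in the shape kubectl emits; not captured from a real cluster.
SAMPLE = {"items": [
    {"metadata": {"name": "csr-bootstrap-node1"},
     "spec": {"username": "system:bootstrap:abcdef",
              "groups": ["system:bootstrappers", "system:bootstrappers:kube-node1", "system:authenticated"],
              "signerName": KUBELET_CLIENT_SIGNER,
              "usages": ["digital signature", "key encipherment", "client auth"]},
     "status": {}},
    {"metadata": {"name": "csr-other-node"},     # token minted for a different node
     "spec": {"username": "system:bootstrap:123456",
              "groups": ["system:bootstrappers", "system:bootstrappers:kube-node2", "system:authenticated"],
              "signerName": KUBELET_CLIENT_SIGNER,
              "usages": ["digital signature", "key encipherment", "client auth"]},
     "status": {}},
    {"metadata": {"name": "csr-done"},           # already handled
     "spec": {"username": "system:node:kube-node1", "groups": ["system:nodes", "system:authenticated"],
              "signerName": KUBELET_CLIENT_SIGNER, "usages": ["client auth"]},
     "status": {"conditions": [{"type": "Approved"}]}},
    {"metadata": {"name": "csr-serving"},        # serving cert, not a client cert: review by hand
     "spec": {"username": "system:node:kube-node1", "groups": ["system:nodes", "system:authenticated"],
              "signerName": "kubernetes.io/kubelet-serving",
              "usages": ["digital signature", "key encipherment", "server auth"]},
     "status": {}},
]}


if __name__ == "__main__":
    # Usage: kubectl get csr -o json | python3 approve_kubelet_csr.py kube-node1
    node = sys.argv[1] if len(sys.argv) > 1 else "kube-node1"
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    names, skipped = select_csrs(data, node)
    for name, why in skipped:
        print(f"skip {name}: {why}", file=sys.stderr)
    # Print the command rather than running it so the operator sees what gets approved.
    if names:
        print("kubectl certificate approve " + " ".join(names))
```

The script deliberately prints the kubectl command instead of executing it; pipe its output to sh once the skipped list looks right. Serving-certificate CSRs (signer kubernetes.io/kubelet-serving) are left alone because their SANs should be checked against the node's real addresses before approval.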

II. Second solution
1. Edit kubelet.service and add the following (the original page passed --feature-gates twice, which Kubernetes components merge; the single comma-separated form below is equivalent and clearer):
--feature-gates=RotateKubeletServerCertificate=true,RotateKubeletClientCertificate=true --rotate-certificates \

With --rotate-certificates the kubelet requests a new client certificate through the CSR API once roughly 70 to 90 percent of the current certificate's lifetime has elapsed and switches to it when the CSR is approved, so the certificate no longer expires in the first place. RotateKubeletClientCertificate is GA and on by default since Kubernetes 1.19, so on newer kubelets only --rotate-certificates (or rotateCertificates in the kubelet config file) is needed.

2. Edit kube-controller-manager.service and add the following:
# certificates are valid for 10 years
--experimental-cluster-signing-duration=87600h0m0s --feature-gates=RotateKubeletServerCertificate=true \

3. Create a ClusterRole for auto-approving the related CSRs
3.1. vim tls-instructs-csr.yaml

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/selfnodeserver"]
  verbs: ["create"]

3.2. kubectl apply -f tls-instructs-csr.yaml

Note that the CSR-approving controller built into kube-controller-manager only recognises the nodeclient and selfnodeclient subresources; it never auto-approves kubelet serving-certificate CSRs. This selfnodeserver ClusterRole (which the steps below also never bind to any subject) therefore has no effect on its own, and serving-certificate CSRs still need kubectl certificate approve or an external approver.

4. Auto-approve the CSR that the kubelet-bootstrap user submits during its first TLS bootstrapping
kubectl create clusterrolebinding node-client-auto-approve-csr --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient --user=kubelet-bootstrap

This matches a kubelet that authenticates with a static token file whose user name is kubelet-bootstrap. A token created with kubeadm token create (as in the first solution) is authenticated as system:bootstrap:<token-id> in the group system:bootstrappers, so in that case bind the group (--group=system:bootstrappers) rather than the user.

5. Auto-approve renewal of the kubelet client certificate requested by members of the system:nodes group
kubectl create clusterrolebinding node-client-auto-renew-crt --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient --group=system:nodes

The selfnodeclient role covers the client certificate the kubelet presents to the apiserver, not the serving certificate on port 10250; kube-controller-manager does not auto-approve serving-certificate renewals.

6. Restart the kube-controller-manager service

systemctl daemon-reload
systemctl restart kube-controller-manager

7. Go to the TLS configuration directory and delete the kubelet certificates
cd /etc/kubernetes/cert
rm -f kubelet-client*.pem kubelet.key kubelet.crt

If kubelet.service points at kubelet.crt and kubelet.key through --tls-cert-file and --tls-private-key-file, the kubelet will fail to start when those files are missing; delete them only if the kubelet obtains its serving certificate through the CSR API (serverTLSBootstrap), otherwise leave them in place and only remove the kubelet-client*.pem files.

8. Restart the kubelet service
systemctl daemon-reload
systemctl restart kubelet

9. Go to the TLS configuration directory and check the validity period of the kubelet-client certificate (kubelet-client-current.pem is a symlink to the most recently issued certificate, and the file holds the private key after the certificate, so keep it mode 0600)
cd /etc/kubernetes/cert
openssl x509 -in kubelet-client-current.pem -noout -text | grep "Not"
Not Before: May 13 02:36:00 2019 GMT
Not After : May 10 02:36:00 2029 GMT
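Step 9 above, and step 3 of the first solution, verify the new lifetime by reading the openssl output by eye. The following Python script is an added example, not part of the original post and not a Kubernetes or OpenSSL tool: it performs the same check with no external dependencies so it can run from a cron job or a node health check, walking the DER encoding of the certificate as far as tbsCertificate.validity, reporting the lifetime and the days left, and flagging certificates that are expired or expiring within a threshold. The certificate it builds for the demonstration is constructed (dummy issuer, subject, key and signature) and only reuses the dates from the openssl output above; it is not a real kubelet certificate. Because the kubelet's kubelet-client-current.pem carries the private key after the certificate, the script decodes only the first CERTIFICATE block.

```python
"""Dependency-free equivalent of `openssl x509 -noout -dates` for a kubelet
certificate: walks the DER encoding as far as tbsCertificate.validity,
reports the certificate lifetime and the days left, and flags certificates
that are expired or about to expire."""
import base64
import datetime
import re
import sys

UTC = datetime.timezone.utc


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Decode the consecutive TLVs that make up a SEQUENCE body."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        out.append((tag, vs, ve))
        pos = ve
    return out


def _time(buf, tag, start, end):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) to an aware datetime."""
    raw = buf[start:end].decode("ascii")
    if tag == 0x17:                   # UTCTime is YYMMDDHHMMSSZ; RFC 5280: 50-99 => 19xx, 00-49 => 20xx
        yy = int(raw[:2])
        raw = f"{1900 + yy if yy >= 50 else 2000 + yy}{raw[2:]}"
    return datetime.datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def _first_cert_der(pem):
    """Extract the first CERTIFICATE block. kubelet-client-current.pem also
    carries the private key after the certificate, so decode only that block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def validity(pem):
    """Return (notBefore, notAfter) of the first certificate in pem."""
    der = _first_cert_der(pem)
    _, cs, ce = _tlv(der, 0)                    # Certificate ::= SEQUENCE
    _, ts, te = _children(der, cs, ce)[0]       # tbsCertificate ::= SEQUENCE
    fields = _children(der, ts, te)
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, vs, ve = fields[3]
    not_before, not_after = _children(der, vs, ve)
    return _time(der, *not_before), _time(der, *not_after)


def check(pem, now=None, min_days=30):
    """Lifetime, days left, and whether the certificate is good for at least min_days.
    `now` may be an aware datetime or an ISO-8601 string with offset; default is the current time."""
    if now is None:
        now = datetime.datetime.now(UTC)
    elif isinstance(now, str):
        now = datetime.datetime.fromisoformat(now)
    nb, na = validity(pem)
    days_left = (na - now).days
    return {"not_before": nb.isoformat(), "not_after": na.isoformat(),
            "lifetime_days": (na - nb).days, "days_left": days_left,
            "ok": days_left >= min_days}


# --- constructed sample, not a real kubelet certificate ---------------------
def _der(tag, payload):
    """Encode one TLV (short or long form length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def sample_pem(not_before="190513023600Z", not_after="290510023600Z"):
    """A minimal Certificate with dummy issuer/subject/key/signature and the
    dates from the openssl output above (UTCTime), enough for validity() to parse."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                 # [0] version v3
        _der(0x02, b"\x01"),                                             # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")), # sha256WithRSAEncryption
        _der(0x30, b""),                                                 # issuer (empty)
        _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode())),
        _der(0x30, b""),                                                 # subject (empty)
        _der(0x30, b""),                                                 # subjectPublicKeyInfo (empty)
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))      # + signatureAlgorithm, signatureValue
    b64 = base64.encodebytes(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python3 kubelet_cert_check.py /etc/kubernetes/cert/kubelet-client-current.pem
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_pem()
    result = check(pem)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

On the page's own dates the lifetime comes out as exactly 3650 days, which is what 87600h signs. The script parses structure only and does not verify the signature or chain; use it for expiry monitoring, not for trust decisions.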



Reposted from blog.csdn.net/weixin_45413603/article/details/103704985