\n| k8scludes3\/192.168.110.130<\/td>\n | Ubuntu 18.04.5 LTS<\/td>\n | x86_64<\/td>\n | docker\uff0ckubelet\uff0ckube-proxy\uff0ccalico<\/td>\n | k8s worker\u8282\u70b9<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\u4e8c.\u524d\u8a00<\/h1>\nKubernetes\u96c6\u7fa4\u7684\u8bc1\u4e66\u5bf9\u4e8e\u96c6\u7fa4\u7684\u5b89\u5168\u6027\u548c\u7a33\u5b9a\u6027\u81f3\u5173\u91cd\u8981\u3002\u7136\u800c\uff0c\u968f\u7740\u65f6\u95f4\u7684\u63a8\u79fb\uff0c\u8fd9\u4e9b\u8bc1\u4e66\u4f1a\u8fc7\u671f\uff0c\u5bfc\u81f4\u96c6\u7fa4\u670d\u52a1\u4e0d\u53ef\u7528\u3002\u672c\u6587\u5c06\u8be6\u7ec6\u4ecb\u7ecd\u5982\u4f55\u4f7f\u7528kubeadm\u5de5\u5177\u4e3aKubernetes\u96c6\u7fa4\u7eed\u671f\u8bc1\u4e66\u3002<\/p>\n \u4e09.Kubernetes\u8bc1\u4e66\u8fc7\u671f\u53ca\u7eed\u671f\u7b80\u4ecb<\/h1>\nKubernetes\u96c6\u7fa4\u5728\u521d\u59cb\u5316\u65f6\uff0c\u4f1a\u81ea\u52a8\u751f\u6210\u4e00\u7cfb\u5217\u8bc1\u4e66\uff0c\u5305\u62ecAPI\u670d\u52a1\u5668\u8bc1\u4e66\u3001CA\u8bc1\u4e66\u3001Kubelet\u8bc1\u4e66\u7b49\u3002\u8fd9\u4e9b\u8bc1\u4e66\u901a\u5e38\u67091\u5e74\u7684\u6709\u6548\u671f\u3002\u5f53\u8bc1\u4e66\u8fc7\u671f\u540e\uff0cKubernetes\u96c6\u7fa4\u7684\u67d0\u4e9b\u670d\u52a1\u53ef\u80fd\u4f1a\u53d7\u5230\u5f71\u54cd\uff0c\u4f8b\u5982API\u670d\u52a1\u5668\u65e0\u6cd5\u8bbf\u95ee\u3002\u4e3a\u4e86\u89e3\u51b3\u8bc1\u4e66\u8fc7\u671f\u7684\u95ee\u9898\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528kubeadm\u5de5\u5177\u8fdb\u884c\u8bc1\u4e66\u7eed\u671f\u3002<\/p>\n \u56db.\u4f7f\u7528kubeadm\u4e3aKubernetes\u96c6\u7fa4\u8bc1\u4e66\u7eed\u671f<\/h1>\n4.1 \u67e5\u770bk8s\u96c6\u7fa4\u8bc1\u4e66\u8fc7\u671f\u65f6\u95f4<\/h2>\n\u73b0\u5728k8s\u96c6\u7fa4\u5df2\u7ecf\u4e0d\u80fd\u6b63\u5e38\u8fd0\u884c\u4e86\uff0c\u67e5\u8be2pod\u62a5\u9519\uff0c\u53ef\u4ee5\u770b\u5230\u62a5\u9519\u4fe1\u606f\u4e3a\uff1a\u201c\u8fde\u63a5API\u670d\u52a1\u5668\u62d2\u7edd\u201d\u3002<\/p>\n root@k8scludes1:~# kubectl get pod -o wie<\/span>\r\nThe connection to the server 192.168<\/span>.110.128:6443 was refused - did you specify the right host<\/span> or port?\r\n<\/code><\/pre>\nmaster\u8282\u70b9\u7684\/etc\/kubernetes\/pki\/\u76ee\u5f55\u4e0b\u5b58\u7684\u662f\u5404\u4e2a\u7ec4\u4ef6\u7684\u8bc1\u4e66\u3002<\/p>\n root@k8scludes1:~# ls \/etc\/kubernetes\/pki\/<\/span>\r\napiserver.crt apiserver-etcd-client.key apiserver-kubelet-client.crt ca.crt ca.srl front-proxy-ca.crt front-proxy-ca.srl front-proxy-client.key sa.key\r\napiserver-etcd-client.crt apiserver.key apiserver-kubelet-client.key ca.key etcd front-proxy-ca.key front-proxy-client.crt mytok.csv sa.pub\r\n<\/code><\/pre>\n\u67e5\u770bmaster\u8282\u70b9\u7684apiserver\u8bc1\u4e66\u6709\u6548\u671f\uff0c\u53ef\u4ee5\u770b\u5230\u8bc1\u4e66\u57282023\u5e744\u670816\u53f7\u5c31\u8fc7\u671f\u4e86\uff0c\u8bc1\u4e66\u5df2\u7ecf\u8fc7\u671f\u4e00\u5e74\u591a\u4e86\u3002<\/p>\n root@k8scludes1:~# openssl x509 -in \/etc\/kubernetes\/pki\/apiserver.crt -noout -text | grep Not<\/span>\r\n Not Before: Apr 16<\/span> 14<\/span>:57:44 2022<\/span> GMT\r\n Not After :<\/span> Apr 16<\/span> 14<\/span>:57:44 2023<\/span> GMT \r\n<\/code><\/pre>\n\u5728master\u8282\u70b9\u67e5\u770b\u5404\u4e2a\u7ec4\u4ef6\u7684\u8bc1\u4e66\u8fc7\u671f\u65f6\u95f4\u3002<\/p>\n root@k8scludes1:~# kubeadm certs check-expiration<\/span>\r\n[<\/span>check-expiration]<\/span> Reading configuration from the cluster..<\/span>.\r\n[<\/span>check-expiration]<\/span> FYI: You can look<\/span> at this config file<\/span> with 'kubectl -n kube-system get cm kubeadm-config -o yaml'<\/span>\r\n[<\/span>check-expiration]<\/span> Error reading configuration from the Cluster. Falling back to default configuration\r\n\r\nCERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED\r\nadmin.conf Oct 21<\/span>, 2023<\/span> 14<\/span>:25 UTC 9y no \r\napiserver Oct 21<\/span>, 2023<\/span> 14<\/span>:25 UTC 9y ca no \r\napiserver-etcd-client Oct 21<\/span>, 2023<\/span> 14<\/span>:25 UTC 9y etcd-ca no \r\napiserver-kubelet-client Oct 21<\/span>, 2023<\/span> 14<\/span>:25 UTC 9y ca no \r\ncontroller-manager.conf Oct 21<\/span>, 2023<\/span> 14<\/span>:25 UTC 9y no \r\netcd-healthcheck-client Oct 21<\/span>, 2023<\/span> 14<\/span>:25 UTC 9y etcd-ca no \r\netcd-peer Oct 21<\/span>, 2023<\/span> 14<\/span>:25 UTC 9y etcd-ca no \r\netcd-server Oct 21<\/span>, 2023<\/span> 14<\/span>:25 UTC 9y etcd-ca no \r\nfront-proxy-client Oct 21<\/span>, 2023<\/span> 14<\/span>:25 UTC 9y front-proxy-ca no \r\nscheduler.conf Oct 21<\/span>, 2023<\/span> 14<\/span>:25 UTC 9y no \r\n\r\nCERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED\r\nca Apr 13<\/span>, 2023<\/span> 14<\/span>:57 UTC 7y no \r\netcd-ca Apr 13<\/span>, 2023<\/span> 14<\/span>:57 UTC 7y no \r\nfront-proxy-ca Apr 13<\/span>, 2023<\/span> 14<\/span>:57 UTC 7y no \r\n<\/code><\/pre>\n\u67e5\u770bmaster\u8282\u70b9\u7684kubelet\u8bc1\u4e66\u8fc7\u671f\u65f6\u95f4\u3002<\/p>\n root@k8scludes1:~# ls \/var\/lib\/kubelet\/pki\/<\/span>\r\nkubelet-client-2022-04-16-22-57-47.pem kubelet-client-current.pem kubelet.crt kubelet.key\r\n\r\nroot@k8scludes1:~# openssl x509 -in \/var\/lib\/kubelet\/pki\/kubelet-client-current.pem -noout -text |grep Not<\/span>\r\n Not Before: Apr 16<\/span> 14<\/span>:57:44 2022<\/span> GMT\r\n Not After :<\/span> Apr 16<\/span> 14<\/span>:57:46 2023<\/span> GMT\r\n<\/code><\/pre>\n4.2 \u4e3amaster\u8282\u70b9\u7eed\u671f\u8bc1\u4e66<\/h2>\n\u5728master\u8282\u70b9\u7ed9\u5404\u4e2a\u7ec4\u4ef6\u7eed\u7b7e\u8bc1\u4e66\u3002<\/p>\n root@k8scludes1:~# kubeadm certs renew all<\/span>\r\n[<\/span>renew]<\/span> Reading configuration from the cluster..<\/span>.\r\n[<\/span>renew]<\/span> FYI: You can look<\/span> at this config file<\/span> with 'kubectl -n kube-system get cm kubeadm-config -o yaml'<\/span>\r\n[<\/span>renew]<\/span> Error reading configuration from the Cluster. Falling back to default configuration\r\n\r\ncertificate embedded in<\/span> the kubeconfig file<\/span> for<\/span> the admin to use and for<\/span> kubeadm itself renewed\r\ncertificate for<\/span> serving the Kubernetes API renewed\r\ncertificate the apiserver uses to access etcd renewed\r\ncertificate for<\/span> the API server to connect to kubelet renewed\r\ncertificate embedded in<\/span> the kubeconfig file<\/span> for<\/span> the controller manager to use renewed\r\ncertificate for<\/span> liveness probes to healthcheck etcd renewed\r\ncertificate for<\/span> etcd nodes to communicate with each other renewed\r\ncertificate for<\/span> serving etcd renewed\r\ncertificate for<\/span> the front proxy client renewed\r\ncertificate embedded in<\/span> the kubeconfig file<\/span> for<\/span> the scheduler manager to use renewed\r\n\r\nDone renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.\r\n<\/code><\/pre>\n\u5728master\u8282\u70b9\u518d\u6b21\u67e5\u770b\u5404\u4e2a\u7ec4\u4ef6\u7684\u8bc1\u4e66\u8fc7\u671f\u65f6\u95f4\uff0c\u53ef\u4ee5\u770b\u5230\u8bc1\u4e66\u7eed\u7b7e\u4e86\u4e00\u5e74\u3002<\/p>\n root@k8scludes1:~# kubeadm certs check-expiration<\/span>\r\n[<\/span>check-expiration]<\/span> Reading configuration from the cluster..<\/span>.\r\n[<\/span>check-expiration]<\/span> FYI: You can look<\/span> at this config file<\/span> with 'kubectl -n kube-system get cm kubeadm-config -o yaml'<\/span>\r\n[<\/span>check-expiration]<\/span> Error reading configuration from the Cluster. Falling back to default configuration\r\n\r\nCERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED\r\nadmin.conf Oct 24<\/span>, 2025<\/span> 02:53 UTC 364d no \r\napiserver Oct 24<\/span>, 2025<\/span> 02:53 UTC 364d ca no \r\napiserver-etcd-client Oct 24<\/span>, 2025<\/span> 02:53 UTC 364d etcd-ca no \r\napiserver-kubelet-client Oct 24<\/span>, 2025<\/span> 02:53 UTC 364d ca no \r\ncontroller-manager.conf Oct 24<\/span>, 2025<\/span> 02:53 UTC 364d no \r\netcd-healthcheck-client Oct 24<\/span>, 2025<\/span> 02:53 UTC 364d etcd-ca no \r\netcd-peer Oct 24<\/span>, 2025<\/span> 02:53 UTC 364d etcd-ca no \r\netcd-server Oct 24<\/span>, 2025<\/span> 02:53 UTC 364d etcd-ca no \r\nfront-proxy-client Oct 24<\/span>, 2025<\/span> 02:53 UTC 364d front-proxy-ca no \r\nscheduler.conf Oct 24<\/span>, 2025<\/span> 02:53 UTC 364d no \r\n\r\nCERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED\r\nca Apr 13<\/span>, 2025<\/span> 14<\/span>:57 UTC 7y no \r\netcd-ca Apr 13<\/span>, 2025<\/span> 14<\/span>:57 UTC 7y no \r\nfront-proxy-ca Apr 13<\/span>, 2025<\/span> 14<\/span>:57 UTC 7y no \r\n<\/code><\/pre>\n\u5f53\u524dkubernetes\u5404\u4e2a\u7ec4\u4ef6\u6240\u4f7f\u7528\u7684kubecong\u6587\u4ef6\u90fd\u5728\/etc\/kubernetes\/\u91cc\u3002<\/p>\n root@k8scludes1:~# ls \/etc\/kubernetes\/<\/span>\r\nadmin.conf admission-control-config-file audit controller-manager.conf kubelet.conf manifests pki scheduler.conf\r\n<\/code><\/pre>\n\u6587\u4ef6\u540e\u7f00\u4e3aconf\u7684\u90fd\u662f\u5404\u4e2a\u7ec4\u4ef6\u6240\u9700\u7684kubeconfig\u6587\u4ef6\uff0c\u4f46\u662f\u8fd9\u4e9b\u6587\u4ef6\u91cc\u4f7f\u7528\u7684\u8bc1\u4e66\u90fd\u662f\u4e4b\u524d\u8fc7\u671f\u7684\u8bc1\u4e66\uff0c\u9700\u8981\u628aconf\u6587\u4ef6\u5220\u9664\u5e76\u91cd\u65b0\u751f\u6210\u3002<\/p>\n root@k8scludes1:~# ls \/etc\/kubernetes\/*.conf<\/span>\r\n\/etc\/kubernetes\/admin.conf \/etc\/kubernetes\/controller-manager.conf \/etc\/kubernetes\/kubelet.conf \/etc\/kubernetes\/scheduler.conf\r\n\r\nroot@k8scludes1:~# mkdir k8sconf_bak<\/span>\r\n\r\nroot@k8scludes1:~# cp \/etc\/kubernetes\/*.conf k8sconf_bak\/<\/span>\r\n\r\nroot@k8scludes1:~# ls k8sconf_bak\/<\/span>\r\nadmin.conf controller-manager.conf kubelet.conf scheduler.conf\r\n\r\nroot@k8scludes1:~# rm -rf \/etc\/kubernetes\/*.conf<\/span>\r\n\r\nroot@k8scludes1:~# ls \/etc\/kubernetes\/<\/span>\r\nadmission-control-config-file audit manifests pki\r\n<\/code><\/pre>\n\u4e3ak8s\u7684\u5404\u4e2a\u7ec4\u4ef6\u91cd\u65b0\u751f\u6210kubeconfig\u6587\u4ef6\u3002<\/p>\n root@k8scludes1:~# kubeadm init --kubernetes-version=v1.22.2 phase kubeconfig all<\/span>\r\n[<\/span>kubeconfig]<\/span> Using kubeconfig folder \"\/etc\/kubernetes\"<\/span>\r\n[<\/span>kubeconfig]<\/span> Writing \"admin.conf\"<\/span> kubeconfig file<\/span>\r\n[<\/span>kubeconfig]<\/span> Writing \"kubelet.conf\"<\/span> kubeconfig file<\/span>\r\n[<\/span>kubeconfig]<\/span> Writing \"controller-manager.conf\"<\/span> kubeconfig file<\/span>\r\n[<\/span>kubeconfig]<\/span> Writing \"scheduler.conf\"<\/span> kubeconfig file<\/span>\r\n\r\nroot@k8scludes1:~# ls \/etc\/kubernetes\/<\/span>\r\nadmin.conf admission-control-config-file audit controller-manager.conf kubelet.conf manifests pki scheduler.conf\r\n<\/code><\/pre>\n\u66ff\u6362\u7ba1\u7406\u5458\u6240\u7528\u7684kubeconfig\u6587\u4ef6\u3002<\/p>\n root@k8scludes1:~# ls ~\/.kube\/config<\/span>\r\n\/root\/.kube\/config\r\n\r\nroot@k8scludes1:~# rm -rf ~\/.kube\/config<\/span>\r\n\r\nroot@k8scludes1:~# ls ~\/.kube\/<\/span>\r\ncache config.old-20241023 kubens\r\n\r\nroot@k8scludes1:~# cp \/etc\/kubernetes\/admin.conf ~\/.kube\/config<\/span>\r\n\r\nroot@k8scludes1:~# ls ~\/.kube\/config<\/span>\r\n\/root\/.kube\/config\r\n<\/code><\/pre>\n\u91cd\u542fkube-scheduler\u3002<\/p>\n root@k8scludes1:~# docker ps | grep kube-scheduler<\/span>\r\n47ac8592cf5c b51ddc1014b0 \"kube-scheduler --au\u2026\"<\/span> 6<\/span> minutes ago Up 6<\/span> minutes k8s_kube-scheduler_kube-scheduler-k8scludes1_kube-system_f637e8449089a70204a39d176f936bc7_289\r\n6e65a5b16329 registry.aliyuncs.com\/google_containers\/pause:3.5 \"\/pause\"<\/span> 6<\/span> minutes ago Up 6<\/span> minutes k8s_POD_kube-scheduler-k8scludes1_kube-system_f637e8449089a70204a39d176f936bc7_75\r\n\r\nroot@k8scludes1:~# docker ps | awk '\/kube-scheduler \/{print $1}'<\/span>\r\n47ac8592cf5c\r\n\r\nroot@k8scludes1:~# docker rm -f $(docker ps | awk '\/kube-scheduler \/{print $1}')<\/span>\r\n47ac8592cf5c\r\n\r\nroot@k8scludes1:~# kubectl get pods -n kube-system | grep scheduler<\/span>\r\nkube-scheduler-k8scludes1 1<\/span>\/1 Running 289<\/span> (<\/span>2y120d ago)<\/span> 2y191d\r\n<\/code><\/pre>\n <\/p>\n \u6279\u91cf\u91cd\u542f\u811a\u672c<\/p>\n for name in kube-apiserver kube-controller-manager kube-scheduler; do\r\ncid=$(crictl ps --name $name -q)\r\nif [ -n \"$cid\" ]; then\r\necho \"Restarting $name container $cid\"\r\ncrictl stop $cid\r\ncrictl start $cid\r\nelse\r\necho \"$name container not found\"\r\nfi\r\ndone<\/pre>\n <\/p>\n \u67e5\u770bmaster\u8282\u70b9\u7684kubelet\u5f53\u524d\u4f7f\u7528\u7684\u8bc1\u4e66\uff0ckubelet-client-current.pem\u8f6f\u94fe\u63a5\u5230\u4e86kubelet-client-2024-10-24-11-08-14.pem\uff0c\u8bf4\u660e\u73b0\u5728kubelet\u4f7f\u7528\u7684\u662f\u6700\u65b0\u7684\u8bc1\u4e66\u3002<\/p>\n root@k8scludes1:~# ls \/var\/lib\/kubelet\/pki\/<\/span>\r\nkubelet-client-2022-04-16-22-57-47.pem kubelet-client-2024-10-24-11-05-29.pem kubelet-client-2024-10-24-11-08-14.pem kubelet-client-current.pem kubelet.crt kubelet.key\r\n\r\nroot@k8scludes1:~# ls \/var\/lib\/kubelet\/pki\/kubelet-client-current.pem -l<\/span>\r\nlrwxrwxrwx 1<\/span> root root 59<\/span> Oct 24<\/span> 11<\/span>:08 \/var\/lib\/kubelet\/pki\/kubelet-client-current.pem -><\/span> \/var\/lib\/kubelet\/pki\/kubelet-client-2024-10-24-11-08-14.pem\r\n<\/code><\/pre>\n\u5982\u679ckubelet-client-current.pem\u8f6f\u94fe\u63a5\u5230kubelet-client-2022-04-16-22-57-47.pem\uff0c\u8bf4\u660ekubelet\u4f7f\u7528\u7684\u662f\u65e7\u7684\u8bc1\u4e66\uff0c\u91cd\u542fkebelet\u5373\u53ef\u3002<\/p>\n root@k8scludes1:~# systemctl restart kubelet<\/span>\r\n\r\nroot@k8scludes1:~# ls \/var\/lib\/kubelet\/pki\/<\/span>\r\nkubelet-client-2022-04-16-22-57-47.pem kubelet-client-2024-10-24-11-05-29.pem kubelet-client-2024-10-24-11-08-14.pem kubelet-client-current.pem kubelet.crt kubelet.key\r\n\r\nroot@k8scludes1:~# ls -l \/var\/lib\/kubelet\/pki\/kubelet-client-current.pem <\/span>\r\nlrwxrwxrwx 1<\/span> root root 59<\/span> Oct 24<\/span> 11<\/span>:08 \/var\/lib\/kubelet\/pki\/kubelet-client-current.pem -><\/span> \/var\/lib\/kubelet\/pki\/kubelet-client-2024-10-24-11-08-14.pem\r\n<\/code><\/pre>\n\u5728master\u8282\u70b9\u4e0a\u67e5\u770b\u8bc1\u4e66\u7b7e\u540d\u8bf7\u6c42\uff08\u7b80\u79f0\u4e3aCSR\uff09\uff0c\u5982\u679cCONDITION\u663e\u793a\u7684\u662fApproved,Issued\uff0c\u8bf4\u660e\u8bc1\u4e66\u7b7e\u540d\u8bf7\u6c42CSR\u5df2\u7ecf\u88ab\u6279\u51c6\uff0c\u5219\u4e0d\u9700\u8981\u6267\u884ckubectl certificate approve csr-htp29<\/code>\uff0c\u5982\u679cCONDITION\u663e\u793a\u7684\u662fPending\uff0c\u5219\u9700\u8981\u624b\u52a8\u6279\u51c6\u8bc1\u4e66\u7b7e\u540d\u8bf7\u6c42CSR\uff0c\u8bed\u6cd5\u4e3a\uff1akubectl certificate approve CSR\u540d<\/code>\u3002<\/p>\nroot@k8scludes1:~# kubectl get csr<\/span>\r\nNAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION\r\ncsr-htp29 12m kubernetes.io\/kube-apiserver-client-kubelet system:node:k8scludes1 <<\/span>none><\/span> Approved,Issued\r\n\r\n#\u6279\u51c6\u8bc1\u4e66\u7b7e\u540d\u8bf7\u6c42CSR<\/span>\r\nroot@k8scludes1:~# kubectl certificate approve csr-htp29<\/span>\r\ncertificatesigningrequest.certificates.k8s.io\/csr-rn8xc approved\r\n<\/code><\/pre>\n\u5728master\u8282\u70b9\u67e5\u770bkubelet\u7684\u8bc1\u4e66\u8fc7\u671f\u65f6\u95f4\uff0c\u52302025\u5e74\u624d\u8fc7\u671f\u4e86\u3002<\/p>\n root@k8scludes1:~# openssl x509 -in \/var\/lib\/kubelet\/pki\/kubelet-client-current.pem -noout -text |grep Not<\/span>\r\n Not Before: Oct 24<\/span> 03:03:14 2024<\/span> GMT\r\n Not After
|