
Renewing certificates with kubeadm

t_umet_ume

The local Kubernetes environment I started up for the first time in a while had expired certificates, so I'm renewing them.

Environment

  • kubernetes: v1.20.6
  • kubeadm: v1.20.6
t_umet_ume

State before renewal.

kubectl on the client side
$ kubectl get node
Error from server (InternalError): an error on the server ("") has prevented the request from succeeding
Certificate state on the ControlPlane side
$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 06, 2022 16:31 UTC   <invalid>                               no
apiserver                  May 06, 2022 16:31 UTC   <invalid>       ca                      no
apiserver-etcd-client      May 06, 2022 16:31 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   May 06, 2022 16:31 UTC   <invalid>       ca                      no
controller-manager.conf    May 06, 2022 16:31 UTC   <invalid>                               no
etcd-healthcheck-client    May 06, 2022 16:31 UTC   <invalid>       etcd-ca                 no
etcd-peer                  May 06, 2022 16:31 UTC   <invalid>       etcd-ca                 no
etcd-server                May 06, 2022 16:31 UTC   <invalid>       etcd-ca                 no
front-proxy-client         May 06, 2022 16:31 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             May 06, 2022 16:31 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 04, 2031 16:31 UTC   8y              no
etcd-ca                 May 04, 2031 16:31 UTC   8y              no
front-proxy-ca          May 04, 2031 16:31 UTC   8y              no
t_umet_ume

Run the following on the ControlPlane.

# renew the certificates
$ kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

# check the expiration dates after renewal
$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 29, 2023 16:06 UTC   364d                                    no
apiserver                  Jul 29, 2023 16:06 UTC   364d            ca                      no
apiserver-etcd-client      Jul 29, 2023 16:06 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jul 29, 2023 16:06 UTC   364d            ca                      no
controller-manager.conf    Jul 29, 2023 16:06 UTC   364d                                    no
etcd-healthcheck-client    Jul 29, 2023 16:06 UTC   364d            etcd-ca                 no
etcd-peer                  Jul 29, 2023 16:06 UTC   364d            etcd-ca                 no
etcd-server                Jul 29, 2023 16:06 UTC   364d            etcd-ca                 no
front-proxy-client         Jul 29, 2023 16:06 UTC   364d            front-proxy-ca          no
scheduler.conf             Jul 29, 2023 16:06 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 04, 2031 16:31 UTC   8y              no
etcd-ca                 May 04, 2031 16:31 UTC   8y              no
front-proxy-ca          May 04, 2031 16:31 UTC   8y              no

They were renewed to one year from now.
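The two check-expiration tables above are easy to read by eye but nobody was looking at them before kubectl started failing. As an added example (not from this scrap), here is a small Python parser for that output that classifies each certificate as expired, expiring within a warning window, or ok; the sample output embedded in it is constructed from the pre-renewal table above.

```python
# Added example (not from the scrap): parse `kubeadm certs check-expiration`
# output and flag certificates that are expired or close to expiry.
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed from the pre-renewal table in the thread.
SAMPLE_OUTPUT = """\
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 06, 2022 16:31 UTC   <invalid>                               no
apiserver                  May 06, 2022 16:31 UTC   <invalid>       ca                      no
etcd-server                May 06, 2022 16:31 UTC   <invalid>       etcd-ca                 no
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 04, 2031 16:31 UTC   8y              no
etcd-ca                 May 04, 2031 16:31 UTC   8y              no
"""

# A data row is a name followed by an expiry such as "May 06, 2022 16:31 UTC".
ROW_RE = re.compile(r"^(\S+)\s+([A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2}) UTC\s")

def parse_when(s):
    """Parse kubeadm's timestamp format, e.g. "May 06, 2022 16:31", as UTC."""
    return datetime.strptime(s, "%b %d, %Y %H:%M").replace(tzinfo=timezone.utc)

def parse_expirations(text):
    """Return {name: expiry datetime} for every certificate and CA row."""
    found = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            found[m.group(1)] = parse_when(m.group(2))
    return found

def classify(expirations, now, warn_days=30):
    """Map each name to 'expired', 'expiring' (within warn_days) or 'ok'."""
    states = {}
    for name, when in expirations.items():
        left = when - now
        if left <= timedelta(0):
            states[name] = "expired"
        elif left <= timedelta(days=warn_days):
            states[name] = "expiring"
        else:
            states[name] = "ok"
    return states

def needs_renewal(text, now, warn_days=30):
    """Sorted names to renew: expired or within warn_days of expiry."""
    states = classify(parse_expirations(text), now, warn_days)
    return sorted(n for n, s in states.items() if s != "ok")
```

To use it on a real cluster, pipe the live command output into the script (for example via sys.stdin.read()) and call needs_renewal with datetime.now(timezone.utc); a non-empty result from a periodic job is the alert this thread was missing.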

t_umet_ume

The message printed when I ran the renew command said to restart the Kubernetes components.

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

I rebooted the VMs to restart everything in one go.
Since there are multiple ControlPlane nodes, I renewed the certificates and rebooted on each of them.
※ I didn't touch the Workers this time, but if they stop working properly a reset looks necessary.

t_umet_ume

Running kubectl on the client still fails with the following error.

$ kubectl get node
error: You must be logged in to the server (Unauthorized)

This is because the certificates were renewed, so copy the config file from the ControlPlane into place.
Config file path: /etc/kubernetes/admin.conf

$ scp <ControlPlane Node IP>:/etc/kubernetes/admin.conf .kube/config

$ kubectl get node
NAME   STATUS   ROLES                  AGE    VERSION
cp01   Ready    control-plane,master   448d   v1.20.6
cp02   Ready    control-plane,master   448d   v1.20.6
cp03   Ready    control-plane,master   448d   v1.20.6
nd01   Ready    <none>                 448d   v1.20.6
nd02   Ready    <none>                 448d   v1.20.6
nd03   Ready    <none>                 448d   v1.20.6
t_umet_ume

Other notes

  • I didn't do anything on the Worker nodes in particular (the ControlPlane alone seems to be enough?)
  • The Pods that had been deployed all came up Running
  • The certificate renewal itself completed in a few minutes
  • As the official docs also state, upgrading the version renews the certificates too, so regular version upgrades are recommended
This scrap was closed on 2022/07/30.