Renewing certificates with kubeadm

My local Kubernetes environment, booted for the first time in a long while, had expired certificates, so here is how I renewed them.

Environment

- kubernetes: v1.20.6
- kubeadm: v1.20.6

State before renewal.

kubectl on the client side:

```
$ kubectl get node
Error from server (InternalError): an error on the server ("") has prevented the request from succeeding
```
Certificate state on the control plane:

```
$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 06, 2022 16:31 UTC   <invalid>                               no
apiserver                  May 06, 2022 16:31 UTC   <invalid>       ca                      no
apiserver-etcd-client      May 06, 2022 16:31 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   May 06, 2022 16:31 UTC   <invalid>       ca                      no
controller-manager.conf    May 06, 2022 16:31 UTC   <invalid>                               no
etcd-healthcheck-client    May 06, 2022 16:31 UTC   <invalid>       etcd-ca                 no
etcd-peer                  May 06, 2022 16:31 UTC   <invalid>       etcd-ca                 no
etcd-server                May 06, 2022 16:31 UTC   <invalid>       etcd-ca                 no
front-proxy-client         May 06, 2022 16:31 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             May 06, 2022 16:31 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 04, 2031 16:31 UTC   8y              no
etcd-ca                 May 04, 2031 16:31 UTC   8y              no
front-proxy-ca          May 04, 2031 16:31 UTC   8y              no
```
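As an added example (my own code, not part of the original scrap), a small Python check that parses the `kubeadm certs check-expiration` output above and lists the certificates that are already expired or expire within a threshold, so a scheduled job can warn before kubectl stops working. The sample output is constructed from the table above with its column padding collapsed; the `warn_days` threshold and the handling of externally managed rows are my assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: the expired state shown above, with the column padding
# collapsed to single spaces (real kubeadm output aligns the columns).
SAMPLE_OUTPUT = """\
[check-expiration] Reading configuration from the cluster...
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf May 06, 2022 16:31 UTC <invalid> no
apiserver May 06, 2022 16:31 UTC <invalid> ca no
etcd-peer May 06, 2022 16:31 UTC <invalid> etcd-ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca May 04, 2031 16:31 UTC 8y no
"""

# One data row: name, expiry, residual time, optional issuing CA, externally managed.
ROW = re.compile(r"^(?P<name>\S+)\s+(?P<expires>[A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2} UTC)\s+"
                 r"\S+\s+(?:(?P<ca>\S+)\s+)?(?P<managed>yes|no)$")

@dataclass
class CertRow:
    name: str
    expires: datetime
    is_ca: bool
    externally_managed: bool

def parse_check_expiration(text: str) -> list:
    """Parse both tables of `kubeadm certs check-expiration` output."""
    rows, in_ca_table = [], False
    for line in text.splitlines():
        if line.startswith("CERTIFICATE AUTHORITY"):
            in_ca_table = True  # header of the second table (the CAs themselves)
            continue
        m = ROW.match(line.strip())
        if not m:
            continue  # log lines and the first table header
        expires = datetime.strptime(m["expires"], "%b %d, %Y %H:%M UTC")
        rows.append(CertRow(m["name"], expires.replace(tzinfo=timezone.utc),
                            in_ca_table, m["managed"] == "yes"))
    return rows

def certs_needing_renewal(text: str, now: datetime = None, warn_days: int = 30) -> list:
    """Names of certificates already expired or expiring within warn_days.
    Externally managed ones are left out: kubeadm certs renew skips them."""
    deadline = (now or datetime.now(timezone.utc)) + timedelta(days=warn_days)
    return [r.name for r in parse_check_expiration(text)
            if not r.externally_managed and r.expires <= deadline]
```

Run it against `kubeadm certs check-expiration` output piped from a control plane node; a non-empty result means a renewal is due.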
Run the following on the control plane.

```
# Renew the certificates
$ kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

# Check the expiry dates after renewal
$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 29, 2023 16:06 UTC   364d                                    no
apiserver                  Jul 29, 2023 16:06 UTC   364d            ca                      no
apiserver-etcd-client      Jul 29, 2023 16:06 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jul 29, 2023 16:06 UTC   364d            ca                      no
controller-manager.conf    Jul 29, 2023 16:06 UTC   364d                                    no
etcd-healthcheck-client    Jul 29, 2023 16:06 UTC   364d            etcd-ca                 no
etcd-peer                  Jul 29, 2023 16:06 UTC   364d            etcd-ca                 no
etcd-server                Jul 29, 2023 16:06 UTC   364d            etcd-ca                 no
front-proxy-client         Jul 29, 2023 16:06 UTC   364d            front-proxy-ca          no
scheduler.conf             Jul 29, 2023 16:06 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 04, 2031 16:31 UTC   8y              no
etcd-ca                 May 04, 2031 16:31 UTC   8y              no
front-proxy-ca          May 04, 2031 16:31 UTC   8y              no
```
They were renewed for one more year.

The message printed by the renew command says to restart the Kubernetes components:

```
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
```

I rebooted the VM to restart everything in one go.

With multiple control plane nodes, I renewed the certificates and rebooted on each of them.

Note: I did not touch the workers this time; if they stop working properly, a reset looks to be necessary.

Running kubectl on the client still fails, now with the following error.

```
$ kubectl get node
error: You must be logged in to the server (Unauthorized)
```

This is because the certificates were renewed (the client certificate embedded in the old kubeconfig no longer matches), so copy the config file from the control plane into place.

Config file path: /etc/kubernetes/admin.conf

```
$ scp <ControlPlane Node IP>:/etc/kubernetes/admin.conf .kube/config
$ kubectl get node
NAME   STATUS   ROLES                  AGE    VERSION
cp01   Ready    control-plane,master   448d   v1.20.6
cp02   Ready    control-plane,master   448d   v1.20.6
cp03   Ready    control-plane,master   448d   v1.20.6
nd01   Ready    <none>                 448d   v1.20.6
nd02   Ready    <none>                 448d   v1.20.6
nd03   Ready    <none>                 448d   v1.20.6
```
Other observations

- I did nothing on the worker nodes (the control plane alone seems to be enough?)
- The Pods I had deployed all came back up in Running state
- The certificate renewal itself finished in a few minutes
- As the official docs also state, upgrading the cluster version renews the certificates too, so regular upgrades are recommended

References

- Kubernetes official documentation
- A blog post describing what to do when the workers fail

This scrap was closed on 2022/07/30.