kubeadm certificate replacement
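Most of the internal certificates of a cluster created by kubeadm expire after one year by default. To avoid having to replace certificates during later maintenance, renew them with a longer expiration time right after the cluster is created.
# Replace the control-plane service certs
Run the renewal command manually: kubeadm certs renew all
The certificate expiration time is 1 year, and the automatic rotation mechanism is enabled by default.
Warning: kubeadm cannot manage certificates signed by an external CA
# View the kubelet certificate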
cd /etc/kubernetes/pki
openssl x509 -in ./ca.crt -noout -text |grep Not
It is recommended to enable CSR on the kubelet of each node, which allows bootstrapping the kubelet's serving certificate: vi /var/lib/kubelet/config.yaml
Add the line: serverTLSBootstrap: true
Restart kubelet: systemctl restart kubelet.service
# Error: Error from server: error dialing backend: remote error: tls: internal error
kubectl exec -it nginx-dp-69df87f76d-6vrzm bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Error from server: error dialing backend: remote error: tls: internal error
- Fix command; cause unknown
for i in $(kubectl get csr --no-headers | awk '{print $1}'); do kubectl certificate approve "$i"; done
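With serverTLSBootstrap: true the kubelet requests its serving certificate through a CSR that kube-controller-manager does not approve automatically, and the loop above approves every CSR in the cluster, including ones unrelated to kubelets. As an added example (not from the original post), the filter below approves only pending CSRs for the kubernetes.io/kubelet-serving signer requested by system:node:* identities. The function names and sample rows are constructed for illustration, and the filter assumes the kubectl table layout that includes SIGNERNAME and REQUESTOR columns.

```shell
#!/bin/sh
# Added example: approve only pending kubelet *serving* CSRs from node identities.

# Read `kubectl get csr --no-headers` rows on stdin, print the CSR names to approve.
# Assumed columns: NAME AGE SIGNERNAME REQUESTOR [REQUESTEDDURATION] CONDITION
# CONDITION is read as the last field because REQUESTEDDURATION is missing
# from the output of older kubectl versions.
select_kubelet_serving_csrs() {
  awk '$3 == "kubernetes.io/kubelet-serving" &&
       index($4, "system:node:") == 1 &&
       $NF == "Pending" { print $1 }'
}

# Hypothetical wrapper: approve the selected CSRs one by one (needs cluster access).
approve_kubelet_serving_csrs() {
  kubectl get csr --no-headers | select_kubelet_serving_csrs |
  while read -r name; do
    kubectl certificate approve "$name"
  done
}

# Constructed sample rows (not from a real cluster) for an offline dry run:
#   sample_csr_rows | select_kubelet_serving_csrs
sample_csr_rows() {
  cat <<'EOF'
csr-7x2kd   4m   kubernetes.io/kubelet-serving                 system:node:node01        <none>   Pending
csr-b9q4z   4m   kubernetes.io/kubelet-serving                 system:node:node02        <none>   Approved,Issued
csr-m3n8p   2m   kubernetes.io/kube-apiserver-client           dev-user                  <none>   Pending
csr-q5t1w   1m   kubernetes.io/kubelet-serving                 dev-user                  <none>   Pending
csr-z8v6c   9m   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:abcdef   <none>   Pending
EOF
}
```

The requestor name alone does not show which hostnames and IPs the certificate will cover; kubectl get csr NAME -o yaml shows the full request before approval.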
Last updated: 2022/12/20, 17:50:55