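1. Environment
Kubernetes version: 1.15
Installation method: kubeadm
OS: CentOS 7.9
Note: with a default kubeadm installation, the Kubernetes CA certificate is valid for 10 years, but the component certificates are valid for only 1 year.
2. Symptoms
Every kubectl command fails with the following error: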
The connection to the server 192.168.0.1:6443 was refused - did you specify the right host or port?
Check for the kube-apiserver process:
ss -atnlp | grep kube-apiserver
The output is empty, which means the kube-apiserver service is down.
Check the log /var/log/messages, which shows the following errors:
Part of the existing bootstrap client certificate is expired: 2023-03-07 11:44:01 +0000 UTC
failed to run Kubelet: unable to load bootstrap kubeconfig: stat /etc/kubernetes/bootstrap-kubelet.conf: no such file or directory
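The log above shows clearly that the cluster's certificates have expired, which is what made the cluster unavailable.
You can also check the validity period of each component certificate with the following command: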
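# Print the Not Before / Not After dates of every certificate under the kubeadm PKI directory
for item in $(find /etc/kubernetes/pki -maxdepth 2 -name "*.crt");
do openssl x509 -in "$item" -text -noout | grep Not;
echo "======================$item===============";
done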
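The same check turned into something that can run from cron before the certificates expire, as an added example that is not part of the original post. It assumes GNU date and openssl; the function names, the --scan switch and the 30-day WARN_DAYS threshold are hypothetical choices for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU date and openssl.
WARN_DAYS=${WARN_DAYS:-30}   # assumed warning threshold, in days

# cert_status "<notAfter value>" [now_epoch]
# Prints "EXPIRED|EXPIRING|OK <whole days left>"; returns 2 if the date cannot be parsed.
cert_status() {
    cs_end=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    cs_now=${2:-$(date -u +%s)}
    cs_secs=$(( cs_end - cs_now ))
    if [ "$cs_secs" -le 0 ]; then
        echo "EXPIRED $(( cs_secs / 86400 ))"
    elif [ "$cs_secs" -lt $(( WARN_DAYS * 86400 )) ]; then
        echo "EXPIRING $(( cs_secs / 86400 ))"
    else
        echo "OK $(( cs_secs / 86400 ))"
    fi
}

# scan_pki [dir]: prints one line per *.crt file; returns 1 if any certificate is not OK.
scan_pki() {
    sp_rc=0
    for sp_crt in $(find "${1:-/etc/kubernetes/pki}" -maxdepth 2 -name '*.crt'); do
        # openssl prints e.g. "notAfter=Mar  7 11:44:01 2023 GMT"
        sp_end=$(openssl x509 -in "$sp_crt" -noout -enddate | cut -d= -f2)
        if sp_status=$(cert_status "$sp_end"); then
            case $sp_status in OK*) ;; *) sp_rc=1 ;; esac
        else
            sp_status="UNREADABLE -"; sp_rc=1
        fi
        # sp_status is deliberately unquoted so it splits into state and days
        printf '%-10s %5s days  %s\n' ${sp_status} "$sp_crt"
    done
    return "$sp_rc"
}

# Run as: sh check-certs.sh --scan [pki-dir]   (exit status 1 means renew soon)
if [ "${1:-}" = "--scan" ]; then
    scan_pki "${2:-}"
    exit $?
fi
```

Like the loop above, this only looks at the *.crt files under the PKI directory; a non-zero exit status is the signal to schedule a renewal before the API server stops.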
3. Renew the certificates and config files
Back up the Kubernetes certificates and config files:
cp -r /etc/kubernetes /etc/kubernetes_bak
cp $HOME/.kube/config $HOME/.kube/config.bak
Renew the certificates:
kubeadm alpha certs renew all
Back up the kubelet config file:
mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.bak
Single master: regenerate the config files:
kubeadm init phase kubeconfig all
Multiple masters: regenerate the config files:
kubeadm init phase certs all --control-plane-endpoint "kube-apiserver:6443"
4. Restart the services
Copy the regenerated admin.conf into place for kubectl:
cp /etc/kubernetes/admin.conf ~/.kube/config
Restart the kubelet service:
systemctl restart kubelet
Run a kubectl command again:
kubectl get node
NAME         STATUS   ROLES    AGE    VERSION
k8s-master   Ready    master   1y3d   v1.15.0
k8s-node01   Ready    <none>   1y3d   v1.15.0
k8s-node02   Ready    <none>   1y3d   v1.15.0