因為是筆記本虛擬機(jī)搭建所以好久沒打開k8s集群了合呐，開機(jī)后先是提示：Unable to connect to the server: x509: certificate has expired or is not yet漩蟆，一會后就提示：The connection to the server 192.168.37.201:6443 was refused - did you specify the right host or port?滔金，排查后發(fā)現(xiàn)為證書過期塘砸。

1：先查看集群證書過期時間：

sudo openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '

輸出：

? ? ? ? ? ? Not Before: May 24 03:32:37 2019 GMT

? ? ? ? ? ? Not After : May 23 03:32:38 2020 GMT

2：在當(dāng)前目錄編輯kubeadm.conf配置文件：

sion: kubeadm.k8s.io/v1beta1

kind: ClusterConfiguration

kubernetesVersion: v1.15.0? # kubernetes 版本

apiServer:

? certSANs:

? - 192.168.10.xxx # master 所有節(jié)點IP地址，包括master和slave

? - 192.168.10.xxx # slave1

? - 192.168.10.xxx # slave2

? extraArgs:

? ? service-node-port-range: 80-32767

? ? advertise-address: 0.0.0.0

controlPlaneEndpoint: "192.168.10.xxx:6443"? # APIserver 地址,也就是master節(jié)點地址

imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers #這里使用國內(nèi)阿里云的鏡像倉庫

3：更新證書

kubeadm alpha certs renew all --config kubeadm.conf

sudo openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '

輸出：

? ? ? ? ? ? Not Before: Jun 24 10:55:40 2019 GMT

? ? ? ? ? ? Not After : Jul 27 08:37:35 2021 GMT

4：重新生成配置文件

mv /etc/kubernetes/*.conf ~/.

kubeadm init phase kubeconfig all --config kubeadm.conf

5：更新.kube下的配置文件：

mv $HOME/.kube/config $HOME/.kube/config.old

sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

sudo chown $(id -u):$(id -g) $HOME/.kube/config

6：重啟kube-apiserver,kube-controller,kube-scheduler,etcd這4個容器：(一定要ps -a要不有可能服務(wù)容器沒啟動)

docker ps -a | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash

7：重啟容器后發(fā)現(xiàn)節(jié)點都為NotReady狀態(tài)

[root@k8s-master kubernetes]# kubectl get nodes

NAME? ? ? ? STATUS? ? ROLES? ? AGE? ? VERSION

k8s-master? NotReady? master? 384d? v1.15.0

k8s-node1? ? NotReady? node? ? 384d? v1.15.0

[root@k8s-master pki]# cd /var/lib/kubelet/pki/

[root@k8s-master pki]# ls

kubelet-client-2019-12-17-18-50-01.pem? kubelet-client-2019-12-17-18-50-52.pem?

kubelet-client-current.pem? kubelet.crt? kubelet.key

8：master節(jié)點中kubelet證書也需要更新墓塌，重新生成證書霞捡，刪除kubelet配置文件kubelet會向apiserver發(fā)起一個csr

[root@k8s-master pki]# mkdir bakup

[root@k8s-master pki]# mv kubelet* bakup/

[root@k8s-master pki]# lsbakup

[root@k8s-master pki]# systemctl restart kubelet

[root@k8s-master pki]# systemctl status kubelet

[root@k8s-master pki]# openssl x509 -in kubelet.crt -noout -text |grep ' Not ' Not Before: Jan 5 09:25:07 2021 GMT Not After : Jan 5 09:25:07 2022 GMT

//查看未授權(quán)的CSR請求：

[root@k8s-master pki]# kubectl get csr

//approve CSR 請求，有則同意愉昆，沒有則不管：

[root@k8s-master pki]# kubectl certificate approve csr-4pw6gNAME? ? ? ? AGE? ? ? REQUESTOR? ? ? ? ? CONDITIONcsr-4pw6g? 1h? ? ? ? kubelet-bootstrap? Approved,Issued

//驗證結(jié)果

[root@k8s-master kubernetes]# kubectl get nodes

NAME? ? ? ? STATUS? ROLES? ? AGE? ? VERSIONk8s-master? Ready? ? master? 384d? v1.15.0

9：master節(jié)點就更新完成了职员，然后獲取token在更新slave節(jié)點時要用

[root@k8s-master kubernetes]# kubeadm token create

[root@k8s-master kubernetes]# kubeadm token listTOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPSyszrm3.d1zaj2uwj1pfo627 23h 2021-01-06T18:14:57+08:00 authentication,signing system:bootstrappers:kubeadm:default-node-token

10：node節(jié)點添加進(jìn)集群（需刪除原先kubelet配置文件，否則加入失敽惩佟）

[root@k8s-node2 ~]# rm -rf /etc/kubernetes/kubelet.conf

[root@k8s-node2 ~]# rm -rf /etc/kubernetes/pki/ca.crt

[root@k8s-node2 ~]# rm -rf /etc/kubernetes/bootstrap-kubelet.conf

[root@k8s-node2 ~]# systemctl stop kubelet

[root@k8s-node2 ~]# kubeadm join --token=yszrm3.d1zaj2uwj1pfo627? 192.168.10.XXX:6443 --node-name k8s-node2 --discovery-token-unsafe-skip-ca-verification

11：驗證結(jié)果

[root@k8s-master kubernetes]# kubectl get nodes

NAME STATUS ROLES AGE VERSION

k8s-master Ready master 384d v1.15.0

k8s-node1 Ready node 384d v1.15.0

k8s-node2 Ready 11m v1.15.0