kubeadm-deployed k8s: adding ips and regenerating the certificates


    Previously

    • The previous article, Using member update for etcd disaster recovery [it can also be used to migrate an etcd cluster], went through a lot, and this article grew out of the same incident
    • The cause: the customer environment has dual NICs, with separate internal and external subnets. In the original deployment [which certainly was not done by me; had it been, I might not have noticed either], the local routes were wrong and traffic did not leave through the external NIC, and no ip was specified when joining the control-plane nodes, so the default route was used. The problem was discovered later, and now the certificates have to be regenerated to repair the chain of problems that the ip change caused for etcd and the apiserver

    The main part

    To modify the certificates, the apiserver service must be available

    Back up the kubernetes directory

    cp -r /etc/kubernetes{,-bak}

    Inspect the ips inside the certificates

    for i in $(find /etc/kubernetes/pki -type f -name "*.crt");do echo ${i} && openssl x509 -in ${i} -text | grep 'DNS:';done

    As you can see, only the apiserver and etcd certificates contain ips

    /etc/kubernetes/pki/ca.crt
    /etc/kubernetes/pki/front-proxy-ca.crt
    /etc/kubernetes/pki/etcd/ca.crt
    /etc/kubernetes/pki/etcd/server.crt
                    DNS:master-03, DNS:localhost, IP Address:192.168.11.135, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
    /etc/kubernetes/pki/etcd/healthcheck-client.crt
    /etc/kubernetes/pki/etcd/peer.crt
                    DNS:master-03, DNS:localhost, IP Address:192.168.11.135, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
    /etc/kubernetes/pki/apiserver.crt
                    DNS:master-03, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:lb-vip, IP Address:10.96.0.1, IP Address:192.168.11.135
    /etc/kubernetes/pki/apiserver-kubelet-client.crt
    /etc/kubernetes/pki/front-proxy-client.crt
    /etc/kubernetes/pki/apiserver-etcd-client.crt
    

    Generate the cluster configuration

    kubeadm config view > /root/kubeadm.yaml

    Add the ips

    vim kubeadm.yaml

    apiServer:
      extraArgs:
        authorization-mode: Node,RBAC
      timeoutForControlPlane: 4m0s
      # added configuration starts here
      certSANs:
      - 192.168.11.131
      - 192.168.11.134
      - 192.168.11.136
      # added configuration ends here
    apiVersion: kubeadm.k8s.io/v1beta2
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    controlPlaneEndpoint: lb-vip:6443
    controllerManager: {}
    dns:
      type: CoreDNS
    etcd:
      local:
        dataDir: /var/lib/etcd
        # added configuration starts here
        serverCertSANs:
        - 192.168.11.131
        - 192.168.11.135
        - 192.168.11.136
        peerCertSANs:
        - 192.168.11.131
        - 192.168.11.135
        - 192.168.11.136
        # added configuration ends here
    imageRepository: registry.aliyuncs.com/google_containers
    kind: ClusterConfiguration
    kubernetesVersion: v1.17.3
    networking:
      dnsDomain: cluster.local
      podSubnet: 172.10.0.0/16
      serviceSubnet: 10.96.0.0/12
    scheduler: {}
    

    Delete the old certificates

    The ca, sa and front-proxy key material (these three) must be kept

    rm -rf /etc/kubernetes/pki/{apiserver*,front-proxy-client*}
    rm -rf /etc/kubernetes/pki/etcd/{healthcheck*,peer*,server*}

    Regenerate the certificates

    kubeadm init phase certs all --config /root/kubeadm.yaml

    Inspect the ips inside the certificates again

    for i in $(find /etc/kubernetes/pki -type f -name "*.crt");do echo ${i} && openssl x509 -in ${i} -text | grep 'DNS:';done

    This confirms that the ips already present in the existing certificates are not overwritten; the new ips are appended after them

    /etc/kubernetes/pki/etcd/ca.crt
    /etc/kubernetes/pki/etcd/server.crt
                    DNS:master-02, DNS:localhost, IP Address:192.168.11.134, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.11.131, IP Address:192.168.11.134, IP Address:192.168.11.136
    /etc/kubernetes/pki/etcd/peer.crt
                    DNS:master-02, DNS:localhost, IP Address:192.168.11.134, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.11.131, IP Address:192.168.11.134, IP Address:192.168.11.136
    /etc/kubernetes/pki/etcd/healthcheck-client.crt
    /etc/kubernetes/pki/ca.crt
    /etc/kubernetes/pki/front-proxy-ca.crt
    /etc/kubernetes/pki/apiserver.crt
                    DNS:master-02, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:lb-vip, IP Address:10.96.0.1, IP Address:192.168.11.134, IP Address:192.168.11.131, IP Address:192.168.11.134, IP Address:192.168.11.136
    /etc/kubernetes/pki/apiserver-kubelet-client.crt
    /etc/kubernetes/pki/front-proxy-client.crt
    /etc/kubernetes/pki/apiserver-etcd-client.crt
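    To make the two inspection steps (listing the ips in each certificate, then confirming after regeneration that every ip you configured is really in the SAN) mechanical rather than done by eye, here is an added example; it is not part of the original post. It reads the certSANs / serverCertSANs / peerCertSANs lists out of kubeadm.yaml-style text and reports any ip that is absent from a certificate's Subject Alternative Name in the form openssl prints it. The function names, the SAMPLE_* data and the sans_of_cert wrapper around openssl x509 -noout -text are my own assumptions; the sample values are copied from this post, and in that sample the etcd serverCertSANs list names 192.168.11.135 while the etcd/server.crt SAN shown does not contain it, which is exactly the kind of mismatch the check is there to surface.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that every ip listed
# under certSANs / serverCertSANs / peerCertSANs in a kubeadm ClusterConfiguration
# actually appears in the Subject Alternative Name of the corresponding certificate.
# The SAN text is taken in the form that `openssl x509 -text | grep 'DNS:'` prints,
# so the comparison itself runs on the embedded sample data without openssl;
# sans_of_cert() is the only function that needs a real certificate file.

# Print the "IP Address:" entries of one openssl SAN line, one per line.
san_ips() {
    printf '%s\n' "$1" \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*IP Address:\([^[:space:]]*\).*$/\1/p'
}

# Read the "- x.x.x.x" items directly under a key (certSANs, serverCertSANs,
# peerCertSANs) from kubeadm.yaml-style text on stdin. Simple line-based
# parsing: the list ends at the first line that is not a "- item".
config_sans() {
    awk -v key="$1" '
        $1 == (key ":")      { inlist = 1; next }
        inlist && $1 == "-"  { print $2; next }
        inlist               { inlist = 0 }
    '
}

# Print the ips from the newline-separated list $2 that do not occur in SAN
# line $1. Returns 0 when nothing is missing, 1 otherwise. An empty list
# (key not present in the config) is vacuously complete.
missing_sans() {
    have=$(san_ips "$1")
    rc=0
    for ip in $2; do
        if ! printf '%s\n' "$have" | grep -qxF "$ip"; then
            echo "$ip"
            rc=1
        fi
    done
    return $rc
}

# Compare the ips under config key $1 (config text $2) with SAN line $3.
check_key() {
    wanted=$(printf '%s\n' "$2" | config_sans "$1")
    missing_sans "$3" "$wanted"
}

# SAN line of a real certificate file (assumes openssl is installed; not used
# by the sample run below). On a control-plane node, for example:
#   check_key certSANs "$(cat /root/kubeadm.yaml)" \
#       "$(sans_of_cert /etc/kubernetes/pki/apiserver.crt)"
sans_of_cert() {
    openssl x509 -in "$1" -noout -text | grep 'DNS:'
}

# Constructed sample data: a fragment of the kubeadm.yaml from the post and the
# SAN lines shown for apiserver.crt and etcd/server.crt after regeneration.
SAMPLE_CONFIG='apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  certSANs:
  - 192.168.11.131
  - 192.168.11.134
  - 192.168.11.136
etcd:
  local:
    dataDir: /var/lib/etcd
    serverCertSANs:
    - 192.168.11.131
    - 192.168.11.135
    - 192.168.11.136'
SAMPLE_APISERVER_SAN='DNS:master-02, DNS:kubernetes, DNS:lb-vip, IP Address:10.96.0.1, IP Address:192.168.11.134, IP Address:192.168.11.131, IP Address:192.168.11.136'
SAMPLE_ETCD_SAN='DNS:master-02, DNS:localhost, IP Address:192.168.11.134, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.11.131, IP Address:192.168.11.134, IP Address:192.168.11.136'

# Sample run: the apiserver certSANs are all present; the etcd list names
# 192.168.11.135, which is not in the etcd SAN line, so it is reported.
if check_key certSANs "$SAMPLE_CONFIG" "$SAMPLE_APISERVER_SAN"; then
    echo "apiserver.crt: all certSANs ips present"
fi
if ! check_key serverCertSANs "$SAMPLE_CONFIG" "$SAMPLE_ETCD_SAN"; then
    echo "etcd/server.crt: the ips above are missing from the SAN"
fi
```

    Run it on a control-plane node after kubeadm init phase certs all, once for each of the three keys against the matching certificate (certSANs against apiserver.crt, serverCertSANs against etcd/server.crt, peerCertSANs against etcd/peer.crt), and treat any printed ip as a reason to re-check the config before uploading it to the configmap.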
    

    Upload the configuration to the configmap

    This way, on a later upgrade or when adding further ips, the ips configured in CertSANs are retained as well, which makes adding or removing them later easier

    kubeadm init phase upload-config kubeadm --config kubeadm.yaml
    Original article: https://blog.csdn.net/u010383467/article/details/126442557