-
k8s master节点更换ip 重签证书
一、开始
证书的修改,必须要 apiserver 服务可用旧IP:
k8s-master 10.0.0.5 k8s-node-1 10.0.0.6 k8s-node-2 10.0.0.7 新IP:
k8s-master 10.0.0.10 k8s-node-1 10.0.0.11 k8s-node-2 10.0.0.12 修改/etc/hosts解析(所有节点):
- vim /etc/hosts
- k8s-master 10.0.0.10
- k8s-node-1 10.0.0.11
- k8s-node-2 10.0.0.12
二、备份 kubernetes 目录
cp -r /etc/kubernetes{,-bak}三、查看证书内的 ip
for i in $(find /etc/kubernetes/pki -type f -name "*.crt");do echo ${i} && openssl x509 -in ${i} -text | grep 'Address'可以看到,只有 apiserver 和 etcd 的证书里面是包含了 ip 的
- /etc/kubernetes/pki/ca.crt
- /etc/kubernetes/pki/front-proxy-ca.crt
- /etc/kubernetes/pki/etcd/ca.crt
- /etc/kubernetes/pki/etcd/server.crt
- DNS:k8s-master, DNS:localhost, IP Address:10.0.0.1, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
- /etc/kubernetes/pki/etcd/healthcheck-client.crt
- /etc/kubernetes/pki/etcd/peer.crt
- DNS:k8s-master, DNS:localhost, IP Address:10.0.0.1, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
- /etc/kubernetes/pki/apiserver.crt
- DNS:k8s-master, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:lb-vip, IP Address:10.96.0.1, IP Address:10.0.0.1
- /etc/kubernetes/pki/apiserver-kubelet-client.crt
- /etc/kubernetes/pki/front-proxy-client.crt
- /etc/kubernetes/pki/apiserver-etcd-client.crt
四、生成集群配置
kubeadm config view > /root/kubeadm.yaml更换IP:
vim kubeadm.yaml
- apiServer:
- extraArgs:
- authorization-mode: Node,RBAC
- timeoutForControlPlane: 4m0s
- # 增加下面的配置
- certSANs:
- - 10.0.0.10
- # 增加上面的配置
- apiVersion: kubeadm.k8s.io/v1beta2
- certificatesDir: /etc/kubernetes/pki
- clusterName: kubernetes
- controlPlaneEndpoint: lb-vip:6443
- controllerManager: {}
- dns:
- type: CoreDNS
- etcd:
- local:
- dataDir: /var/lib/etcd
- # 增加下面的配置
- serverCertSANs:
- - 10.0.0.10
- peerCertSANs:
- - 10.0.0.10
- # 增加上面的配置
- imageRepository: registry.aliyuncs.com/google_containers
- kind: ClusterConfiguration
- kubernetesVersion: v1.17.3
- networking:
- dnsDomain: cluster.local
- podSubnet: 172.10.0.0/16
- serviceSubnet: 10.96.0.0/12
- scheduler: {}
五、删除原有的证书
需要保留 ca ,sa,front-proxy 这三个证书
- rm -rf /etc/kubernetes/pki/{apiserver*,front-proxy-client*}
- rm -rf /etc/kubernetes/pki/etcd/{healthcheck*,peer*,server*}
六、重新生成证书
kubeadm init phase certs all --config /root/kubeadm.yaml再次查看证书内的 ip
for i in $(find /etc/kubernetes/pki -type f -name "*.crt");do echo ${i} && openssl x509 -in ${i} -text | grep 'DNS:';done- /etc/kubernetes/pki/etcd/ca.crt
- /etc/kubernetes/pki/etcd/server.crt
- DNS:k8s-master, DNS:localhost, IP Address:10.0.0.10, IP Address:127.0.0.1,
- /etc/kubernetes/pki/etcd/peer.crt
- DNS:k8s-master, DNS:localhost, IP Address:10.0.0.10, IP Address:127.0.0.1,
- /etc/kubernetes/pki/etcd/healthcheck-client.crt
- /etc/kubernetes/pki/ca.crt
- /etc/kubernetes/pki/front-proxy-ca.crt
- /etc/kubernetes/pki/apiserver.crt
- DNS:k8s-master, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:lb-vip, IP Address:10.96.0.1, IP Address:10.0.0.10
- /etc/kubernetes/pki/apiserver-kubelet-client.crt
- /etc/kubernetes/pki/front-proxy-client.crt
- /etc/kubernetes/pki/apiserver-etcd-client.crt
七、将配置更新到 configmap 中
这样,以后有升级,或者增加其他 ip 时,也会将配置的 CertSANs 的 ip 保留下来,方便以后删减
kubeadm init phase upload-config kubeadm --config kubeadm.yaml八、检查
- # 检查kubeadm.config配置的ip是否为新节点IP
- kubectl get cm -A|grep kubeadm
- kubectl get cm -A kubeadm-config -o yaml
- #检查所有容器健康状态
- kubectl get pod -A
node节点IP更换,证书会自动重新签发
-
相关阅读:
[附源码]计算机毕业设计游戏交易平台Springboot程序
平行进口美规,加版奔驰S500 S580更换主机,汉化导航,语音交互等功能
cookie
ajaxpro2 外网调用挂起问题
Docker学习
神经网络(十一)卷积运算DLC
java毕业设计商品供应管理系统源码+lw文档+mybatis+系统+mysql数据库+调试
Bootstrap Blazor 实战 Menu 导航菜单使用(1)
智能运维应用之道,告别企业数字化转型危机
Golang 方法使用的注意事项和细节
- 原文地址:https://blog.csdn.net/zfw_666666/article/details/126892220
