How to renew certificates after one year on a single-master k8s cluster deployed with kubeadm #56

76439984jc opened this issue Mar 17, 2019 · 6 comments
@76439984jc
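
I just had a look and it seems other people have this problem too, but I did see someone say that the renew approach can be used, so I tried it as well:
kubeadm alpha phase all
At first glance it looks like the certificates were extended by a year, but since I'm running 1 master and 3 nodes on VMware, I have no environment to test what needs to be done on the other masters when renewing certificates this way in a high-availability setup.

Also, here is the help output: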
[root@t0 etcd]# kubeadm alpha phase --help
This command is not meant to be run on its own. See list of available subcommands.

[root@t0 etcd]# kubeadm alpha certs renew --help
This command is not meant to be run on its own. See list of available subcommands.

Usage:
kubeadm alpha certs renew [flags]
kubeadm alpha certs renew [command]

Available Commands:
all renew all available certificates
apiserver Generates the certificate for serving the Kubernetes API
apiserver-etcd-client Generates the client apiserver uses to access etcd
apiserver-kubelet-client Generates the Client certificate for the API server to connect to kubelet
etcd-healthcheck-client Generates the client certificate for liveness probes to healtcheck etcd
etcd-peer Generates the credentials for etcd nodes to communicate with each other
etcd-server Generates the certificate for serving etcd
front-proxy-client Generates the client for the front proxy

Flags:
-h, --help help for renew

Global Flags:
--log-file string If non-empty, use this log file
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
-v, --v Level log level for V logs

Use "kubeadm alpha certs renew [command] --help" for more information about a command.

@cookeem
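Owner

cookeem commented Mar 19, 2019

The Kubernetes ca.crt certificate is valid for ten years, while the other certificates are valid for one year; normally, renewing certificates means renewing the certificates other than ca.crt. The renewal process is to first clear the existing certificates, then recreate them and rejoin the nodes to the cluster.

I'll add an introduction to certificate renewal later.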
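
Added example (not part of the original thread or the project's code): a shell check for the validity periods described in the comment above, reporting which certificates in a PKI directory expire within a given number of days. The function names and the sample certificates are constructed for illustration; `/etc/kubernetes/pki` is assumed to be the certificate directory (kubeadm's default), and the `openssl` CLI must be installed.

```shell
#!/bin/sh
# Added example: flag certificates that expire within a threshold.

# cert_status FILE DAYS -> prints OK, EXPIRING or UNREADABLE
cert_status() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo UNREADABLE
    # -checkend exits 0 when the certificate is still valid N seconds from now
    elif openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        echo OK
    else
        echo EXPIRING
    fi
}

# scan_pki DIR DAYS -> one tab-separated line per *.crt: status, notAfter, path
scan_pki() {
    find "$1" -type f -name '*.crt' | sort | while read -r cert; do
        status=$(cert_status "$cert" "$2")
        end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$status" "${end:-unknown}" "$cert"
    done
}

# make_sample_pki DIR -> constructed self-signed certificates standing in for a
# real PKI directory: a 10-year "ca.crt" and a 1-year "apiserver.crt"
make_sample_pki() (
    for pair in ca:3650 apiserver:365; do
        name=${pair%%:*}
        days=${pair##*:}
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=sample-$name" \
            -keyout "$1/$name.key" -out "$1/$name.crt" >/dev/null 2>&1
    done
)

# Demo on constructed data. On a control-plane node, run instead:
#   scan_pki /etc/kubernetes/pki 30     (path assumed: kubeadm's default)
demo_dir=$(mktemp -d)
make_sample_pki "$demo_dir"
scan_pki "$demo_dir" 400   # a 400-day threshold flags the 1-year certificate
rm -rf "$demo_dir"
```

Running the scan on every master of a high-availability cluster shows whether each node's certificates were actually renewed, since each master holds its own copies.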

@76439984jc
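Author

Expert... roughly when will you have time to write up certificate renewal for a high-availability cluster... for version 13... Right now I'm stuck here and don't dare move to a k8s cluster...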

@gzchen008

kubeadm alpha phase certs renew all can be used to renew the certificates.
You can also enable the certificate rotation feature gate.
@cookeem

@cookeem
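Owner

cookeem commented Mar 28, 2019

That is indeed one method, but what I verified on my side is slightly different.
I just finished verifying the v1.14.0 high-availability installation today and will update the documentation next week.
Certificate renewal is also quite different in v1.14.x; it has become simpler.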

@76439984jc
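Author

Then I'll wait for your documentation, bro....
I hope the documentation can cover high availability for version 14.. and then talk about the certificate renewal issue....
Also.. I see you're in Guangzhou too.. I'll treat you to a meal someday.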
@cookeem

@904715872

I see that certificates can be renewed automatically starting from version 1.12; you can take a look. https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
