How to refresh certificates after one year on a kubeadm-deployed 1-master k8s cluster #56
Comments
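Kubernetes' ca.crt certificate is valid for ten years, while the other certificates are valid for one year; renewing certificates generally means renewing the certificates other than ca.crt. The renewal process first clears out the existing certificates, then re-creates them and rejoins the nodes to the cluster. I'll add a write-up on certificate renewal later.
Master... roughly when will you have time to put out a guide on certificate renewal for a high-availability cluster... the version 13 one... Right now I'm stuck on this and don't dare move to a k8s cluster...
kubeadm alpha phase certs renew all can be used to renew the certificates.
That is indeed one method, but what I have verified on my side is slightly different.
Then I'll just wait for your documentation, bro....
Boss, I see that certificates can be renewed automatically starting from version 1.12; you can take a look. https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
I just had a look and it seems everyone else has this problem too, but I still saw some people say the renew approach works, so I tried it as well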
kubeadm alpha phase all
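At first glance it looks like it was renewed for a year, but since mine is 1 master and 3 nodes on VMware... I have no environment to test how the other masters should be handled if certificates are renewed this way in a high-availability setup.
Also, pasting the help output below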
[root@t0 etcd]# kubeadm alpha phase --help
This command is not meant to be run on its own. See list of available subcommands.
[root@t0 etcd]# kubeadm alpha certs renew --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha certs renew [flags]
kubeadm alpha certs renew [command]
Available Commands:
all renew all available certificates
apiserver Generates the certificate for serving the Kubernetes API
apiserver-etcd-client Generates the client apiserver uses to access etcd
apiserver-kubelet-client Generates the Client certificate for the API server to connect to kubelet
etcd-healthcheck-client Generates the client certificate for liveness probes to healtcheck etcd
etcd-peer Generates the credentials for etcd nodes to communicate with each other
etcd-server Generates the certificate for serving etcd
front-proxy-client Generates the client for the front proxy
Flags:
-h, --help help for renew
Global Flags:
--log-file string If non-empty, use this log file
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
-v, --v Level log level for V logs
Use "kubeadm alpha certs renew [command] --help" for more information about a command.
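
To confirm what a renewal actually changed, it helps to list each certificate's expiry before and after running it. The script below is an added example, not part of the thread and not kubeadm's own tooling; it assumes `openssl` is installed, and the function names, the script name and the sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report notAfter for every certificate
# under a kubeadm PKI directory and flag those inside a renewal window.

# cert_expiry_report DIR [WARN_DAYS]
# Prints "STATUS<TAB>notAfter<TAB>path" per *.crt file. Returns 1 when any
# certificate expires within WARN_DAYS (default 30) or none are found.
cert_expiry_report() {
  local dir warn_days rc list crt end status
  dir=$1
  warn_days=${2:-30}
  rc=0
  # Word-splits on whitespace; fine for the fixed file names kubeadm writes.
  list=$(find "$dir" -type f -name '*.crt' | sort)
  [ -n "$list" ] || { echo "no certificates under $dir" >&2; return 1; }
  for crt in $list; do
    end=$(openssl x509 -in "$crt" -noout -enddate | cut -d= -f2)
    # -checkend exits non-zero if the certificate expires within N seconds.
    if openssl x509 -in "$crt" -noout -checkend $((warn_days * 86400)) >/dev/null; then
      status=OK
    else
      status=RENEW
      rc=1
    fi
    printf '%s\t%s\t%s\n' "$status" "$end" "${crt#"$dir"/}"
  done
  return $rc
}

# make_sample_pki DIR: constructed self-signed test certificates, not real
# cluster material. Lifetimes mirror the thread: 10-year ca.crt, 1-year
# apiserver.crt, plus an etcd/server.crt with only 10 days left.
make_sample_pki() {
  local spec
  mkdir -p "$1/etcd"
  for spec in ca:3650 apiserver:365 etcd/server:10; do
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-sample" \
      -days "${spec##*:}" -keyout "$1/sample.key" \
      -out "$1/${spec%%:*}.crt" 2>/dev/null || return 1
  done
  rm -f "$1/sample.key"
}

# Usage: sh cert_expiry.sh /etc/kubernetes/pki 30
# (/etc/kubernetes/pki is the kubeadm default; the script name is hypothetical.)
if [ "$#" -gt 0 ]; then
  cert_expiry_report "$@"
fi
```

Run on every master, a non-zero exit status means at least one certificate on that node is still inside the warning window.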