奶爸熊大

large picture of the cover

kubeadm 集群 证书管理

# 查看证书到期时间
kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 16, 2022 05:10 UTC   353d                                    no      
apiserver                  Aug 16, 2022 05:10 UTC   353d            ca                      no      
apiserver-kubelet-client   Aug 16, 2022 05:10 UTC   353d            ca                      no      
controller-manager.conf    Aug 16, 2022 05:10 UTC   353d                                    no      
front-proxy-client         Aug 16, 2022 05:10 UTC   353d            front-proxy-ca          no      
scheduler.conf             Aug 16, 2022 05:10 UTC   353d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 14, 2031 05:10 UTC   9y              no      
front-proxy-ca          Aug 14, 2031 05:10 UTC   9y              no 

# 续签证书
kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

# 查看续签证书状态
kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 27, 2022 08:44 UTC   364d                                    no      
apiserver                  Aug 27, 2022 08:44 UTC   364d            ca                      no      
apiserver-kubelet-client   Aug 27, 2022 08:44 UTC   364d            ca                      no      
controller-manager.conf    Aug 27, 2022 08:44 UTC   364d                                    no      
front-proxy-client         Aug 27, 2022 08:44 UTC   364d            front-proxy-ca          no      
scheduler.conf             Aug 27, 2022 08:44 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 14, 2031 05:10 UTC   9y              no      
front-proxy-ca          Aug 14, 2031 05:10 UTC   9y              no

备注:
证书到期时间发生了变化, 不过不是顺延一年, 而是从你执行renew成功的时间开始续签一年。

site logo

Hi,Friend

© 2025 奶爸熊大