When the cluster was first created, the apiserver certificate may have been issued with only one IP. As the cluster moves toward high availability and stability, master IPs have to be added or a master migrated, and at that point the apiserver certificate needs to be reissued.
Export the kubeadm configuration:
kubectl -n kube-system get configmap kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' > kubeadm-init.yaml
Edit the file and add the master IPs:
apiServer:
  certSANs:
  - 192.168.1.100
  - 192.168.1.101
  - 192.168.1.102
  - 192.168.1.103
  - 192.168.1.104
  - 192.168.1.105
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: 192.168.1.100:6443
controllerManager: {}
dns: {}
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.28.2
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}
After adding the IPs, move the existing certificates aside as a backup: if kubeadm detects that the certificates already exist at their expected paths, it will not create new ones.
mv /etc/kubernetes/pki /etc/kubernetes/pki.bak
Issue the new certificates with kubeadm:
kubeadm init phase certs all --config kubeadm-init.yaml
If there are multiple masters, copy the certificates from this master to the other master nodes, replacing their existing ones:
newmaster=192.168.1.101
scp /etc/kubernetes/pki/ca.* /etc/kubernetes/pki/sa.* /etc/kubernetes/pki/front-proxy-ca.* ${newmaster}:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/etcd/ca.* ${newmaster}:/etc/kubernetes/pki/etcd/
Check the validity period of the new certificates:
kubeadm certs check-expiration
openssl x509 -in /etc/kubernetes/pki/ca.crt -text | grep -E "Before|After"
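Checking the dates alone does not prove the new apiserver certificate actually carries the SANs that were added. The script below is an added example, not part of the original post: it compares the certSANs and controlPlaneEndpoint host from the exported ClusterConfiguration against the subjectAltName of the issued apiserver.crt as printed by `openssl x509 -text`. The sample config and certificate text are constructed, the line-based YAML parsing assumes the block-list form kubeadm emits, and the default paths (kubeadm-init.yaml, /etc/kubernetes/pki/apiserver.crt) are assumptions.

```python
import re
import subprocess
import sys

# Constructed sample of the ClusterConfiguration exported from the kubeadm-config ConfigMap.
SAMPLE_CONFIG = """apiServer:
  certSANs:
  - 192.168.1.100
  - 192.168.1.101
  - 192.168.1.102
controlPlaneEndpoint: 192.168.1.100:6443
"""

# Constructed excerpt of `openssl x509 -noout -text` output for a freshly issued apiserver.crt.
SAMPLE_CERT_TEXT = """        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, IP Address:10.96.0.1, IP Address:192.168.1.100, IP Address:192.168.1.101
"""

def expected_sans(config_text):
    """Collect the certSANs entries plus the controlPlaneEndpoint host from the config.
    Assumes the block-list form kubeadm emits (one '- value' per line under certSANs)."""
    sans, in_list = set(), False
    for line in config_text.splitlines():
        if line.strip() == "certSANs:":
            in_list = True
            continue
        if in_list:
            m = re.match(r"\s*-\s*(\S+)", line)
            if m:
                sans.add(m.group(1))
                continue
            in_list = False          # first non-list line ends the certSANs block
        m = re.match(r"controlPlaneEndpoint:\s*([^:\s]+)", line)
        if m:
            sans.add(m.group(1))     # host part only, port stripped
    return sans

def cert_sans(openssl_text):
    """Parse the subjectAltName line of `openssl x509 -text` output into a set of names/IPs."""
    m = re.search(r"Subject Alternative Name:\s*([^\n]+)", openssl_text)
    if not m:
        return set()
    return {entry.split(":", 1)[1].strip() for entry in m.group(1).split(",")}

def missing_sans(config_text, openssl_text):
    """Return the SANs the config asks for that the issued certificate does not carry."""
    return expected_sans(config_text) - cert_sans(openssl_text)

if __name__ == "__main__":
    cfg = open(sys.argv[1] if len(sys.argv) > 1 else "kubeadm-init.yaml").read()
    out = subprocess.run(["openssl", "x509", "-in", "/etc/kubernetes/pki/apiserver.crt", "-noout", "-text"],
                         capture_output=True, text=True, check=True).stdout
    missing = missing_sans(cfg, out)
    print("all SANs present" if not missing else "missing SANs: " + ", ".join(sorted(missing)))
    sys.exit(1 if missing else 0)
```

Run it on the master after `kubeadm init phase certs all`; a non-zero exit means the certificate was issued from a config that did not contain every IP you intended to add.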
If everything looks fine, restart all the control-plane components on the master (etcd, kube-apiserver, kube-controller-manager, kube-scheduler) by moving the static pod manifests out and back in:
mkdir /tmp/kubernetes
mv /etc/kubernetes/manifests/*.yaml /tmp/kubernetes/ && sleep 5 && mv /tmp/kubernetes/*.yaml /etc/kubernetes/manifests/
Update the contents of the kubeadm-config ConfigMap:
kubeadm init phase upload-config kubeadm --config kubeadm-init.yaml
Check the updated ConfigMap:
kubectl -n kube-system get configmap kubeadm-config -o yaml
Restart the components on the other masters in the same way.