
How to fix an expired kubelet certificate

Background

Today I found that the kubelet-client certificate on one node of a production cluster had inexplicably disappeared, leaving the node NotReady. Because the certificate was gone, the controller-manager could not rotate it automatically, so it had to be issued by hand. The kubeconfig had also become invalid, so kubectl no longer worked.

Environment

$ kubernetes: v1.15.3
$ centos: 7.5
$ kernel: 4.14.49
$ cfssl: 1.2.0

Issuing the kubelet certificate

kubelet talks to the api-server over mutual TLS: kubelet verifies the api-server, and the api-server verifies kubelet. The failure here is on the api-server side: when it tries to verify kubelet, kubelet has no certificate to present. So we need to sign a new kubelet-client.crt with the CA that the api-server uses to verify kubelet.

cfssl is used to issue the certificate here.

1. Install cfssl and cfssljson

https://github.com/cloudflare/cfssl/releases

2. Obtain ca.crt and ca.key; they can be copied directly from the api-server host.

3. Create ca-config.json with the following content

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "876000h"
      }
    }
  }
}

4. Create the kubelet-client certificate signing request; write the following to kubelet-client-csr.json. The CN must be system:node:<node name> for this node and O must be system:nodes, since that is the identity the api-server's Node authorizer keys on.

{
  "CN": "system:node:node-1",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [{
    "O": "system:nodes"
  }]
}

5. Generate the certificate

$ cfssl gencert -ca=ca.crt -ca-key=ca.key --config=ca-config.json -profile=kubernetes kubelet-client-csr.json | cfssljson -bare kubelet-client

6. Edit kubelet.conf

Look at the credential file kubelet uses to reach the api-server, kubelet.conf, which lives at /etc/kubernetes/kubelet.conf by default.

Put the generated certificate and key in the matching directory; here that is /var/lib/kubelet/pki/kubelet-client.crt and /var/lib/kubelet/pki/kubelet-client.key. Note that cfssljson -bare kubelet-client writes them as kubelet-client.pem and kubelet-client-key.pem, so copy or rename them accordingly.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded ca.crt, omitted>
    server: https://172.30.13.88:6443
  name: default-cluster
contexts:
- context:
    cluster: default-cluster
    namespace: default
    user: default-auth
  name: default-context
current-context: default-context
kind: Config
preferences: {}
users:
- name: default-auth
  user:
    client-certificate: /var/lib/kubelet/pki/kubelet-client.crt
    client-key: /var/lib/kubelet/pki/kubelet-client.key

7. Restart kubelet

$ systemctl restart kubelet
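A pre-flight check for the certificate produced in step 5 before it is installed in step 6, as an added example that is not part of the original post: it assumes openssl is in PATH and that ca.crt is the CA the api-server uses for client authentication; make_test_pki builds a throwaway CA and two constructed test certificates so the check can be rehearsed without cfssl.

```shell
#!/usr/bin/env sh
# check_kubelet_cert CERT CA NODE: pre-flight check for a freshly signed
# kubelet client certificate (step 5) before it is copied into
# /var/lib/kubelet/pki (step 6). Assumes openssl is in PATH; CA is the
# ca.crt the api-server uses for client auth. Returns 0 only if CERT chains
# to CA, has the subject the Node authorizer expects (CN=system:node:<node>,
# O=system:nodes), allows TLS client auth, and is valid for 30+ more days.
set -eu

check_kubelet_cert() {
  cert=$1; ca=$2; node=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: not signed by $ca" >&2; return 1; }
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
  case "$subj" in
    *"CN=system:node:$node,"* | *"CN=system:node:$node") ;;
    *) echo "$cert: CN does not match node $node ($subj)" >&2; return 1 ;;
  esac
  case "$subj" in
    *"O=system:nodes,"* | *"O=system:nodes") ;;
    *) echo "$cert: O=system:nodes missing ($subj)" >&2; return 1 ;;
  esac
  openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication' \
    || { echo "$cert: no clientAuth extended key usage" >&2; return 1; }
  openssl x509 -in "$cert" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
    || { echo "$cert: expires within 30 days" >&2; return 1; }
}

# make_test_pki DIR NODE: throwaway CA plus a good client cert and a bad one
# (no O=system:nodes), built with plain openssl (constructed test data, not
# the cfssl output from the post) so the check can be rehearsed offline.
make_test_pki() {
  dir=$1; node=$2
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.csr" -subj /CN=kubernetes-ca 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' >"$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -out "$dir/ca.crt" \
    -days 365 -extfile "$dir/ca.ext" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' >"$dir/client.ext"
  for name in good bad; do
    if [ "$name" = good ]; then s="/O=system:nodes/CN=system:node:$node"
    else s="/CN=system:node:$node"; fi
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name-key.pem" \
      -out "$dir/$name.csr" -subj "$s" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -out "$dir/$name.pem" -days 365 -extfile "$dir/client.ext" 2>/dev/null
  done
}
```

On the real cfssl output the call is check_kubelet_cert kubelet-client.pem ca.crt node-1; a non-zero exit names the property the api-server would reject.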

Issuing the kubeconfig certificate

1. Create the kubeconfig certificate signing request; write the following to admin-csr.json. The hosts entries are the cluster master IPs.

{
  "CN": "kubernetes-admin",
  "hosts": [
    "172.16.8.60", "172.16.8.61", "172.16.8.62"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [{
    "C": "CN",
    "O": "system:masters"
  }]
}

2. Generate the certificate

$ cfssl gencert -ca=ca.crt -ca-key=ca.key --config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

3. Edit the kubeconfig: replace the certificate paths in the kubeconfig file with the newly generated certificate and key, or base64-encode the contents of the new certificate and key and substitute them into the kubeconfig file (the client-certificate-data and client-key-data fields).

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded ca.crt, omitted>
    server: https://apiserver.cluster.local:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    # only these two lines need to change
    client-certificate: /path/to/kubeconfig.pem
    client-key: /path/to/kubeconfig-key.pem

