kubeadm部署的1master k8s集群1年后的证书刷新方法 #56
Comments
|
kubernetes的ca.crt证书是十年的,其他的证书是一年有效期,一般更新证书是更新ca.crt之外的其他证书。证书更新过程先清掉原有证书,再重新创建并把节点重新加入集群。 后续我补上证书更新的介绍吧。 |
|
大神...大概什么时候有时间出下高可用集群的证书更新介绍...13版的..现在我就卡这不敢上k8s集群... |
|
kubeadm alpha phase certs renew all 可以实现证书续订。 |
|
的确这是一个方法,不过我这边验证的略有不同。 |
|
那哥我就等你文档了.... |
|
大佬 我看从1.12版本证书就可以自动续订了,您可以看一下。https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
我刚看了一下其他人都好像有这个问题,不过还是看见有人数可以用renew的办法,我也尝试了一下
kubeadm alpha phase all
初步看好像是续期了一年的样子,但由于我是vmware的1master 3node的。。没有环境测试高可用情况下这样renew证书的话,其他master要怎么操作。
另外贴一下下面的help信息
[root@t0 etcd]# kubeadm alpha phase --help
This command is not meant to be run on its own. See list of available subcommands.
[root@t0 etcd]# kubeadm alpha certs renew --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha certs renew [flags]
kubeadm alpha certs renew [command]
Available Commands:
all renew all available certificates
apiserver Generates the certificate for serving the Kubernetes API
apiserver-etcd-client Generates the client apiserver uses to access etcd
apiserver-kubelet-client Generates the Client certificate for the API server to connect to kubelet
etcd-healthcheck-client Generates the client certificate for liveness probes to healtcheck etcd
etcd-peer Generates the credentials for etcd nodes to communicate with each other
etcd-server Generates the certificate for serving etcd
front-proxy-client Generates the client for the front proxy
Flags:
-h, --help help for renew
Global Flags:
--log-file string If non-empty, use this log file
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
-v, --v Level log level for V logs
Use "kubeadm alpha certs renew [command] --help" for more information about a command.
The text was updated successfully, but these errors were encountered: