kubeadm 部署的 k8s 增加 ip 并重新生成证书


备份 kubernetes 目录

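# Back up the whole kubeadm directory before touching any certificate.
# -a (archive) keeps mode, ownership and timestamps, so the private keys in
# the copy stay as restrictive as the originals; plain -r re-creates the
# files under the current umask and owner.
# The copy holds the cluster CA private keys: keep it root-only and delete it
# once the new certificates are confirmed to work.
# If /etc/kubernetes-bak already exists, cp nests the copy inside it, so
# check for an older backup first.
cp -a /etc/kubernetes /etc/kubernetes-bak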

查看证书内的 ip

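# Print each certificate under the kubeadm PKI directory followed by its
# Subject Alternative Name line, to see which names and IPs it covers.
# find -print0 with a NUL-delimited read keeps every path intact instead of
# word-splitting the output of find; -noout drops the PEM dump that grep
# would discard anyway. Matching 'IP Address:' as well means a certificate
# whose SANs are IPs only is still listed.
while IFS= read -r -d '' crt; do
  printf '%s\n' "$crt"
  openssl x509 -in "$crt" -noout -text | grep -E 'DNS:|IP Address:'
done < <(find /etc/kubernetes/pki -type f -name '*.crt' -print0)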
 ⚡ root@master  ~  for i in $(find /etc/kubernetes/pki -type f -name "*.crt");do echo ${i} && openssl x509 -in ${i} -text | grep 'DNS:';done
/etc/kubernetes/pki/apiserver.crt
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:master, IP Address:10.96.0.1, IP Address:192.168.1.12, IP Address:127.0.0.1, IP Address:125.124.18.108
/etc/kubernetes/pki/etcd/healthcheck-client.crt
/etc/kubernetes/pki/etcd/peer.crt
                DNS:localhost, DNS:master, IP Address:192.168.1.12, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
/etc/kubernetes/pki/etcd/server.crt
                DNS:localhost, DNS:master, IP Address:192.168.1.12, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
/etc/kubernetes/pki/etcd/ca.crt
/etc/kubernetes/pki/apiserver-etcd-client.crt
/etc/kubernetes/pki/apiserver-kubelet-client.crt
/etc/kubernetes/pki/front-proxy-client.crt
/etc/kubernetes/pki/ca.crt
/etc/kubernetes/pki/front-proxy-ca.crt

导出集群配置,然后手动在 apiServer.certSANs 下加入要新增的 IP(下面的输出为修改后的文件)

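# Export the ClusterConfiguration the cluster was initialised with.
# NOTE(review): `kubeadm config view` is available on the v1.20.0 cluster
# shown on this page; later kubeadm releases are understood to have dropped
# it in favour of reading the kubeadm-config ConfigMap — confirm for your
# version.
kubeadm config view > /root/kubeadm.yaml

# Edit /root/kubeadm.yaml now: add the extra IPs/hostnames under
# apiServer.certSANs. The same absolute path is used for reading back so the
# step does not depend on the current directory.
cat /root/kubeadm.yaml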
 ⚡ root@master  ~  cat kubeadm.yaml 
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
  # Extra Subject Alternative Names for the API server serving certificate.
  # Only the additions go here; the certificate dump on this page shows the
  # service names, service IP and node name present as well, which are not
  # listed in this file.
  certSANs:
  - localhost
  - 127.0.0.1
  # Newly added external (public) IP.
  # NOTE(review): a public address in the SAN list implies the API server is
  # meant to be reached from outside; limit access to the API server port to
  # known client networks at the firewall — confirm this is in place.
  - 125.124.18.108
  - 192.168.1.12
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.20.0
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}

删除原有证书

# Delete the leaf certificates and keys that are going to be reissued.
# Run this only after the backup copy of /etc/kubernetes exists.
# The CA files (ca.crt, front-proxy-ca.crt, etcd/ca.crt) are not matched by
# these globs and are left in place, so the new certificates can be signed by
# the same CAs.
# apiserver* is broader than apiserver.crt/.key: it also matches the
# apiserver-etcd-client and apiserver-kubelet-client client certificates.
rm -rf /etc/kubernetes/pki/{apiserver*,front-proxy-client*}
# etcd leaf certificates: health-check client, peer and server.
rm -rf /etc/kubernetes/pki/etcd/{healthcheck*,peer*,server*}

重新生成证书

# Recreate the certificates removed in the previous step, using the edited
# config so the API server certificate carries the new certSANs.
# NOTE(review): kubeadm is expected to reuse the CA files still on disk and
# only issue what is missing — confirm in the command output.
# NOTE(review): running control-plane components may keep serving the old
# certificate until their static pods are restarted — verify with the
# certificate check that follows and by connecting to the new IP.
kubeadm init phase certs all --config /root/kubeadm.yaml

验证

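# Verification: print each certificate under the kubeadm PKI directory
# followed by its Subject Alternative Name line and check that the new IP is
# present on apiserver.crt.
# find -print0 with a NUL-delimited read keeps every path intact instead of
# word-splitting the output of find; -noout drops the PEM dump that grep
# would discard anyway. Matching 'IP Address:' as well means a certificate
# whose SANs are IPs only is still listed.
while IFS= read -r -d '' crt; do
  printf '%s\n' "$crt"
  openssl x509 -in "$crt" -noout -text | grep -E 'DNS:|IP Address:'
done < <(find /etc/kubernetes/pki -type f -name '*.crt' -print0)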

将配置更新到 configmap 中

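# Store the edited ClusterConfiguration back in the cluster so that later
# kubeadm operations see the same certSANs.
# The absolute path matches the file written and used by the earlier steps;
# a bare "kubeadm.yaml" only resolves when the command is run from /root.
kubeadm init phase upload-config kubeadm --config /root/kubeadm.yaml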

更新 controller-manager kubeconfig 文件

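# Regenerate the controller-manager kubeconfig.
# The original line ended in "> cd /etc/kubernetes/controller-manager.conf",
# which writes the kubeconfig (client key included) to a file named "cd" in
# the current directory and passes the real path to kubeadm as a stray
# argument. A redirection after sudo is also opened by the calling shell, not
# by root. The whole pipeline therefore runs inside one root shell:
#   - umask 077 and mktemp keep the credential file owner-only,
#   - output goes to a temporary file first, so a failed kubeadm run does not
#     truncate the existing kubeconfig,
#   - the file is moved into place only on success.
sudo sh -c '
  umask 077
  conf=/etc/kubernetes/controller-manager.conf
  tmp=$(mktemp "${conf}.XXXXXX") || exit 1
  if kubeadm alpha kubeconfig user \
      --org system:kube-controller-manager \
      --client-name system:kube-controller-manager > "$tmp"; then
    mv -- "$tmp" "$conf"
  else
    rm -f -- "$tmp"
    exit 1
  fi
'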

更新 scheduler kubeconfig 文件

# Run the kubeadm phase that writes the scheduler kubeconfig.
# NOTE(review): kubeadm is understood to keep an existing kubeconfig that is
# still valid rather than overwrite it, so this may report the file as reused
# — check the command output.
sudo kubeadm init phase kubeconfig scheduler