k8s证书替换方法

0.前言 今天早上收到监控告警，k8s集群证书快要过期了，于是赶紧更新了下证书，顺便记录一下更新证书的过程。

1.查看证书过期时间

方法一：通过kubeadm命令，命令详情如下

kubeadm certs check-expiration

输出信息如下：

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 02, 2025 05:53 UTC   2d              ca                      no
apiserver                  Apr 02, 2025 05:53 UTC   2d              ca                      no
apiserver-etcd-client      Apr 02, 2025 05:53 UTC   2d              etcd-ca                 no
apiserver-kubelet-client   Apr 02, 2025 05:53 UTC   2d              ca                      no
controller-manager.conf    Apr 02, 2025 05:53 UTC   2d              ca                      no
etcd-healthcheck-client    Apr 02, 2025 05:53 UTC   2d              etcd-ca                 no
etcd-peer                  Apr 02, 2025 05:53 UTC   2d              etcd-ca                 no
etcd-server                Apr 02, 2025 05:53 UTC   2d              etcd-ca                 no
front-proxy-client         Apr 02, 2025 05:53 UTC   2d              front-proxy-ca          no
scheduler.conf             Apr 02, 2025 05:53 UTC   2d              ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 13, 2032 08:32 UTC   7y              no
etcd-ca                 Sep 13, 2032 08:32 UTC   7y              no
front-proxy-ca          Sep 13, 2032 08:32 UTC   7y              no

可以看到关于证书文件的信息输出非常详细。

方法二：openssl查看证书文件

openssl x509 -enddate -noout -in /etc/kubernetes/pki/apiserver.crt

输出信息如下：

notAfter=Apr  2 05:53:21 2025 GMT

通常k8s证书文件目录为/etc/kubernetes/pki，基于该命令只是打印出证书过期时间。

2.更新证书

k8s证书更新其实非常简单，一条命令就可以了，命令详情如下：

kubeadm certs renew all

输出信息如下：

[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

3.重启k8s组件容器

更新完证书之后，需要重启k8s核心组件的容器，命令如下：

docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart

输出信息如下：

8d6cdd04fe39
3adb09ad87d2
c9189158f4b3
2b3daafcbc59

重启的k8s组件有：apiserver，kube-controller-manager，kube-scheduler，etcd

4.再次检查证书信息

我们重新检查下证书到期时间，命令如下：

openssl x509 -enddate -noout -in /etc/kubernetes/pki/apiserver.crt

输出信息如下：

notAfter=Mar 31 01:39:13 2026 GMT

可以看到证书过期时间来到了2026年，到此证书更新完成。

5.结语

可以看到证书更新还是非常简单的，但为避免出现异常情况，强烈建议更新证书前，先备份一下老版本证书，直接备份证书目录即可。