证书过期问题

查看证书过期时间

kubeadm alpha certs check-expiration

证书过期升级命令

kubeadm alpha certs renew all

日志查看命令

journalctl -xefu kubelet

发现更新证书后，日志还是报错未发现**/etc/kubernetes/bootstrap-kubelet.conf** ，则继续执行如下操作重新生成证书

cd /etc/kubernetes/pki/
mkdir backup
## 一定要mv走
mv {apiserver.crt,apiserver-etcd-client.key,apiserver-kubelet-client.crt,front-proxy-ca.crt,front-proxy-client.crt,front-proxy-client.key,front-proxy-ca.key,apiserver-kubelet-client.key,apiserver.key,apiserver-etcd-client.crt} /etc/kubernetes/pki/backup 
$ kubeadm init --apiserver-advertise-address=当前NodeIP  phase certs all

$ cd /etc/kubernetes/
## 一定要mv走
$ mv {admin.conf,controller-manager.conf,kubelet.conf,scheduler.conf} /etc/kubernetes/backup1 
$ kubeadm init --apiserver-advertise-address=当前NodeIP phase kubeconfig all
$ reboot
$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

还需要将ca.crt拷贝到其它节点

[root@node1 kubernetes]# scp -rp kubelet.conf node2:/etc/kubernetes
[root@node1 pki]# scp -rp pki/ca.crt node2:/etc/kubernetes/pki
$ scp -rp /etc/kubernetes/admin.conf  node2:/root/.kube/config

如发现从节点状态为No Ready，node节点重新绑定节点

# 生成纳管节点命令，记录此命令，后面会在node节点上执行
kubeadm token create --print-join-command
# 重置节点
kubeadm reset
# 对接master，执行上面记录的命令
kubeadm join 192.168.0.183:6443 --token 804ljn.mdw*****m5xr7 --discovery-token-ca-cert-hash sha256:dfe6a54******************48a6ee3134c085529335012ea2f39895261

重启kubelet

systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet.service

微信公众号搜索：程序员Realeo