Renewing certificates on a Kubernetes cluster installed with kubeadm
Renewal for the kubeadm deployment method
1.1 Back up the original certificates
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak
1.2 Back up the original configuration files
# a glob cannot be used as the destination, so copy each file to <name>-old
for f in /etc/kubernetes/*.conf; do cp -p "$f" "$f-old"; done
1.3 First, check the expiration time of the kubeadm client certificates
kubeadm alpha certs check-expiration
1.4 Update the cluster certificate:
kubeadm alpha certs renew all --config=/root/kubeadm.conf
or
kubeadm alpha certs renew all --config /root/kubeadm.conf
1.5 Replace the old config file
cp -f /etc/kubernetes/admin.conf ~/.kube/config
1.6 Configure kube-controller-manager to issue certificates automatically
[root@k8s-master ~]# vim /etc/kubernetes/manifests/kube-controller-manager.yaml
  - command:
    - kube-controller-manager
    - --experimental-cluster-signing-duration=87600h0m0s # 10 years
    - --feature-gates=RotateKubeletServerCertificate=true
1.7 Restart the kube-controller-manager Pod and the api-server Pod
1.8 Enable kubelet to automatically rotate certificates
By default kubelet certificate rotation is enabled:
Test on a node: first check the validity period of the existing client certificate.
Then restart the kubelet component; it verifies the validity period of the current certificate and automatically renews it from kube-controller-manager.
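The validity check in steps 1.3 and 1.8 can also be done with openssl directly, which works on worker nodes as well. This is an added example, not part of the original page; the function names are hypothetical and the two directories in the usage comments are assumed to be the kubeadm default locations.

```shell
#!/bin/sh
# Added example: report certificate expiry with openssl, independent of kubeadm.
# The directories in the usage lines are assumed kubeadm defaults.

# cert_not_after FILE -> prints the notAfter date of the first certificate in FILE,
# or nothing when FILE holds no certificate.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | cut -d= -f2
}

# expiring_certs DIR DAYS -> prints "FILE<TAB>notAfter" for every certificate
# under DIR that expires within DAYS days (already expired ones included).
# Returns 0 when nothing is due, 1 when at least one certificate is due.
expiring_certs() {
    secs=$(( $2 * 86400 ))
    out=$(find "$1" -type f \( -name '*.crt' -o -name '*.pem' \) | sort |
        while IFS= read -r f; do
            # Skip files without a certificate, for example key-only PEM files.
            end=$(cert_not_after "$f")
            [ -n "$end" ] || continue
            # -checkend exits non-zero when the certificate expires within $secs.
            openssl x509 -noout -checkend "$secs" -in "$f" >/dev/null 2>&1 ||
                printf '%s\t%s\n' "$f" "$end"
        done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage on a control-plane node, then on a worker node (30-day warning window):
#   expiring_certs /etc/kubernetes/pki 30
#   expiring_certs /var/lib/kubelet/pki 30
```

Run it before and after the renewal or the kubelet restart; a certificate that was listed before and is no longer listed afterwards has been reissued.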