Answer the following question:
What is the recommended way to automatically renew all control-plane certificates without upgrading the control plane?
According to the k8s docs and best practices, the best practice is to use "automatic certificate renewal" as part of control-plane upgrades:
Automatic certificate renewal
This feature is designed for addressing the simplest use cases; if you don't have specific requirements on certificate renewal and perform Kubernetes version upgrades regularly (less than 1 year in between each upgrade), kubeadm will take care of keeping your cluster up to date and reasonably secure.
Note: It is a best practice to upgrade your cluster frequently in order to stay secure.
-- Kubernetes.io: Administer cluster: Kubeadm certs: Automatic certificate renewal
Why this is the recommended way:
From a best-practices standpoint, you should upgrade your control-plane to patch vulnerabilities, add features and run a currently supported version.
Each control-plane upgrade renews the certificates, as stated in the help output (default true):
$ kubeadm upgrade apply --help
--certificate-renewal Perform the renewal of certificates used by component changed during upgrades. (default true)
You can also check the expiration of your control-plane certificates by running:
$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 30, 2022 13:36 UTC   364d                                    no
apiserver                  May 30, 2022 13:36 UTC   364d            ca                      no
apiserver-etcd-client      May 30, 2022 13:36 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   May 30, 2022 13:36 UTC   364d            ca                      no
controller-manager.conf    May 30, 2022 13:36 UTC   364d                                    no
etcd-healthcheck-client    May 30, 2022 13:36 UTC   364d            etcd-ca                 no
etcd-peer                  May 30, 2022 13:36 UTC   364d            etcd-ca                 no
etcd-server                May 30, 2022 13:36 UTC   364d            etcd-ca                 no
front-proxy-client         May 30, 2022 13:36 UTC   364d            front-proxy-ca          no
scheduler.conf             May 30, 2022 13:36 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 28, 2031 13:36 UTC   9y              no
etcd-ca                 May 28, 2031 13:36 UTC   9y              no
front-proxy-ca          May 28, 2031 13:36 UTC   9y              no
A side note!
kubelet.conf is not included in the list above because kubeadm configures kubelet for automatic certificate renewal.
As can be seen in the defaults:
There are also other features that allow you to rotate the certificates in a "semi-automatic" way.
You can choose to renew the certificates manually:
You can renew the specified (or all) certificates automatically (with a command):
$ kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
Look specifically at this part of the output:
You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
As stated earlier, you will need to restart the control-plane components for them to use the new certificates, but remember:
- $ kubectl delete pod -n kube-system kube-scheduler-ubuntu will not work.
  You will need to restart the Docker container responsible for that component:
  $ docker ps | grep -i "scheduler"
  8c361562701b   38f903b54010             "kube-scheduler --au…"   11 minutes ago      Up 11 minutes      k8s_kube-scheduler_kube-scheduler-ubuntu_kube-system_dbb97c1c9c802fa7cf2ad7d07938bae9_5
  b709e8fb5e6c   k8s.gcr.io/pause:3.4.1   "/pause"                 About an hour ago   Up About an hour   k8s_POD_kube-scheduler-ubuntu_kube-system_dbb97c1c9c802fa7cf2ad7d07938bae9_0
- $ docker restart 8c361562701b (example)
As shown in the link below, kubelet can renew its certificates automatically (kubeadm configures the cluster in a way that enables this option):
Depending on the version used in your environment, this feature can be disabled. Currently, in the newest k8s versions managed by kubeadm, this option is enabled by default as far as I know.
Please remember to read the "Urgent Upgrade Notes" specific to your k8s version before starting any kubernetes node/control-plane update/upgrade (example):
Defining an automatic way to rotate the certificates could go either way, but you can use the commands already mentioned to automate this process. You would need to create a script (which you already have) that would be placed in cron and triggered after some time to renew them.
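As an added example that is not part of the original answer, a cron-able script of the kind the last paragraph describes: it parses `kubeadm certs check-expiration`, runs `kubeadm certs renew all` when any certificate is within a threshold, and restarts the component containers with docker (as the answer shows) instead of deleting pods. The `THRESHOLD_DAYS` variable, the `--run` flag and the embedded sample check-expiration output are constructed for this example; a Docker runtime and root on a control-plane node are assumed for the real run.

```shell
#!/bin/sh
# Added example (not the original answer's code): renew kubeadm control-plane
# certificates from cron when any of them is close to expiry, then restart the
# static-pod containers, since `kubectl delete pod` does not restart static pods.
THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"

# Print the names of certificates whose RESIDUAL TIME is below $1 days.
# Reads `kubeadm certs check-expiration` output on stdin; the residual column
# is the 7th whitespace-separated field because EXPIRES spans five fields.
certs_expiring_within() {
  awk -v t="$1" '
    /^\[/ || $1 == "CERTIFICATE" { next }          # skip log lines and headers
    NF >= 7 {
      r = $7
      if (r == "<invalid>")  d = 0                   # already expired
      else if (r ~ /y$/)     d = substr(r, 1, length(r) - 1) * 365
      else if (r ~ /d$/)     d = substr(r, 1, length(r) - 1)
      else                   d = 0                   # only hours or minutes left
      if (d + 0 < t + 0) print $1
    }'
}
# Renew every certificate and restart the containers that use them (k8s_<component>_...).
renew_and_restart() {
  kubeadm certs renew all || return 1
  for c in kube-apiserver kube-controller-manager kube-scheduler etcd; do
    for id in $(docker ps -q --filter "name=k8s_${c}_"); do
      docker restart "$id"
    done
  done
}
# Constructed sample (not real cluster output) so the parser can be exercised offline.
SAMPLE_OUTPUT='[check-expiration] Reading configuration from the cluster...
CERTIFICATE    EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf     May 30, 2022 13:36 UTC   364d                                    no
apiserver      Jun 11, 2021 13:36 UTC   12d             ca                      no
etcd-peer      May 31, 2021 18:00 UTC   5h              etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 28, 2031 13:36 UTC   9y              no'
sample_expiring() { printf '%s\n' "$SAMPLE_OUTPUT" | certs_expiring_within "$1"; }

main() {
  expiring=$(kubeadm certs check-expiration | certs_expiring_within "$THRESHOLD_DAYS")
  [ -z "$expiring" ] && return 0                     # nothing close to expiry
  echo "Renewing, certificates below ${THRESHOLD_DAYS}d: $expiring"
  renew_and_restart
}
if [ "${1:-}" = "--run" ]; then main; fi            # e.g. from cron: ./renew.sh --run
```

Run `sample_expiring 30` to see which sample certificates would trigger a renewal without touching a cluster.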