1. Environment
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.6", GitCommit:"fbf646b339dc52336b55d8ec85c181981b86331a", GitTreeState:"clean", BuildDate:"2020-12-18T12:09:30Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.6", GitCommit:"fbf646b339dc52336b55d8ec85c181981b86331a", GitTreeState:"clean", BuildDate:"2020-12-18T12:01:36Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
[root@k8s-master ~]# docker --version
Docker version 23.0.1, build a5ee5b1
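Single-node k8s
2. Reproducing the problem
When I came back after the 2024 Spring Festival, I found that the server at home had gone down. Normally docker and k8s both start up fine after a restart, but this time they did not. After the restart I checked with docker ps and found that the k8s apiserver had not started.
Next, I used docker ps -a |grep api to find the container ID of the apiserver.
Then I used docker logs <container ID> to look through the logs, and found that the k8s certificates had expired!
Verify whether the certificates have expired:
# Check the expiry time of the API server certificate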
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep 'Not'
# Check the expiry time of the etcd certificate
openssl x509 -in /etc/kubernetes/pki/etcd/healthcheck-client.crt -noout -text |grep ' Not '
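The commands above showed that both had expired, so the reason the components could not start was that the certificates had expired.
3. Fixing the problem
# Renew the certificates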
kubeadm alpha certs renew all
# The following command can be used to check whether the renewal succeeded
kubeadm alpha certs check-expiration
[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 18, 2025 15:07 UTC   364d                                    no
apiserver                  Feb 18, 2025 15:07 UTC   364d            ca                      no
apiserver-etcd-client      Feb 18, 2025 15:07 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Feb 18, 2025 15:07 UTC   364d            ca                      no
controller-manager.conf    Feb 18, 2025 15:07 UTC   364d                                    no
etcd-healthcheck-client    Feb 18, 2025 15:07 UTC   364d            etcd-ca                 no
etcd-peer                  Feb 18, 2025 15:07 UTC   364d            etcd-ca                 no
etcd-server                Feb 18, 2025 15:07 UTC   364d            etcd-ca                 no
front-proxy-client         Feb 18, 2025 15:07 UTC   364d            front-proxy-ca          no
scheduler.conf             Feb 18, 2025 15:07 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 09, 2033 11:29 UTC   8y              no
etcd-ca                 Feb 09, 2033 11:29 UTC   8y              no
front-proxy-ca          Feb 09, 2033 11:29 UTC   8y              no
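Restart the components (reboot the machine with reboot; in my case the apiserver component had not started successfully, so I restarted the whole machine)
After the renewal, the following problem still appeared: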
[root@k8s-master ~]# kubectl get pods
error: You must be logged in to the server (Unauthorized)
Solution:
$ cd ~/.kube
# Archive the old config file containing the out of date certificates
$ mv config conf.archive.2021
# Copy the new configuration file created using kubeadm
$ cp /etc/kubernetes/admin.conf config
# apply permissions to your current admin user and group
$ sudo chown $(id -u):$(id -g) config
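To notice an approaching expiry before the control plane stops, the report printed by kubeadm alpha certs check-expiration can be filtered for entries with little time left. The script below is an added example, not part of the original post; the function names, the 30-day threshold and the sample values are assumptions, and any residual value that is not a number followed by s, m, h, d or y is treated as expired.

```shell
#!/usr/bin/env bash
# Added example: flag kubeadm-managed certificates that are close to expiry,
# based on the text printed by `kubeadm alpha certs check-expiration`.

# Constructed sample in the layout shown above (dates and residuals are made up).
SAMPLE_OUTPUT='[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 18, 2025 15:07 UTC   364d                                    no
apiserver                  Mar 01, 2024 10:00 UTC   12d             ca                      no
etcd-server                Feb 19, 2024 09:00 UTC   5h              etcd-ca                 no
front-proxy-client         Feb 10, 2024 09:00 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 09, 2033 11:29 UTC   8y              no'

# expiring_certs THRESHOLD_DAYS
# Reads the report on stdin and prints "name residual" for every certificate
# or CA whose remaining lifetime is below THRESHOLD_DAYS.
expiring_certs() {
  awk -v limit="$1" '
    # Data rows look like: name Mon DD, YYYY HH:MM UTC residual [ca] managed
    # Header and log lines never have "UTC" as their sixth field.
    $6 == "UTC" {
      r = $7
      n = r + 0
      unit = substr(r, length(r))
      if (r !~ /^[0-9]+[smhdy]$/) days = -1   # not a duration: treat as expired
      else if (unit == "y")       days = n * 365
      else if (unit == "d")       days = n
      else                        days = 0    # only hours, minutes or seconds left
      if (days < limit) print $1, r
    }'
}

# Runs the filter over the constructed sample with a 30-day threshold.
check_sample() {
  printf '%s\n' "$SAMPLE_OUTPUT" | expiring_certs 30
}

# On the master node, for example from a daily cron job:
#   kubeadm alpha certs check-expiration | expiring_certs 30
```

Any line this prints names a certificate to renew before it expires; an empty result means everything has at least the threshold left.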
4. References
Kubernetes kubeadm certificates expired: renewing the certificates