需求:如何将现有 Kubernetes 集群的证书有效期延长至 10 年?
证书更新标准流程
1、查看证书有效期

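# Show the API server certificate's validity window (the "Not Before" /
# "Not After" lines of the openssl text dump).
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Not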
2、更新证书
操作过程
root@K8S-Master-1:~# git clone https://github.com/yuyicai/update-kube-cert.git
Cloning into 'update-kube-cert'...
remote: Enumerating objects: 195, done.
remote: Counting objects: 100% (28/28), done.
remote: Compressing objects: 100% (26/26), done.
remote: Total 195 (delta 2), reused 2 (delta 2), pack-reused 167 (from 2)
Receiving objects: 100% (195/195), 86.99 KiB | 503.00 KiB/s, done.
Resolving deltas: 100% (93/93), done.
root@K8S-Master-1:~# cd update-kube-cert/
root@K8S-Master-1:~/update-kube-cert# ls
LICENSE other.md other-zh_CN.md README.md update-kubeadm-cert.sh
root@K8S-Master-1:~/update-kube-cert# chmod 755 update-kubeadm-cert.sh
root@K8S-Master-1:~/update-kube-cert# ./update-kubeadm-cert.sh all
[2025-05-19T18:35:22.64+0800] [INFO] checking if all certificate files are existed...
[2025-05-19T18:35:22.64+0800] [INFO] found file: /etc/kubernetes/pki/etcd/ca.crt
[2025-05-19T18:35:22.64+0800] [INFO] found file: /etc/kubernetes/pki/etcd/ca.key
[2025-05-19T18:35:22.64+0800] [INFO] found file: /etc/kubernetes/pki/etcd/server.crt
[2025-05-19T18:35:22.64+0800] [INFO] found file: /etc/kubernetes/pki/etcd/server.key
[2025-05-19T18:35:22.65+0800] [INFO] found file: /etc/kubernetes/pki/etcd/peer.crt
[2025-05-19T18:35:22.65+0800] [INFO] found file: /etc/kubernetes/pki/etcd/peer.key
[2025-05-19T18:35:22.65+0800] [INFO] found file: /etc/kubernetes/pki/etcd/healthcheck-client.crt
[2025-05-19T18:35:22.65+0800] [INFO] found file: /etc/kubernetes/pki/etcd/healthcheck-client.key
[2025-05-19T18:35:22.65+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-etcd-client.crt
[2025-05-19T18:35:22.65+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-etcd-client.key
[2025-05-19T18:35:22.65+0800] [INFO] found file: /etc/kubernetes/controller-manager.conf
[2025-05-19T18:35:22.66+0800] [INFO] found file: /etc/kubernetes/scheduler.conf
[2025-05-19T18:35:22.66+0800] [INFO] found file: /etc/kubernetes/admin.conf
[2025-05-19T18:35:22.66+0800] [INFO] found file: /etc/kubernetes/super-admin.conf
[2025-05-19T18:35:22.66+0800] [INFO] found file: /etc/kubernetes/pki/ca.crt
[2025-05-19T18:35:22.66+0800] [INFO] found file: /etc/kubernetes/pki/ca.key
[2025-05-19T18:35:22.66+0800] [INFO] found file: /etc/kubernetes/pki/apiserver.crt
[2025-05-19T18:35:22.67+0800] [INFO] found file: /etc/kubernetes/pki/apiserver.key
[2025-05-19T18:35:22.67+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-kubelet-client.crt
[2025-05-19T18:35:22.67+0800] [INFO] found file: /etc/kubernetes/pki/apiserver-kubelet-client.key
[2025-05-19T18:35:22.67+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-ca.crt
[2025-05-19T18:35:22.67+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-ca.key
[2025-05-19T18:35:22.68+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-client.crt
[2025-05-19T18:35:22.68+0800] [INFO] found file: /etc/kubernetes/pki/front-proxy-client.key
[2025-05-19T18:35:22.68+0800] [INFO] found file: /etc/kubernetes/controller-manager.conf
[2025-05-19T18:35:22.68+0800] [INFO] found file: /etc/kubernetes/scheduler.conf
[2025-05-19T18:35:22.68+0800] [INFO] found file: /etc/kubernetes/admin.conf
[2025-05-19T18:35:22.68+0800] [INFO] found file: /etc/kubernetes/super-admin.conf
[2025-05-19T18:35:22.68+0800] [INFO] all certificate files are existed
[2025-05-19T18:35:22.69+0800] [INFO] backup /etc/kubernetes to /etc/kubernetes.old-2025-05-19_18-35-22
[2025-05-19T18:35:22.69+0800] [INFO] checking certificate expiration before update...
|-----------------------------------|----------------------------|
| CERTIFICATE | EXPIRES |
| ca.crt | Mar 18 09:45:11 2035 GMT |
| apiserver.crt | Mar 20 09:45:11 2026 GMT |
| apiserver-kubelet-client.crt | Mar 20 09:45:12 2026 GMT |
| front-proxy-ca.crt | Mar 18 09:45:12 2035 GMT |
| front-proxy-client.crt | Mar 20 09:45:12 2026 GMT |
|-----------------------------------|----------------------------|
| controller-manager.conf | Mar 20 09:45:14 2026 GMT |
| scheduler.conf | Mar 20 09:45:14 2026 GMT |
| admin.conf | Mar 20 09:45:14 2026 GMT |
| super-admin.conf | Mar 20 09:45:14 2026 GMT |
|-----------------------------------|----------------------------|
| etcd/ca.crt | Mar 18 09:45:12 2035 GMT |
| etcd/server.crt | Mar 20 09:45:13 2026 GMT |
| etcd/peer.crt | Mar 20 09:45:13 2026 GMT |
| etcd/healthcheck-client.crt | Mar 20 09:45:13 2026 GMT |
| apiserver-etcd-client.crt | Mar 20 09:45:13 2026 GMT |
|-----------------------------------|----------------------------|
[2025-05-19T18:35:23.34+0800] [INFO] updating certificates with 3650 days expiration...
[2025-05-19T18:35:23.49+0800] [INFO] updated /etc/kubernetes/pki/etcd/server.crt
[2025-05-19T18:35:23.64+0800] [INFO] updated /etc/kubernetes/pki/etcd/peer.crt
[2025-05-19T18:35:23.75+0800] [INFO] updated /etc/kubernetes/pki/etcd/healthcheck-client.crt
[2025-05-19T18:35:23.86+0800] [INFO] updated /etc/kubernetes/pki/apiserver-etcd-client.crt
[2025-05-19T18:35:24.05+0800] [INFO] restarted etcd
[2025-05-19T18:35:24.21+0800] [INFO] updated /etc/kubernetes/pki/apiserver.crt
[2025-05-19T18:35:24.31+0800] [INFO] updated /etc/kubernetes/pki/apiserver-kubelet-client.crt
[2025-05-19T18:35:24.43+0800] [INFO] updated /etc/kubernetes/controller-manager.conf
[2025-05-19T18:35:24.56+0800] [INFO] updated /etc/kubernetes/scheduler.conf
[2025-05-19T18:35:24.67+0800] [INFO] updated /etc/kubernetes/admin.conf
[2025-05-19T18:35:24.81+0800] [INFO] updated /etc/kubernetes/super-admin.conf
[2025-05-19T18:35:24.95+0800] [INFO] updated /etc/kubernetes/pki/front-proxy-client.crt
[2025-05-19T18:35:25.30+0800] [INFO] restarted control-plane pod: apiserver
[2025-05-19T18:35:25.54+0800] [INFO] restarted control-plane pod: controller-manager
[2025-05-19T18:35:25.77+0800] [INFO] restarted control-plane pod: scheduler
[2025-05-19T18:35:25.82+0800] [INFO] restarted kubelet
[2025-05-19T18:35:25.82+0800] [INFO] checking certificate expiration after update...
|-----------------------------------|----------------------------|
| CERTIFICATE | EXPIRES |
| ca.crt | Mar 18 09:45:11 2035 GMT |
| apiserver.crt | May 17 10:35:24 2035 GMT |
| apiserver-kubelet-client.crt | May 17 10:35:24 2035 GMT |
| front-proxy-ca.crt | Mar 18 09:45:12 2035 GMT |
| front-proxy-client.crt | May 17 10:35:24 2035 GMT |
|-----------------------------------|----------------------------|
| controller-manager.conf | May 17 10:35:24 2035 GMT |
| scheduler.conf | May 17 10:35:24 2035 GMT |
| admin.conf | May 17 10:35:24 2035 GMT |
| super-admin.conf | May 17 10:35:24 2035 GMT |
|-----------------------------------|----------------------------|
| etcd/ca.crt | Mar 18 09:45:12 2035 GMT |
| etcd/server.crt | May 17 10:35:23 2035 GMT |
| etcd/peer.crt | May 17 10:35:23 2035 GMT |
| etcd/healthcheck-client.crt | May 17 10:35:23 2035 GMT |
| apiserver-etcd-client.crt | May 17 10:35:23 2035 GMT |
|-----------------------------------|----------------------------|
[2025-05-19T18:35:26.82+0800] [INFO] DONE!!!
enjoy it
please copy admin.conf to /root/.kube/config manually.
# back old config
cp /root/.kube/config /root/.kube/config_backup
# copy new admin.conf to /root/.kube/config for kubectl manually
cp -i /etc/kubernetes/admin.conf /root/.kube/config
root@K8S-Master-1:~/update-kube-cert# cp -i /etc/kubernetes/admin.conf /root/.kube/config
cp: overwrite '/root/.kube/config'? y
root@K8S-Master-1:~/update-kube-cert#
再次查看证书有效期

操作命令
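# Renew the kubeadm-issued certificates with the community update-kube-cert
# script (compatible with kubeadm clusters).
# The script is executed as root on a control-plane node and works on the PKI
# under /etc/kubernetes, so read update-kubeadm-cert.sh before running it and
# run the revision you reviewed rather than whatever the default branch holds:
#   git checkout <REVIEWED_COMMIT_SHA>   # placeholder, not a real commit id
git clone https://github.com/yuyicai/update-kube-cert.git
cd update-kube-cert
chmod 755 update-kubeadm-cert.sh
./update-kubeadm-cert.sh all

# The script logs a backup of /etc/kubernetes to /etc/kubernetes.old-<timestamp>.
# That copy holds the same private keys as the live directory: keep it
# root-only and remove it once the cluster is confirmed healthy.
# Kubernetes cannot revoke client certificates, so a leaked 10-year admin.conf
# stays usable until it expires; restrict who can read it and its copies.

# Check the certificate validity period again.
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Not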
查看集群状态

查看当前主机kubelet,已自动重启

查看 kube-system相关pod可以看到已被更新重启

