Growing into a 'Data Engineer'

I like organizing things, and I like it even more when others read them


K8S) Renewing certificates

MightyTedKim 2023. 2. 26. 15:12

About a year after setting up on-prem Kubernetes, a certificate expiry problem showed up.
 
When the problem occurs, first check the certificate status.
 
$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 14, 2022 09:49 UTC   <invalid>                               no
apiserver                  Oct 14, 2022 09:49 UTC   <invalid>       ca                      no
apiserver-etcd-client      Oct 14, 2022 09:49 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Oct 14, 2022 09:49 UTC   <invalid>       ca                      no
controller-manager.conf    Oct 14, 2022 09:49 UTC   <invalid>                               no
etcd-healthcheck-client    Oct 14, 2022 09:49 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Oct 14, 2022 09:49 UTC   <invalid>       etcd-ca                 no
etcd-server                Oct 14, 2022 09:49 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Oct 14, 2022 09:49 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Oct 14, 2022 09:49 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 12, 2031 09:49 UTC   8y              no
etcd-ca                 Oct 12, 2031 09:49 UTC   8y              no
front-proxy-ca          Oct 12, 2031 09:49 UTC   8y              no
 
Then renew the certificates with sudo privileges.
 
$ kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
 
Checking again shows that the certificates have been renewed.

$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 17, 2023 04:15 UTC   364d                                    no
apiserver                  Oct 17, 2023 04:15 UTC   364d            ca                      no
apiserver-etcd-client      Oct 17, 2023 04:15 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Oct 17, 2023 04:15 UTC   364d            ca                      no
controller-manager.conf    Oct 17, 2023 04:15 UTC   364d                                    no
etcd-healthcheck-client    Oct 17, 2023 04:15 UTC   364d            etcd-ca                 no
etcd-peer                  Oct 17, 2023 04:15 UTC   364d            etcd-ca                 no
etcd-server                Oct 17, 2023 04:15 UTC   364d            etcd-ca                 no
front-proxy-client         Oct 17, 2023 04:15 UTC   364d            front-proxy-ca          no
scheduler.conf             Oct 17, 2023 04:15 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 12, 2031 09:49 UTC   8y              no
etcd-ca                 Oct 12, 2031 09:49 UTC   8y              no
front-proxy-ca          Oct 12, 2031 09:49 UTC   8y              no
 
Now switch to the user account and copy the config file.
If you skip this step, you will keep getting a certificate error like the one below.

$ k get all
error: You must be logged in to the server (Unauthorized)
 
In my case the user is the manager account, so I did it like this.
$ cp /etc/kubernetes/admin.conf /home/manager/.kube/config
 
Confirmed that it works again.

$ k get pod
NAME               READY   STATUS    RESTARTS        AGE
goldpinger-87kmn   1/1     Running   4 (146d ago)    300d
goldpinger-v5v49   1/1     Running   4 (146d ago)    321d
goldpinger-vmvn5   1/1     Running   7 (146d ago)    321d
 
Finally, the static pods need to be restarted:
etcd, apiserver, controller-manager and scheduler.

Because the certificates have changed, operations such as rollout and logs
won't work until this is done.

Moving the manifests out and back restarts the containers inside the pods.
- Restart the static pods
  $ mv /etc/kubernetes/manifests /etc/kubernetes/manifests-backup

  wait about 20 seconds, then

  $ mv /etc/kubernetes/manifests-backup /etc/kubernetes/manifests
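The post above waits for the certificates to go `<invalid>` before acting. As an added example (my own code, not from the original post or from kubeadm), here is a small POSIX sh/awk check that parses the table printed by `kubeadm certs check-expiration` and lists the leaf certificates that are already invalid or expire within a given number of days, so renewal can be scheduled before the API server starts answering "Unauthorized". The sample table is constructed to match the output format shown above.

```shell
#!/bin/sh
# Added example (not from the original post): parse the table printed by
# `kubeadm certs check-expiration` and report leaf certificates that are
# already <invalid> or expire within a threshold of days.

# Constructed sample in the same layout as the real command output.
SAMPLE_OUTPUT='[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 14, 2022 09:49 UTC   <invalid>                               no
apiserver                  Oct 17, 2023 04:15 UTC   364d            ca                      no
etcd-server                Nov 06, 2022 09:49 UTC   20d             etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 12, 2031 09:49 UTC   8y              no'

# expiring_certs DAYS: reads the table on stdin and prints "name residual"
# for each leaf certificate whose residual time is <invalid> or below DAYS.
# The CA table is skipped: CAs are long-lived and `kubeadm certs renew all`
# does not touch them.
expiring_certs() {
  awk -v limit="$1" '
    /^CERTIFICATE AUTHORITY/ { in_leaf = 0; next }   # start of CA table
    /^CERTIFICATE /          { in_leaf = 1; next }   # start of leaf table
    in_leaf && NF >= 7 {
      # Fields: name  Mon DD, YYYY HH:MM UTC  residual  [ca]  managed
      residual = $7
      if (residual == "<invalid>") { print $1, residual; next }
      n = residual + 0                               # numeric prefix, e.g. 364
      unit = substr(residual, length(residual))      # trailing y, d, h or m
      if (unit == "y")      days = n * 365
      else if (unit == "d") days = n
      else                  days = 0                 # only hours/minutes left
      if (days < limit) print $1, residual
    }'
}

# check_expiry DAYS: table on stdin; prints offenders and returns 1 if any,
# so the script can gate a cron job or a monitoring check.
check_expiry() {
  found=$(expiring_certs "$1")
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

if printf '%s\n' "$SAMPLE_OUTPUT" | check_expiry 30; then
  echo "all leaf certificates have more than 30 days left"
else
  echo "renewal needed"
fi
```

On a control-plane node, pipe the real command instead of the sample: `kubeadm certs check-expiration | check_expiry 30`.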


Reference: https://txconsole.com/certificate-renewal-manually-in-kubernetes/
