Introduction
This document describes the procedure for renewing the Kubernetes certificates in Cisco 5G RCM (Redundancy Configuration Manager).
Prerequisite
If RCM High Availability is configured, perform the procedure first on the standby RCM, then carry out a switchover, and finally repeat it on the (new) standby RCM. If RCM High Availability is not configured, UP redundancy is unavailable during the RCM reboot, which is part of the certificate renewal process.
Check whether the certificates have expired
To check whether the certificates have expired, run sudo kubeadm alpha certs check-expiration.
ubuntu@rcm:~$ sudo kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Oct 31, 2024 03:34 UTC   <invalid>       no
apiserver                  Oct 31, 2024 03:34 UTC   <invalid>       no
apiserver-etcd-client      Oct 31, 2024 03:34 UTC   <invalid>       no
apiserver-kubelet-client   Oct 31, 2024 03:34 UTC   <invalid>       no
controller-manager.conf    Oct 31, 2024 03:34 UTC   <invalid>       no
etcd-healthcheck-client    Oct 31, 2024 03:34 UTC   <invalid>       no
etcd-peer                  Oct 31, 2024 03:34 UTC   <invalid>       no
etcd-server                Oct 31, 2024 03:34 UTC   <invalid>       no
front-proxy-client         Oct 31, 2024 03:34 UTC   <invalid>       no
scheduler.conf             Oct 31, 2024 03:34 UTC   <invalid>       no
Renew the certificates
Run sudo kubeadm alpha certs renew all to renew all certificates.
ubuntu@rcm:~$ sudo kubeadm alpha certs renew all
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Check again that the certificates have been renewed
Run sudo kubeadm alpha certs check-expiration again to verify that the certificates have been renewed.
ubuntu@rcm:~$ sudo kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Nov 01, 2025 03:34 UTC   364d            no
apiserver                  Nov 01, 2025 03:34 UTC   364d            no
apiserver-etcd-client      Nov 01, 2025 03:34 UTC   364d            no
apiserver-kubelet-client   Nov 01, 2025 03:34 UTC   364d            no
controller-manager.conf    Nov 01, 2025 03:34 UTC   364d            no
etcd-healthcheck-client    Nov 01, 2025 03:34 UTC   364d            no
etcd-peer                  Nov 01, 2025 03:34 UTC   364d            no
etcd-server                Nov 01, 2025 03:34 UTC   364d            no
front-proxy-client         Nov 01, 2025 03:34 UTC   364d            no
scheduler.conf             Nov 01, 2025 03:34 UTC   364d            no
Edit kubelet.conf
With kubeadm versions earlier than 1.17, kubelet.conf must be edited manually. Replace the embedded client-certificate-data and client-key-data entries with the following file references.
/etc/kubernetes/kubelet.conf
client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
Copy admin.conf
Copy admin.conf over .kube/config so that kubectl uses the renewed admin credentials.
sudo cp /etc/kubernetes/admin.conf ~/.kube/config
Reboot the system
sudo reboot
Ensure that the kubectl command works
After the reboot, verify that the kubectl command works correctly.
ubuntu@rcm:~$ kubectl get node
NAME   STATUS   ROLES        AGE   VERSION
rcm    Ready    master,oam   16d   v1.15.12
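The steps above, gathered into one POSIX shell helper as an added example; this is not Cisco's own tooling and nothing here is part of the RCM product. The sample check-expiration output embedded in the script is constructed (two rows in the shape the document shows) so that the parsing and the kubelet.conf rewrite can be checked offline; the live kubeadm, admin.conf and reboot steps run only when the script is invoked explicitly with the argument run on an RCM node. The script names (renew-rcm-certs.sh) and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not Cisco's tooling: helper wrapping the RCM certificate
# renewal steps from the document. Parsing and the kubelet.conf rewrite take
# their input as arguments so they can be verified offline; the live steps
# only execute when run_renewal is invoked explicitly (sh renew-rcm-certs.sh run).

# Constructed sample output of `kubeadm alpha certs check-expiration`, before
# and after renewal, mirroring the row layout shown in the document.
SAMPLE_EXPIRED='CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Oct 31, 2024 03:34 UTC   <invalid>       no
apiserver                  Oct 31, 2024 03:34 UTC   <invalid>       no'

SAMPLE_RENEWED='CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Nov 01, 2025 03:34 UTC   364d            no
apiserver                  Nov 01, 2025 03:34 UTC   364d            no'

# count_expired: read check-expiration output on stdin and print how many
# certificate rows report <invalid> in the RESIDUAL TIME column (header skipped).
count_expired() {
    awk 'NR > 1 && index($0, "<invalid>") { n++ } END { print n + 0 }'
}

# certs_valid: succeed (exit 0) only when no row of the output passed as $1 is expired.
certs_valid() {
    [ "$(printf '%s\n' "$1" | count_expired)" -eq 0 ]
}

# rewrite_kubelet_conf: in the file given as $1, replace the embedded
# client-certificate-data / client-key-data entries with the file references
# the document prescribes for kubeadm < 1.17. Indentation is preserved, the
# edit goes through a copy so any POSIX sed works, and $1.bak keeps the original.
rewrite_kubelet_conf() {
    f="$1"
    pem=/var/lib/kubelet/pki/kubelet-client-current.pem
    cp "$f" "$f.bak"
    sed -e "s|^\([[:space:]]*\)client-certificate-data:.*|\1client-certificate: $pem|" \
        -e "s|^\([[:space:]]*\)client-key-data:.*|\1client-key: $pem|" \
        "$f.bak" > "$f"
}

# run_renewal: the full sequence from the document for one RCM node. On an HA
# pair run it on the standby first, switch over, then on the new standby.
run_renewal() {
    sudo kubeadm alpha certs check-expiration
    sudo kubeadm alpha certs renew all || return 1
    after=$(sudo kubeadm alpha certs check-expiration)
    printf '%s\n' "$after"
    certs_valid "$after" || { echo "renewal left expired certificates" >&2; return 1; }

    # Older kubeadm leaves embedded client data in kubelet.conf: edit a copy,
    # then put it back with sudo, only if the embedded keys are still present.
    if sudo grep -q '^[[:space:]]*client-certificate-data:' /etc/kubernetes/kubelet.conf; then
        tmp=$(mktemp)
        sudo cat /etc/kubernetes/kubelet.conf > "$tmp"
        rewrite_kubelet_conf "$tmp"
        sudo cp "$tmp" /etc/kubernetes/kubelet.conf
        rm -f "$tmp" "$tmp.bak"
    fi

    mkdir -p ~/.kube
    sudo cp /etc/kubernetes/admin.conf ~/.kube/config
    sudo reboot
}

if [ "${1:-}" = "run" ]; then
    run_renewal
fi
```

After the node comes back, kubectl get node should report the rcm node as Ready, exactly as in the final step of the document; if certs_valid fails after renewal, stop before the reboot and inspect the check-expiration output rather than continuing with an expired certificate.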