Skip to main content

kubernetes 인증서 만료되어 kubectl 실행 안될 때

Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-10-18T14:59:15+09:00 is after 2023-10-17T01:26:03Z

위와 같은 에러 발생하며 kubectl 명령을 사용할 수 없는 상황

대충 영문 경고 해석해보면 느낌이 오겠지만, 인증서 기간이 만료된 것임

[root@Minhang02 pki]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 17, 2023 01:26 UTC   <invalid>       ca                      no      
apiserver                  Oct 17, 2023 01:26 UTC   <invalid>       ca                      no      
apiserver-etcd-client      Oct 17, 2023 01:26 UTC   <invalid>       etcd-ca                 no      
apiserver-kubelet-client   Oct 17, 2023 01:26 UTC   <invalid>       ca                      no      
controller-manager.conf    Oct 17, 2023 01:26 UTC   <invalid>       ca                      no      
etcd-healthcheck-client    Oct 17, 2023 01:26 UTC   <invalid>       etcd-ca                 no      
etcd-peer                  Oct 17, 2023 01:26 UTC   <invalid>       etcd-ca                 no      
etcd-server                Oct 17, 2023 01:26 UTC   <invalid>       etcd-ca                 no      
front-proxy-client         Oct 17, 2023 01:26 UTC   <invalid>       front-proxy-ca          no      
scheduler.conf             Oct 17, 2023 01:26 UTC   <invalid>       ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 14, 2032 01:26 UTC   8y              no      
etcd-ca                 Oct 14, 2032 01:26 UTC   8y              no      
front-proxy-ca          Oct 14, 2032 01:26 UTC   8y              no     

-> kubeadm certs check-expiration 명령어를 통해 인증서 만료 일자를 확인해보니 이미 기간이 만료되어 있었음

[root@Minhang02 pki]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

-> kubeadm certs renew all 명령어를 통해 인증서를 갱신할 수 있음

갱신하고 다시 인증서 정보를 확인해보면

[root@Minhang02 pki]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 17, 2024 06:21 UTC   364d            ca                      no      
apiserver                  Oct 17, 2024 06:21 UTC   364d            ca                      no      
apiserver-etcd-client      Oct 17, 2024 06:21 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Oct 17, 2024 06:21 UTC   364d            ca                      no      
controller-manager.conf    Oct 17, 2024 06:21 UTC   364d            ca                      no      
etcd-healthcheck-client    Oct 17, 2024 06:21 UTC   364d            etcd-ca                 no      
etcd-peer                  Oct 17, 2024 06:21 UTC   364d            etcd-ca                 no      
etcd-server                Oct 17, 2024 06:21 UTC   364d            etcd-ca                 no      
front-proxy-client         Oct 17, 2024 06:21 UTC   364d            front-proxy-ca          no      
scheduler.conf             Oct 17, 2024 06:21 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 14, 2032 01:26 UTC   8y              no      
etcd-ca                 Oct 14, 2032 01:26 UTC   8y              no      
front-proxy-ca          Oct 14, 2032 01:26 UTC   8y              no 

-> 인증서 갱신되어 이제 364일 남았다고 뜸

[root@Minhang02 pki]# kubectl get pod -o wide
NAME                        READY   STATUS    RESTARTS   AGE    IP            NODE        NOMINATED NODE   READINESS GATES
bookstack-77df4879c-6z2v2   1/1     Running   0          28d    10.244.1.42   minhang03   <none>           <none>
bookstack-77df4879c-hqwgp   1/1     Running   0          28d    10.244.2.45   minhang04   <none>           <none>
jupyter-66477949-jvvqk      1/1     Running   0          307d   10.244.2.31   minhang04   <none>           <none>

-> 이제 kubectl도 다시 정상적으로 사용됨