  • emirhanaydin

Kubernetes Certificate Renewal



The first thing we need to check is when the certificates expire. Let's check the expiration time.


$ sudo kubeadm certs check-expiration

The output will look similar to the following. In this case the certificates will expire in 320 days.

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 19, 2023 07:20 UTC   320d                                    no
apiserver                  Oct 19, 2023 07:20 UTC   320d            ca                      no
apiserver-etcd-client      Oct 19, 2023 07:20 UTC   320d            etcd-ca                 no
apiserver-kubelet-client   Oct 19, 2023 07:20 UTC   320d            ca                      no
controller-manager.conf    Oct 19, 2023 07:20 UTC   320d                                    no
etcd-healthcheck-client    Oct 19, 2023 07:20 UTC   320d            etcd-ca                 no
etcd-peer                  Oct 19, 2023 07:20 UTC   320d            etcd-ca                 no
etcd-server                Oct 19, 2023 07:20 UTC   320d            etcd-ca                 no
front-proxy-client         Oct 19, 2023 07:20 UTC   320d            front-proxy-ca          no
scheduler.conf             Oct 19, 2023 07:20 UTC   320d                                    no

Before making any changes, it is very important to back up the existing configuration files and certificates.


$ sudo mkdir -p $HOME/yedek/kconf
$ sudo mkdir -p ~/yedek/kconfcert
$ sudo mkdir -p ~/yedek/kcerts

$ sudo cp -r /etc/kubernetes/*.conf $HOME/yedek/kconf/
$ sudo cp -r /etc/kubernetes/pki/ $HOME/yedek/kconfcert/
$ sudo cp -r /var/lib/kubelet/pki/* $HOME/yedek/kcerts

With the backups done, we can move on to the renewal.


Run the following command to renew all Kubernetes certificates:

$ sudo kubeadm certs renew all

The output of the command will look similar to the following:

[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

Let's check that the certificates were renewed and when they expire; the residual time should now read 364 days.


$ sudo kubeadm certs check-expiration

Our output:

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 19, 2023 07:32 UTC   364d                                    no
apiserver                  Oct 19, 2023 07:32 UTC   364d            ca                      no
apiserver-etcd-client      Oct 19, 2023 07:32 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Oct 19, 2023 07:32 UTC   364d            ca                      no
controller-manager.conf    Oct 19, 2023 07:32 UTC   364d                                    no
etcd-healthcheck-client    Oct 19, 2023 07:32 UTC   364d            etcd-ca                 no
etcd-peer                  Oct 19, 2023 07:32 UTC   364d            etcd-ca                 no
etcd-server                Oct 19, 2023 07:32 UTC   364d            etcd-ca                 no
front-proxy-client         Oct 19, 2023 07:32 UTC   364d            front-proxy-ca          no
scheduler.conf             Oct 19, 2023 07:32 UTC   364d                                    no

YES, OUR CERTIFICATES HAVE BEEN RENEWED...
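
The expiry check used before and after the renewal can be turned into a scriptable gate. This is an added example, not part of the original post: the hypothetical expiring_certs helper reads check-expiration output and lists every certificate with fewer than the given number of days left. The sample rows are constructed in the page's table layout, and the y/h/m/s units and the <invalid> marker for an expired certificate are assumptions about values the page's output does not show.

```shell
#!/bin/sh
# Added example (not from the original post): list kubeadm-managed
# certificates whose RESIDUAL TIME is below a threshold given in days.

# Constructed sample: rows in the check-expiration layout shown above,
# with made-up dates and residual values to exercise every branch.
SAMPLE_OUTPUT='CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 19, 2023 07:20 UTC   320d                                    no
apiserver                  Dec 15, 2022 07:20 UTC   12d             ca                      no
etcd-server                Dec 03, 2022 12:20 UTC   5h              etcd-ca                 no
front-proxy-client         Dec 01, 2022 07:20 UTC   <invalid>       front-proxy-ca          no
ca                         Oct 16, 2032 07:20 UTC   9y                                      no'

# expiring_certs MIN_DAYS  (hypothetical helper name)
# Reads check-expiration output on stdin, prints "name residual" for each
# certificate with fewer than MIN_DAYS left, and returns 1 if any was found.
expiring_certs() {
    awk -v min="$1" '
        $6 == "UTC" {                 # data rows only; headers and log lines lack the date
            r = $7
            n = r + 0                 # numeric prefix of e.g. "320d"
            unit = substr(r, length(r))
            if (r == "<invalid>")  days = -1        # assumed marker: already expired
            else if (unit == "y")  days = n * 365   # assumed unit: years
            else if (unit == "d")  days = n
            else                   days = 0         # assumed h/m/s: under one day
            if (days < min) { print $1, r; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Demo on the constructed sample. On a control-plane node the real input is:
#   sudo kubeadm certs check-expiration | expiring_certs 30
printf '%s\n' "$SAMPLE_OUTPUT" | expiring_certs 30 ||
    echo "certificates above have fewer than 30 days left"
```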


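As the renew output above states, kube-apiserver, kube-controller-manager, kube-scheduler and etcd must be restarted before they use the new certificates. Let's check the control plane status and our pods.


$ kubectl get nodes
$ kubectl get pods --all-namespaces

Our output: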

oem@master:~$ kubectl get nodes
NAME     STATUS   ROLES                  AGE   VERSION
master   Ready    control-plane,master   14m   v1.22.0
worker   Ready    <none>                 13m   v1.22.0
oem@master:~$ kubectl get pods --all-namespaces
NAMESPACE     NAME                                      READY   STATUS    RESTARTS   AGE
kube-system   calico-kube-controllers-78cbb44df-trwbb   1/1     Running   0          13m
kube-system   calico-node-tlsml                         1/1     Running   0          13m
kube-system   calico-node-zgbvg                         1/1     Running   0          13m
kube-system   coredns-78fcd69978-2qf9m                  1/1     Running   0          14m
kube-system   coredns-78fcd69978-tlz96                  1/1     Running   0          14m
kube-system   etcd-master                               1/1     Running   0          14m
kube-system   kube-apiserver-master                     1/1     Running   0          14m
kube-system   kube-controller-manager-master            1/1     Running   0          14m
kube-system   kube-proxy-djj9s                          1/1     Running   0          14m
kube-system   kube-proxy-znpq2                          1/1     Running   0          13m
kube-system   kube-scheduler-master                     1/1     Running   0          14m

Our Kubernetes certificates are renewed and the system is up :)
