If the certificates that are used on the nodes of a Kubernetes cluster expire, you cannot communicate with the cluster API server by using kubectl or calling API operations. The expired certificates cannot be automatically updated based on template deployment. To update the certificates, you can log on to each node and run the docker run command.
Update the expired certificate on each master node
Log on to the master node as the root user and run the following command to update the certificate on the master node:
docker run -it --privileged=true -v /:/alicoud-k8s-host --pid host --net host \
registry.cn-hangzhou.aliyuncs.com/acs/cert-rotate:v1.0.0 /renew/upgrade-k8s.sh --role master
Repeat the preceding steps on each cluster master node to update the certificates for all master nodes.
Update the expired certificate on a worker node
Log on to a master node as the root user and run the following command to obtain the cluster rootCA private key:
cat /etc/kubernetes/pki/ca.key
Run either of the following commands to obtain the cluster root private key that is encoded in the Base64 format:
If the cluster rootCA private key contains a blank line, run the following command:
sed '1d' /etc/kubernetes/pki/ca.key | base64 -w 0
If the cluster rootCA private key does not contain a blank line, run the following command:
cat /etc/kubernetes/pki/ca.key | base64 -w 0
Log on to a worker node as the root user and run the following command to update the certificate on the worker node:
docker run -it --privileged=true -v /:/alicoud-k8s-host --pid host --net host \
registry.cn-hangzhou.aliyuncs.com/acs/cert-rotate:v1.0.0 /renew/upgrade-k8s.sh --role node --rootkey ${base64CAKey}
Note: ${base64CAKey} specifies the cluster root private key that is encoded in the Base64 format. The value of ${base64CAKey} is returned in Step 2.
Repeat the preceding steps on each worker node in the cluster to update the certificates for all worker nodes.
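The worker-node procedure above leaves it to the operator to notice whether ca.key starts with a blank line before choosing between the sed and cat variants. The following shell helper is an added example, not part of the ACK documentation or the cert-rotate image: it encodes the key with the correct variant automatically, verifies that the encoded value decodes back to a PEM key, and prints the worker-node docker command from the page for inspection instead of running it. The key file path passed to encode_ca_key is an assumption; on a master node it would be /etc/kubernetes/pki/ca.key.

```shell
#!/bin/sh
# Added example (not from the ACK documentation). Helpers for Step 2 of the
# worker-node procedure: Base64-encode the cluster root CA private key on one
# line, dropping a leading blank line when the file has one.

# Equivalent to the page's `sed '1d' ca.key | base64 -w 0` when the first line
# is blank, and to `cat ca.key | base64 -w 0` otherwise. `base64 | tr -d '\n'`
# is used instead of `-w 0` so the function also works on non-GNU base64.
encode_ca_key() {
    key_file="$1"
    [ -r "$key_file" ] || { echo "cannot read $key_file" >&2; return 1; }
    first_line=$(head -n 1 "$key_file")
    if [ -z "$first_line" ]; then
        sed '1d' "$key_file" | base64 | tr -d '\n'
    else
        base64 < "$key_file" | tr -d '\n'
    fi
}

# Sanity check before handing the value to a worker node: the decoded data
# must begin with a PEM header, otherwise the renew script would receive an
# unusable root key.
check_encoded_key() {
    printf '%s' "$1" | base64 -d 2>/dev/null | head -n 1 | grep -q '^-----BEGIN'
}

# Print the worker-node command from the page (same image and arguments)
# with the encoded key substituted for ${base64CAKey}; nothing is executed.
worker_renew_command() {
    printf 'docker run -it --privileged=true -v /:/alicoud-k8s-host --pid host --net host \\\n'
    printf '  registry.cn-hangzhou.aliyuncs.com/acs/cert-rotate:v1.0.0 /renew/upgrade-k8s.sh --role node --rootkey %s\n' "$1"
}
```

Because the key is passed as a command-line argument, it is visible in the process list while the container starts and is recorded in the root user's shell history; clear that history on the worker node after the renewal.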