1. Problem description
[root@Centos7-80-k8s-ser1 ~] kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-11-28T14:07:44+08:00 is after 2022-11-23T08:09:17Z
The error above says the certificate has expired.
Check the certificates' validity period with kubeadm's check-expiration command:
[root@centos7-ansible-85 ~]#
Command "check-expiration" is deprecated, please use the same command under "kubeadm certs"
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 12, 2021 04:54 UTC   <invalid>                               no
apiserver                  Dec 12, 2021 04:54 UTC   <invalid>       ca                      no
apiserver-etcd-client      Dec 12, 2021 04:54 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Dec 12, 2021 04:54 UTC   <invalid>       ca                      no
controller-manager.conf    Dec 12, 2021 04:54 UTC   <invalid>                               no
etcd-healthcheck-client    Dec 12, 2021 04:54 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Dec 12, 2021 04:54 UTC   <invalid>       etcd-ca                 no
etcd-server                Dec 12, 2021 04:54 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Dec 12, 2021 04:54 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Dec 12, 2021 04:54 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 10, 2030 04:54 UTC   8y              no
etcd-ca                 Dec 10, 2030 04:54 UTC   8y              no
front-proxy-ca          Dec 10, 2030 04:54 UTC   8y              no
### This is what a healthy cluster looks like:
[root@Centos7-80-k8s-ser1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 28, 2023 06:27 UTC   361d                                    no
apiserver                  Nov 28, 2023 06:27 UTC   361d            ca                      no
apiserver-etcd-client      Nov 28, 2023 06:27 UTC   361d            etcd-ca                 no
apiserver-kubelet-client   Nov 28, 2023 06:27 UTC   361d            ca                      no
controller-manager.conf    Nov 28, 2023 06:27 UTC   361d                                    no
etcd-healthcheck-client    Nov 28, 2023 06:27 UTC   361d            etcd-ca                 no
etcd-peer                  Nov 28, 2023 06:27 UTC   361d            etcd-ca                 no
etcd-server                Nov 28, 2023 06:27 UTC   361d            etcd-ca                 no
front-proxy-client         Nov 28, 2023 06:27 UTC   361d            front-proxy-ca          no
scheduler.conf             Nov 28, 2023 06:27 UTC   361d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 14, 2030 08:22 UTC   7y              no
etcd-ca                 Nov 14, 2030 08:22 UTC   7y              no
front-proxy-ca          Nov 14, 2030 08:22 UTC   7y              no
Under normal conditions the RESIDUAL TIME column shows the number of days each certificate has left.
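As an added example (not from the original post), a small POSIX shell helper that reads the check-expiration table shown above and flags every certificate that is already <invalid> or has fewer than a given number of days of residual time, so renewal can be scheduled before kubectl starts failing. The function name, the threshold argument and SAMPLE_OUTPUT are my own constructions; on a control-plane node you would pipe the real command output into the function instead.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the table printed by
# `kubeadm certs check-expiration` and list every certificate that is already
# <invalid> or has fewer than THRESHOLD_DAYS of residual time.
# SAMPLE_OUTPUT is a constructed sample in the same layout as the real output.
SAMPLE_OUTPUT='[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 12, 2021 04:54 UTC   <invalid>                               no
apiserver                  Nov 28, 2023 06:27 UTC   361d            ca                      no
etcd-peer                  Dec 18, 2022 06:27 UTC   20d             etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 14, 2030 08:22 UTC   7y              no'

# expiring_certs THRESHOLD_DAYS  -- reads check-expiration output on stdin.
# Prints "<name> <residual>" for each offending entry; exit status 1 if any found.
# Real use on a control-plane node: kubeadm certs check-expiration | expiring_certs 30
expiring_certs() {
    awk -v limit="$1" '
        /^CERTIFICATE/ || /^\[/ || NF < 4 { next }   # headers, log lines, blanks
        {
            res = ""
            # RESIDUAL TIME is the token right after the "UTC" of the EXPIRES column
            for (i = 2; i < NF; i++) if ($i == "UTC") { res = $(i + 1); break }
            if (res == "") next
            days = -1
            if (res == "<invalid>")          days = 0                 # already expired
            else if (res ~ /^[0-9]+[hms]$/)  days = 0                 # less than a day left
            else if (res ~ /^[0-9]+d$/)      days = substr(res, 1, length(res) - 1) + 0
            else if (res ~ /^[0-9]+y$/)      days = substr(res, 1, length(res) - 1) * 365
            if (days >= 0 && days < limit) { print $1, res; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Stand-alone demo on the constructed sample: prints admin.conf and etcd-peer
printf '%s\n' "$SAMPLE_OUTPUT" | expiring_certs 30 || echo "certificates above need renewal"
```

Run it from cron with a threshold of a few weeks and you get a warning well before the one-year client certificates lapse.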
2. Renewing the certificates
1. The client certificates generated for a k8s cluster deployed with kubeadm are valid for one year.
There are two ways to renew them:
1. Upgrade the k8s cluster, which renews the certificates automatically
2. Renew the certificates manually
Manual renewal:
Run kubeadm certs renew --help to see the exact usage.
[root@Centos7-80-k8s-ser1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 28, 2023 06:27 UTC   364d                                    no
apiserver                  Nov 28, 2023 06:27 UTC   364d            ca                      no
apiserver-etcd-client      Nov 28, 2023 06:27 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Nov 28, 2023 06:27 UTC   364d            ca                      no
controller-manager.conf    Nov 28, 2023 06:27 UTC   364d                                    no
etcd-healthcheck-client    Nov 28, 2023 06:27 UTC   364d            etcd-ca                 no
etcd-peer                  Nov 28, 2023 06:27 UTC   364d            etcd-ca                 no
etcd-server                Nov 28, 2023 06:27 UTC   364d            etcd-ca                 no
front-proxy-client         Nov 28, 2023 06:27 UTC   364d            front-proxy-ca          no
scheduler.conf             Nov 28, 2023 06:27 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 14, 2030 08:22 UTC   7y              no
etcd-ca                 Nov 14, 2030 08:22 UTC   7y              no
front-proxy-ca          Nov 14, 2030 08:22 UTC   7y              no
RESIDUAL TIME now reads 364d, which shows that the renewal just performed succeeded.
Restart kubelet:
systemctl restart kubelet
Run kubectl get pods again:
error: You must be logged in to the server (Unauthorized)
The cluster certificates have been renewed, but the kubeconfig under /root/.kube still carries the old admin.conf credentials, so it has to be refreshed from the renewed admin.conf as well:
cp /etc/kubernetes/admin.conf /root/.kube/config
Then run the command again and it works:
[root@Centos7-80-k8s-ser1 ~]# kubectl get nodes
NAME                  STATUS   ROLES    AGE     VERSION
centos7-80-k8s-ser1   Ready    master   2y12d   v1.19.2
centos7-81-k8s-ser2   Ready    <none>   2y11d   v1.19.2
centos7-82-k8s-ser3   Ready    <none>   2y11d   v1.19.2
centos7-83-k8s-ser4   Ready    <none>   2y11d   v1.19.2
centos7-91-k8s-ser5   Ready    <none>   693d    v1.19.5