1. 排查流程
# 今天执行 kubectl 时报 api-server 不可用(dial tcp 10.207.40.2:6443 ... no route to host),但 telnet 本机 127.0.0.1:6443 是通的。注意这两个测试的目标不同:报错的是 VIP 10.207.40.2,telnet 连的是本机。本机 6443 仍在监听说明 apiserver 本身活着,而 VIP 直接 "no route to host" 说明 VIP 此时没有被任何节点持有,因此初步判断问题出在高可用层(kube-vip),而不是 apiserver
[root@hybxvuca01 /]# kubectl get po -A
Unable to connect to the server: dial tcp 10.207.40.2:6443: connect: no route to host
[root@hybxvuca01 /]# telnet 127.0.0.1 6443
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
# 已知当前集群的高可用(VIP)由 kube-vip 提供。由于 kubectl 已经不可用,改用 docker ps / docker logs 直接看 kube-vip 容器(静态 Pod)在报什么错
[root@hybxvuca01 /]# docker ps | grep kube-vip
8e287edaf6eb f1f7621457da "/kube-vip manager" 4 hours ago Up 4 hours k8s_kube-vip_kube-vip-hybxvuca01_kube-system_fe06773c9a7dfed3d84dfc34da51ccce_67
a9ddec358404 harbor.bx.crpharm.com/k8s/pause:3.4.1 "/pause" 8 months ago Up 8 months k8s_POD_kube-vip-hybxvuca01_kube-system_fe06773c9a7dfed3d84dfc34da51ccce_0
# docker logs -f 8e287edaf6eb
# 日志里报 x509: certificate has expired or is not yet valid:kube-vip 访问 apiserver 更新 lease(leader 选举)时用的客户端证书已过期(过期时间 02:41:44Z),选举失败后 VIP 随之失效,与上面 VIP "no route to host" 的现象一致。也就是说证书过期才是根因,VIP 不可达只是表象
error retrieving resource lock kube-system/plndr-svcs-lock: Get "https://kubernetes:6443/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/plndr-svcs-lock": x509: certificate has expired or is not yet valid: current time 2025-03-27T07:08:10Z is after 2025-03-27T02:41:44Z
# 由于集群是通过 kubeadm 部署的,用 kubeadm certs check-expiration 查看证书有效期。下表中除 CA 以外的所有叶子证书都在今天 Mar 27 02:41 UTC 过期(RESIDUAL TIME 显示 <invalid>),而 ca / etcd-ca / front-proxy-ca 要到 2032 年才过期;CA 仍然有效,所以只需用现有 CA 重新签发各组件的叶子证书,不需要更换 CA(换 CA 的影响面大得多)。EXTERNALLY MANAGED 都是 no,说明这些证书由 kubeadm 管理、可以直接用 kubeadm 续签。输出里的 "Error reading configuration from the Cluster. Falling back to default configuration" 只是因为此时 apiserver 不可访问、读不到 kubeadm-config,命令回退到默认配置;证书文件是本地读取的,一般不影响检查结果
[root@hybxvuca01 /]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Mar 27, 2025 02:41 UTC <invalid> ca no
apiserver Mar 27, 2025 02:41 UTC <invalid> ca no
apiserver-etcd-client Mar 27, 2025 02:41 UTC <invalid> etcd-ca no
apiserver-kubelet-client Mar 27, 2025 02:41 UTC <invalid> ca no
controller-manager.conf Mar 27, 2025 02:41 UTC <invalid> ca no
etcd-healthcheck-client Mar 27, 2025 02:41 UTC <invalid> etcd-ca no
etcd-peer Mar 27, 2025 02:41 UTC <invalid> etcd-ca no
etcd-server Mar 27, 2025 02:41 UTC <invalid> etcd-ca no
front-proxy-client Mar 27, 2025 02:41 UTC <invalid> front-proxy-ca no
scheduler.conf Mar 27, 2025 02:41 UTC <invalid> ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Mar 27, 2032 08:46 UTC 7y no
etcd-ca Mar 27, 2032 08:46 UTC 7y no
front-proxy-ca Mar 27, 2032 08:46 UTC 7y no
# 使用 kubeadm certs renew all 续签所有由 kubeadm 管理的证书。说明:上面 check-expiration 的输出来自另一套(出问题的)环境,当时续签成功后忘记保留输出,下面改用我的虚拟机复现,流程是一样的。注意两个环境并不完全相同:虚拟机的输出里没有 etcd-ca 和 etcd-* 证书,看起来是使用外部 etcd 的集群,kubeadm 不会续签外部 etcd 的证书,那部分需要另外处理;出问题的那套环境带 etcd-* 证书(堆叠 etcd),renew all 会一并续签
root@tanqidi:~# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W0404 01:12:37.689388 34330 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
root@tanqidi:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W0404 01:12:42.060824 34459 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Apr 03, 2026 17:12 UTC 364d ca no
apiserver Apr 03, 2026 17:12 UTC 364d ca no
apiserver-kubelet-client Apr 03, 2026 17:12 UTC 364d ca no
controller-manager.conf Apr 03, 2026 17:12 UTC 364d ca no
front-proxy-client Apr 03, 2026 17:12 UTC 364d front-proxy-ca no
scheduler.conf Apr 03, 2026 17:12 UTC 364d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Oct 02, 2034 13:56 UTC 9y no
front-proxy-ca Oct 02, 2034 13:56 UTC 9y no
# 重启 kubelet 以及 kube-apiserver、kube-scheduler、kube-controller-manager、etcd。注意这些控制面组件是静态 Pod,只有容器被重建后才会加载新证书,单纯重启 kubelet 不一定会重建它们:可以 docker restart 对应容器,或把 /etc/kubernetes/manifests 下的清单临时移走、等容器退出后再移回。本例中 kube-vip 也要重启——它报错的客户端证书和 admin.conf 是同一时刻过期的,应该就是它挂载的 admin.conf,不重启仍会用旧证书。重启完再用 kubeadm certs check-expiration 和 kubectl get po -A 验证
# 把续签后的 admin.conf 复制为本地 kubeconfig(会覆盖原来的 ~/.kube/config)。admin.conf 里嵌的是 cluster-admin 凭据,注意文件权限保持 600;之前分发到其他机器、CI 或同事手里的旧 admin kubeconfig 里嵌的证书同样已经过期,也要一并替换,并且借此机会评估是否应该改发权限更小的凭据而不是到处复制 admin.conf
root@tanqidi:~# cp /etc/kubernetes/admin.conf ~/.kube/config
2. 集群续签
多 master(高可用)集群的续签:kubeadm certs renew all 只续签本机 /etc/kubernetes/pki 和 /etc/kubernetes/*.conf 里的证书,所以需要在每个 master 节点上各执行一次(各节点共用同一套 CA,CA 本身不需要动),然后在每个节点上重启控制面组件让它们加载新证书。建议逐台操作、确认一台恢复后再做下一台,不要同时重启所有 master。另外从上表可以看到续签后的叶子证书有效期只有一年(364d),到期前需要再次续签,建议给证书到期加上监控,避免像这次一样所有证书在同一天过期
# master1,2,3 都执行一次
root@tanqidi:~# kubeadm certs renew all
# 重启 kubelet,并重建 apiserver、scheduler、controller-manager、etcd 等静态 Pod 容器(docker restart 或移走再移回 /etc/kubernetes/manifests 下的清单),让它们加载新证书
# 复制kubeconfig
root@tanqidi:~# cp /etc/kubernetes/admin.conf ~/.kube/config