Introduction
This document describes the procedure for renewing the Kubernetes certificates on the Cisco 5G Redundancy Configuration Manager (RCM).
Prerequisites
In an RCM High Availability setup, run the procedure on the standby RCM first, then perform a switchover and run the procedure on the new standby RCM. If RCM High Availability is not available, UP redundancy is unavailable during the RCM reboot that is part of the certificate renewal process.
Verify Whether the Certificates Have Expired
To check whether the certificates have expired, run sudo kubeadm alpha certs check-expiration.
ubuntu@rcm:~$ sudo kubeadm alpha certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Oct 31, 2024 03:34 UTC <invalid> no
apiserver Oct 31, 2024 03:34 UTC <invalid> no
apiserver-etcd-client Oct 31, 2024 03:34 UTC <invalid> no
apiserver-kubelet-client Oct 31, 2024 03:34 UTC <invalid> no
controller-manager.conf Oct 31, 2024 03:34 UTC <invalid> no
etcd-healthcheck-client Oct 31, 2024 03:34 UTC <invalid> no
etcd-peer Oct 31, 2024 03:34 UTC <invalid> no
etcd-server Oct 31, 2024 03:34 UTC <invalid> no
front-proxy-client Oct 31, 2024 03:34 UTC <invalid> no
scheduler.conf Oct 31, 2024 03:34 UTC <invalid> no
Renew the Certificates
Run sudo kubeadm alpha certs renew all to renew the certificates.
ubuntu@rcm:~$ sudo kubeadm alpha certs renew all
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Verify Again That the Certificates Have Been Renewed
Run sudo kubeadm alpha certs check-expiration to verify that the certificates have been renewed.
ubuntu@rcm:~$ sudo kubeadm alpha certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Nov 01, 2025 03:34 UTC 364d no
apiserver Nov 01, 2025 03:34 UTC 364d no
apiserver-etcd-client Nov 01, 2025 03:34 UTC 364d no
apiserver-kubelet-client Nov 01, 2025 03:34 UTC 364d no
controller-manager.conf Nov 01, 2025 03:34 UTC 364d no
etcd-healthcheck-client Nov 01, 2025 03:34 UTC 364d no
etcd-peer Nov 01, 2025 03:34 UTC 364d no
etcd-server Nov 01, 2025 03:34 UTC 364d no
front-proxy-client Nov 01, 2025 03:34 UTC 364d no
scheduler.conf Nov 01, 2025 03:34 UTC 364d no
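The two check-expiration steps above are read by eye. As an added example (not part of the Cisco document), the shell function below parses the same table and flags certificates that are already <invalid> or have fewer than a given number of days left, so the check can also run unattended before the expiry date is reached. It assumes the kubeadm 1.15-era column layout shown above; the sample table is constructed, not real data.

```shell
#!/bin/sh
# Added example (not from the Cisco document): flag certificates that the
# "kubeadm alpha certs check-expiration" table lists as expired (<invalid>)
# or with fewer than MIN_DAYS days remaining.
# Assumes the kubeadm 1.15-era table layout shown above: the name is field 1
# and RESIDUAL TIME is field 7 ("Oct 31, 2024 03:34 UTC" splits into 5 fields).
#
# Usage: sudo kubeadm alpha certs check-expiration | flag_expiring_certs 30
# Prints one line per flagged certificate; exits 1 if any was flagged, else 0.
flag_expiring_certs() {
    awk -v min="${1:-30}" '
        $1 == "CERTIFICATE" { next }          # header row
        NF < 8 { next }                        # blank or unexpected lines
        {
            name = $1; residual = $7
            if (residual == "<invalid>") {
                print name " EXPIRED"; flagged = 1
            } else if (residual ~ /^[0-9]+d$/) {
                days = substr(residual, 1, length(residual) - 1) + 0
                if (days < min) { print name " " days "d left"; flagged = 1 }
            } else if (residual ~ /^[0-9]+[hm]$/) {
                print name " " residual " left"; flagged = 1   # under a day
            }
        }
        END { if (flagged) exit 1; exit 0 }'
}

# Constructed sample in the same layout as the document output (not real data).
SAMPLE_TABLE='CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Oct 31, 2024 03:34 UTC <invalid> no
apiserver Nov 01, 2025 03:34 UTC 364d no
etcd-peer Nov 01, 2025 03:34 UTC 12d no'

# Demo run on the constructed sample; the exit status is ignored here.
printf '%s\n' "$SAMPLE_TABLE" | flag_expiring_certs 30 || true
```

On the RCM the function's non-zero exit status can drive a cron or monitoring alert well before the reboot-requiring renewal becomes urgent.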
Modify kubelet.conf
With kubeadm versions earlier than 1.17, kubelet.conf must be modified manually. Replace the client-certificate-data and client-key-data entries with these entries:
/etc/kubernetes/kubelet.conf
client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
Copy admin.conf
Copy admin.conf over .kube/config, overwriting it.
sudo cp /etc/kubernetes/admin.conf ~/.kube/config
Reboot the System
sudo reboot
Verify That kubectl Commands Work
After the reboot, verify that kubectl commands work correctly.
ubuntu@rcm:~$ kubectl get node
NAME STATUS ROLES AGE VERSION
rcm Ready master,oam 16d v1.15.12