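Renewing Kubernetes certificates
The default certificates expire after 365 days and need to be renewed.
Renewing the certificates with kubeadm (if the cluster was initialized with kubeadm)
- Log in to the control-plane node as an administrator.
- Run the command
kubeadm certs check-expiration
to check when the certificates expire:
The output below shows the state after the certificates have already been renewed: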
root@master:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 20, 2025 02:24 UTC   364d            ca                      no
apiserver                  Sep 20, 2025 02:24 UTC   364d            ca                      no
apiserver-etcd-client      Sep 20, 2025 02:24 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Sep 20, 2025 02:24 UTC   364d            ca                      no
controller-manager.conf    Sep 20, 2025 02:24 UTC   364d            ca                      no
etcd-healthcheck-client    Sep 20, 2025 02:24 UTC   364d            etcd-ca                 no
etcd-peer                  Sep 20, 2025 02:24 UTC   364d            etcd-ca                 no
etcd-server                Sep 20, 2025 02:24 UTC   364d            etcd-ca                 no
front-proxy-client         Sep 20, 2025 02:24 UTC   364d            front-proxy-ca          no
scheduler.conf             Sep 20, 2025 02:24 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 17, 2033 13:10 UTC   8y              no
etcd-ca                 Sep 17, 2033 13:10 UTC   8y              no
front-proxy-ca          Sep 17, 2033 13:10 UTC   8y              no
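- Run the certificate renewal command:
kubeadm certs renew all
- Restart the controller node so that the control-plane components load the renewed certificates.
- After the restart, check the nodes.
First copy the kubeconfig file:
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
Then get the node status:
kubectl get nodes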