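Renewing an Expired K8S api-server Certificate

A year after the K8S cluster was set up, the api-server certificate expired; by default it is valid for only one year. This note records how to renew it. It assumes the cluster was built with kubeadm.

Main symptom of expiry: kubectl apply -f fails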

+ kubectl apply -f k8s-deployment.yaml
10:36:55  error: error validating "k8s-deployment.yaml": error validating data: failed to download openapi: Get "https://192.168.5.31:6443/openapi/v2?timeout=32s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2026-01-26T10:36:55+08:00 is after 2026-01-23T09:10:31Z; if you choose to ignore these errors, turn validation off with --validate=false

Check the certificates: kubeadm certs check-expiration

Renew the certificates: kubeadm certs renew all

Restart the components so the new certificates take effect

# Move the manifests out
mv /etc/kubernetes/manifests/kube-controller-manager.yaml /tmp/
mv /etc/kubernetes/manifests/kube-scheduler.yaml /tmp/

# Wait 10 seconds, then move them back
sleep 10
mv /tmp/kube-controller-manager.yaml /etc/kubernetes/manifests/
mv /tmp/kube-scheduler.yaml /etc/kubernetes/manifests/

# Restart the kubelet
systemctl restart kubelet

Update your local admin config
cp /etc/kubernetes/admin.conf ~/.kube/config
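
To catch the expiry before kubectl starts failing, the following added example (not part of the original note) lists certificates under kubeadm's default /etc/kubernetes directory that expire within a given number of days, including the client certificate embedded in kubeconfig files such as admin.conf. The function names and the 30-day default window are assumptions made for this example.

```sh
#!/bin/sh
# Added example: report kubeadm certificates that expire soon.
# Assumes kubeadm's default layout under /etc/kubernetes and the openssl CLI.

# pem_of FILE: print the certificate held in FILE as PEM.
# Kubeconfig files (*.conf) embed it base64-encoded in client-certificate-data.
pem_of() {
  case $1 in
    *.conf) sed -n 's/^ *client-certificate-data: *//p' "$1" | head -n 1 | base64 -d ;;
    *)      cat "$1" ;;
  esac
}

# expiring_certs ROOT DAYS: print "notAfter<TAB>path" for every *.crt and
# *.conf under ROOT whose certificate expires within DAYS days (0 = already
# expired). Files without a parsable certificate are skipped, e.g. a
# kubeconfig that references a certificate file instead of embedding it.
expiring_certs() (
  root=$1; days=$2
  find "$root" -type f \( -name '*.crt' -o -name '*.conf' \) | sort |
  while IFS= read -r f; do
    pem=$(pem_of "$f" 2>/dev/null) || continue
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) || continue
    # -checkend exits non-zero when the certificate expires within the window
    if ! printf '%s\n' "$pem" |
         openssl x509 -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
      printf '%s\t%s\n' "${end#notAfter=}" "$f"
    fi
  done
)

# Usage: script [ROOT] [DAYS]; defaults to /etc/kubernetes and 30 days.
ROOT=${1:-/etc/kubernetes}
if [ -d "$ROOT" ]; then
  expiring_certs "$ROOT" "${2:-30}"
fi
```

Run from cron on each control-plane node, any output means a renewal is due; an empty result means nothing expires within the window.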