
Commit d3d497b

Merge pull request #36073 from jzhupup/jzhupup
[zh-cn] resync /tls/manual-rotation-of-ca-certificates.md
2 parents 711fc9d + 4079daa commit d3d497b

File tree

1 file changed

+3
-29
lines changed

content/zh-cn/docs/tasks/tls/manual-rotation-of-ca-certificates.md

Lines changed: 3 additions & 29 deletions
@@ -99,41 +99,15 @@ Configurations with a single API server will experience unavailability while the
9999
{{< /note >}}
100100

101101
<!--
102-
1. Update all Secrets that hold service account tokens to include both old and new CA certificates.
102+
1. Wait for the controller manager to update ca.crt in the service account Secrets to include both old and new CA certificates.
103103
104-
If any pods are started before new CA is used by API servers, the new Pods get this update and will trust both
105-
old and new CAs.
104+
If any Pods are started before new CA is used by API servers, the new Pods get this update and will trust both old and new CAs.
106105
-->
107-
3. 更新所有的保存服务账号令牌的 Secret,使之同时包含老的和新的 CA 证书。
106+
3. 等待该控制器管理器更新服务账号 Secret 中的 `ca.crt`,使之同时包含老的和新的 CA 证书。
108107

109108
如果在 API 服务器使用新的 CA 之前启动了新的 Pod,这些新的 Pod
110109
也会获得此更新并且同时信任老的和新的 CA 证书。
111110

112-
<!--
113-
```shell
114-
base64_encoded_ca="$(base64 -w0 <path to file containing both old and new CAs>)"
115-
116-
for namespace in $(kubectl get ns --no-headers | awk '{print $1}'); do
117-
for token in $(kubectl get secrets --namespace "$namespace" --field-selector type=kubernetes.io/service-account-token -o name); do
118-
kubectl get $token --namespace "$namespace" -o yaml | \
119-
/bin/sed "s/\(ca.crt:\).*/\1 ${base64_encoded_ca}/" | \
120-
kubectl apply -f -
121-
done
122-
done
123-
```
124-
-->
125-
```shell
126-
base64_encoded_ca="$(base64 -w0 <同时包含老的和新的 CA 的文件路径>)"
127-
128-
for namespace in $(kubectl get ns --no-headers | awk '{print $1}'); do
129-
for token in $(kubectl get secrets --namespace "$namespace" --field-selector type=kubernetes.io/service-account-token -o name); do
130-
kubectl get $token --namespace "$namespace" -o yaml | \
131-
/bin/sed "s/\(ca.crt:\).*/\1 ${base64_encoded_ca}/" | \
132-
kubectl apply -f -
133-
done
134-
done
135-
```
136-
137111
<!--
138112
1. Restart all pods using in-cluster configurations (for example: kube-proxy, CoreDNS, etc) so they can use the
139113
updated certificate authority data from Secrets that link to ServiceAccounts.
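Review bot: the replacement step (the `+` line "等待该控制器管理器更新服务账号 Secret 中的 `ca.crt`，使之同时包含老的和新的 CA 证书。") faithfully mirrors the new English comment "Wait for the controller manager to update ca.crt in the service account Secrets to include both old and new CA certificates.", but with the manual `for namespace ... kubectl apply -f -` loop deleted from both the English comment and the Chinese text, the reader is given no way to tell when that wait is over before moving on to the Pod restarts in the trailing context lines. Consider asking upstream for (and then mirroring in the zh-cn text) a one-line verification hint, such as decoding the `ca.crt` field of one `kubernetes.io/service-account-token` Secret and confirming it now carries both the old and the new CA certificate. A smaller point: the new Chinese line wraps `ca.crt` in backticks while the new English comment line leaves it bare; harmless, but worth aligning the two so the next resync diff stays minimal.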
