- Specific to RHEL
# Let the K3s pod and service networks through firewalld by putting both
# CIDRs into the "trusted" zone (everything arriving from those sources is
# accepted). 10.42.0.0/16 and 10.43.0.0/16 are the K3s defaults; change them
# if the cluster runs with a different --cluster-cidr / --service-cidr.
sudo firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 # pod CIDR
sudo firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 # service CIDR
sudo firewall-cmd --reload
sudo firewall-cmd --list-all-zones   # confirm both sources show up under "trusted"

# Master (server) node: drop the stale CNI lock, stop everything K3s
# started, then bring the server unit back and check it.
sudo rm -f /var/lib/cni/networks/cbr0/lock
sudo /usr/local/bin/k3s-killall.sh
sudo systemctl restart k3s
sudo systemctl status k3s

# Worker (agent) node: identical steps, but against the agent unit.
sudo rm -f /var/lib/cni/networks/cbr0/lock
sudo /usr/local/bin/k3s-killall.sh
sudo systemctl restart k3s-agent
sudo systemctl status k3s-agent
Check Certificates
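# Inspect the certificate the K3s API server presents on :6443.
# NOTE: "openssl x509" parses only the FIRST PEM block of the s_client output,
# which is the server's leaf certificate, not the CA that signed it. When the
# actual CA is needed (e.g. certificate-authority-data in a kubeconfig), take
# it from the CA files under /var/lib/rancher/k3s/server/tls/ instead.
# s_client's stderr carries verify/status chatter that is not part of the
# certificate; keep it out of the pipe, consistent with the lines below.
openssl s_client -connect localhost:6443 -showcerts < /dev/null 2>/dev/null | openssl x509 -noout -enddate
openssl s_client -showcerts -connect 193.168.51.103:6443 < /dev/null 2>/dev/null | openssl x509 -outform PEM
# Same, as single-line base64 (the form a kubeconfig embeds).
openssl s_client -showcerts -connect 193.168.51.103:6443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | base64 | tr -d '\n'

# Check end date of every server-side cert. Glob instead of parsing `ls`,
# and quote the path so unusual filenames cannot word-split.
for i in /var/lib/rancher/k3s/server/tls/*.crt; do
  printf '%s\n' "$i"
  openssl x509 -enddate -noout -in "$i"
done

# More efficient: one line per cert with the ISO expiry date first, so the
# output sorts by expiry. (--date and --iso-8601 are GNU date options.)
cd /var/lib/rancher/k3s/server/tls/
for crt in *.crt; do
  printf '%s: %s\n' "$(date --date="$(openssl x509 -enddate -noout -in "$crt" | cut -d= -f 2)" --iso-8601)" "$crt"
done | sort

# Check the CA issuer of each cert. A quoted glob replaces the unquoted
# $(find ...) loop; the -f test skips a literal "*.crt" when nothing matches.
for crt in *.crt; do
  [[ -f "$crt" ]] || continue
  openssl x509 -in "$crt" -noout -issuer
done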
General Checks RKE2/K3S
Useful gist for troubleshooting etcd: link
# Follow the server unit's journal and the agent-side component logs.
journalctl -u rke2-server.service -f

tail -f /var/lib/rancher/rke2/agent/containerd/containerd.log

tail -f /var/lib/rancher/rke2/agent/logs/kubelet.log

# crictl: three ways to point the bundled crictl at RKE2's containerd —
# via the config env var, via --config, or via the socket path directly.
CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
export CRI_CONFIG_FILE
/var/lib/rancher/rke2/bin/crictl ps

/var/lib/rancher/rke2/bin/crictl --config /var/lib/rancher/rke2/agent/etc/crictl.yaml ps

# -a also lists containers that have already exited.
/var/lib/rancher/rke2/bin/crictl --runtime-endpoint unix:///run/k3s/containerd/containerd.sock ps -a

# ctr speaks to containerd itself; kubelet-managed containers are in the k8s.io namespace.
/var/lib/rancher/rke2/bin/ctr --address /run/k3s/containerd/containerd.sock --namespace k8s.io container ls

# kubectl: rke2.yaml is the cluster-admin kubeconfig (normally root-only on
# disk) — treat it as a credential rather than a config file.
KUBECONFIG=/etc/rancher/rke2/rke2.yaml
export KUBECONFIG
PATH="${PATH}:/usr/local/bin/:/var/lib/rancher/rke2/bin/"
export PATH
kubectl get addon -A
- check etcd endpoint status
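# Point crictl at RKE2's containerd and look up the running etcd container.
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
etcdcontainer=$(/var/lib/rancher/rke2/bin/crictl ps --label io.kubernetes.container.name=etcd --quiet)
# Stop with a clear message when no etcd container is running here (agent-only
# node, external etcd, or etcd down); the unquoted expansion used to hand
# crictl an empty argument and a confusing error. Quoting also keeps an
# unexpected multi-ID result from being executed as a command.
if [[ -z "$etcdcontainer" ]]; then
  printf 'no running etcd container found on this node\n' >&2
else
  # etcdctl inside the container, authenticating with the server-client cert pair.
  /var/lib/rancher/rke2/bin/crictl exec "$etcdcontainer" sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/var/lib/rancher/rke2/server/tls/etcd/server-ca.crt' ETCDCTL_CERT='/var/lib/rancher/rke2/server/tls/etcd/server-client.crt' ETCDCTL_KEY='/var/lib/rancher/rke2/server/tls/etcd/server-client.key' ETCDCTL_API=3 etcdctl endpoint status --cluster --write-out=table"
fi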
- check etcd health status
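# Point crictl at RKE2's containerd and look up the running etcd container.
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
etcdcontainer=$(/var/lib/rancher/rke2/bin/crictl ps --label io.kubernetes.container.name=etcd --quiet)
# Stop with a clear message when no etcd container is running here (agent-only
# node, external etcd, or etcd down); the unquoted expansion used to hand
# crictl an empty argument and a confusing error. Quoting also keeps an
# unexpected multi-ID result from being executed as a command.
if [[ -z "$etcdcontainer" ]]; then
  printf 'no running etcd container found on this node\n' >&2
else
  # Cluster-wide health check via etcdctl inside the container.
  /var/lib/rancher/rke2/bin/crictl exec "$etcdcontainer" sh -c "ETCDCTL_ENDPOINTS='https://127.0.0.1:2379' ETCDCTL_CACERT='/var/lib/rancher/rke2/server/tls/etcd/server-ca.crt' ETCDCTL_CERT='/var/lib/rancher/rke2/server/tls/etcd/server-client.crt' ETCDCTL_KEY='/var/lib/rancher/rke2/server/tls/etcd/server-client.key' ETCDCTL_API=3 etcdctl endpoint health --cluster --write-out=table"
fi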
Rancher
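# Rancher local install - for example on WSL.
# The Rancher single-node container install documents --privileged as
# required; it grants the container full access to the host, so keep this to
# lab/dev machines. "rancher/rancher" without a tag pulls :latest — pin a
# version for anything meant to last.
# Capture the container ID that `podman run -d` prints instead of hard-coding
# one: IDs differ on every host, so the pasted snippet worked only once.
cid=$(sudo podman run --privileged -d --restart=unless-stopped -p 80:80 -p 443:443 rancher/rancher)
sudo podman ps
# The bootstrap password for the first admin login is written to the
# container log; it may not appear until Rancher has finished starting.
sudo podman logs "$cid" 2>&1 | grep "Bootstrap Password:"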
«««< HEAD
Check Certificates
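# Inspect the certificate the K3s API server presents on :6443.
# NOTE: "openssl x509" parses only the FIRST PEM block of the s_client output,
# which is the server's leaf certificate, not the CA that signed it. When the
# actual CA is needed (e.g. certificate-authority-data in a kubeconfig), take
# it from the CA files under /var/lib/rancher/k3s/server/tls/ instead.
# s_client's stderr carries verify/status chatter that is not part of the
# certificate; keep it out of the pipe, consistent with the lines below.
openssl s_client -connect localhost:6443 -showcerts < /dev/null 2>/dev/null | openssl x509 -noout -enddate
openssl s_client -showcerts -connect 193.168.51.103:6443 < /dev/null 2>/dev/null | openssl x509 -outform PEM
# Same, as single-line base64 (the form a kubeconfig embeds).
openssl s_client -showcerts -connect 193.168.51.103:6443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | base64 | tr -d '\n'

# Check end date of every server-side cert. Glob instead of parsing `ls`,
# and quote the path so unusual filenames cannot word-split.
for i in /var/lib/rancher/k3s/server/tls/*.crt; do
  printf '%s\n' "$i"
  openssl x509 -enddate -noout -in "$i"
done

# More efficient: one line per cert with the ISO expiry date first, so the
# output sorts by expiry. (--date and --iso-8601 are GNU date options.)
cd /var/lib/rancher/k3s/server/tls/
for crt in *.crt; do
  printf '%s: %s\n' "$(date --date="$(openssl x509 -enddate -noout -in "$crt" | cut -d= -f 2)" --iso-8601)" "$crt"
done | sort

# Check the CA issuer of each cert. A quoted glob replaces the unquoted
# $(find ...) loop; the -f test skips a literal "*.crt" when nothing matches.
for crt in *.crt; do
  [[ -f "$crt" ]] || continue
  openssl x509 -in "$crt" -noout -issuer
done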
ef1214ec03ba0c42d44b7726b9081bb9aa63b5ba