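Error message

localhost:6443: connect: connection refused

The kube-apiserver service is not running and nothing is listening on port 6443. Every request that components such as kubelet and kubectl send to 192.168.52.130:6443 is refused.

Cause

Certificates issued by default when kubeadm initializes a cluster are valid for 1 year. Once they expire, the apiserver fails at startup, and its static Pod crashes repeatedly and cannot stay up, which is why ps does not show the process.

Troubleshooting

```
# Check whether the apiserver service is running
ps -ef | grep kube-apiserver
root 4078 2517 0 15:58 pts/0 00:00:00 grep --color=auto kube-apiserver

# Check the container status and its error log
docker ps -a | grep kube-apiserver
9fec6a6720f4   8a9000f98a52   "kube-apiserver --ad…"   52 seconds ago   Exited (255) 31 seconds ago   k8s_kube-apiserver_kube-apiserver-k8s-master01_kube-system_108b6c7b4e81bd853b98abef5d52b169_73
d605c0ad3bce   registry.aliyuncs.com/google_containers/pause:3.8   "/pause"   19 minutes ago   Up 19 minutes   k8s_POD_kube-apiserver-k8s-master01_kube-system_108b6c7b4e81bd853b98abef5d52b169_65

docker logs 9fec6a6720f4
Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2026-07-04T08:11:42Z is after 2026-06-12T08:57:18Z"
```

The apiserver container log makes it clear that the TLS certificate used to communicate with etcd has expired.

Fix

1. First check the expiration time of all current certificates

```
kubeadm certs check-expiration
```

2. Renew all cluster certificates in one step

```
kubeadm certs renew all
```

3. Regenerate the administrator kubeconfig certificate configuration

```
kubeadm init phase kubeconfig admin
# Overwrite the current user's kubeconfig
cp -f /etc/kubernetes/admin.conf ~/.kube/config
```

4. Restart kubelet so that the control-plane static Pods (apiserver/controller/scheduler/etcd) are recreated and load the new certificates

```
systemctl restart kubelet
```

5. Wait 30 seconds, then verify that the service has recovered

```
# Check that the apiserver is running normally
docker ps | grep kube-apiserver
# Verify that port 6443 is listening
ss -tnlp | grep 6443
# Test cluster commands
kubectl get nodes
kubectl get pods -n kube-system
```

Verification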
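The x509 message in the apiserver container log covers two cases: an expired certificate ("is after") and one that is not yet valid ("is before", typically a wrong node clock), and only the first is fixed by `kubeadm certs renew all`. The following is an added example, not part of the original post, that tells the two apart from a log line; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Go's crypto/x509 uses one message for both validity failures; only the
# "after"/"before" detail tells an expired certificate from a future one.
_TS = r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:Z|[+-]\d\d:\d\d)"
_X509 = re.compile(
    r"x509: certificate has expired or is not yet valid: "
    rf"current time (?P<now>{_TS}) is (?P<rel>after|before) (?P<bound>{_TS})"
)

def _parse(ts):
    # RFC 3339 timestamp; map "Z" to an explicit offset for fromisoformat()
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def classify(line):
    """Return (verdict, timedelta) for an x509 validity error, else None."""
    m = _X509.search(line)
    if m is None:
        return None
    now, bound = _parse(m["now"]), _parse(m["bound"])
    if m["rel"] == "after":
        return "expired", now - bound        # bound is the cert's NotAfter
    return "not-yet-valid", bound - now      # bound is the cert's NotBefore

def advise(line):
    """One-line triage hint for a log line, or None if it is unrelated."""
    hit = classify(line)
    if hit is None:
        return None
    verdict, delta = hit
    if verdict == "expired":
        return f"certificate expired {delta.days}d ago: renew it"
    return f"certificate valid in {delta.days}d: check the node clock first"

# First entry is the error shown on this page; the other two are constructed.
SAMPLE_LOG = [
    'Err: connection error: desc = "transport: authentication handshake '
    'failed: tls: failed to verify certificate: x509: certificate has expired '
    'or is not yet valid: current time 2026-07-04T08:11:42Z is after '
    '2026-06-12T08:57:18Z"',
    "x509: certificate has expired or is not yet valid: current time "
    "2025-01-01T00:00:00Z is before 2025-06-12T08:57:18Z",
    "dial tcp 127.0.0.1:6443: connect: connection refused",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(advise(entry))
```
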