Renewing expired certificates in a kubeadm cluster


The certificates kubeadm generates are valid for 1 year by default. The original certificate files, above all the CA certificates and keys (ca, etcd-ca, front-proxy-ca under /etc/kubernetes/pki), must still be on the server for the renewal to work: kubeadm re-signs the leaf certificates with the existing CAs. If they are gone and a new CA gets generated instead, every kubelet and every kubeconfig that trusts the old CA stops authenticating, and the cluster may not be recoverable.

Check the expiry dates with the following command (on v1.20 the `kubeadm alpha certs` form still works but is deprecated in favour of `kubeadm certs`, as the first line of the output says):

[root@master ~]# kubeadm alpha certs check-expiration
Command "check-expiration" is deprecated, please use the same command under "kubeadm certs"
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 02, 2022 11:26 UTC   7d                                      no
apiserver                  Mar 02, 2022 11:26 UTC   7d              ca                      no
apiserver-etcd-client      Mar 02, 2022 11:26 UTC   7d              etcd-ca                 no
apiserver-kubelet-client   Mar 02, 2022 11:26 UTC   7d              ca                      no
controller-manager.conf    Mar 02, 2022 11:26 UTC   7d                                      no
etcd-healthcheck-client    Mar 02, 2022 11:26 UTC   7d              etcd-ca                 no
etcd-peer                  Mar 02, 2022 11:26 UTC   7d              etcd-ca                 no
etcd-server                Mar 02, 2022 11:26 UTC   7d              etcd-ca                 no
front-proxy-client         Mar 02, 2022 11:26 UTC   7d              front-proxy-ca          no
scheduler.conf             Mar 02, 2022 11:26 UTC   7d                                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 28, 2031 11:26 UTC   9y              no
etcd-ca                 Feb 28, 2031 11:26 UTC   9y              no
front-proxy-ca          Feb 28, 2031 11:26 UTC   9y              no

The certificates expire in 7 days. Rather than renew them every year, this guide patches the kubeadm source so that newly signed certificates are valid for 10 years. Two caveats before doing so. First, the CA certificates themselves are valid for 10 years (Feb 28, 2031 in the output above), and a leaf certificate is only usable while its CA is valid, so any leaf validity beyond the CA's expiry buys nothing. Second, Kubernetes does not check certificate revocation, so a long-lived client certificate that leaks (admin.conf above carries cluster-admin rights) stays usable until it expires; guard the pki directory and the kubeconfig files accordingly.

1. Download the source

Pull the source of the version matching the cluster (`kubeadm version` shows it); here v1.20.2:

# yum install git
git clone --branch v1.20.2 https://github.com/kubernetes/kubernetes.git
cd kubernetes

2. Change the certificate validity to 10 years (the CA validity is already 10 years and is left unchanged)

The constant is CertificateValidity; multiply the stock value by 10. A larger factor such as 99 gains nothing, because the chain stops validating once the 10-year CA expires.

vim ./cmd/kubeadm/app/constants/constants.go
Excerpt of the const block; only the CertificateValidity line changes:
const (
        // KubernetesDir is the directory Kubernetes owns for storing various configuration files
        KubernetesDir = "/etc/kubernetes"
        // ManifestsSubDirName defines directory name to store manifests
        ManifestsSubDirName = "manifests"
        // TempDirForKubeadm defines temporary directory for kubeadm
        // should be joined with KubernetesDir.
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        // Stock value: CertificateValidity = time.Hour * 24 * 365
        // Patched to 10 years, the same as the CA validity; a longer leaf validity is capped by the CA anyway
        CertificateValidity = time.Hour * 24 * 365 * 10

        // CACertAndKeyBaseName defines certificate authority base name
        CACertAndKeyBaseName = "ca"
        // CACertName defines certificate name
        CACertName = "ca.crt"
        // CAKeyName defines certificate name
        CAKeyName = "ca.key"

3. Rebuild from source

There are several ways to do this; the steps below build directly on the machine.

* Package preparation
CentOS:

yum install gcc make -y
yum install rsync jq -y

* Install Go. The version the tree expects is recorded in ./build/build-image/cross/VERSION (v1.15.5-1 here); installation is covered in the appendix.
Do everything on the same system: unpacking the source on Windows and then compiling it on Linux kept failing with format errors.

* Rebuild kubeadm:
make all WHAT=cmd/kubeadm GOFLAGS=-v
# kubelet and kubectl can be rebuilt the same way, but this is optional: only kubeadm signs the certificates listed above
make all WHAT=cmd/kubelet GOFLAGS=-v
make all WHAT=cmd/kubectl GOFLAGS=-v
* The built kubeadm is at _output/bin/kubeadm; bin is a symlink, the real path is _output/local/bin/linux/amd64/kubeadm. Replace the installed binary, keeping the old one:
mv /usr/bin/kubeadm /usr/bin/kubeadm_bak
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm

4. Renew the certificates

1. Back up the PKI directory
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.backup

2. Back up the kubeconfig files (they live in /etc/kubernetes; a bare `cp *.conf` copies from the current directory instead)
mkdir -p /etc/kubernetes/back && cp /etc/kubernetes/*.conf /etc/kubernetes/back

3. Check the expiry dates
kubeadm alpha certs check-expiration

4. Renew all certificates with the rebuilt kubeadm (`kubeadm certs renew all` is the non-deprecated form on v1.20 and later)
kubeadm alpha certs renew all

5. Check the expiry dates again
kubeadm alpha certs check-expiration

6. Restart the control-plane components. kubeadm only rewrites the files; kube-apiserver, kube-controller-manager, kube-scheduler and etcd are static pods and keep the old certificates in memory until restarted. Move their manifests out of /etc/kubernetes/manifests, wait about 20 seconds, and move them back. Then replace the admin kubeconfig (cp /etc/kubernetes/admin.conf ~/.kube/config) and repeat the whole procedure on every control-plane node of an HA cluster.
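The two checks worth running around this procedure, as an added example that is not code from the article or from kubeadm: (a) the point behind step 2, that a leaf certificate is only usable while its CA is valid, so the effective lifetime of a patched certificate is min(leaf NotAfter, CA NotAfter), and (b) the point behind the backup in step 4, that after `certs renew` the CA in pki/ must be byte-for-byte the one in pki.backup/, otherwise existing leaves stop validating. The program below uses the standard-library crypto/x509 package that kubeadm's certificate code is built on. It generates a throwaway 10-year CA and a 99-year leaf in memory as constructed stand-ins for ca.crt and apiserver.crt (the names, key type and durations are assumptions); against real files you would load each with pem.Decode and x509.ParseCertificate instead of calling newCA and signLeaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// kubeadm's validity periods: CAs are self-signed for 10 years, leaves for CertificateValidity (1y stock, 99y as patched by some guides).
const (
	Year         = 365 * 24 * time.Hour
	CAValidity   = 10 * Year
	LeafValidity = 99 * Year
)

// newCA builds a self-signed CA, a constructed stand-in for /etc/kubernetes/pki/ca.crt.
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             now,
		NotAfter:              now.Add(CAValidity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signLeaf issues a serving certificate under ca, a stand-in for apiserver.crt with the given validity.
func signLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// fingerprint is the SHA-256 of the DER bytes; equal values for pki.backup/ca.crt and pki/ca.crt after renewal prove the CA was reused.
func fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// chainValidAt is the path validation a kubelet or kubectl performs against the API server, evaluated at instant t.
func chainValidAt(leaf, ca *x509.Certificate, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: t,
	})
	return err == nil
}

// effectiveExpiry is when the chain stops validating: the earlier NotAfter of leaf and CA. A 99-year leaf under a 10-year CA is a 10-year leaf.
func effectiveExpiry(leaf, ca *x509.Certificate) time.Time {
	if ca.NotAfter.Before(leaf.NotAfter) {
		return ca.NotAfter
	}
	return leaf.NotAfter
}

func main() {
	now := time.Now()
	ca, caKey, err := newCA(now)
	if err != nil {
		panic(err)
	}
	leaf, err := signLeaf(ca, caKey, now, LeafValidity)
	if err != nil {
		panic(err)
	}
	fmt.Println("ca sha256:", fingerprint(ca), "effective expiry:", effectiveExpiry(leaf, ca).UTC())
	fmt.Println("chain valid at +9y:", chainValidAt(leaf, ca, now.Add(9*Year)), "at +11y:", chainValidAt(leaf, ca, now.Add(11*Year)))
}
```

The +11y check fails even though the leaf's own NotAfter is decades away, which is why 10 is the right multiplier for CertificateValidity and why renewing the CAs themselves is a separate problem. Compare fingerprint(ca) over pki.backup/ca.crt and pki/ca.crt after step 4: if they differ, the CA was regenerated and the old kubeconfigs and kubelet certificates will no longer validate, exactly the failure mode the warning at the top describes.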

  

  

Appendix: installing Go

Go supports the following systems:

  • Linux
  • FreeBSD
  • Mac OS X (also called Darwin)
  • Windows

Download page: https://golang.org/dl/

If that is unreachable, use: https://golang.google.cn/dl/

Find the target version (go1.15.5 here, matching build/build-image/cross/VERSION).

1. Download the tarball and extract it

[root@localhost ~]# tar xf go1.15.5.linux-amd64.tar.gz  -C /usr/local/

2. Add the environment variables

# vim /etc/profile
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin

# source /etc/profile

3. Check the Go version

[root@localhost ~]# go version
go version go1.15.5 linux/amd64