Kubernetes needs PKI certificates for TLS-based authentication. If you installed Kubernetes with kubeadm, the certificates the cluster needs are generated automatically:
♦ Serving certificate for the API server endpoint
♦ Client certificate for the kubelet, used to authenticate to the API server
♦ Client certificate for the cluster administrator, used to authenticate to the API server
♦ Client certificate for the API server, used for its sessions with the kubelets
♦ Client certificate for the API server, used for its sessions with etcd
♦ Client certificate/kubeconfig for the controller manager, used for its sessions with the API server
♦ Client certificate/kubeconfig for the scheduler, used for its sessions with the API server
♦ Client and server certificates for the front proxy
For details, see the official documentation: https://kubernetes.io/zh/docs/setup/best-practices/certificates/
Viewing the certificates
Note: by default the root CA certificates are valid for 10 years; all other certificates are valid for 1 year.
[root@ymt108 ~]# cd /etc/kubernetes/pki
[root@ymt108 pki]# tree
.
├── apiserver.crt
├── apiserver-etcd-client.crt
├── apiserver-etcd-client.key
├── apiserver.key
├── apiserver-kubelet-client.crt
├── apiserver-kubelet-client.key
├── ca.crt
├── ca.key
├── etcd
│   ├── ca.crt
│   ├── ca.key
│   ├── healthcheck-client.crt
│   ├── healthcheck-client.key
│   ├── peer.crt
│   ├── peer.key
│   ├── server.crt
│   └── server.key
├── front-proxy-ca.crt
├── front-proxy-ca.key
├── front-proxy-client.crt
├── front-proxy-client.key
├── sa.key
└── sa.pub

1 directory, 22 files
[root@ymt108 pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 03, 2021 01:02 UTC   322d                                    no
apiserver                  Jul 03, 2021 01:02 UTC   322d            ca                      no
apiserver-etcd-client      Jul 03, 2021 01:02 UTC   322d            etcd-ca                 no
apiserver-kubelet-client   Jul 03, 2021 01:02 UTC   322d            ca                      no
controller-manager.conf    Jul 03, 2021 01:02 UTC   322d                                    no
etcd-healthcheck-client    Jul 03, 2021 01:02 UTC   322d            etcd-ca                 no
etcd-peer                  Jul 03, 2021 01:02 UTC   322d            etcd-ca                 no
etcd-server                Jul 03, 2021 01:02 UTC   322d            etcd-ca                 no
front-proxy-client         Jul 03, 2021 01:02 UTC   322d            front-proxy-ca          no
scheduler.conf             Jul 03, 2021 01:02 UTC   322d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 01, 2030 01:02 UTC   9y              no
etcd-ca                 Jul 01, 2030 01:02 UTC   9y              no
front-proxy-ca          Jul 01, 2030 01:02 UTC   9y              no
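As an added example (not code from the original post), the following shell script parses the table printed by kubeadm alpha certs check-expiration and reports every certificate or CA with fewer than a given number of days left, so the renewal procedure described later can be scheduled before expiry rather than after an outage. The function names are hypothetical and the sample output is constructed to match the column layout shown above.

```bash
# Added example, not code from the original post: parse the table printed by
# "kubeadm alpha certs check-expiration" and list every certificate whose
# RESIDUAL TIME is below a threshold, so renewal is scheduled before components
# start rejecting each other's TLS handshakes. Function names are hypothetical.

# Residual-time token (322d, 9y, 23h, 59m) to whole days. Anything else, e.g.
# the <invalid> kubeadm prints for an expired certificate, counts as 0 days.
residual_to_days() {
  case "$1" in
    *y) echo $(( ${1%y} * 365 )) ;;
    *d) echo "${1%d}" ;;
    *)  echo 0 ;;
  esac
}

# Read check-expiration output on stdin and print "name days-left" for every
# row below the threshold in $1. The timestamp takes five tokens ("Jul 03,
# 2021 01:02 UTC"), so the residual time is the 7th field in both tables.
certs_expiring_within() {
  limit="$1"
  while read -r name f2 f3 f4 f5 f6 residual _ || [ -n "$name" ]; do
    case "$name" in
      ""|CERTIFICATE|\[*) continue ;;   # blank lines, headers, [check-expiration] notes
    esac
    days=$(residual_to_days "$residual")
    if [ "$days" -lt "$limit" ]; then
      echo "$name $days"
    fi
  done
  return 0
}

# Constructed sample in kubeadm's layout (not data from a real cluster).
sample_output() {
  cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 03, 2021 01:02 UTC   322d                                    no
apiserver                  Aug 27, 2020 01:02 UTC   12d             ca                      no
etcd-peer                  Aug 10, 2020 01:02 UTC   <invalid>       etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 01, 2030 01:02 UTC   9y              no
EOF
}

# Alert on anything with under 30 days left; on a real node pipe in
# "kubeadm alpha certs check-expiration" instead of sample_output.
sample_output | certs_expiring_within 30
```

Run from cron on each control-plane node and the non-empty output is the signal to start the renewal procedure; an expired certificate shows up with 0 days left.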
Renewing the certificates
1. Generate certificates manually with a custom validity period
We can generate the cluster's certificates manually with easyrsa, openssl or cfssl and choose our own validity period.
For details, see the official documentation: https://kubernetes.io/zh/docs/concepts/cluster-administration/certificates/
2. Upgrade the cluster regularly to renew the certificates
kubeadm renews all certificates during a control-plane upgrade; this feature is designed to cover the simplest use case.
For details, see the official documentation: https://kubernetes.cn/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/
- If you have no special requirements for renewing these certificates and perform Kubernetes version upgrades regularly (less than 1 year between upgrades), kubeadm will keep your cluster up to date and reasonably secure.
- If you have more complex requirements for certificate renewal, you can opt out of the default behaviour by passing --certificate-renewal=false to kubeadm upgrade apply or kubeadm upgrade node.
3. Renew the certificates with the kubeadm command
You can renew certificates manually at any time with the kubeadm alpha certs renew command, either a single certificate or all of them.
The procedure is: back up the configuration -> fetch the cluster configuration -> renew all certificates -> delete the existing kubeconfig files -> regenerate them -> copy the admin config -> restart the k8s containers -> restart kubelet.
Note: if you run an HA cluster, this command must be executed on every control-plane node.
[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 17, 2022 02:52 UTC   364d                                    no
apiserver                  May 17, 2022 02:52 UTC   364d            ca                      no
apiserver-etcd-client      May 17, 2022 02:52 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   May 17, 2022 02:52 UTC   364d            ca                      no
controller-manager.conf    May 17, 2022 02:52 UTC   364d                                    no
etcd-healthcheck-client    May 17, 2022 02:52 UTC   364d            etcd-ca                 no
etcd-peer                  May 17, 2022 02:52 UTC   364d            etcd-ca                 no
etcd-server                May 17, 2022 02:52 UTC   364d            etcd-ca                 no
front-proxy-client         May 17, 2022 02:52 UTC   364d            front-proxy-ca          no
scheduler.conf             May 17, 2022 02:52 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 15, 2031 02:52 UTC   9y              no
etcd-ca                 May 15, 2031 02:52 UTC   9y              no
front-proxy-ca          May 15, 2031 02:52 UTC   9y              no
[root@k8s-master ~]#
[root@k8s-master ~]# date -s "2022-2-2"
Wed Feb  2 00:00:00 PST 2022
[root@k8s-master ~]# cp -r /etc/kubernetes /etc/kubernetes_old
[root@k8s-master ~]# kubeadm config view > kubeadm-upgrade.yaml
[root@k8s-master ~]# cat kubeadm-upgrade.yaml
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.17.5
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}
[root@k8s-master ~]# kubeadm alpha certs renew all --config kubeadm-upgrade.yaml
W0202 00:00:39.255964   43273 validation.go:28] Cannot validate kube-proxy config - no validator is available
W0202 00:00:39.256023   43273 validation.go:28] Cannot validate kubelet config - no validator is available
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@k8s-master ~]#
[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 02, 2023 08:00 UTC   364d                                    no
apiserver                  Feb 02, 2023 08:00 UTC   364d            ca                      no
apiserver-etcd-client      Feb 02, 2023 08:00 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Feb 02, 2023 08:00 UTC   364d            ca                      no
controller-manager.conf    Feb 02, 2023 08:00 UTC   364d                                    no
etcd-healthcheck-client    Feb 02, 2023 08:00 UTC   364d            etcd-ca                 no
etcd-peer                  Feb 02, 2023 08:00 UTC   364d            etcd-ca                 no
etcd-server                Feb 02, 2023 08:00 UTC   364d            etcd-ca                 no
front-proxy-client         Feb 02, 2023 08:00 UTC   364d            front-proxy-ca          no
scheduler.conf             Feb 02, 2023 08:00 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 15, 2031 02:52 UTC   9y              no
etcd-ca                 May 15, 2031 02:52 UTC   9y              no
front-proxy-ca          May 15, 2031 02:52 UTC   9y              no
[root@k8s-master ~]#
[root@k8s-master ~]# rm -rf /etc/kubernetes/*.conf
[root@k8s-master ~]# kubeadm init phase kubeconfig all --config kubeadm-upgrade.yaml
W0202 00:01:00.936473   43453 validation.go:28] Cannot validate kube-proxy config - no validator is available
W0202 00:01:00.936517   43453 validation.go:28] Cannot validate kubelet config - no validator is available
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[root@k8s-master ~]#
[root@k8s-master ~]# \cp /etc/kubernetes/admin.conf $HOME/.kube/config
[root@k8s-master ~]# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
912e36b808af
57e3c34bf9eb
2b53c4267a3b
a19d0ad23539
[root@k8s-master ~]# date -s "2023-1-1"
Sun Jan  1 00:00:00 PST 2023
[root@k8s-master ~]# systemctl restart kubelet
[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 02, 2023 08:00 UTC   31d                                     no
apiserver                  Feb 02, 2023 08:00 UTC   31d             ca                      no
apiserver-etcd-client      Feb 02, 2023 08:00 UTC   31d             etcd-ca                 no
apiserver-kubelet-client   Feb 02, 2023 08:00 UTC   31d             ca                      no
controller-manager.conf    Feb 02, 2023 08:00 UTC   31d                                     no
etcd-healthcheck-client    Feb 02, 2023 08:00 UTC   31d             etcd-ca                 no
etcd-peer                  Feb 02, 2023 08:00 UTC   31d             etcd-ca                 no
etcd-server                Feb 02, 2023 08:00 UTC   31d             etcd-ca                 no
front-proxy-client         Feb 02, 2023 08:00 UTC   31d             front-proxy-ca          no
scheduler.conf             Feb 02, 2023 08:00 UTC   31d                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 15, 2031 05:57 UTC   8y              no
etcd-ca                 May 15, 2031 05:57 UTC   8y              no
front-proxy-ca          May 15, 2031 05:57 UTC   8y              no
[root@k8s-master ~]# kubectl get nodes -w
NAME         STATUS   ROLES    AGE    VERSION
k8s-master   Ready    master   77s    v1.17.5
k8s-master   Ready    master   261d   v1.17.5
[root@k8s-master ~]# kubectl get nodes -w
NAME         STATUS     ROLES    AGE    VERSION
k8s-master   Ready      master   261d   v1.17.5
k8s-master   Ready      master   261d   v1.17.5
k8s-master   NotReady   master   594d   v1.17.5
k8s-master   NotReady   master   594d   v1.17.5
k8s-master   NotReady   master   594d   v1.17.5
k8s-master   Ready      master   594d   v1.17.5
k8s-master   Ready      master   594d   v1.17.5
[root@k8s-master ~]# kubectl get pod --all-namespaces -w
NAMESPACE     NAME                                 READY   STATUS    RESTARTS   AGE
kube-system   coredns-9d85f5447-cm47b              1/1     Running   0          117s
kube-system   coredns-9d85f5447-mmhrk              1/1     Running   0          117s
kube-system   etcd-k8s-master                      1/1     Running   0          114s
kube-system   kube-apiserver-k8s-master            1/1     Running   0          114s
kube-system   kube-controller-manager-k8s-master   1/1     Running   0          114s
kube-system   kube-flannel-ds-amd64-v87r4          1/1     Running   0          37s
kube-system   kube-proxy-k288j                     1/1     Running   0          117s
kube-system   kube-scheduler-k8s-master            1/1     Running   0          114s
kube-system   coredns-9d85f5447-cm47b              1/1     Running   0          261d
kube-system   coredns-9d85f5447-mmhrk              1/1     Running   0          261d
kube-system   etcd-k8s-master                      1/1     Running   0          261d
kube-system   kube-apiserver-k8s-master            1/1     Running   0          261d
kube-system   kube-controller-manager-k8s-master   1/1     Running   0          261d
kube-system   kube-flannel-ds-amd64-v87r4          1/1     Running   0          261d
kube-system   kube-proxy-k288j                     1/1     Running   0          261d
kube-system   kube-scheduler-k8s-master            1/1     Running   0          261d
[root@k8s-master ~]# kubectl get pod --all-namespaces -w
kube-system   etcd-k8s-master                      1/1     Running   0          261d
kube-system   kube-apiserver-k8s-master            1/1     Running   0          261d
kube-system   kube-controller-manager-k8s-master   1/1     Running   0          261d
kube-system   coredns-9d85f5447-mmhrk              0/1     Running   0          261d
kube-system   coredns-9d85f5447-cm47b              0/1     Running   0          261d
kube-system   kube-scheduler-k8s-master            1/1     Running   0          261d
kube-system   coredns-9d85f5447-cm47b              1/1     Running   0          261d
kube-system   coredns-9d85f5447-mmhrk              1/1     Running   0          261d
kube-system   etcd-k8s-master                      1/1     Running   0          594d
kube-system   kube-apiserver-k8s-master            1/1     Running   0          594d
kube-system   kube-controller-manager-k8s-master   1/1     Running   0          594d
kube-system   kube-flannel-ds-amd64-v87r4          1/1     Running   0          594d
kube-system   kube-proxy-k288j                     1/1     Running   0          594d
kube-system   kube-scheduler-k8s-master            1/1     Running   0          594d
kube-system   coredns-9d85f5447-cm47b              1/1     Running   0          594d
kube-system   coredns-9d85f5447-mmhrk              1/1     Running   0          594d
[root@localhost k8s]# kubeadm init phase kubeconfig all --help
Generates all kubeconfig files

Usage:
  kubeadm init phase kubeconfig all [flags]

Flags:
      --apiserver-advertise-address string   The IP address the API Server will advertise it's listening on. Specify '0.0.0.0' to use the address of the default network interface.
      --apiserver-bind-port int32            Port for the API Server to bind to. (default 6443)
      --cert-dir string                      The path where to save and store the certificates. (default "/etc/kubernetes/pki")
      --config string                        Path to kubeadm config file. WARNING: Usage of a configuration file is experimental.
  -h, --help                                 help for all
      --kubeconfig-dir string                The path where to save the kubeconfig file. (default "/etc/kubernetes")
      --node-name string                     Specify the node name.

Global Flags:
      --log-file string   If non-empty, use this log file
      --rootfs string     [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers      If true, avoid header prefixes in the log messages
  -v, --v Level           log level for V logs
Personal thoughts: generating certificates manually and recompiling kubeadm are both somewhat tedious, and upgrading the k8s version regularly depends on the project's circumstances; the simplest approach is just to run kubeadm alpha certs renew once a year.
Reference posts: Certificate management with kubeadm; Appendix 025: Renewing certificates in a kubeadm-deployed Kubernetes cluster; Kubernetes v1.13.0 certificate upgrade in detail
Author: Leozhanggg
Source: https://www.cnblogs.com/leozhanggg/p/13401877.html
The copyright of this article is shared by the author and 博客園 (cnblogs). Reposting is welcome, but without the author's consent this statement must be retained and a link to the original must be given prominently on the article page; otherwise the right to pursue legal liability is reserved.