k8s certificate expiration problem


I. Background

The default validity of k8s certificates is 1 year. Once they expire, the management commands can no longer be run, as shown in the figure below:

II. Checking certificate validity

You can see that RESIDUAL TIME shows <invalid>, which means the certificates have expired:

[root@master pki]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
apiserver                  Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
apiserver-etcd-client      Dec 28, 2021 08:24 UTC   <invalid>       etcd-ca                 no      
apiserver-kubelet-client   Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
controller-manager.conf    Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
etcd-healthcheck-client    Dec 28, 2021 08:24 UTC   <invalid>       etcd-ca                 no      
etcd-peer                  Dec 28, 2021 08:24 UTC   <invalid>       etcd-ca                 no      
etcd-server                Dec 28, 2021 08:24 UTC   <invalid>       etcd-ca                 no      
front-proxy-client         Dec 28, 2021 08:24 UTC   <invalid>       front-proxy-ca          no      
scheduler.conf             Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 20, 2031 07:18 UTC   9y              no      
etcd-ca                 Dec 20, 2031 07:18 UTC   9y              no      
front-proxy-ca          Dec 20, 2031 07:18 UTC   9y              no  

III. Solution

Modify the source code and regenerate the certificates

The official default for every certificate is one year; I will use certificates valid for 10 years as the example.

First install a Go environment on the machine. I skip that process here; a quick Baidu search shows it is very simple.

1. Check the k8s version installed in the current environment

kubeadm version

2. Download the source code

Download the k8s source from GitHub at the version found in step 1; process omitted.

3. Modify the code

My version is 1.23.1. Edit the file /opt/kubernetes/cmd/kubeadm/app/util/pkiutil/pki_helpers.go; in my copy it is around line 653, but the location may differ between versions. You can locate it by searching for the keyword kubeadmconstants.CertificateValidity.

Comment out notAfter := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()

Add above it:

const year10 = time.Hour * 24 * 365 * 10

notAfter := time.Now().Add(year10).UTC()

4. Recompile

make WHAT=cmd/kubeadm GOFLAGS=-v

The kubeadm binary is generated under /opt/kubernetes/_output/bin

5. Back up the original kubeadm and the certificate files, so they can be restored if something goes wrong

cp  /usr/bin/kubeadm /usr/bin/kubeadm_bak
cp -r  /etc/kubernetes/pki /etc/kubernetes/pki_bak

6. Copy kubeadm to /usr/bin/

[root@master bin]# pwd
/opt/kubernetes-master/_output/bin
[root@master bin]# 
[root@master bin]# 
[root@master bin]# ll
total 79136
-rwxr-xr-x 1 root root  6295552 Dec 28 16:58 conversion-gen
-rwxr-xr-x 1 root root  6021120 Dec 28 16:58 deepcopy-gen
-rwxr-xr-x 1 root root  6029312 Dec 28 16:58 defaulter-gen
-rwxr-xr-x 1 root root  3376703 Dec 28 16:58 go2make
-rwxr-xr-x 1 root root 45187072 Dec 28 17:00 kubeadm
-rwxr-xr-x 1 root root  8126464 Dec 28 16:58 openapi-gen
-rwxr-xr-x 1 root root  5996544 Dec 28 16:58 prerelease-lifecycle-gen
[root@master bin]# 
[root@master bin]# cp kubeadm /usr/bin/
cp: overwrite ‘/usr/bin/kubeadm’? y

7. Regenerate the certificates

[root@master bin]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

8. Restart the related services

[root@master bin]# docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
3af36fb43da0
6ff7681f2556
91eaaacf2664
b886b4e5f623

9. Confirm the certificate validity

The figure here shows 9 years, which is probably because the remaining time is rounded.

The basic management commands can be used again.