Certificates installed by kubeadm are valid for 1 year by default. Note that the original certificate files must still be present on the server for the renewal to work; otherwise new certificates are generated and the cluster may not be recoverable.
Use the following command to check the certificate expiry dates:
[root@master ~]# kubeadm alpha certs check-expiration
Command "check-expiration" is deprecated, please use the same command under "kubeadm certs"
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 02, 2022 11:26 UTC   7d                                      no
apiserver                  Mar 02, 2022 11:26 UTC   7d              ca                      no
apiserver-etcd-client      Mar 02, 2022 11:26 UTC   7d              etcd-ca                 no
apiserver-kubelet-client   Mar 02, 2022 11:26 UTC   7d              ca                      no
controller-manager.conf    Mar 02, 2022 11:26 UTC   7d                                      no
etcd-healthcheck-client    Mar 02, 2022 11:26 UTC   7d              etcd-ca                 no
etcd-peer                  Mar 02, 2022 11:26 UTC   7d              etcd-ca                 no
etcd-server                Mar 02, 2022 11:26 UTC   7d              etcd-ca                 no
front-proxy-client         Mar 02, 2022 11:26 UTC   7d              front-proxy-ca          no
scheduler.conf             Mar 02, 2022 11:26 UTC   7d                                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 28, 2031 11:26 UTC   9y              no
etcd-ca                 Feb 28, 2031 11:26 UTC   9y              no
front-proxy-ca          Feb 28, 2031 11:26 UTC   9y              no
As you can see, the certificates expire in 7 days. To avoid renewing the certificates every year, I chose to modify the source code directly and change the validity to 10 years.
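Reading the residual time off the table by eye works once; a cluster operator wants the same check run on a schedule so that a 7-day window is noticed before it closes. The following Go program is an added example, not part of the original post and not kubeadm code: it parses the two tables that `kubeadm certs check-expiration` prints (the sample embedded below is the output shown above), and reports which certificates expire within a chosen window. The type and function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// sampleOutput is the check-expiration output shown on the page, embedded so the
// program runs offline.
const sampleOutput = `Command "check-expiration" is deprecated, please use the same command under "kubeadm certs"
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 02, 2022 11:26 UTC   7d                                      no
apiserver                  Mar 02, 2022 11:26 UTC   7d              ca                      no
apiserver-etcd-client      Mar 02, 2022 11:26 UTC   7d              etcd-ca                 no
apiserver-kubelet-client   Mar 02, 2022 11:26 UTC   7d              ca                      no
controller-manager.conf    Mar 02, 2022 11:26 UTC   7d                                      no
etcd-healthcheck-client    Mar 02, 2022 11:26 UTC   7d              etcd-ca                 no
etcd-peer                  Mar 02, 2022 11:26 UTC   7d              etcd-ca                 no
etcd-server                Mar 02, 2022 11:26 UTC   7d              etcd-ca                 no
front-proxy-client         Mar 02, 2022 11:26 UTC   7d              front-proxy-ca          no
scheduler.conf             Mar 02, 2022 11:26 UTC   7d                                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 28, 2031 11:26 UTC   9y              no
etcd-ca                 Feb 28, 2031 11:26 UTC   9y              no
front-proxy-ca          Feb 28, 2031 11:26 UTC   9y              no
`

// CertStatus is one row of the check-expiration output.
type CertStatus struct {
	Name      string
	Expires   time.Time
	Authority string // signing CA; empty for kubeconfig files and for the CAs themselves
	IsCA      bool   // row came from the CERTIFICATE AUTHORITY table
	External  bool   // EXTERNALLY MANAGED == yes
}

// rowRE matches a data row: name, expiry, residual time, optional CA column, managed flag.
// The residual time is not captured; it is recomputed from the expiry date.
var rowRE = regexp.MustCompile(`^(\S+)\s+([A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2} [A-Z]+)\s+\S+(?:\s+(\S+))?\s+(yes|no)$`)

// expiresLayout is the Go reference layout for dates like "Mar 02, 2022 11:26 UTC".
const expiresLayout = "Jan 02, 2006 15:04 MST"

// ParseCheckExpiration parses both tables kubeadm prints: leaf certificates first, then CAs.
func ParseCheckExpiration(out string) ([]CertStatus, error) {
	var certs []CertStatus
	inCA := false
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		// Header lines switch between the two tables; everything else that does not
		// look like a row (banner, deprecation notice, blank lines) is skipped.
		if strings.HasPrefix(line, "CERTIFICATE AUTHORITY") {
			inCA = true
			continue
		}
		if strings.HasPrefix(line, "CERTIFICATE") {
			inCA = false
			continue
		}
		m := rowRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		exp, err := time.Parse(expiresLayout, m[2])
		if err != nil {
			return nil, fmt.Errorf("row %q: %w", line, err)
		}
		certs = append(certs, CertStatus{Name: m[1], Expires: exp, Authority: m[3], IsCA: inCA, External: m[4] == "yes"})
	}
	return certs, sc.Err()
}

// ExpiringWithin returns, in table order, the names of certificates whose expiry
// is no more than window away from now.
func ExpiringWithin(certs []CertStatus, now time.Time, window time.Duration) []string {
	var names []string
	for _, c := range certs {
		if c.Expires.Sub(now) <= window {
			names = append(names, c.Name)
		}
	}
	return names
}

func main() {
	certs, err := ParseCheckExpiration(sampleOutput)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	// Assumed capture time: 7 days before the expiry shown in the sample.
	now := time.Date(2022, 2, 23, 11, 26, 0, 0, time.UTC)
	for _, name := range ExpiringWithin(certs, now, 30*24*time.Hour) {
		fmt.Println("expires within 30 days:", name)
	}
}
```

Run it against live output by piping `kubeadm certs check-expiration` into the parser in place of `sampleOutput`; the CA rows come out with `IsCA` set, so a monitoring job can alarm on leaf certificates at a short window and on CAs at a much longer one.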
1. Download the source
Pull the source for the matching version:
# yum install git
git clone --branch v1.20.2 https://github.com/kubernetes/kubernetes.git
cd kubernetes
2. Change the certificate validity to 10 years (the CA certificates are already valid for 10 years and are left unchanged)
The constant is CertificateValidity; just multiply the base value to get 10 years.
vim ./cmd/kubeadm/app/constants/constants.go
package constants

import "time"

const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"
	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	// Original value (1 year):
	// CertificateValidity = time.Hour * 24 * 365
	// Patched value; note the text says 10 years but this line multiplies by 99 (99 years).
	CertificateValidity = time.Hour * 24 * 365 * 99
	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
	// CAKeyName defines certificate name
	CAKeyName = "ca.key"
)
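The edit above only changes how far NotAfter is pushed out for the certificates kubeadm signs; it does not touch the CAs, and a leaf certificate cannot be verified past its CA's expiry no matter how long its own validity is. The following Go program is an added example (not kubeadm's code; the constant names, the 10-year CA duration and the key type are this example's own assumptions modelled on the page's statements): it issues a CA and a leaf with the original and the patched validity using crypto/x509, and checks chain validity at points in time before and after the CA expires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed values mirroring the page: kubeadm's default leaf validity, the patched
// line (x99), and the 10-year CA validity the page says is left unchanged.
const (
	DefaultCertificateValidity = time.Hour * 24 * 365
	PatchedCertificateValidity = time.Hour * 24 * 365 * 99
	CAValidity                 = time.Hour * 24 * 365 * 10
)

// newCA self-signs a CA certificate valid for CAValidity starting at notBefore.
func newCA(notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(CAValidity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeaf issues a server certificate signed by ca, valid for the given duration.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, notBefore time.Time, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainValidAt reports whether leaf verifies against ca at time t.
func chainValidAt(leaf, ca *x509.Certificate, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t})
	return err == nil
}

// remainingDays is the number of whole days before cert expires, relative to now.
func remainingDays(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	start := time.Date(2021, 3, 2, 11, 26, 0, 0, time.UTC) // assumed issue time
	ca, caKey, err := newCA(start)
	if err != nil {
		panic(err)
	}
	leaf, err := newLeaf(ca, caKey, start, PatchedCertificateValidity)
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf days remaining at issue:", remainingDays(leaf, start))
	fmt.Println("chain valid after 5 years: ", chainValidAt(leaf, ca, start.Add(5*CAValidity/10)))
	fmt.Println("chain valid after 11 years:", chainValidAt(leaf, ca, start.Add(11*CAValidity/10)))
}
```

The second and third lines of the output are the point: the 99-year leaf verifies at year 5 and fails at year 11, because the CA has expired. Whatever value you put in CertificateValidity, the CA expiry (9 years away in the table above) remains the real deadline, and renewing the CAs is a separate operation.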
3. Rebuild the source
There are many ways to do this; here is how to build natively on the host.
* Package preparation (CentOS):
  yum install gcc make -y
  yum install rsync jq -y
* Install golang. Check the version the tree expects:
  # cat ./build/build-image/cross/VERSION
  v1.15.5-1
  See the appendix.
Be sure to do everything on the same system. A pitfall I hit: after extracting the archive on Windows, the build kept failing with format errors.
* Rebuild kubeadm:
  make all WHAT=cmd/kubeadm GOFLAGS=-v
  # build kubelet
  make all WHAT=cmd/kubelet GOFLAGS=-v
  # build kubectl
  make all WHAT=cmd/kubectl GOFLAGS=-v
* The compiled kubeadm is under _output/bin/kubeadm; bin is a symlink, and the real path is _output/local/bin/linux/amd64/kubeadm
  mv /usr/bin/kubeadm /usr/bin/kubeadm_bak
  cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
  chmod +x /usr/bin/kubeadm
4. Renew the certificates
1. Back up the certificates:
   cp -r /etc/kubernetes/pki /etc/kubernetes/pki.backup
2. Back up the kubeconfig files:
   mkdir -p /etc/kubernetes/back && cp /etc/kubernetes/*.conf /etc/kubernetes/back
3. Check the expiry dates:
   kubeadm alpha certs check-expiration
4. Renew the certificates:
   kubeadm alpha certs renew all
5. Check the expiry dates again:
   kubeadm alpha certs check-expiration
kubeadm itself prints a reminder after renewal: kube-apiserver, kube-controller-manager, kube-scheduler and etcd must be restarted so they load the new certificates, and any copies of the kubeconfig files (for example ~/.kube/config copied from admin.conf) must be refreshed.
Appendix: installing Go
Go supports the following systems:
- Linux
- FreeBSD
- Mac OS X (also known as Darwin)
- Windows
The packages are downloaded from https://golang.org/dl/.
If that address is unreachable, use https://golang.google.cn/dl/ instead.
Find the target version.

1. Download the archive and extract it
[root@localhost ~]# tar xf go1.15.5.linux-amd64.tar.gz -C /usr/local/
2. Add the environment variables
# vim /etc/profile
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin
# source /etc/profile
3. Check the Go version
[root@localhost ~]# go version
go version go1.15.5 linux/amd64
