Changing the certificate validity period of a kubeadm-deployed Kubernetes cluster
🍇 Overview
On a cluster deployed with kubeadm the default certificate validity is one year. When the cluster is upgraded the certificates are renewed along with it, so if the cluster is upgraded every year the validity never needs to be changed. In most cases, however, production clusters are upgraded very rarely in order to keep them stable, so the certificate lifetime has to be extended.
🍋 Check the cluster's current certificate validity
Enter the PKI directory
cd /etc/kubernetes/pki/
Check the validity period
openssl x509 -in apiserver.crt -text -noout
🥭 Install the Go toolchain
cd /data/
wget https://studygolang.com/dl/golang/go1.19.4.linux-amd64.tar.gz
tar -xf go1.19.4.linux-amd64.tar.gz -C /usr/local/
🍎 Configure the Go environment variables
Append export PATH=$PATH:/usr/local/go/bin to the end of /etc/profile
vim /etc/profile
Reload the profile so the new variable takes effect
source /etc/profile
Check the Go version
go version
go version go1.19.4 linux/amd64
🍏 Download the Kubernetes source (it must match your cluster's version)
Check the kubeadm version
kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5", GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"archive", BuildDate:"2023-03-21T06:34:26Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"linux/amd64"}
Fetch the Kubernetes source for that version
wget https://github.com/kubernetes/kubernetes/archive/v1.23.5.tar.gz
tar -zxvf v1.23.5.tar.gz
cd kubernetes-1.23.5
Change the certificate validity policy in the kubeadm source
vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
Find the NewSignedCert function and change it as shown below; the two lines marked "added" and "changed" are the only edits, the rest of the function is left as it is in the v1.23.5 source.
// NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {
	// added: ten-year validity (the constant keeps the post's name, but its value is 10 years, not 365 days)
	const duration365d = time.Hour * 24 * 365 * 10
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	if len(cfg.CommonName) == 0 {
		return nil, errors.New("must specify a CommonName")
	}

	keyUsage := x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
	if isCA {
		keyUsage |= x509.KeyUsageCertSign
	}

	RemoveDuplicateAltNames(&cfg.AltNames)

	// changed: notAfter is now computed from duration365d instead of the stock one-year constant
	notAfter := time.Now().Add(duration365d).UTC()
	if cfg.NotAfter != nil {
		notAfter = *cfg.NotAfter
	}

	certTmpl := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:              cfg.AltNames.DNSNames,
		IPAddresses:           cfg.AltNames.IPs,
		SerialNumber:          serial,
		NotBefore:             caCert.NotBefore,
		NotAfter:              notAfter,
		KeyUsage:              keyUsage,
		ExtKeyUsage:           cfg.Usages,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
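To see what the edit actually changes on the wire, here is an added Go example (not the post's code and not kubeadm's): a stand-alone reproduction of the leaf-signing logic of NewSignedCert with the validity period passed in as a parameter, a throwaway self-signed CA that stands in for the cluster's ca.crt/ca.key, and a validityYears check that reads a PEM certificate the way the openssl command later in the post does. The function names newSignedCert, issueAPIServerCert and validityYears, the constants defaultValidity and patchedValidity, and the CA and leaf subjects are this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	cryptorand "crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math"
	"math/big"
	"time"
)

// Stock kubeadm signs leaf certificates for one year; the patch in the post makes it ten.
const (
	defaultValidity = time.Hour * 24 * 365
	patchedValidity = time.Hour * 24 * 365 * 10
)

// newSignedCert mirrors the leaf-signing logic of the patched NewSignedCert, with the
// validity passed in explicitly so the default and the patched behaviour can be compared.
func newSignedCert(commonName string, validity time.Duration, key crypto.Signer,
	caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	if commonName == "" {
		return nil, fmt.Errorf("must specify a CommonName")
	}
	tmpl := x509.Certificate{
		Subject: pkix.Name{CommonName: commonName}, SerialNumber: serial,
		NotBefore: caCert.NotBefore,              // leaf validity starts when the CA's does, as in kubeadm
		NotAfter:  time.Now().Add(validity).UTC(), // the line the patch changes from one year to ten
		KeyUsage:  x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueAPIServerCert builds a throwaway self-signed CA (an assumption standing in for the
// cluster's ca.crt/ca.key), signs a kube-apiserver leaf with the given validity and returns
// the leaf PEM-encoded, the same shape as /etc/kubernetes/pki/apiserver.crt.
func issueAPIServerCert(validity time.Duration) ([]byte, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now().UTC()
	caTmpl := x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"},
		NotBefore: now, NotAfter: now.Add(patchedValidity),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	caDER, err := x509.CreateCertificate(cryptorand.Reader, &caTmpl, &caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
	if err != nil {
		return nil, err
	}
	leaf, err := newSignedCert("kube-apiserver", validity, leafKey, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw}), nil
}

// validityYears is the programmatic equivalent of reading the Validity block printed by
// `openssl x509 -text`: the NotBefore..NotAfter span in years, rounded to the nearest year.
func validityYears(pemBytes []byte) (int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return int(math.Round(cert.NotAfter.Sub(cert.NotBefore).Hours() / (24 * 365))), nil
}

func main() {
	for _, v := range []time.Duration{defaultValidity, patchedValidity} {
		p, err := issueAPIServerCert(v)
		if err != nil {
			panic(err)
		}
		years, _ := validityYears(p)
		fmt.Printf("signed with validity %v: certificate good for %d year(s)\n", v, years)
	}
}
```

Running it prints one line for the stock one-year signing and one for the patched ten-year signing. Two practical points follow from the code: the new NotAfter is only written into certificates that are signed after the rebuilt kubeadm is installed, so existing files are untouched until kubeadm certs renew is run, and the control-plane static pods keep serving the certificates they loaded at start-up until they are restarted; and a ten-year leaf certificate is a ten-year window for any private key that leaks, so the files under /etc/kubernetes/pki should stay readable by root only.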
Build kubeadm
cd kubernetes-1.23.5
make WHAT=cmd/kubeadm GOFLAGS=-v
cp _output/bin/kubeadm /root/kubeadm-new
Replace kubeadm (back up the existing binary first)
cp /usr/bin/kubeadm /usr/bin/kubeadm.old
cp /root/kubeadm-new /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm
Back up the PKI directory
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old
Regenerate the certificates (the config file here is the one the cluster was initialized with)
kubeadm certs renew all --config=/root/kubeadm-config.yaml
Generating and inspecting the cluster configuration: if the cluster has no kubeadm-config.yaml, a cluster initialization file can be generated with
kubeadm config print init-defaults > /root/kubeadm-config.yaml
[root@k8s-master ~]# kubeadm certs renew all --config=/root/kubeadm-config.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
Check the new certificate validity
[root@021s kubernetes-1.23.5]# cd /etc/kubernetes/pki
[root@021s pki]# openssl x509 -in apiserver.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7056367101871158168 (0x61ed407e2fc87398)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Mar 24 15:24:33 2022 GMT
Not After : Mar 18 07:49:39 2033 GMT
Subject: CN=kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Update the certificates on each node
Run on the master, replacing xx.xx.xxx with each node's IP
[root@k8s-node01 pki]# scp root@xx.xx.xxx:/etc/kubernetes/pki/ca.crt ./