Extending kubeadm certificate validity to 100 years

kubeadm issues certificates that are valid for one year by default. Once they expire the API server becomes unreachable and every client fails with: x509: certificate has expired or is not yet valid. Everyone knows the renewal drill by now, but do we really have to repeat it every year? I was not willing to accept that, so I went a different way: patch the source so the certificates are valid for 100 years and be done with it. Be clear about what this trades away: the annual expiry is the only thing that forces key rotation, Kubernetes has no CRL or OCSP for client certificates, and a leaked client certificate (admin.conf in particular, which is cluster-admin) stays usable until its CA is rotated or it expires. Whoever holds these keys needs to be treated accordingly.

Modify the source:

Clone the release that matches your cluster

# yum install git
git clone --branch v1.18.0 https://github.com/kubernetes/kubernetes.git
cd kubernetes

Change the CA validity to 100 years (default: 10 years)

  • NotAfter in this function sets the CA validity, 10 years by default. The patch below uses duration365d * 99, which is why check-expiration later reports 99y rather than a round 100.
vim ./staging/src/k8s.io/client-go/util/cert/cert.go


// staging/src/k8s.io/client-go/util/cert/cert.go (excerpt)
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore: now.UTC(),
		// Upstream default: 10 years (duration365d is defined in this file as 365 days).
		// NotAfter: now.Add(duration365d * 10).UTC(),
		// Patched: 99 years.
		NotAfter:              now.Add(duration365d * 99).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}


Change the signed certificate validity to 100 years (default: 1 year)

  • The constant CertificateValidity controls the validity of every certificate kubeadm signs (and the certificates embedded in the kubeconfig files). Multiply it; the patch below uses 99 to match the CA change.
vim ./cmd/kubeadm/app/constants/constants.go


// cmd/kubeadm/app/constants/constants.go (excerpt)
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"

	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	// Upstream default: 1 year.
	// CertificateValidity = time.Hour * 24 * 365
	// Patched: 99 years.
	CertificateValidity = time.Hour * 24 * 365 * 99

	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
	// CAKeyName defines certificate name
	CAKeyName = "ca.key"
	// ... remaining constants unchanged
)

Rebuild from source

  • There are several ways to build; a native build on the host is shown here.
* Package prerequisites
CentOS:

yum install gcc make -y
yum install rsync jq -y

Ubuntu:

sudo apt install -y build-essential
sudo apt install -y rsync jq

* Install Go (use the version the release's build image pins)
# cat ./build/build-image/cross/VERSION
v1.13.8-1

wget https://dl.google.com/go/go1.13.8.linux-amd64.tar.gz
tar zxvf go1.13.8.linux-amd64.tar.gz -C /usr/local

# vim /etc/profile
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin

# source /etc/profile



* Rebuild kubeadm
make all WHAT=cmd/kubeadm GOFLAGS=-v

# build kubelet (optional)
# make all WHAT=cmd/kubelet GOFLAGS=-v

# build kubectl (optional)
# make all WHAT=cmd/kubectl GOFLAGS=-v

* The built kubeadm is at _output/bin/kubeadm; bin there is a symlink, the real path is _output/local/bin/linux/amd64/kubeadm. Keep the original binary so you can roll back.

mv /usr/bin/kubeadm /usr/bin/kubeadm_bak
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm

Renew the certificates

  • Back up the PKI directory first
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.backup
  • Back up the kubeconfig files too (use the full path so this works from any directory)
mkdir -p /etc/kubernetes/back && cp /etc/kubernetes/*.conf /etc/kubernetes/back
  • Check the current expiry dates
kubeadm alpha certs check-expiration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 14, 2022 07:19 UTC   280d                                    no
apiserver                  Jan 14, 2022 07:19 UTC   280d            ca                      no
apiserver-etcd-client      Jan 14, 2022 07:19 UTC   280d            etcd-ca                 no
apiserver-kubelet-client   Jan 14, 2022 07:19 UTC   280d            ca                      no
controller-manager.conf    Jan 14, 2022 07:20 UTC   280d                                    no
etcd-healthcheck-client    Jan 14, 2022 07:19 UTC   280d            etcd-ca                 no
etcd-peer                  Jan 14, 2022 07:19 UTC   280d            etcd-ca                 no
etcd-server                Jan 14, 2022 07:19 UTC   280d            etcd-ca                 no
front-proxy-client         Jan 14, 2022 07:19 UTC   280d            front-proxy-ca          no
scheduler.conf             Jan 14, 2022 07:20 UTC   280d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 12, 2031 07:19 UTC   9y              no
etcd-ca                 Jan 12, 2031 07:19 UTC   9y              no
front-proxy-ca          Jan 12, 2031 07:19 UTC   9y              no
  • Renew with the patched binary
kubeadm alpha certs renew all

After renewal, check-expiration reports 99 years, the value compiled in above. Two things to know about this step: kubeadm alpha certs renew only re-signs the leaf certificates and kubeconfig files with the existing CA keys, it does not regenerate the CA certificates themselves, so the NewSelfSignedCACert change only takes effect when a CA is created (kubeadm init, or kubeadm init phase certs ca, run with the patched binary); a leaf that outlives its CA stops verifying the day the CA expires, so check the CA rows as well. And admin.conf is renewed in /etc/kubernetes, not in ~/.kube/config, so copy it over (cp /etc/kubernetes/admin.conf ~/.kube/config) or kubectl keeps presenting the old client certificate.

# kubeadm alpha certs renew all
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed


# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Dec 14, 2121 07:50 UTC   99y             no
apiserver                  Dec 14, 2121 07:50 UTC   99y             no
apiserver-etcd-client      Dec 14, 2121 07:50 UTC   99y             no
apiserver-kubelet-client   Dec 14, 2121 07:50 UTC   99y             no
controller-manager.conf    Dec 14, 2121 07:50 UTC   99y             no
etcd-healthcheck-client    Dec 14, 2121 07:50 UTC   99y             no
etcd-peer                  Dec 14, 2121 07:50 UTC   99y             no
etcd-server                Dec 14, 2121 07:50 UTC   99y             no
front-proxy-client         Dec 14, 2121 07:50 UTC   99y             no
scheduler.conf             Dec 14, 2121 07:50 UTC   99y             no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 14, 2121 07:50 UTC   90y             no
etcd-ca                 Dec 14, 2121 07:50 UTC   90y             no
front-proxy-ca          Dec 14, 2121 07:50 UTC   99y             no

* Restart the control-plane containers so kube-apiserver, kube-controller-manager, kube-scheduler and etcd pick up the new certificates (the kubelet recreates the static pods)

docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk '{print $1}' | xargs docker restart
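The two patched values interact, and the interaction is why the renew step alone is not enough on an existing cluster. The following is an added example written for this page, not code from kubernetes/kubernetes: newCA and newLeaf are simplified stand-ins for NewSelfSignedCACert and kubeadm's signing path (ECDSA P-256 instead of RSA, minimal fields, made-up common names and the SAN "kubernetes"). ChainOutlivesCA builds a CA of one validity and a leaf of another, then verifies the chain with the clock pinned to a future date, using only the Go standard library:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// duration365d mirrors the constant in client-go's cert.go.
const duration365d = time.Hour * 24 * 365

// newCA is a simplified stand-in for NewSelfSignedCACert: a self-signed CA
// valid for `years` years (ECDSA here; kubeadm uses RSA). CN is assumed.
func newCA(years int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(duration365d * time.Duration(years)).UTC(),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeaf signs a serving certificate for `validity`, the role that
// CertificateValidity plays for the apiserver certificate in kubeadm.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "kube-apiserver"}, // assumed CN
		DNSNames:     []string{"kubernetes"},                  // assumed SAN
		NotBefore:    now.UTC(),
		NotAfter:     now.Add(validity).UTC(),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt validates leaf against ca the way a TLS client does, with the clock
// pinned to `at`. Go checks NotBefore/NotAfter on every cert in the chain, root included.
func verifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     "kubernetes",
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// ChainOutlivesCA reports whether a leaf valid for leafYears, signed by a CA
// valid for caYears, still verifies checkYears from now.
func ChainOutlivesCA(caYears, leafYears, checkYears int) (bool, error) {
	ca, caKey, err := newCA(caYears)
	if err != nil {
		return false, err
	}
	leaf, err := newLeaf(ca, caKey, duration365d*time.Duration(leafYears))
	if err != nil {
		return false, err
	}
	at := time.Now().Add(duration365d * time.Duration(checkYears))
	return verifyAt(leaf, ca, at) == nil, nil
}

func main() {
	cases := []struct{ ca, leaf, check int }{
		{10, 99, 1},  // stock CA, patched leaf, next year
		{10, 99, 20}, // stock CA, patched leaf, after the CA has expired
		{99, 99, 20}, // CA regenerated with the patched binary
	}
	for _, c := range cases {
		ok, err := ChainOutlivesCA(c.ca, c.leaf, c.check)
		if err != nil {
			panic(err)
		}
		fmt.Printf("CA %dy, leaf %dy, checked at +%dy: valid=%v\n", c.ca, c.leaf, c.check, ok)
	}
}
```

With the stock 10-year CA, a 99-year apiserver certificate verifies next year but is rejected at +20 years, because the expired root fails the same NotAfter check as any other certificate in the chain; only a CA regenerated with the patched NewSelfSignedCACert moves that cliff. On a cluster that was initialised with an unpatched kubeadm, renewing leaves to 99 years therefore buys exactly as much time as the CA has left.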

For clusters with multiple control-plane nodes, run the following steps on every control-plane node (each node holds its own copy of the certificates)

1 Export the cluster configuration to YAML
kubeadm config view > /root/kubeadm.yaml

2 Renew the certificates using that configuration
kubeadm alpha certs renew all --config=/root/kubeadm.yaml

3 Check the expiry dates
kubeadm alpha certs check-expiration

4 Restart the control-plane containers so kube-apiserver, kube-controller-manager, kube-scheduler and etcd pick up the new certificates

docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk '{print $1}' | xargs docker restart