
Extending kubeadm cluster certificate validity to 99 years

Author: 极客运维圈
Published 2020-06-24 15:55:44
This article is part of the column: 乔边故事

Changing the certificate validity period with kubeadm

(1) Check the current certificate expiration dates

# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 20, 2021 11:21 UTC   364d                                    no      
apiserver                  Jun 20, 2021 11:21 UTC   364d            ca                      no      
apiserver-etcd-client      Jun 20, 2021 11:21 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jun 20, 2021 11:21 UTC   364d            ca                      no      
controller-manager.conf    Jun 20, 2021 11:21 UTC   364d                                    no      
etcd-healthcheck-client    Jun 20, 2021 11:21 UTC   364d            etcd-ca                 no      
etcd-peer                  Jun 20, 2021 11:21 UTC   364d            etcd-ca                 no      
etcd-server                Jun 20, 2021 11:21 UTC   364d            etcd-ca                 no      
front-proxy-client         Jun 20, 2021 11:21 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jun 20, 2021 11:21 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 18, 2030 11:21 UTC   9y              no      
etcd-ca                 Jun 18, 2030 11:21 UTC   9y              no      
front-proxy-ca          Jun 18, 2030 11:21 UTC   9y              no      

(2) Download the source code

git clone https://github.com/kubernetes/kubernetes.git

(3) Check out the tag that matches your own version and modify the source; mine, for example, is v1.17.2

cd kubernetes
git checkout v1.17.2

Open cmd/kubeadm/app/constants/constants.go with vim, find CertificateValidity, and change it as follows

....
const (
        // KubernetesDir is the directory Kubernetes owns for storing various configuration files
        KubernetesDir = "/etc/kubernetes"
        // ManifestsSubDirName defines directory name to store manifests
        ManifestsSubDirName = "manifests"
        // TempDirForKubeadm defines temporary directory for kubeadm
        // should be joined with KubernetesDir.
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        CertificateValidity = time.Hour * 24 * 365 * 100
....

(4) Build kubeadm

make WHAT=cmd/kubeadm

When the build finishes, it produces the following directory and binaries

# ll _output/bin/
total 76172
-rwxr-xr-x 1 root root  6799360 Jun 20 21:08 conversion-gen
-rwxr-xr-x 1 root root  6778880 Jun 20 21:08 deepcopy-gen
-rwxr-xr-x 1 root root  6750208 Jun 20 21:08 defaulter-gen
-rwxr-xr-x 1 root root  4883629 Jun 20 21:08 go2make
-rwxr-xr-x 1 root root  2109440 Jun 20 21:09 go-bindata
-rwxr-xr-x 1 root root 39256064 Jun 20 21:11 kubeadm
-rwxr-xr-x 1 root root 11419648 Jun 20 21:09 openapi-gen

(5) Back up the original kubeadm binary and the certificate files

cp /usr/bin/kubeadm{,.bak20200620}
cp -r /etc/kubernetes/pki{,.bak20200620}

(7) Replace kubeadm with the newly built binary

cp _output/bin/kubeadm /usr/bin/kubeadm

(8) Generate new certificates

cd /etc/kubernetes/pki
kubeadm alpha certs renew all

The output is as follows

[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

(9) Verify the result

kubeadm alpha certs check-expiration

The output is as follows

[root@k8s-master pki]#  kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 27, 2120 13:25 UTC   99y                                     no      
apiserver                  May 27, 2120 13:25 UTC   99y             ca                      no      
apiserver-etcd-client      May 27, 2120 13:25 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   May 27, 2120 13:25 UTC   99y             ca                      no      
controller-manager.conf    May 27, 2120 13:25 UTC   99y                                     no      
etcd-healthcheck-client    May 27, 2120 13:25 UTC   99y             etcd-ca                 no      
etcd-peer                  May 27, 2120 13:25 UTC   99y             etcd-ca                 no      
etcd-server                May 27, 2120 13:25 UTC   99y             etcd-ca                 no      
front-proxy-client         May 27, 2120 13:25 UTC   99y             front-proxy-ca          no      
scheduler.conf             May 27, 2120 13:25 UTC   99y                                     no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 18, 2030 11:21 UTC   9y              no      
etcd-ca                 Jun 18, 2030 11:21 UTC   9y              no      
front-proxy-ca          Jun 18, 2030 11:21 UTC   9y              no      

Check that the cluster status is OK.

[root@k8s-master pki]# kubectl get node
NAME         STATUS   ROLES    AGE    VERSION
k8s-master   Ready    master   127m   v1.17.2
k8s-node01   Ready    <none>   94m    v1.17.2
k8s-node02   Ready    <none>   95m    v1.17.2
[root@k8s-master pki]# kubectl get pod -n kube-system 
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-589b5f594b-76vwr   1/1     Running   0          93m
calico-node-4qvfj                          1/1     Running   0          93m
calico-node-cn79s                          1/1     Running   0          93m
calico-node-sppn9                          1/1     Running   0          93m
coredns-7f9c544f75-hc5q5                   1/1     Running   0          127m
coredns-7f9c544f75-z77s8                   1/1     Running   0          127m
etcd-k8s-master                            1/1     Running   0          114m
kube-apiserver-k8s-master                  1/1     Running   0          115m
kube-controller-manager-k8s-master         1/1     Running   0          114m
kube-proxy-6kckk                           1/1     Running   0          94m
kube-proxy-r7mn2                           1/1     Running   0          127m
kube-proxy-zf48c                           1/1     Running   0          95m
kube-scheduler-k8s-master                  1/1     Running   0          114m

The certificate change is now complete.
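
An added check, not part of the original article: in the step (9) output the three CAs still expire on Jun 18, 2030 while the renewed certificates run to 2120, and a certificate stops validating once the CA that signed it has expired, so the CA date is the effective limit. The script below parses check-expiration output and lists such certificates; the function names, the abridged sample, and treating an empty CERTIFICATE AUTHORITY column as the cluster ca are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): reads the output of
# `kubeadm alpha certs check-expiration` on stdin and prints every leaf
# certificate whose EXPIRES date is later than that of its CA.
# Assumption: rows with an empty CERTIFICATE AUTHORITY column (the *.conf
# kubeconfig client certificates) are signed by the cluster "ca".
leafs_outliving_ca() {
  awk '
    BEGIN {
      n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= n; i++) mon[m[i]] = i
    }
    # Turn "Jun 18, 2030 11:21" (fields 2-5) into a sortable YYYYMMDDHHMM string.
    function key(   d, t) {
      d = $3; sub(/,/, "", d)
      t = $5; sub(/:/, "", t)
      return sprintf("%04d%02d%02d%s", $4, mon[$2], d, t)
    }
    /^CERTIFICATE AUTHORITY/ { section = "ca"; next }
    /^CERTIFICATE /          { section = "leaf"; next }
    !($2 in mon)             { next }   # skip log lines, prompts and blanks
    section == "ca"   { caexp[$1] = key(); catext[$1] = $2 " " $3 " " $4; next }
    section == "leaf" {
      cnt++
      name[cnt] = $1; leafexp[cnt] = key()
      issuer[cnt] = (NF == 9) ? $8 : "ca"   # 8 fields: CA column is empty
    }
    END {
      for (i = 1; i <= cnt; i++)
        if (issuer[i] in caexp && leafexp[i] > caexp[issuer[i]])
          printf "%s outlives %s (CA expires %s)\n", name[i], issuer[i], catext[issuer[i]]
    }'
}

# Constructed sample: rows abridged from the step (9) output shown above.
sample() {
  cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 27, 2120 13:25 UTC   99y                                     no
etcd-server                May 27, 2120 13:25 UTC   99y             etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 18, 2030 11:21 UTC   9y              no
etcd-ca                 Jun 18, 2030 11:21 UTC   9y              no
EOF
}

sample | leafs_outliving_ca
```

On a live control-plane node, pipe the real command into the function instead of the sample: `kubeadm alpha certs check-expiration | leafs_outliving_ca`.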

If downloading from GitHub is slow, you can download from Gitee instead: https://gitee.com/mirrors/Kubernetes/tree/master/

Originally published: 2020-06-23. This article is shared from the 极客运维圈 WeChat official account.
