其他
Kubernetes 之修改证书时限
点击下方公众号「关注」和「星标」
回复“1024”获取独家整理的学习资料!
今天,我们一起学习如何修改 Kubernetes 的证书可用时限!
使用过的朋友肯定知道,Kubernetes 默认的证书有效期只有 1 年,因此需要每年手动更新一次节点上面的证书,显然这对我们实际生产环境来说是很不友好的;因此我们要对 Kubernetes 的 SSL 证书有效期进行修改。如下给出了具体的方法,但是有可能到你开始使用的时候,已经不再试用。
查看当前证书有效期
# 证书存放在: /etc/kubernetes/pki 目录下
$ ls -lh /etc/kubernetes/pki
-rw-r--r-- 1 root root 1212 May 19 14:01 apiserver.crt
-rw-r--r-- 1 root root 1090 May 19 14:01 apiserver-etcd-client.crt
-rw------- 1 root root 1679 May 19 14:01 apiserver-etcd-client.key
-rw------- 1 root root 1675 May 19 14:01 apiserver.key
-rw-r--r-- 1 root root 1099 May 19 14:01 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 May 19 14:01 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 May 17 2020 ca.crt
-rw------- 1 root root 1679 May 17 2020 ca.key
drwxr-xr-x 2 root root 4096 May 17 2020 etcd/
-rw-r--r-- 1 root root 1038 May 17 2020 front-proxy-ca.crt
-rw------- 1 root root 1679 May 17 2020 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 May 19 14:01 front-proxy-client.crt
-rw------- 1 root root 1675 May 19 14:01 front-proxy-client.key
-rw------- 1 root root 1675 May 17 2020 sa.key
-rw------- 1 root root 451 May 17 2020 sa.pub
# 查看有效期
$ for i in $(ls *.crt); do \
echo "===== $i ====="; \
openssl x509 -in $i -text -noout | grep -A 3 'Validity'; done
# 除了ca根证书外其他证书有效期都是1年
===== apiserver.crt =====
Validity
Not Before: May 12 07:51:36 2020 GMT
Not After : May 12 07:51:36 2021 GMT
Subject: CN = kube-apiserver
===== apiserver-etcd-client.crt =====
Validity
Not Before: May 12 07:51:36 2020 GMT
Not After : May 12 07:51:36 2021 GMT
Subject: O = system:masters, CN = kube-apiserver-etcd-client
===== apiserver-kubelet-client.crt =====
Validity
Not Before: May 12 07:51:36 2020 GMT
Not After : May 12 07:51:36 2021 GMT
Subject: O = system:masters, CN = kube-apiserver-kubelet-client
===== ca.crt =====
Validity
Not Before: May 12 07:51:36 2020 GMT
Not After : May 10 07:51:36 2029 GMT
Subject: CN = kubernetes
===== front-proxy-ca.crt =====
Validity
Not Before: May 12 07:51:36 2019 GMT
Not After : May 10 07:51:36 2029 GMT
Subject: CN = front-proxy-ca
===== front-proxy-client.crt =====
Validity
Not Before: May 12 07:51:36 2020 GMT
Not After : May 12 07:51:36 2021 GMT
Subject: CN = front-proxy-client
Go 环境部署
# 安装Go语言
$ wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz
$ tar -zxvf go1.12.1.linux-amd64.tar.gz -C /usr/local
# 加入到系统配置中
$ vi /etc/profile
export PATH=$PATH:/usr/local/go/bin
source /etc/profile
下载 K8S 源码
# 创建并下载代码
$ cd /data && mkdir -pv k8s_src
$ git clone https://github.com/kubernetes/kubernetes.git
$ git checkout -b remotes/origin/release-1.15.1 v1.15.
修改 Kubeadm 源码包更新证书策略
# kubeadm1.14版本之前
$ vim staging/src/k8s.io/client-go/util/cert/cert.go
# kubeadm1.14至今的版本
$ vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
# 添加如下对应内容
const duration365d = time.Hour * 24 * 365
NotAfter: time.Now().Add(duration365d).UTC(),
make WHAT=cmd/kubeadm GOFLAGS=-v
cp _output/bin/kubeadm /root/kubeadm-new
更新 kubeadm 工具
# 将kubeadm进行替换
$ cp /usr/bin/kubeadm /usr/bin/kubeadm.old
$ cp /root/kubeadm-new /usr/bin/kubeadm
$ chmod a+x /usr/bin/kubeadm
更新各节点证书至 Master 节点
# 备份证书
$ cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old
# 更新证书
$ cd /etc/kubernetes/pki
$ kubeadm alpha certs renew all --config=/root/kubeadm-config.yaml
$ openssl x509 -in apiserver.crt -text -noout | grep Not
HA 集群其余 Master 节点证书更新
#!/bin/bash
masterNode="192.168.66.20 192.168.66.21"
# for host in ${masterNode}; do
# scp /etc/kubernetes/pki/{ca.crt,ca.key,sa.key,sa.pub,front-proxy-ca.crt,front-proxy-ca.key}
"${USER}"@$host:/etc/kubernetes/pki/
# scp /etc/kubernetes/pki/etcd/{ca.crt,ca.key} "root"@$host:/etc/kubernetes/pki/etcd
# scp /etc/kubernetes/admin.conf "root"@$host:/etc/kubernetes/
# done
for host in ${CONTROL_PLANE_IPS}; do
scp /etc/kubernetes/pki/{ca.crt,ca.key,sa.key,sa.pub,front-proxy-ca.crt,front-proxy-ca.key}
"${USER}"@$host:/root/pki/
scp /etc/kubernetes/pki/etcd/{ca.crt,ca.key} "root"@$host:/root/etcd
scp /etc/kubernetes/admin.conf "root"@$host:/root/kubernetes/
done
最新、最全、最详细的 K8S 学习笔记总结(2021最新版)
作者: Escape 链接: https://escapelife.github.io/posts/538ec6b1.html