使用 kubeadm 部署的 K8S 集群中,apiserver 证书的默认可用年限只有一年。如果直接用在生产环境,当证书过期后会造成 K8S 集群瘫痪,从而影响现网业务。
1,查看 K8S 集群所有证书存放位置
ls /etc/kubernetes/pki/
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub2,查看 apiserver 证书信息,默认可用年限只有一年
cd /etc/kubernetes/pki/
openssl x509 -in apiserver.crt -text -noout
Certificate:Data:Version: 3 (0x2)Serial Number: 1295513766016577226 (0x11fa96e8010beeca)Signature Algorithm: sha256WithRSAEncryptionIssuer: CN=kubernetesValidityNot Before: May 27 00:57:34 2021 GMTNot After : May 27 00:57:34 2022 GMT
3,查看 ca 证书信息,默认可用年限为10年
openssl x509 -in ca.crt -text -noout
Certificate:Data:Version: 3 (0x2)Serial Number: 0 (0x0)Signature Algorithm: sha256WithRSAEncryptionIssuer: CN=kubernetesValidityNot Before: May 27 00:57:34 2021 GMTNot After : May 25 00:57:34 2031 GMT
4,修改证书可用年限
1、go 环境部署
登陆 https://studygolang.com/dl ,下载 Linux 版本的 Go 安装包,如:go1.16.5.linux-amd64.tar.gz//上传 go1.12.9.linux-amd64.tar.gz 到 master 节点的 /opt 目录中
tar zxvf go1.12.9.linux-amd64.tar.gz -C /usr/local///设置 go 软件程序的环境变量
echo 'export PATH=/usr/local/go/bin:$PATH' >> /etc/profile
source /etc/profile//查看 go 的版本
go version
go version go1.12.9 linux/amd642、下载源码
mkdir /data
cd /data//克隆代码
#在 master 节点上生成密钥对认证文件
ssh-keygen -t rsa#复制公钥文件内容到github中,用于ssh克隆 https://github.com/settings/keys
cat /root/.ssh/id_rsa.pub#在 master 节点上克隆
git clone git@github.com:kubernetes/kubernetes.git//查看当前版本
kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1", GitCommit:"4485c6f18cee9a5d3c3b4e523bd27972b1b53892", GitTreeState:"clean", BuildDate:"2019-07-18T09:15:32Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}//切换分支
cd kubernetes/
git checkout -b remotes/origin/release-1.15.1 v1.15.13、修改 Kubeadm 源码包更新证书策略
vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
......
//NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *certutil.Config,key crypto.Signer,caCert *x509.certificate,caKey crypto.Signcate, error) {const duration10years = time.Hour * 24 * 365 * 10 #定义常量duration10years为10年时间 serial,err := cryptorand.Int(cryptorand.Reader,new(big.Int).SetInt64(math.MaxInt64))if err != nil {return nil, err}if len(cfg. CommonName) == 0 {return nil, errors.New("must specify a CommonName")}if len(cfg.Usages) == 0 {return nil, errors.New("must specify at least one ExtKeyUsage")}certTmpl := x509.Certificate{Subject: pkix.Name{CommonName:cfg. CommonName ,0rganization : cfg.0rganization ,},DNSNames: cfg.AltNames.DNSNames,IPAddresses: cfg.AltNames.IPs,SerialNumber: serial,NotBefore: caCert.NotBefore,NotAfter: time.Now().Add(duration10years).UTC(), #修改证书可用年限KeyUsage: x509.KeyUsageKeyEncipherment │ x509.KeyUsageDigitalSignature,ExtKeyUsage: cfg.Usages,}
......//编译 kubeadm
make WHAT=cmd/kubeadm GOFLAGS=-v//获取新编译出的kubeadm文件
cp _output/bin/kubeadm /root/kubeadm-new5,更新kubeadm
//将原 kubeadm 进行备份
cp /usr/bin/kubeadm /usr/bin/kubeadm.old//将 kubeadm 进行替换
cp /root/kubeadm-new /usr/bin/kubeadmchmod +x /usr/bin/kubeadm6,更新个节点证书到master
//将原证书进行备份
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old//生成新证书
kubeadm alpha certs renew all --config=/opt/kubeadm-config.yaml//查看 apiserver 证书信息
cd /etc/kubernetes/pki
openssl x509 -in apiserver.crt -text -noout | grep NotHA集群其余 mater 节点证书更新
//将新生成的证书复制到其他 mater 节点上进行更新
#!/bin/bash
masterNode="192.168.80.14 192.168.80.15"
for host in ${masterNode}
doscp /etc/kubernetes/pki/{ca.crt,ca.key,sa.key,sa.pub,front-proxy-ca.crt,front-proxy-ca.key}" root@$host:/etc/kubernetes/pki/scp /etc/kubernetes/pki/etcd/{ca.crt,ca.key} root@$host:/etc/kubernetes/pki/etcd/scp /etc/kubernetes/admin.conf root@$host:/etc/kubernetes/
done
)
)
![[激光原理与应用-72]:PLC架构与工作原理](http://pic.xiahunao.cn/[激光原理与应用-72]:PLC架构与工作原理)
)
