1. 百年的kubeadm

1.1 源码修改

• 源码下载

cd /usr/local/src/
git clone -b release-1.15 https://github.com/kubernetes/kubernetes.git

• 再次确认分支

cd  kubernetes
git branch -a

• 修改cert.go

vim ./staging/src/k8s.io/client-go/util/cert/cert.goNotBefore:             now.UTC(),#修改下边的10为100NotAfter:              now.Add(duration365d * 10).UTC(),KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,BasicConstraintsValid: true,IsCA:  

• 修改constants.go

vim ./cmd/kubeadm/app/constants/constants.go// CertificateValidity defines the validity for all the signed certificates generated by kubeadm#将下边time.Hour * 100CertificateValidity = time.Hour * 24 * 365

修改后如下：

vim ./cmd/kubeadm/app/constants/constants.go// CertificateValidity defines the validity for all the signed certificates generated by kubeadmCertificateValidity = time.Hour * 24 * 365 * 100

1.2 准备镜像

docker pull mirrorgooglecontainers/kube-cross:v1.12.10-1

官方提供的编译镜像，无论如何弄到服务器上就行了

1.3 编译

docker run --rm -it -v /usr/local/src/k8s.io/kubernetes:/go/src/k8s.io/kubernetes \
mirrorgooglecontainers/kube-cross:v1.12.10-1 bashcd /go/src/k8s.io/kubernetes
make all WHAT=cmd/kubeadm GOFLAGS=-v
exit

1.4 成品备份

• 成品位置
  编译好的成品在： _output/local/bin/linux/amd64/kubeadm

• 成品测试

cp _output/local/bin/linux/amd64/kubeadm /usr/bin/
chmod a+x /usr/bin/kubeadm
kubeadm version

• 成本保存
  已上传至ftp服务器，ftp://10.252.97.213/soft/kubeadm

2. 生成证书

2.1 master主节点

• 将前边准备的kubeadm 拷贝到服务器

cd /usr/local/src
wget  ftp://10.252.97.213/soft/kubeadm

• 替换原来kubeadm文件

cp /usr/bin/kubeadm /usr/bin/kubeadm_back
cp /usr/local/src/kubeadm /usr/bin/kubeadm
chmod 755 /usr/bin/kubeadm

• 备份配置文件和证书

cp -ra /etc/kubernetes /etc/kubernetes_back

• 查看证书到期时间

kubeadm alpha certs check-expiration

• 更新证书和配置文件

 kubeadm alpha certs renew all

• 确认证书到期时间

[root@AiK8sM2 ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Apr 03, 2120 06:46 UTC   99y             no
apiserver                  Apr 03, 2120 09:36 UTC   99y             no
apiserver-etcd-client      Apr 03, 2120 09:36 UTC   99y             no
apiserver-kubelet-client   Apr 03, 2120 09:36 UTC   99y             no
controller-manager.conf    Apr 03, 2120 09:36 UTC   99y             no
etcd-healthcheck-client    Apr 03, 2120 09:36 UTC   99y             no
etcd-peer                  Apr 03, 2120 09:36 UTC   99y             no
etcd-server                Apr 03, 2120 09:36 UTC   99y             no
front-proxy-client         Apr 03, 2120 06:47 UTC   99y             no
scheduler.conf             Apr 03, 2120 09:36 UTC   99y             no

• 重启docker

说明：主要为了重启proxy和etcd

service docker restart

• 重启kubelet

service kubelet restart

2.2 其他master节点

• 拷贝100年的kubeadmin 文件
• 将前边准备的kubeadm 拷贝到服务器

cd /usr/local/src
wget  ftp://10.252.97.213/soft/kubeadm

• 替换原来kubeadm文件

cp /usr/bin/kubeadm /usr/bin/kubeadm_back
cp /usr/local/src/kubeadm /usr/bin/kubeadm
chmod 755 /usr/bin/kubeadm

• 备份配置文件和证书

cp -ra /etc/kubernetes /etc/kubernetes_back

• 查看证书到期时间

kubeadm alpha certs check-expiration

• 更新证书和配置文件

 kubeadm alpha certs renew all

• 确认证书到期时间

[root@AiK8sM2 ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Apr 03, 2120 06:46 UTC   99y             no
apiserver                  Apr 03, 2120 09:36 UTC   99y             no
apiserver-etcd-client      Apr 03, 2120 09:36 UTC   99y             no
apiserver-kubelet-client   Apr 03, 2120 09:36 UTC   99y             no
controller-manager.conf    Apr 03, 2120 09:36 UTC   99y             no
etcd-healthcheck-client    Apr 03, 2120 09:36 UTC   99y             no
etcd-peer                  Apr 03, 2120 09:36 UTC   99y             no
etcd-server                Apr 03, 2120 09:36 UTC   99y             no
front-proxy-client         Apr 03, 2120 06:47 UTC   99y             no
scheduler.conf             Apr 03, 2120 09:36 UTC   99y             no

• 从master-01 上拷贝证书文件
  从master01 上拷贝证书

ssh 10.251.137.187 "mkdir -p /etc/kubernetes/pki/etcd"
ssh 10.251.137.188 "mkdir -p /etc/kubernetes/pki/etcd"scp -r /etc/kubernetes/admin.conf 10.251.137.187:/etc/kubernetes/admin.conf
scp -r /etc/kubernetes/admin.conf 10.251.137.188:/etc/kubernetes/admin.confscp -r /etc/kubernetes/pki/{ca.*,sa.*,front*}  10.251.137.187:/etc/kubernetes/pki/
scp -r /etc/kubernetes/pki/{ca.*,sa.*,front*}  10.251.137.188:/etc/kubernetes/pki/scp -r /etc/kubernetes/pki/etcd/ca.*  10.251.137.187:/etc/kubernetes/pki/etcd/ 
scp -r /etc/kubernetes/pki/etcd/ca.*  10.251.137.188:/etc/kubernetes/pki/etcd/

• 重启docker

说明：主要为了重启proxy和etcd

service docker restart

• 重启kubelet

service kubelet restart