How to change the validity period of Kubernetes SSL certificates
Host configuration plan
| Hostname | OS version | Spec | Internal IP | External IP (simulated) |
|---|---|---|---|---|
| k8s-master | CentOS 7.7 | 2C/4G/20G | 172.16.1.110 | 10.0.0.110 |
| k8s-node01 | CentOS 7.7 | 2C/4G/20G | 172.16.1.111 | 10.0.0.111 |
| k8s-node02 | CentOS 7.7 | 2C/4G/20G | 172.16.1.112 | 10.0.0.112 |
Why change the certificate validity period
By default, Kubernetes issues certificates that are valid for 1 year, so they have to be renewed every year, which is clearly inconvenient in a real production environment; for that reason we change the validity period of the Kubernetes SSL certificates.
Checking the certificate validity period
```
[root@k8s-master pki]# pwd
/etc/kubernetes/pki
[root@k8s-master pki]# ll
total 56
-rw-r--r-- 1 root root 1224 May 12 15:51 apiserver.crt
-rw-r--r-- 1 root root 1090 May 12 15:51 apiserver-etcd-client.crt
-rw------- 1 root root 1675 May 12 15:51 apiserver-etcd-client.key
-rw------- 1 root root 1675 May 12 15:51 apiserver.key
-rw-r--r-- 1 root root 1099 May 12 15:51 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 May 12 15:51 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 May 12 15:51 ca.crt
-rw------- 1 root root 1675 May 12 15:51 ca.key
drwxr-xr-x 2 root root  162 May 12 15:51 etcd
-rw-r--r-- 1 root root 1038 May 12 15:51 front-proxy-ca.crt
-rw------- 1 root root 1675 May 12 15:51 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 May 12 15:51 front-proxy-client.crt
-rw------- 1 root root 1675 May 12 15:51 front-proxy-client.key
-rw------- 1 root root 1679 May 12 15:51 sa.key
-rw------- 1 root root  451 May 12 15:51 sa.pub
[root@k8s-master pki]#
[root@k8s-master pki]# for i in $(ls *.crt); do echo "===== $i ====="; openssl x509 -in $i -text -noout | grep -A 3 'Validity' ; done
===== apiserver.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : May 12 07:51:36 2021 GMT
        Subject: CN=kube-apiserver
===== apiserver-etcd-client.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : May 12 07:51:38 2021 GMT
        Subject: O=system:masters, CN=kube-apiserver-etcd-client
===== apiserver-kubelet-client.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : May 12 07:51:37 2021 GMT
        Subject: O=system:masters, CN=kube-apiserver-kubelet-client
===== ca.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : May 10 07:51:36 2030 GMT
        Subject: CN=kubernetes
===== front-proxy-ca.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : May 10 07:51:37 2030 GMT
        Subject: CN=front-proxy-ca
===== front-proxy-client.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : May 12 07:51:37 2021 GMT
        Subject: CN=front-proxy-client
[root@k8s-master pki]#
```
As the output shows, every certificate except the CA certificates is valid for 1 year.
Changing the certificate validity period
Deploying the Go environment
Go language Chinese community site:
https://studygolang.com/
Download from the Linux command line
```
[root@k8s-master software]# wget https://studygolang.com/dl/golang/go1.14.6.linux-amd64.tar.gz
[root@k8s-master software]# tar xf go1.14.6.linux-amd64.tar.gz -C /usr/local/
[root@k8s-master software]# vim /etc/profile    # append the following lines at the end
# Go environment variables
export PATH=$PATH:/usr/local/go/bin
[root@k8s-master software]# source /etc/profile
```
Downloading the Kubernetes source and changing the certificate policy
Current k8s version
```
[root@k8s-master software]# kubectl version
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T21:03:42Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T20:55:23Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
```
Download the source code matching the k8s version
Steps
```
[root@k8s-master software]# wget https://github.com/kubernetes/kubernetes/archive/v1.17.4.tar.gz
[root@k8s-master software]# tar xf v1.17.4.tar.gz && cd kubernetes-1.17.4
[root@k8s-master kubernetes-1.17.4]# vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
………………
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
	// Added line: validity period of 100 years
	const effectyear = time.Hour * 24 * 365 * 100

	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	if len(cfg.CommonName) == 0 {
		return nil, errors.New("must specify a CommonName")
	}
	if len(cfg.Usages) == 0 {
		return nil, errors.New("must specify at least one ExtKeyUsage")
	}

	certTmpl := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:     cfg.AltNames.DNSNames,
		IPAddresses:  cfg.AltNames.IPs,
		SerialNumber: serial,
		NotBefore:    caCert.NotBefore,
		// NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
		NotAfter:     time.Now().Add(effectyear).UTC(), // modified line
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  cfg.Usages,
	}
[root@k8s-master kubernetes-1.17.4]#
# note the working directory
[root@k8s-master kubernetes-1.17.4]# make WHAT=cmd/kubeadm GOFLAGS=-v
# copy the rebuilt kubeadm to a known location
[root@k8s-master kubernetes-1.17.4]# cp -a _output/bin/kubeadm /root/kubeadm-new
```
Replace kubeadm and back up the original certificates
```
# replace kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_20200725
mv /root/kubeadm-new /usr/bin/kubeadm
chmod 755 /usr/bin/kubeadm
# back up the original certificates
cp -a /etc/kubernetes/pki/ /etc/kubernetes/pki_20200725
```
Renewing the certificates
Proceed as follows:
```
# renew the certificates
[root@k8s-master ~]# kubeadm alpha certs renew all --config=/root/k8s_install/kubeadm-config.yaml
# check the validity period of the new certificates
[root@k8s-master ~]# cd /etc/kubernetes/pki
[root@k8s-master pki]# ll
total 56
-rw-r--r-- 1 root root 1224 Jul 25 18:44 apiserver.crt
-rw-r--r-- 1 root root 1094 Jul 25 18:44 apiserver-etcd-client.crt
-rw------- 1 root root 1675 Jul 25 18:44 apiserver-etcd-client.key
-rw------- 1 root root 1679 Jul 25 18:44 apiserver.key
-rw-r--r-- 1 root root 1103 Jul 25 18:44 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Jul 25 18:44 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 May 12 15:51 ca.crt
-rw------- 1 root root 1675 May 12 15:51 ca.key
drwxr-xr-x 2 root root  162 May 12 15:51 etcd
-rw-r--r-- 1 root root 1038 May 12 15:51 front-proxy-ca.crt
-rw------- 1 root root 1675 May 12 15:51 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 Jul 25 18:44 front-proxy-client.crt
-rw------- 1 root root 1679 Jul 25 18:44 front-proxy-client.key
-rw------- 1 root root 1679 May 12 15:51 sa.key
-rw------- 1 root root  451 May 12 15:51 sa.pub
[root@k8s-master pki]#
[root@k8s-master pki]# for i in $(ls *.crt); do echo "===== $i ====="; openssl x509 -in $i -text -noout | grep -A 3 'Validity' ; done
===== apiserver.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : Jul 1 10:44:20 2120 GMT
        Subject: CN=kube-apiserver
===== apiserver-etcd-client.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : Jul 1 10:44:20 2120 GMT
        Subject: O=system:masters, CN=kube-apiserver-etcd-client
===== apiserver-kubelet-client.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : Jul 1 10:44:20 2120 GMT
        Subject: O=system:masters, CN=kube-apiserver-kubelet-client
===== ca.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : May 10 07:51:36 2030 GMT
        Subject: CN=kubernetes
===== front-proxy-ca.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : May 10 07:51:37 2030 GMT
        Subject: CN=front-proxy-ca
===== front-proxy-client.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : Jul 1 10:44:22 2120 GMT
        Subject: CN=front-proxy-client
```
As the output shows, every certificate except the CA certificates is now valid for 100 years.
The kubeadm-config.yaml file is as follows
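The renewed certificates now expire in 2120 while the CA that signed them still expires in 2030, so chain verification stops succeeding in 2030 regardless of the leaf lifetime; the Go program below, added here as an example and not part of the original post, reproduces that state with the standard library and checks the chain at two points in time. It uses throwaway Ed25519 keys generated in memory, the CommonNames and issue date from the output above, and derives NotAfter from NotBefore rather than from time.Now() as kubeadm's NewSignedCert does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a cert for cn under parent (nil parent: self-signed root CA); NotAfter counts from notBefore here, unlike kubeadm's time.Now().
func issue(cn string, notBefore time.Time, validity time.Duration,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // throwaway key, constructed for this demo
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: notBefore,
		NotAfter: notBefore.Add(validity), Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // root CA: self-signed and allowed to sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildPageChain reproduces the page's end state: a 10-year CA issued 2020-05-12 and a 100-year apiserver cert under it.
func BuildPageChain() (leaf, ca *x509.Certificate) {
	issued := time.Date(2020, time.May, 12, 7, 51, 36, 0, time.UTC)
	ca, caKey := issue("kubernetes", issued, 10*365*24*time.Hour, nil, nil)
	leaf, _ = issue("kube-apiserver", issued, 100*365*24*time.Hour, ca, caKey)
	return leaf, ca
}

// ChainValidAt verifies leaf against ca at time t; Go checks every cert's window, so an expired CA fails the whole chain.
func ChainValidAt(leaf, ca *x509.Certificate, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t})
	return err == nil
}
func main() {
	leaf, ca := BuildPageChain() // prints: 2120 2030 false
	fmt.Println(leaf.NotAfter.Year(), ca.NotAfter.Year(), ChainValidAt(leaf, ca, time.Date(2031, 1, 1, 0, 0, 0, 0, time.UTC)))
}
```

The same check against the real files is what the openssl loop above does by hand; ca.crt and front-proxy-ca.crt therefore still need renewing before May 2030.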
```
[root@k8s-master k8s_install]# pwd
/root/k8s_install
[root@k8s-master k8s_install]# kubeadm config print init-defaults > kubeadm-config.yaml
# edited as needed
[root@k8s-master k8s_install]# cat kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  # change to this host's internal IP
  advertiseAddress: 172.16.1.110
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: k8s-master
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
# the version deployed here is v1.17.4
kubernetesVersion: v1.17.4
networking:
  dnsDomain: cluster.local
  # add the following line to set the pod network CIDR; flannel uses this range
  podSubnet: 10.244.0.0/16
  # the default is fine, no change needed: the address range for service VIPs, default 10.96.0.0/12
  serviceSubnet: 10.96.0.0/12
scheduler: {}
---
# add the following section to switch kube-proxy from the default mode to ipvs (not needed if ipvs was not set up during the initialization above)
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
  SupportIPVSProxyMode: true
mode: ipvs
```
Related reading
1. Quick deployment of a Kubernetes K8S V1.17.4 cluster with kubeadm: complete, pitfall-free edition
Done!