Changing the validity period of k8s certificates

Certificate validity period

Check the validity period of the certificates the cluster currently uses

[root@k8s-master01 kibana]# cd /etc/kubernetes/pki
[root@k8s-master01 pki]# openssl x509 -in apiserver.crt  -text -noout
...
...
Validity
            Not Before: Apr 27 01:19:41 2021 GMT
            Not After : Apr 27 01:19:41 2022 GMT
....
...

apiserver.crt is valid for one year.

[root@k8s-master01 pki]# openssl x509 -in ca.crt  -text -noout 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Apr 27 01:19:41 2021 GMT
            Not After : Apr 25 01:19:41 2031 GMT

The CA certificate (ca.crt), by contrast, is valid for ten years: Not After is 2031.

When the cluster is upgraded, the certificates are renewed automatically as well.
If you can guarantee that the cluster is upgraded every year, the certificate validity period is not something you need to worry about.

Approach to changing the cluster certificate validity

1. Set up a Go build environment
2. Clone the Kubernetes source
3. Change the certificate policy
4. Build kubeadm
5. Replace the kubeadm binary (back up the old one first)
6. Generate the certificates
7. Replace the certificates (back them up first)
8. Check the validity of the new certificates

Go environment setup

(Do not download the latest Go release; the build fails with it)

[root@k8s-master01 ~]# mkdir /data
[root@k8s-master01 data]# wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz
[root@k8s-master01 data]# tar -xf go1.12.7.linux-amd64.tar.gz -C /usr/local/
[root@k8s-master01 data]# vim /etc/profile
export PATH=$PATH:/usr/local/go/bin
[root@k8s-master01 data]# source /etc/profile
[root@k8s-master01 data]# go version
go version go1.12.7 linux/amd64

Clone the k8s project (this takes a while): half a day of downloading just to change one duration

[root@k8s-master01 data]# git clone https://github.com/kubernetes/kubernetes.git

Check the kubeadm version

[root@k8s-master01 data]# kubeadm  version
kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1", GitCommit:"4485c6f18cee9a5d3c3b4e523bd27972b1b53892", GitTreeState:"clean", BuildDate:"2019-07-18T09:15:32Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}

Check out the matching version

[root@k8s-master01 data]# cd kubernetes/
[root@k8s-master01 kubernetes]# git checkout -b remotes/origin/release-1.15.1 v1.15.1
切换到一个新分支 'remotes/origin/release-1.15.1'

Modify the kubeadm source to change the certificate policy
staging/src/k8s.io/client-go/util/cert/cert.go # kubeadm before 1.14
cmd/kubeadm/app/util/pkiutil/pki_helpers.go # kubeadm 1.14 onward

[root@k8s-master01 kubernetes]# vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
// NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
        // Added constant: 1 hour * 24 * 365 * 10 = 10 years (the name is misleading; it is ten years, not 365 days)
        const duration365d = time.Hour * 24 * 365 * 10
        serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
        if err != nil {
                return nil, err
        }
        if len(cfg.CommonName) == 0 {
                return nil, errors.New("must specify a CommonName")
        }
        if len(cfg.Usages) == 0 {
                return nil, errors.New("must specify at least one ExtKeyUsage")
        }

        certTmpl := x509.Certificate{
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                DNSNames:     cfg.AltNames.DNSNames,
                IPAddresses:  cfg.AltNames.IPs,
                SerialNumber: serial,
                NotBefore:    caCert.NotBefore, // copied from the CA, which is why renewed certs keep the CA's Not Before
                // Changed: was time.Now().Add(kubeadmconstants.CertificateValidity).UTC(), i.e. one year
                NotAfter:     time.Now().Add(duration365d).UTC(),
                KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
                ExtKeyUsage:  cfg.Usages,
        }
        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
        if err != nil {
                return nil, err
        }
        return x509.ParseCertificate(certDERBytes)
}

Build kubeadm

[root@k8s-master01 kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v
[root@k8s-master01 kubernetes]# cp _output/bin/kubeadm /root/kubeadm-new

Replace kubeadm (back up the existing binary first)
Swap in the newly built kubeadm binary

[root@k8s-master01 ~]# cp /usr/bin/kubeadm  /usr/bin/kubeadm.old
[root@k8s-master01 ~]# cp /root/kubeadm-new /usr/bin/kubeadm
cp:是否覆盖"/usr/bin/kubeadm"? y
[root@k8s-master01 ~]# chmod +x /usr/bin/kubeadm

Back up the pki directory

[root@k8s-master01 kubernetes]# cp -r pki pki.old

Generate the certificates (this config file is the one used when the cluster was initialized)

[root@k8s-master01 ~]# kubeadm alpha certs renew all --config=/usr/local/install-k8s/core/kubeadm-config.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Check the certificate validity

[root@k8s-master01 ~]# cd /etc/kubernetes/pki
[root@k8s-master01 pki]# openssl  x509 -in apiserver.crt  -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3637387775685121508 (0x327a98e9080f55e4)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Apr 27 01:19:41 2021 GMT
            Not After : Apr 25 08:45:34 2031 GMT

Validity is now ten years.

Update the certificates on each node

Certificate update on the remaining cluster nodes

[root@k8s-node01 pki]# scp [email protected]:/etc/kubernetes/pki/ca.crt  ./
[root@k8s-node02 pki]# scp [email protected]:/etc/kubernetes/pki/ca.crt  ./

This can also be done with a script

#!/bin/bash
# Copies the cluster CA material to the other control-plane nodes.
# ca.key, sa.key, front-proxy-ca.key and etcd/ca.key are the cluster's private
# keys and admin.conf is a cluster-admin credential, so the host list must contain
# control-plane nodes only; worker nodes need nothing beyond ca.crt.
set -e
masterNode="10.14.2.151 10.14.2.152"
for host in ${masterNode}; do
    scp /etc/kubernetes/pki/{ca.crt,ca.key,sa.key,sa.pub,front-proxy-ca.crt,front-proxy-ca.key} root@$host:/etc/kubernetes/pki/
    scp /etc/kubernetes/pki/etcd/{ca.crt,ca.key} root@$host:/etc/kubernetes/pki/etcd/
    scp /etc/kubernetes/admin.conf root@$host:/etc/kubernetes/
done
# Alternatively stage the files under /root/pki, /root/etcd and /root/kubernetes
# on each host and move them into place by hand.

That completes the change of the certificate validity period.