证书可用年限修改
[root@k8s-master pki]# pwd
/etc/kubernetes/pki
当前系统中所有的证书:
[root@k8s-master pki]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
[root@k8s-master pki]# openssl x509 -in apiserver.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6240184568644574489 (0x569996cda2ef1d19)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Nov 24 04:13:28 2020 GMT
Not After : Nov 24 04:13:29 2021 GMT
Subject: CN=kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a4:e4:45:4e:6b:31:9b:87:bf:c0:e1:05:85:de:
1e:82:34:a2:95:a2:a2:cc:69:32:71:c1:39:be:0d:
5b:17:08:4b:d9:16:e5:b7:dd:c8:e8:7f:14:06:75:
3f:63:35:2b:50:04:84:5f:00:cb:c1:80:e0:9a:ec:
5d:6f:54:f2:fd:99:44:7e:96:26:87:8d:ea:1b:cd:
ef:8d:93:2f:71:fa:35:36:1d:7e:2a:be:5f:d0:3c:
50:c2:f3:ab:76:e8:5d:83:14:06:68:6e:b2:67:6e:
6b:e7:47:a5:80:c1:1c:15:c9:2f:2f:fb:81:03:1d:
cd:f5:55:d7:35:57:e9:60:60:14:30:d7:92:c1:73:
27:0e:1f:aa:13:45:54:78:e3:11:80:59:9c:cf:84:
d1:cc:4e:7e:f7:7e:23:74:0a:ff:31:62:19:77:06:
57:c5:91:e9:6c:e6:f2:31:66:64:00:bc:7d:0f:39:
6e:2a:7f:a7:7b:20:fc:5e:e0:41:03:a5:f3:3b:56:
73:68:4d:63:5b:27:b6:a2:dc:9b:41:e6:bb:e9:53:
8e:29:ce:c5:f2:46:70:a4:84:81:5a:bb:42:91:1b:
4b:1d:61:b9:a7:4a:95:78:a5:a3:44:bb:ed:3d:15:
20:6e:68:af:2f:92:6c:64:c1:3c:25:27:04:44:0a:
7a:19
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:k8s-master, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:10.10.21.8
Signature Algorithm: sha256WithRSAEncryption
3f:4c:21:0b:a6:98:71:f8:18:07:07:07:c9:f5:0b:51:6f:29:
9f:35:dc:4a:da:62:55:a6:1b:2e:85:3e:22:b8:f8:83:cf:5e:
a1:17:e3:b6:4e:c9:29:7e:b1:62:18:41:92:cc:8a:b4:9c:3d:
d2:2d:84:27:d1:c9:61:cf:cb:15:03:30:fa:42:98:3a:a0:07:
b1:8e:ff:1e:d1:f9:f7:75:a6:d2:3d:c4:60:18:d9:f2:5a:9f:
e8:26:d0:c8:94:31:40:ed:a3:28:ab:30:b4:be:88:fc:a3:4c:
47:bf:7f:59:8c:0b:c3:ed:bd:e9:2d:67:27:b7:2e:e2:c6:03:
cc:74:2b:07:17:91:18:b2:e2:d5:0c:e6:a5:58:95:7a:5f:f2:
82:5b:5b:b3:c8:8f:50:f4:3e:ef:d1:cc:73:16:c0:5d:1e:83:
b9:38:fd:83:ab:e5:bd:f3:ea:7e:79:a5:1d:eb:49:b8:08:a1:
a8:cf:88:b2:9b:45:82:74:92:fd:02:ae:c9:49:b4:e5:74:fc:
d9:33:af:ba:f3:5b:d5:9e:f7:7d:c9:ff:e3:72:0e:83:41:4c:
22:fb:07:49:a6:e5:bc:df:3c:ff:6c:05:94:59:31:a3:e7:d3:
3d:8b:27:6c:3f:7e:4f:78:d6:ab:7b:bd:79:83:e7:77:b7:ef:
6f:ee:d8:2d
[root@k8s-master pki]# mkdir /data
将 go1.15.6.linux-amd64.tar.gz 下载到 /data
[root@k8s-master data]# tar -zxvf go1.15.6.linux-amd64.tar.gz -C /usr/local/
[root@k8s-master data]# ls /usr/local/go
api CONTRIBUTING.md favicon.ico misc README.md src
AUTHORS CONTRIBUTORS lib PATENTS robots.txt test
bin doc LICENSE pkg SECURITY.md VERSION
[root@k8s-master data]# vi /etc/profile
export PATH=$PATH:/usr/local/go/bin
[root@k8s-master data]# source /etc/profile
[root@k8s-master pki]# go version
go version go1.15.6 linux/amd64
下载源码
[root@k8s-master pki]# cd /data
[root@k8s-master data]# git clone https://github.com/kubernetes/kubernetes.git
[root@k8s-master data]# cd kubernetes
[root@k8s-master kubernetes]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1", GitCommit:"4485c6f18cee9a5d3c3b4e523bd27972b1b53892", GitTreeState:"clean", BuildDate:"2019-07-18T09:15:32Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
[root@k8s-master kubernetes]# git checkout -b remotes/origin/release-1.15.1 v1.15.1
Checking out files: 100% (19533/19533), done.
Switched to a new branch 'remotes/origin/release-1.15.1'
修改 kubeadm 源码中的证书有效期策略
vi staging/src/k8s.io/client-go/util/cert/cert.go # kubeadm 1.14 版本之前
vi cmd/kubeadm/app/util/pkiutil/pki_helpers.go # kubeadm 1.14 至今
[root@k8s-master kubernetes]# vi cmd/kubeadm/app/util/pkiutil/pki_helpers.go
修改如下
const duration3650d = time.Hour * 24 * 365 * 10
NotAfter: time.Now().Add(duration3650d).UTC(),
[root@k8s-master kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v
编译报错，最后改用 go1.12.9.linux-amd64.tar.gz
删除原来的go
[root@k8s-master data]# rm -rf /usr/local/go
下载go1.12.9.linux-amd64.tar.gz到/data
[root@k8s-master data]# tar -zxvf go1.12.9.linux-amd64.tar.gz -C /usr/local/
[root@k8s-master data]# ls /usr/local/go
api CONTRIBUTING.md favicon.ico misc README.md src
AUTHORS CONTRIBUTORS lib PATENTS robots.txt test
bin doc LICENSE pkg SECURITY.md VERSION
[root@k8s-master data]# vi /etc/profile
export PATH=$PATH:/usr/local/go/bin
[root@k8s-master data]# source /etc/profile
[root@k8s-master data]# go version
go version go1.12.9 linux/amd64
[root@k8s-master kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v
没有报错就是成功了。
[root@k8s-master kubernetes]# cp _output/bin/kubeadm /root/
更新 kubeadm
[root@k8s-master kubernetes]# cp /usr/bin/kubeadm /usr/bin/kubeadm.old
[root@k8s-master kubernetes]# cd
[root@k8s-master ~]# pwd
/root
[root@k8s-master ~]# cp kubeadm /usr/bin/
cp: overwrite ‘/usr/bin/kubeadm’? y
[root@k8s-master ~]# chmod a+x /usr/bin/kubeadm
在 Master 节点上更新集群证书（先备份原有 pki 目录）
[root@k8s-master ~]# cd /etc/kubernetes/
[root@k8s-master kubernetes]# cp -r pki/ pki.old
[root@k8s-master kubernetes]# cd
[root@k8s-master ~]# kubeadm alpha certs renew all --config=/root/kubeadm-config.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@k8s-master ~]# cd /etc/kubernetes/pki
[root@k8s-master pki]# ls
apiserver.crt apiserver-etcd-client.key apiserver-kubelet-client.crt ca.crt etcd front-proxy-ca.key front-proxy-client.key sa.pub
apiserver-etcd-client.crt apiserver.key apiserver-kubelet-client.key ca.key front-proxy-ca.crt front-proxy-client.crt sa.key
[root@k8s-master pki]# openssl x509 -in apiserver.crt -text -noout | grep Not
Not Before: Nov 24 04:13:28 2020 GMT
Not After : Dec 12 07:59:15 2030 GMT
apiserver.crt 的有效期已经是 10 年（其余证书可用同样的 openssl 命令逐一核对）。