signature=480ed9b4309c4160d73ee6155654c6c4,k8s证书可用年限修改

证书可用年限修改

[root@k8s-master pki]# pwd

/etc/kubernetes/pki

当前系统中所有的证书：

[root@k8s-master pki]# ls

apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key

apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key

apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub

[root@k8s-master pki]# openssl x509 -in apiserver.crt -text -noout

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 6240184568644574489 (0x569996cda2ef1d19)

Signature Algorithm: sha256WithRSAEncryption

Issuer: CN=kubernetes

Validity

Not Before: Nov 24 04:13:28 2020 GMT

Not After : Nov 24 04:13:29 2021 GMT

Subject: CN=kube-apiserver

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:a4:e4:45:4e:6b:31:9b:87:bf:c0:e1:05:85:de:

1e:82:34:a2:95:a2:a2:cc:69:32:71:c1:39:be:0d:

5b:17:08:4b:d9:16:e5:b7:dd:c8:e8:7f:14:06:75:

3f:63:35:2b:50:04:84:5f:00:cb:c1:80:e0:9a:ec:

5d:6f:54:f2:fd:99:44:7e:96:26:87:8d:ea:1b:cd:

ef:8d:93:2f:71:fa:35:36:1d:7e:2a:be:5f:d0:3c:

50:c2:f3:ab:76:e8:5d:83:14:06:68:6e:b2:67:6e:

6b:e7:47:a5:80:c1:1c:15:c9:2f:2f:fb:81:03:1d:

cd:f5:55:d7:35:57:e9:60:60:14:30:d7:92:c1:73:

27:0e:1f:aa:13:45:54:78:e3:11:80:59:9c:cf:84:

d1:cc:4e:7e:f7:7e:23:74:0a:ff:31:62:19:77:06:

57:c5:91:e9:6c:e6:f2:31:66:64:00:bc:7d:0f:39:

6e:2a:7f:a7:7b:20:fc:5e:e0:41:03:a5:f3:3b:56:

73:68:4d:63:5b:27:b6:a2:dc:9b:41:e6:bb:e9:53:

8e:29:ce:c5:f2:46:70:a4:84:81:5a:bb:42:91:1b:

4b:1d:61:b9:a7:4a:95:78:a5:a3:44:bb:ed:3d:15:

20:6e:68:af:2f:92:6c:64:c1:3c:25:27:04:44:0a:

7a:19

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Key Usage: critical

Digital Signature, Key Encipherment

X509v3 Extended Key Usage:

TLS Web Server Authentication

X509v3 Subject Alternative Name:

DNS:k8s-master, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:10.10.21.8

Signature Algorithm: sha256WithRSAEncryption

3f:4c:21:0b:a6:98:71:f8:18:07:07:07:c9:f5:0b:51:6f:29:

9f:35:dc:4a:da:62:55:a6:1b:2e:85:3e:22:b8:f8:83:cf:5e:

a1:17:e3:b6:4e:c9:29:7e:b1:62:18:41:92:cc:8a:b4:9c:3d:

d2:2d:84:27:d1:c9:61:cf:cb:15:03:30:fa:42:98:3a:a0:07:

b1:8e:ff:1e:d1:f9:f7:75:a6:d2:3d:c4:60:18:d9:f2:5a:9f:

e8:26:d0:c8:94:31:40:ed:a3:28:ab:30:b4:be:88:fc:a3:4c:

47:bf:7f:59:8c:0b:c3:ed:bd:e9:2d:67:27:b7:2e:e2:c6:03:

cc:74:2b:07:17:91:18:b2:e2:d5:0c:e6:a5:58:95:7a:5f:f2:

82:5b:5b:b3:c8:8f:50:f4:3e:ef:d1:cc:73:16:c0:5d:1e:83:

b9:38:fd:83:ab:e5:bd:f3:ea:7e:79:a5:1d:eb:49:b8:08:a1:

a8:cf:88:b2:9b:45:82:74:92:fd:02:ae:c9:49:b4:e5:74:fc:

d9:33:af:ba:f3:5b:d5:9e:f7:7d:c9:ff:e3:72:0e:83:41:4c:

22:fb:07:49:a6:e5:bc:df:3c:ff:6c:05:94:59:31:a3:e7:d3:

3d:8b:27:6c:3f:7e:4f:78:d6:ab:7b:bd:79:83:e7:77:b7:ef:

6f:ee:d8:2d

[root@k8s-master pki]# mkdir /data

下载到/data

[root@k8s-master data]# tar -zxvf go1.15.6.linux-amd64.tar.gz -C /usr/local/

[root@k8s-master data]# ls /usr/local/go

api CONTRIBUTING.md favicon.ico misc README.md src

AUTHORS CONTRIBUTORS lib PATENTS robots.txt test

bin doc LICENSE pkg SECURITY.md VERSION

[root@k8s-master data]# vi /etc/profile

export PATH=$PATH:/usr/local/go/bin

[root@k8s-master data]# source /etc/profile

[root@k8s-master pki]# go version

go version go1.15.6 linux/amd64

下载源码

[root@k8s-master pki]# cd /data

[root@k8s-master data]# git clone https://github.com/kubernetes/kubernetes.git

[root@k8s-master data]# cd kubernetes

[root@k8s-master kubernetes]# kubeadm version

kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1", GitCommit:"4485c6f18cee9a5d3c3b4e523bd27972b1b53892", GitTreeState:"clean", BuildDate:"2019-07-18T09:15:32Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}

[root@k8s-master kubernetes]# git checkout -b remotes/origin/release-1.15.1 v1.15.1

Checking out files: 100% (19533/19533), done.

Switched to a new branch 'remotes/origin/release-1.15.1'

修改 Kubeadm 源码包更新证书策略

vi staging/src/k8s.io/client-go/util/cert/cert.go # kubeadm 1.14 版本之前

vi cmd/kubeadm/app/util/pkiutil/pki_helpers.go # kubeadm 1.14 至今

[root@k8s-master kubernetes]# vi cmd/kubeadm/app/util/pkiutil/pki_helpers.go

修改如下

const duration3650d = time.Hour 24 365 * 10

NotAfter: time.Now().Add(duration3650d).UTC(),

[root@k8s-master kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v

有报错，最后选择go1.12.9.linux-amd64.tar.gz

删除原来的go

[root@k8s-master data]# rm -rf /usr/local/go

下载go1.12.9.linux-amd64.tar.gz到/data

[root@k8s-master data]# tar -zxvf go1.12.9.linux-amd64.tar.gz -C /usr/local/

[root@k8s-master data]# ls /usr/local/go

api CONTRIBUTING.md favicon.ico misc README.md src

AUTHORS CONTRIBUTORS lib PATENTS robots.txt test

bin doc LICENSE pkg SECURITY.md VERSION

[root@k8s-master data]# vi /etc/profile

export PATH=$PATH:/usr/local/go/bin

[root@k8s-master data]# source /etc/profile

[root@k8s-master data]# go version

go version go1.12.9 linux/amd64

[root@k8s-master kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v

没有报错就是成功了。

[root@k8s-master kubernetes]# cp _output/bin/kubeadm /root/

更新 kubeadm

[root@k8s-master kubernetes]# cp /usr/bin/kubeadm /usr/bin/kubeadm.old

[root@k8s-master kubernetes]# cd

[root@k8s-master ~]# pwd

/root

[root@k8s-master ~]# cp kubeadm /usr/bin/

cp: overwrite ‘/usr/bin/kubeadm’? y

[root@k8s-master ~]# chmod a+x /usr/bin/kubeadm

更新各节点证书至 Master 节点

[root@k8s-master ~]# cd /etc/kubernetes/

[root@k8s-master kubernetes]# cp -r pki/ pki.old

[root@k8s-master kubernetes]# cd

[root@k8s-master ~]# kubeadm alpha certs renew all --config=/root/kubeadm-config.yaml

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed

certificate for serving the Kubernetes API renewed

certificate the apiserver uses to access etcd renewed

certificate for the API server to connect to kubelet renewed

certificate embedded in the kubeconfig file for the controller manager to use renewed

certificate for liveness probes to healtcheck etcd renewed

certificate for etcd nodes to communicate with each other renewed

certificate for serving etcd renewed

certificate for the front proxy client renewed

certificate embedded in the kubeconfig file for the scheduler manager to use renewed

[root@k8s-master ~]# cd /etc/kubernetes/pki

[root@k8s-master pki]# ls

apiserver.crt apiserver-etcd-client.key apiserver-kubelet-client.crt ca.crt etcd front-proxy-ca.key front-proxy-client.key sa.pub

apiserver-etcd-client.crt apiserver.key apiserver-kubelet-client.key ca.key front-proxy-ca.crt front-proxy-client.crt sa.key

[root@k8s-master pki]# openssl x509 -in apiserver.crt -text -noout | grep Not

Not Before: Nov 24 04:13:28 2020 GMT

Not After : Dec 12 07:59:15 2030 GMT

证书时间已经是10年。