K8s: Changing the api-server certificate validity to 10 years

I. Check the certificate validity

1. Locate all k8s certificates
/etc/kubernetes/pki
2. Check the validity period of a certificate
A one-year certificate
(base) [root@node1 pki]# openssl x509 -in apiserver.crt -text -noout
            Not Before: Nov  8 12:40:23 2022 GMT
            Not After : Nov  8 12:40:23 2023 GMT
A ten-year certificate
(base) [root@node1 pki]# openssl x509 -in ca.crt -text -noout
            Not Before: Nov  8 12:40:23 2022 GMT
            Not After : Nov  5 12:40:23 2032 GMT
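II. Change the api-server certificate validity to 10 years
1. Open the following link in a browser and download the Go toolchain
https://studygolang.com/dl      (Linux package)
2. Extract it to /usr/local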
tar -xvf go1.19.3.linux-amd64.tar.gz -C /usr/local
3. Configure and reload the environment variables
vim /etc/profile     
export PATH=$PATH:/usr/local/go/bin
source /etc/profile
Verify: go version
go version go1.19.3 linux/amd64
4. Install git and use it to clone the repository
Create a data directory and change into it
mkdir -p /data && cd /data
Clone
git clone https://github.com/kubernetes/kubernetes.git
If the clone fails, set this parameter and retry a few times
git config --global http.postBuffer 100M
5. Switch to the matching version
Check the current version
kubeadm  version
Check out the branch for that version
git checkout -b remotes/origin/release-1.20.4 v1.20.4
### Switched to a new branch 'remotes/origin/release-1.20.4'
If you get the error fatal: Not a git repository (or any of the parent directories): .git
then run git init
6. For versions after 1.14, use the following command
vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
Add one line in it (the constant) and use it as the certificate expiry time:
const duration3650d = time.Hour * 24 * 365 * 10
  time.Now().Add(duration3650d).UTC(),
7. Build kubeadm
make WHAT=cmd/kubeadm GOFLAGS=-v
8. Back up the files
cp _output/bin/kubeadm /root/
mv /usr/bin/kubeadm /usr/bin/kubeadm.bak  
cp /root/kubeadm /usr/bin/
chmod a+x  /usr/bin/kubeadm
cd /etc/kubernetes/
cp -r pki/ pki.old
9. Regenerate the certificates
cd ~
kubeadm alpha certs renew all --config=/usr/local/install-k8s/core/kubeadm-config.yaml
Command "all" is deprecated, please use the same command under "kubeadm certs"
W1206 11:33:48.179839     895 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
10. Check the certificate validity
cd /etc/kubernetes/pki &&  openssl x509 -in apiserver.crt -text -noout
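The ten-year ca.crt shown in section I ends on Nov 5 2032 rather than Nov 8 because the validity is 3650 days, not ten calendar years; the same holds for certificates issued with duration3650d. The Go sketch below is an added example, not code from the original post or from kubeadm: it reuses the page's duration3650d constant, while the lifetime and sampleCert functions and the self-signed sample certificate are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const duration3650d = time.Hour * 24 * 365 * 10 // the page's constant: 3650 days, not 10 calendar years

// lifetime returns the validity span in whole days and the expiry of one PEM certificate.
func lifetime(pemBytes []byte) (int, time.Time, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, time.Time{}, fmt.Errorf("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, time.Time{}, err
	}
	return int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24), cert.NotAfter, nil
}

// sampleCert mints a throwaway self-signed certificate (constructed input, not a cluster cert).
func sampleCert(notBefore time.Time, validity time.Duration) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample"},
		NotBefore: notBefore, NotAfter: notBefore.Add(validity)}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	start := time.Date(2022, 11, 8, 12, 40, 23, 0, time.UTC) // Not Before shown on the page
	fmt.Println(lifetime(sampleCert(start, time.Hour*24*365)))
	fmt.Println(lifetime(sampleCert(start, duration3650d)))
}
```

Passing the bytes of each .crt file under /etc/kubernetes/pki to lifetime gives the same check as step 10 without reading the openssl output by eye.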