Modifying the certificate validity period of a Kubernetes cluster
1 Check certificate expiration
Check the certificate expiration dates. This command shows the expiration time and remaining time of the client certificates in the /etc/kubernetes/pki directory and of the client certificates embedded in the KUBECONFIG files that kubeadm uses.
Newer version command: kubeadm certs check-expiration
Older version command: kubeadm alpha certs check-expiration
[root@k8s-master01 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf May 09, 2025 17:44 UTC 312d ca no
apiserver May 09, 2025 17:44 UTC 312d ca no
apiserver-etcd-client May 09, 2025 17:44 UTC 312d etcd-ca no
apiserver-kubelet-client May 09, 2025 17:44 UTC 312d ca no
controller-manager.conf May 09, 2025 17:44 UTC 312d ca no
etcd-healthcheck-client May 09, 2025 17:44 UTC 312d etcd-ca no
etcd-peer May 09, 2025 17:44 UTC 312d etcd-ca no
etcd-server May 09, 2025 17:44 UTC 312d etcd-ca no
front-proxy-client May 09, 2025 17:44 UTC 312d front-proxy-ca no
scheduler.conf May 09, 2025 17:44 UTC 312d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca May 07, 2034 17:44 UTC 9y no
etcd-ca May 07, 2034 17:44 UTC 9y no
front-proxy-ca May 07, 2034 17:44 UTC 9y no
2 Using the renew command
renew: Renew certificates for a Kubernetes cluster (note: this does not touch the CA root certificates). The renew command is what regenerates the cluster certificates.
List the subcommands available for regenerating certificates:
#kubeadm certs renew -h
[root@k8s-master01 ~]# kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm certs renew [flags]
kubeadm certs renew [command]
Available Commands:
admin.conf Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
all Renew all available certificates
apiserver Renew the certificate for serving the Kubernetes API
apiserver-etcd-client Renew the certificate the apiserver uses to access etcd
apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
controller-manager.conf Renew the certificate embedded in the kubeconfig file for the controller manager to use
etcd-healthcheck-client Renew the certificate for liveness probes to healthcheck etcd
etcd-peer Renew the certificate for etcd nodes to communicate with each other
etcd-server Renew the certificate for serving etcd
front-proxy-client Renew the certificate for the front proxy client
scheduler.conf Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
Flags:
-h, --help help for renew
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file (no effect when -logtostderr=true)
--log-file-max-size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--one-output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files (no effect when -logtostderr=true)
-v, --v Level number for the log level verbosity
Use "kubeadm certs renew [command] --help" for more information about a command.
[root@k8s-master01 ~]#
2.1 Important parameters
all: renew all available certificates; normally this is all you need to renew everything.
apiserver: renew only the certificate for serving the Kubernetes API, i.e. regenerate the certificate of a single component.
apiserver-etcd-client: renew the certificate the apiserver uses to access etcd.
The other subcommands work the same way.
2.2 Back up the old certificate directories
On the master node, it is best to back up the data before generating new certificates:
cp -rp /var/lib/etcd /var/lib/etcd.bak
cp -rp /etc/kubernetes /etc/kubernetes.bak
3 Configure 1-year certificates
The following command regenerates all certificates with a 1-year validity in one batch; it must be run on every master node.
#kubeadm certs renew all
Note: after renewing all certificates this way, their validity is still only 1 year.
At this point all certificates have been regenerated and the related files under /etc/kubernetes/ have been updated:
/etc/kubernetes/admin.conf
/etc/kubernetes/controller-manager.conf
/etc/kubernetes/scheduler.conf
Warning: if you run an HA cluster, this command must be run on all master nodes.
Note: certs renew uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SANs, etc.), not the kubeadm-config ConfigMap. It is strongly recommended to keep them in sync.
3.1 Check the 1-year certificates
Checking the certificate dates again shows they have been extended by one year:
#kubeadm certs check-expiration
Finally, restart the services.
4 Configure 50-year certificates
Next we generate 50-year certificates; this section describes how to change the certificate validity period.
4.1 Deploy the Go environment
4.1.2 Extract the package
Upload and extract the package, then run the following commands:
cd /root/
wget https://studygolang.com/dl/golang/go1.22.4.linux-amd64.tar.gz
tar zxf go1.22.4.linux-amd64.tar.gz -C /usr/local/
4.1.3 Configure the environment variables
# Single quotes keep $PATH unexpanded, so the profile extends PATH at each login instead of baking in today's value
echo 'export PATH=$PATH:/usr/local/go/bin' >> .bash_profile
source .bash_profile
4.1.4 Verify the Go environment
# go version
[root@k8s-master01 ~]# go version
go version go1.22.4 linux/amd64
[root@k8s-master01 ~]#
5 Download the Kubernetes source code
First check the k8s version: the source you download must match the version currently running on your cluster, so here I download v1.28.2.
5.1 Upload and extract the file
cd /root/
unzip -q kubernetes-v1.28.2.zip
5.2 Modify the source files
Changing the certificate validity requires modifying two files: constants.go and cert.go.
5.3 Modify constants.go
Find and modify the CertificateValidity field:
cd /root/kubernetes-v1.28.2
vim ./cmd/kubeadm/app/constants/constants.go
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"
	// CertificateBackdate defines the offset applied to notBefore for CA certificates generated by kubeadm
	CertificateBackdate = time.Minute * 5
	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	CertificateValidity = time.Hour * 24 * 365 * 50
	// DefaultCertificateDir defines default certificate directory
	DefaultCertificateDir = "pki"
----------------
# The default is 1 year; appending * 50 to CertificateValidity makes it 50 years.
5.4 Modify cert.go
Find and modify the first duration365d field:
const duration365d = time.Hour * 24 * 365 * 50

// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
	if err != nil {
		return nil, err
	}
	serial = new(big.Int).Add(serial, big.NewInt(1))
	notBefore := now.UTC()
	if !cfg.NotBefore.IsZero() {
		notBefore = cfg.NotBefore.UTC()
	}
	tmpl := x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:              []string{cfg.CommonName},
		NotBefore:             notBefore,
		NotAfter:              now.Add(duration365d).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
------------------
# Modify the duration365d field: the default is 1 year, change it to 50.
5.5 Compile the source
cd /root/kubernetes-v1.28.2
make WHAT=cmd/kubeadm GOFLAGS=-v
5.5.1 Build process
[root@k8s-master01 kubernetes-v1.28.2]# make WHAT=cmd/kubeadm GOFLAGS=-v
go version go1.20.8 linux/amd64
+++ [0702 03:08:31] Building go targets for linux/amd64
k8s.io/kubernetes/cmd/kubeadm (static)
internal/goarch
encoding
internal/unsafeheader
internal/abi
internal/cpu
internal/coverage/rtcov
internal/goexperiment
internal/bytealg
internal/goos
.....
# Check whether the build reported any errors; an exit status of 0 means the build succeeded.
[root@k8s-master01 kubernetes-v1.28.2]# echo $?
0
[root@k8s-master01 kubernetes-v1.28.2]#
5.5.2 Check the build result
After compiling, list the output directory; you can see the generated kubeadm binary.
[root@k8s-master01 kubernetes-v1.28.2]# ls -l /root/kubernetes-v1.28.2/_output/bin/
total 49612
-rwxr-xr-x 1 root root 50802688 Jul 2 03:22 kubeadm
[root@k8s-master01 kubernetes-v1.28.2]#
6 Replace kubeadm
Next we replace the old kubeadm with the new one, so back up the old binary first; remember that every master needs its own backup.
# Back up
mv /usr/bin/kubeadm /usr/bin/kubeadm_20240702bak
# Replace
cp /root/kubernetes-v1.28.2/_output/bin/kubeadm /usr/bin/
7 Renew the certificates
Remember that if there are multiple masters, the renewal must be run on each of them.
#kubeadm certs renew all
[root@k8s-master01 ~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
[root@k8s-master01 ~]# echo $?
0
[root@k8s-master01 ~]#
8 Restart the master node
#kubectl -n kube-system get cm kubeadm-config -o yaml
[root@k8s-master01 ~]# kubectl -n kube-system get cm kubeadm-config -o yaml
apiVersion: v1
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        authorization-mode: Node,RBAC
      timeoutForControlPlane: 4m0s
    apiVersion: kubeadm.k8s.io/v1beta3
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    controllerManager: {}
    dns: {}
    etcd:
      local:
        dataDir: /var/lib/etcd
    imageRepository: registry.k8s.io
    kind: ClusterConfiguration
    kubernetesVersion: v1.28.2
    networking:
      dnsDomain: cluster.local
      podSubnet: 10.244.0.0/16
      serviceSubnet: 10.96.0.0/12
    scheduler: {}
kind: ConfigMap
metadata:
  creationTimestamp: "2024-05-09T17:44:43Z"
  name: kubeadm-config
  namespace: kube-system
  resourceVersion: "234"
  uid: fa84e3b1-a1f6-4e26-9b33-77c8c2218d70
[root@k8s-master01 ~]#
After the restart, check the new certificates: every certificate except the CAs now shows 50 years. Because certs renew leaves the CA certificates untouched, they still expire in 2034, and a certificate cannot validate past the expiry of the CA that issued it, so the 50-year validity of the renewed certificates is only effective while the CAs themselves remain valid.
9 Check the certificates
[root@k8s-master01 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jun 19, 2074 19:38 UTC 49y ca no
apiserver Jun 19, 2074 19:38 UTC 49y ca no
apiserver-etcd-client Jun 19, 2074 19:38 UTC 49y etcd-ca no
apiserver-kubelet-client Jun 19, 2074 19:38 UTC 49y ca no
controller-manager.conf Jun 19, 2074 19:38 UTC 49y ca no
etcd-healthcheck-client Jun 19, 2074 19:38 UTC 49y etcd-ca no
etcd-peer Jun 19, 2074 19:38 UTC 49y etcd-ca no
etcd-server Jun 19, 2074 19:38 UTC 49y etcd-ca no
front-proxy-client Jun 19, 2074 19:38 UTC 49y front-proxy-ca no
scheduler.conf Jun 19, 2074 19:38 UTC 49y ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca May 07, 2034 17:44 UTC 9y no
etcd-ca May 07, 2034 17:44 UTC 9y no
front-proxy-ca May 07, 2034 17:44 UTC 9y no
[root@k8s-master01 ~]#
Do the same on the other masters: scp the kubeadm binary from the first, already updated node, then follow the steps above to regenerate the certificate files. Remember to restart the services or the server after the update. This completes the certificate validity update.
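The section 9 output shows the CAs still expiring in 2034 while the renewed certificates now run to 2074. The following Go program, an added example rather than code from this page or from kubeadm, builds a constructed test PKI with the same proportions (10-year CA, 50-year signed certificate) and shows that once the CA expires, chain validation rejects the leaf regardless of its own NotAfter; the names caValidity, leafValidity, BuildChain and VerifyAt are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// As on the page: CAs keep kubeadm's 10-year default, signed certs get 50 years.
const caValidity = time.Hour * 24 * 365 * 10
const leafValidity = time.Hour * 24 * 365 * 50

func mustCert(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}

// BuildChain issues a self-signed CA and an apiserver-style leaf (constructed test PKI).
func BuildChain(now time.Time) (ca, leaf *x509.Certificate) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"},
		NotBefore: now, NotAfter: now.Add(caValidity),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, IsCA: true,
	}
	ca = mustCert(caTmpl, caTmpl, caPub, caPriv)
	leaf = mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "kube-apiserver"},
		NotBefore: now, NotAfter: now.Add(leafValidity), // outlives its issuer
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, leafPub, caPriv)
	return ca, leaf
}

// VerifyAt reports whether leaf chains to ca at time t; the root's validity window is checked too.
func VerifyAt(ca, leaf *x509.Certificate, t time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: t})
	return err == nil
}
```

The same check can be pointed at the real files by parsing /etc/kubernetes/pki/ca.crt and apiserver.crt with x509.ParseCertificate and comparing their NotAfter values.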