暗能星系


    k8s cluster certificate expiry, 1.19.7

    Problem log and solutions
    • Z
      zhanglu last edited by

      https://www.cnblogs.com/hukey/p/16600243.html

      • Z
        zhanglu last edited by

        Two ways to handle expired k8s cluster certificates

        1. Renew for one year (the default).

        2. Change the validity to a very long period (at most 100 years) by compiling kubeadm from source.

        The steps for the second way:

        1. Get the source

        wget https://github.com/kubernetes/kubernetes/archive/v1.19.7.tar.gz
        tar -zxvf v1.19.7.tar.gz
        mv kubernetes-1.19.7 kubernetes
        cd kubernetes

        2. Change the CA validity to 100 years

        vim ./staging/src/k8s.io/client-go/util/cert/cert.go

        func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
            now := time.Now()
            tmpl := x509.Certificate{
                SerialNumber: new(big.Int).SetInt64(0),
                Subject: pkix.Name{
                    CommonName:   cfg.CommonName,
                    Organization: cfg.Organization,
                },
                NotBefore:             now.UTC(),
                NotAfter:              now.Add(duration365d * 100).UTC(), // changed from 10 to 100 here
                // ... rest of the function unchanged

        vim ./cmd/kubeadm/app/constants/constants.go

        const (
            // KubernetesDir is the directory Kubernetes owns for storing various configuration files
            KubernetesDir = "/etc/kubernetes"
            // ManifestsSubDirName defines directory name to store manifests
            ManifestsSubDirName = "manifests"
            // TempDirForKubeadm defines temporary directory for kubeadm
            // should be joined with KubernetesDir.
            TempDirForKubeadm = "tmp"

            // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
            CertificateValidity = time.Hour * 24 * 365 * 100 // multiplied by 100 here: 100 years
            // ... rest of the const block unchanged

        3. Local build: install the build dependencies

        apt install -y gcc make jq rsync

        4. Install the Go toolchain

        cat ./build/build-image/cross/VERSION
        v1.15.5-1

        Download Go and upload it to the master node:

        wget https://dl.google.com/go/go1.15.1.linux-amd64.tar.gz
        tar xf go1.15.1.linux-amd64.tar.gz -C /usr/local/

        # Edit /etc/profile and add the following:
        vim /etc/profile

        export GOROOT=/usr/local/go
        export GOPATH=/usr/local/gopath
        export PATH=$PATH:$GOROOT/bin

        source /etc/profile

        5. Compile kubeadm

        # Compile kubeadm; only kubeadm needs to be built here
        make all WHAT=cmd/kubeadm GOFLAGS=-v

        # Compile kubelet
        # make all WHAT=cmd/kubelet GOFLAGS=-v

        # Compile kubectl
        # make all WHAT=cmd/kubectl GOFLAGS=-v

        # The build output is under _output/bin/kubeadm;
        # _output/bin is a symlink, the real path is
        # _output/local/bin/linux/amd64/kubeadm
        mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
        cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
        chmod +x /usr/bin/kubeadm

        6. Renew the certificates

        Check the certificate expiry dates:

        kubeadm alpha certs check-expiration

        Renew all certificates:

        kubeadm alpha certs renew all

        kubeadm alpha certs check-expiration

        [check-expiration] Reading configuration from the cluster...
        [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

        CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
        admin.conf                 Jul 25, 2121 10:00 UTC   99y                                     no
        apiserver                  Jul 25, 2121 10:00 UTC   99y             ca                      no
        apiserver-etcd-client      Jul 25, 2121 10:00 UTC   99y             etcd-ca                 no
        apiserver-kubelet-client   Jul 25, 2121 10:00 UTC   99y             ca                      no
        controller-manager.conf    Jul 25, 2121 10:00 UTC   99y                                     no
        etcd-healthcheck-client    Jul 25, 2121 10:00 UTC   99y             etcd-ca                 no
        etcd-peer                  Jul 25, 2121 10:00 UTC   99y             etcd-ca                 no
        etcd-server                Jul 25, 2121 10:00 UTC   99y             etcd-ca                 no
        front-proxy-client         Jul 25, 2121 10:00 UTC   99y             front-proxy-ca          no
        scheduler.conf             Jul 25, 2121 10:00 UTC   99y                                     no

        CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
        ca                      Jul 25, 2121 10:00 UTC   99y             no
        etcd-ca                 Jul 25, 2121 10:00 UTC   99y             no
        front-proxy-ca          Jul 25, 2121 10:00 UTC   99y             no

        If the cluster certificates have already expired, continue with the following steps after the ones above:

        docker restart `docker ps | grep etcd | awk '{print $1}'`
        docker restart `docker ps | grep kube-apiserver | awk '{print $1}'`
        docker restart `docker ps | grep kube-controller | awk '{print $1}'`
        docker restart `docker ps | grep kube-scheduler | awk '{print $1}'`

        Update the kubeconfig files

        root@k8s-master(10.0.0.11)~>kubeadm init phase kubeconfig all

        I0818 15:48:50.617013    3929 version.go:252] remote version is much newer: v1.24.4; falling back to: stable-1.19
        W0818 15:48:52.891141    3929 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
        [kubeconfig] Using kubeconfig folder "/etc/kubernetes"
        [kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
        [kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
        [kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
        [kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"

        Overwrite the original admin config

        mv $HOME/.kube/config $HOME/.kube/config.old
        cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
        chown $(id -u):$(id -g) $HOME/.kube/config
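To make concrete what the two edited constants in the post control, here is an added Go example (written for this rewrite; it is not code from the post, from kubeadm or from client-go). It builds a self-signed CA in the same shape as NewSelfSignedCACert but with the validity passed in, and then checks a certificate's residual lifetime the way the RESIDUAL TIME column of `kubeadm alpha certs check-expiration` reports it, flagging certificates that are expired or inside a warning window. The names NewSelfSignedCA, CheckExpiration, Expiry and ResidualYears, the random serial number (the upstream snippet uses serial 0) and the 30-day warning window are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// duration365d mirrors the helper used in client-go's cert.go.
const duration365d = time.Hour * 24 * 365

// Validity periods discussed in the post: kubeadm's stock CertificateValidity
// (one year) and the value after the constants.go edit (100 years).
const (
	DefaultCertValidity = duration365d
	PatchedCertValidity = duration365d * 100
)

// NewSelfSignedCA builds a self-signed CA shaped like NewSelfSignedCACert, but
// takes the validity as a parameter instead of the hard-coded multiplier.
// It uses a random serial number (this example's choice, not the upstream 0).
func NewSelfSignedCA(cn string, validity time.Duration, key *ecdsa.PrivateKey) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(validity).UTC(), // the value the post changes
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// Expiry is one row of a check-expiration style report.
type Expiry struct {
	Name     string
	NotAfter time.Time
	Residual time.Duration
	Expired  bool
	Warn     bool // still valid but inside the warning window
}

// CheckExpiration parses a PEM certificate and reports its residual lifetime
// relative to now, the information check-expiration prints per certificate.
func CheckExpiration(name string, pemBytes []byte, now time.Time, warnWithin time.Duration) (Expiry, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return Expiry{}, fmt.Errorf("%s: no CERTIFICATE block found", name)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Expiry{}, fmt.Errorf("%s: %w", name, err)
	}
	residual := cert.NotAfter.Sub(now)
	return Expiry{
		Name:     name,
		NotAfter: cert.NotAfter,
		Residual: residual,
		Expired:  residual <= 0,
		Warn:     residual > 0 && residual < warnWithin,
	}, nil
}

// ResidualYears rounds a residual duration down to whole 365-day years, the
// unit the RESIDUAL TIME column uses for long-lived certificates.
func ResidualYears(d time.Duration) int {
	if d < 0 {
		return 0
	}
	return int(d / duration365d)
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed scenarios: a stock one-year CA checked today, 350 and 400 days
	// later, and a CA issued with the patched 100-year validity.
	for _, c := range []struct {
		name     string
		validity time.Duration
		at       time.Time
	}{
		{"ca (stock, checked today)", DefaultCertValidity, now},
		{"ca (stock, checked 350 days later)", DefaultCertValidity, now.Add(350 * 24 * time.Hour)},
		{"ca (stock, checked 400 days later)", DefaultCertValidity, now.Add(400 * 24 * time.Hour)},
		{"ca (patched to 100 years)", PatchedCertValidity, now},
	} {
		pemCA, err := NewSelfSignedCA("kubernetes", c.validity, key)
		if err != nil {
			panic(err)
		}
		e, err := CheckExpiration(c.name, pemCA, c.at, 30*24*time.Hour)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-36s expires %s residual %3dy expired=%-5v warn=%v\n",
			e.Name, e.NotAfter.Format("Jan 02, 2006 15:04 MST"), ResidualYears(e.Residual), e.Expired, e.Warn)
	}
}
```

With the stock one-year validity the check flags the certificate inside the warning window and reports it expired once past NotAfter, which is the state the container-restart and kubeconfig steps in the post recover from; with the 100-year value the same check reports about 99y of residual time, matching the table in the post. Running the same check over the files under /etc/kubernetes/pki and the client-certificate-data embedded in the kubeconfig files is what check-expiration does on a real node.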
        • Z
          zhanglu last edited by

          kubeadm certificate validity: 100 years
