作者:温恭凯364092 | 来源:互联网 | 2023-09-24 20:38
一、背景k8s默认证书有效时间是1年,证书过期后就不能执行相关命令进行管理,如下图: 二、查看证书有效时间可以看出RESIDUAL的显示结果是invalid,表示过期[root@m
一、背景
k8s默认证书有效时间是1年,证书过期后就不能执行相关命令进行管理,如下图:
二、查看证书有效时间
可以看出RESIDUAL的显示结果是invalid,表示过期
[root@master pki]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Dec 28, 2021 08:24 UTC ca no
apiserver Dec 28, 2021 08:24 UTC ca no
apiserver-etcd-client Dec 28, 2021 08:24 UTC etcd-ca no
apiserver-kubelet-client Dec 28, 2021 08:24 UTC ca no
controller-manager.conf Dec 28, 2021 08:24 UTC ca no
etcd-healthcheck-client Dec 28, 2021 08:24 UTC etcd-ca no
etcd-peer Dec 28, 2021 08:24 UTC etcd-ca no
etcd-server Dec 28, 2021 08:24 UTC etcd-ca no
front-proxy-client Dec 28, 2021 08:24 UTC front-proxy-ca no
scheduler.conf Dec 28, 2021 08:24 UTC ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Dec 20, 2031 07:18 UTC 9y no
etcd-ca Dec 20, 2031 07:18 UTC 9y no
front-proxy-ca Dec 20, 2031 07:18 UTC 9y no
三、解决方案
修改源码重新生成
官方默认证书都是一年,我就以生成证书有效期为10年为例
现在机器上安装go环境,这个过程就省略了,度娘下很简单
1、查看当前环境安装的看k8s版本
2、下载源码
github上下载看k8s的源码,版本是第一步查询的版本,过程略
3、修改代码
我的版本是1.23.1版本,修改/opt/kubernetes/cmd/kubeadm/app/util/pkiutil/pki_helpers.go文件,我的大概在653行,有可能不同版本地方不一样,可以通过kubeadmconstants.CertificateValidity关键词搜索定位
注释掉notAfter := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()
在上面添加:
const year10 = time.Hour * 24 * 365 * 10
notAfter := time.Now().Add(year10).UTC()
4、重新编译
make WHAT=cmd/kubeadm GOFLAGS=-v
会在/opt/kubernetes/_output/bin 下生成kubeadm命令
5、备份原来的kubeadm和证书文件,避免出错还原
cp /usr/bin/kubeadm /usr/bin/kubeadm_bak
cp -r /etc/kubernetes/pki /etc/kubernetes/pki_bak
6、拷贝kubeadm到/usr/bin/下
[root@master bin]# pwd
/opt/kubernetes-master/_output/bin
[root@master bin]#
[root@master bin]#
[root@master bin]# ll
total 79136
-rwxr-xr-x 1 root root 6295552 Dec 28 16:58 conversion-gen
-rwxr-xr-x 1 root root 6021120 Dec 28 16:58 deepcopy-gen
-rwxr-xr-x 1 root root 6029312 Dec 28 16:58 defaulter-gen
-rwxr-xr-x 1 root root 3376703 Dec 28 16:58 go2make
-rwxr-xr-x 1 root root 45187072 Dec 28 17:00 kubeadm
-rwxr-xr-x 1 root root 8126464 Dec 28 16:58 openapi-gen
-rwxr-xr-x 1 root root 5996544 Dec 28 16:58 prerelease-lifecycle-gen
[root@master bin]#
[root@master bin]# cp kubeadm /usr/bin/
cp: overwrite ‘/usr/bin/kubeadm’? y
7、重新生成证书
[root@master bin]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
8、重启相关服务
[root@master bin]# docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
3af36fb43da0
6ff7681f2556
91eaaacf2664
b886b4e5f623
9、确认证书时间
这里图上看是9年有肯能是时间取整了的原因
可以使用基本管理命令了
京公网安备 11010802041100号