使用 kubeadm 部署的 K8S 集群中,apiserver 证书的默认可用年限只有一年。如果直接用在生产环境,当证书过期后会造成 K8S 集群瘫痪,从而影响现网业务。
1,查看 K8S 集群所有证书存放位置
ls /etc/kubernetes/pki/
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
2,查看 apiserver 证书信息,默认可用年限只有一年
cd /etc/kubernetes/pki/
openssl x509 -in apiserver.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1295513766016577226 (0x11fa96e8010beeca)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: May 27 00:57:34 2021 GMT
Not After : May 27 00:57:34 2022 GMT
3,查看 ca 证书信息,默认可用年限为10年
openssl x509 -in ca.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: May 27 00:57:34 2021 GMT
Not After : May 25 00:57:34 2031 GMT
4,修改证书可用年限
1、go 环境部署
登陆 https://studygolang.com/dl ,下载 Linux 版本的 Go 安装包,如:go1.16.5.linux-amd64.tar.gz
//上传 go1.12.9.linux-amd64.tar.gz 到 master 节点的 /opt 目录中
tar zxvf go1.12.9.linux-amd64.tar.gz -C /usr/local/
//设置 go 软件程序的环境变量
echo 'export PATH=/usr/local/go/bin:$PATH' >> /etc/profile
source /etc/profile
//查看 go 的版本
go version
go version go1.12.9 linux/amd64
2、下载源码
mkdir /data
cd /data
//克隆代码
#在 master 节点上生成密钥对认证文件
ssh-keygen -t rsa
#复制公钥文件内容到github中,用于ssh克隆 https://github.com/settings/keys
cat /root/.ssh/id_rsa.pub
#在 master 节点上克隆
git clone git@github.com:kubernetes/kubernetes.git
//查看当前版本
kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1", GitCommit:"4485c6f18cee9a5d3c3b4e523bd27972b1b53892", GitTreeState:"clean", BuildDate:"2019-07-18T09:15:32Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
//切换分支
cd kubernetes/
git checkout -b remotes/origin/release-1.15.1 v1.15.1
3、修改 Kubeadm 源码包更新证书策略
vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
......
//NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *certutil.Config,key crypto.Signer,caCert *x509.certificate,caKey crypto.Signcate, error) {
const duration10years = time.Hour * 24 * 365 * 10 #定义常量duration10years为10年时间
serial,err := cryptorand.Int(cryptorand.Reader,new(big.Int).SetInt64(math.MaxInt64))
if err != nil {
return nil, err
}
if len(cfg. CommonName) == 0 {
return nil, errors.New("must specify a CommonName")
}
if len(cfg.Usages) == 0 {
return nil, errors.New("must specify at least one ExtKeyUsage")
}
certTmpl := x509.Certificate{
Subject: pkix.Name{
CommonName:cfg. CommonName ,
0rganization : cfg.0rganization ,
},
DNSNames: cfg.AltNames.DNSNames,
IPAddresses: cfg.AltNames.IPs,
SerialNumber: serial,
NotBefore: caCert.NotBefore,
NotAfter: time.Now().Add(duration10years).UTC(), #修改证书可用年限
KeyUsage: x509.KeyUsageKeyEncipherment │ x509.KeyUsageDigitalSignature,
ExtKeyUsage: cfg.Usages,
}
......
//编译 kubeadm
make WHAT=cmd/kubeadm GOFLAGS=-v
//获取新编译出的kubeadm文件
cp _output/bin/kubeadm /root/kubeadm-new
5,更新kubeadm
//将原 kubeadm 进行备份
cp /usr/bin/kubeadm /usr/bin/kubeadm.old
//将 kubeadm 进行替换
cp /root/kubeadm-new /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm
6,更新个节点证书到master
//将原证书进行备份
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old
//生成新证书
kubeadm alpha certs renew all --config=/opt/kubeadm-config.yaml
//查看 apiserver 证书信息
cd /etc/kubernetes/pki
openssl x509 -in apiserver.crt -text -noout | grep Not
HA集群其余 mater 节点证书更新
//将新生成的证书复制到其他 mater 节点上进行更新
#!/bin/bash
masterNode="192.168.80.14 192.168.80.15"
for host in ${masterNode}
do
scp /etc/kubernetes/pki/{ca.crt,ca.key,sa.key,sa.pub,front-proxy-ca.crt,front-proxy-ca.key}" root@$host:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/etcd/{ca.crt,ca.key} root@$host:/etc/kubernetes/pki/etcd/
scp /etc/kubernetes/admin.conf root@$host:/etc/kubernetes/
done