发表: 2026-06-05|更新: 2026-06-05|分类: rke2
|字数总计: 845|阅读时长: 4分钟|阅读量:128492
本文永久链接: https://www.xtplayer.cn/rke2/extend-the-rke2-certificate-to-a-period-of-10-years/
在使用 RKE2 搭建生产环境时,大家或许遇到过证书有效期过短的问题。默认情况下,RKE2 中的系统证书有效期为 12 个月,临近过期后在服务重启时会自动轮换。然而,在实际部署中,我们常常希望将证书有效期设置得更长,避免频繁运维。
开发工具
本文将介绍如何在 RKE2 初始安装阶段 或 已有集群中 ,通过配置环境变量 CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS,将证书有效期延长至 5 年、甚至 10 年,让你的集群更"省心"。
注意:
CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS的最大值为 3650(即 10 年),因为 RKE2 内部 CA 的最大有效期也是 10 年。
初始安装集群设置证书有效期
Step 1:配置环境变量
在安装 每个 RKE2 Server(Control-plane/etcd)节点 时,添加如下环境变量:
bash
cat << EOF > /etc/default/rke2-server
CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=3650
EOF该配置会将 RKE2 所有关键组件(如 kube-apiserver、etcd、kubelet 等)的证书有效期设置为 10 年。
Step 2:安装并启动 RKE2
bash
curl -sfL https://get.rke2.io | sh -
systemctl start rke2-server.serviceStep 3:验证证书有效期
bash
rke2 certificate check执行结果:
软件
bash
INFO[0000] Server detected, checking agent and server certificates
INFO[0000] client-rke2-controller.crt: certificate system:rke2-controller (ClientAuth) is ok, expires at 2035-07-01T07:07:52Z
INFO[0000] client-rke2-controller.crt: certificate rke2-client-ca@1751526470 (CertSign) is ok, expires at 2035-07-01T07:07:50Z
INFO[0000] client-admin.crt: certificate system:admin (ClientAuth) is ok, expires at 2035-07-01T07:07:50Z
INFO[0000] client-admin.crt: certificate rke2-client-ca@1751526470 (CertSign) is ok, expires at 2035-07-01T07:07:50Z
INFO[0000] client-auth-proxy.crt: certificate system:auth-proxy (ClientAuth) is ok, expires at
...
...
...
INFO[0000] client-supervisor.crt: certificate system:rke2-supervisor (ClientAuth) is ok, expires at 2035-07-01T07:07:50Z
INFO[0000] client-supervisor.crt: certificate rke2-client-ca@1751526470 (CertSign) is ok, expires at 2035-07-01T07:07:50Z
INFO[0000] client-kube-proxy.crt: certificate system:kube-proxy (ClientAuth) is ok, expires at 2035-07-01T07:07:52Z
INFO[0000] client-kube-proxy.crt: certificate rke2-client-ca@1751526470 (CertSign) is ok, expires at 2035-07-01T07:07:50Z你将看到所有证书的过期时间已延长至 2035 年。
已部署集群中修改证书有效期
Step 1:停止服务
bash
systemctl stop rke2-server.serviceStep 2:配置环境变量
bash
cat << EOF > /etc/default/rke2-server
CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=3650
EOFStep 3:执行证书轮换
bash
rke2 certificate rotateStep 4:重启服务
bash
systemctl start rke2-server.serviceStep 5:验证证书有效期
bash
rke2 certificate check执行结果:
计算机服务器
bash
root@ip-172-31-16-225:~# rke2 certificate check
INFO[0000] Server detected, checking agent and server certificates
INFO[0000] client-kube-apiserver.crt: certificate system:apiserver (ClientAuth) is ok, expires at 2035-07-01T07:33:54Z
INFO[0000] client-kube-apiserver.crt: certificate rke2-client-ca@1751527477 (CertSign) is ok, expires at 2035-07-01T07:24:37Z
INFO[0000] serving-kube-apiserver.crt: certificate kube-apiserver (ServerAuth) is ok, expires at 2035-07-01T07:33:54Z
INFO[0000] serving-kube-apiserver.crt: certificate rke2-server-ca@1751527477 (CertSign) is ok, expires at 2035-07-01T07:24:37Z
INFO[0000] client-auth-proxy.crt: certificate system:auth-proxy (ClientAuth) is ok, expires at 2035-07-01T07:33:54Z
...
...
...
INFO[0000] client-kube-proxy.crt: certificate rke2-client-ca@1751527477 (CertSign) is ok, expires at 2035-07-01T07:24:37Z
INFO[0000] client-kubelet.crt: certificate system:node:ip-172-31-16-225 (ClientAuth) is ok, expires at 2035-07-01T07:33:56Z
INFO[0000] client-kubelet.crt: certificate rke2-client-ca@1751527477 (CertSign) is ok, expires at 2035-07-01T07:24:37Z
INFO[0000] serving-kubelet.crt: certificate ip-172-31-16-225 (ServerAuth) is ok, expires at 2035-07-01T07:33:55Z
INFO[0000] serving-kubelet.crt: certificate rke2-server-ca@1751527477 (CertSign) is ok, expires at 2035-07-01T07:24:37Z确认所有证书的有效期已更新。
Step 6:在其他 Control-plane/etcd 节点重复 Step 1 ~ 5 的操作
确保整个集群的证书一致更新。