我们一起学习如何修改 Kubernetes 的证书可用时限吧!
使用过的朋友肯定知道,Kubernetes 默认的证书有效期只有 1 年,因此需要每年手动更新一次节点上面的证书,显然这对我们实际生产环境来说是很不友好的;因此我们要对 Kubernetes 的 SSL 证书有效期进行修改。如下给出了具体的方法,但是有可能到你开始使用的时候,已经不再试用。
- [0] 查看当前证书有效期
# 证书存放在: /etc/kubernetes/pki 目录下
$ ls -lh /etc/kubernetes/pki
-rw-r--r-- 1 root root 1212 May 19 14:01 apiserver.crt
-rw-r--r-- 1 root root 1090 May 19 14:01 apiserver-etcd-client.crt
-rw------- 1 root root 1679 May 19 14:01 apiserver-etcd-client.key
-rw------- 1 root root 1675 May 19 14:01 apiserver.key
-rw-r--r-- 1 root root 1099 May 19 14:01 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 May 19 14:01 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 May 17 2020 ca.crt
-rw------- 1 root root 1679 May 17 2020 ca.key
drwxr-xr-x 2 root root 4096 May 17 2020 etcd/
-rw-r--r-- 1 root root 1038 May 17 2020 front-proxy-ca.crt
-rw------- 1 root root 1679 May 17 2020 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 May 19 14:01 front-proxy-client.crt
-rw------- 1 root root 1675 May 19 14:01 front-proxy-client.key
-rw------- 1 root root 1675 May 17 2020 sa.key
-rw------- 1 root root 451 May 17 2020 sa.pub
# 查看有效期
$ for i in $(ls *.crt); do
echo "===== $i =====";
openssl x509 -in $i -text -noout | grep -A 3 'Validity'; done
# 除了ca根证书外其他证书有效期都是1年
===== apiserver.crt =====
Validity
Not Before: May 12 07:51:36 2020 GMT
Not After : May 12 07:51:36 2021 GMT
Subject: CN = kube-apiserver
===== apiserver-etcd-client.crt =====
Validity
Not Before: May 12 07:51:36 2020 GMT
Not After : May 12 07:51:36 2021 GMT
Subject: O = system:masters, CN = kube-apiserver-etcd-client
===== apiserver-kubelet-client.crt =====
Validity
Not Before: May 12 07:51:36 2020 GMT
Not After : May 12 07:51:36 2021 GMT
Subject: O = system:masters, CN = kube-apiserver-kubelet-client
===== ca.crt =====
Validity
Not Before: May 12 07:51:36 2020 GMT
Not After : May 10 07:51:36 2029 GMT
Subject: CN = kubernetes
===== front-proxy-ca.crt =====
Validity
Not Before: May 12 07:51:36 2019 GMT
Not After : May 10 07:51:36 2029 GMT
Subject: CN = front-proxy-ca
===== front-proxy-client.crt =====
Validity
Not Before: May 12 07:51:36 2020 GMT
Not After : May 12 07:51:36 2021 GMT
Subject: CN = front-proxy-client
- [1] Go 环境部署
# 安装Go语言 $ wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz $ tar -zxvf go1.12.1.linux-amd64.tar.gz -C /usr/local # 加入到系统配置中 $ vi /etc/profile export PATH=$PATH:/usr/local/go/bin source /etc/profile
- [2] 下载 K8S 源码
# 创建并下载代码 $ cd /data && mkdir -pv k8s_src $ git clone https://github.com/kubernetes/kubernetes.git $ git checkout -b remotes/origin/release-1.15.1 v1.15.
- [3] 修改 Kubeadm 源码包更新证书策略
# kubeadm1.14版本之前
$ vim staging/src/k8s.io/client-go/util/cert/cert.go
# kubeadm1.14至今的版本
$ vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
# 添加如下对应内容
type CertConfig struct {
certutil.Config
const duration365d = time.Hour * 24 * 365
NotAfter: time.Now().Add(duration365d).UTC()
PublicKeyAlgorithm x509.PublicKeyAlgorithm
}
$ make WHAT=cmd/kubeadm GOFLAGS=-v
$ cp _output/bin/kubeadm /root/kubeadm-new
- [4] 更新 kubeadm 工具
# 将kubeadm进行替换 $ cp /usr/bin/kubeadm /usr/bin/kubeadm.old $ cp /root/kubeadm-new /usr/bin/kubeadm $ chmod a+x /usr/bin/kubeadm
- [5] 更新各节点证书至 Master 节点
# 备份证书 $ cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old # 更新证书 $ cd /etc/kubernetes/pki $ kubeadm alpha certs renew all --config=/root/kubeadm-config.yaml $ openssl x509 -in apiserver.crt -text -noout | grep Not
- [6] HA 集群其余 Master 节点证书更新
#!/bin/bash
masterNode="192.168.66.20 192.168.66.21"
# for host in ${masterNode}; do
# scp /etc/kubernetes/pki/{ca.crt,ca.key,sa.key,sa.pub,front-proxy-ca.crt,front-proxy-ca.key}
"${USER}"@$host:/etc/kubernetes/pki/
# scp /etc/kubernetes/pki/etcd/{ca.crt,ca.key} "root"@$host:/etc/kubernetes/pki/etcd
# scp /etc/kubernetes/admin.conf "root"@$host:/etc/kubernetes/
# done
for host in ${CONTROL_PLANE_IPS}; do
scp /etc/kubernetes/pki/{ca.crt,ca.key,sa.key,sa.pub,front-proxy-ca.crt,front-proxy-ca.key}
"${USER}"@$host:/root/pki/
scp /etc/kubernetes/pki/etcd/{ca.crt,ca.key} "root"@$host:/root/etcd
scp /etc/kubernetes/admin.conf "root"@$host:/root/kubernetes/
done
