The Kubernetes components depend heavily on certificates.
By default the CA certificate is valid for ten years, while every other certificate is valid for only one year.
If a certificate in Kubernetes expires, many components in the cluster can no longer communicate with each other, which breaks the whole cluster.
So in a production environment this is a major pitfall.
Checking certificate validity
Method one
cd /etc/kubernetes/pki
for i in *.crt; do echo "====================== $i ========"; openssl x509 -in "$i" -text -noout | grep -A 3 'Validity'; done
====================== apiserver.crt ========
Validity
Not Before: Jul 23 10:14:59 2023 GMT
Not After : Jul 22 10:14:59 2024 GMT
Subject: CN = kube-apiserver
====================== apiserver-etcd-client.crt ========
Validity
Not Before: Jul 23 10:14:59 2023 GMT
Not After : Jul 22 10:15:00 2024 GMT
Subject: O = system:masters, CN = kube-apiserver-etcd-client
====================== apiserver-kubelet-client.crt ========
Validity
Not Before: Jul 23 10:14:59 2023 GMT
Not After : Jul 22 10:14:59 2024 GMT
Subject: O = system:masters, CN = kube-apiserver-kubelet-client
====================== ca.crt ========
Validity
Not Before: Jul 23 10:14:59 2023 GMT
Not After : Jul 20 10:14:59 2033 GMT
Subject: CN = kubernetes
====================== front-proxy-ca.crt ========
Validity
Not Before: Jul 23 10:14:59 2023 GMT
Not After : Jul 20 10:14:59 2033 GMT
Subject: CN = front-proxy-ca
====================== front-proxy-client.crt ========
Validity
Not Before: Jul 23 10:14:59 2023 GMT
Not After : Jul 22 10:14:59 2024 GMT
Subject: CN = front-proxy-client
Method two
kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jul 22, 2024 10:15 UTC 364d ca no
apiserver Jul 22, 2024 10:14 UTC 364d ca no
apiserver-etcd-client Jul 22, 2024 10:15 UTC 364d etcd-ca no
apiserver-kubelet-client Jul 22, 2024 10:14 UTC 364d ca no
controller-manager.conf Jul 22, 2024 10:15 UTC 364d ca no
etcd-healthcheck-client Jul 22, 2024 10:15 UTC 364d etcd-ca no
etcd-peer Jul 22, 2024 10:15 UTC 364d etcd-ca no
etcd-server Jul 22, 2024 10:14 UTC 364d etcd-ca no
front-proxy-client Jul 22, 2024 10:14 UTC 364d front-proxy-ca no
scheduler.conf Jul 22, 2024 10:15 UTC 364d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jul 20, 2033 10:14 UTC 9y no
etcd-ca Jul 20, 2033 10:14 UTC 9y no
front-proxy-ca Jul 20, 2033 10:14 UTC 9y no
How to change the certificate validity period
Install the Go environment
Download the go1.20.6.linux-amd64.tar.gz archive
Install
tar xf go1.20.6.linux-amd64.tar.gz -C /usr/local/
Add the environment variable (single quotes, so that $PATH is expanded when /etc/profile is sourced rather than frozen at the time of the echo)
echo 'export PATH=$PATH:/usr/local/go/bin' >>/etc/profile
source /etc/profile
Verify
go version
go version go1.20.6 linux/amd64
Download the Kubernetes source
Download it from the official GitHub releases page: https://github.com/kubernetes/kubernetes/releases
Check the version
kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.4", GitCommit:"fa3d7990104d7c1f16943a67f11b154b71f6a132", GitTreeState:"clean", BuildDate:"2023-07-19T12:20:54Z", GoVersion:"go1.20.6", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v5.0.1
Download the source archive that matches your cluster version; as shown above, mine is 1.27.4.
Extract
tar xf kubernetes-1.27.4.tar.gz
cd kubernetes-1.27.4/
Modify the source files
Modify the constants.go file
vim cmd/kubeadm/app/constants/constants.go
....
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
//CertificateValidity = time.Hour * 24 * 365
// change 1 year to 100 years
CertificateValidity = time.Hour * 24 * 365 * 100
...
Modify the cert.go file
vim staging/src/k8s.io/client-go/util/cert/cert.go
.....
//NotAfter: now.Add(duration365d * 10).UTC(),
NotAfter: now.Add(duration365d * 100).UTC(),
.....
Compile the source
make WHAT=cmd/kubeadm GOFLAGS=-v
Wait for the build to finish
When the build finishes, check the result; the generated kubeadm binary is in _output/bin/
ll _output/bin/
总用量 46M
-rwxr-xr-x 1 root root 46M 7月 23 18:40 kubeadm
Replace the old files
Replace kubeadm
Back up the original
cp /usr/bin/kubeadm /usr/bin/kubeadm.bak
Replace
cp _output/bin/kubeadm /usr/bin/
Back up the certificates
cd /etc/kubernetes
cp -R pki pki.bak
Renew all certificates
kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
The affected services must be restarted afterwards; here I simply rebooted the host.
Check the certificates
After the reboot, check the new certificates. The result shows that every certificate except the CAs is now valid for 100 years. This is because kubeadm certs renew does not renew the CA certificates, so they keep their 10-year validity; for a typical production environment, ten years is definitely enough.
kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jun 29, 2123 08:08 UTC 99y ca no
apiserver Jun 29, 2123 08:08 UTC 99y ca no
apiserver-etcd-client Jun 29, 2123 08:08 UTC 99y etcd-ca no
apiserver-kubelet-client Jun 29, 2123 08:08 UTC 99y ca no
controller-manager.conf Jun 29, 2123 08:08 UTC 99y ca no
etcd-healthcheck-client Jun 29, 2123 08:08 UTC 99y etcd-ca no
etcd-peer Jun 29, 2123 08:08 UTC 99y etcd-ca no
etcd-server Jun 29, 2123 08:08 UTC 99y etcd-ca no
front-proxy-client Jun 29, 2123 08:08 UTC 99y front-proxy-ca no
scheduler.conf Jun 29, 2123 08:08 UTC 99y ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jun 29, 2033 07:47 UTC 9y no
etcd-ca Jun 29, 2033 07:47 UTC 9y no
front-proxy-ca Jun 29, 2033 07:47 UTC 9y no
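To tie the pieces above together, here is an added Go example (my own, not code from the post or from kubeadm) that models what the two expiry checks, the constants.go/cert.go edits and the renew result are doing: it builds a self-signed CA with client-go's 10-year default, issues a leaf certificate with kubeadm's 1-year CertificateValidity, re-issues it with the 100-year value from the patched constant, and runs a check-expiration-style report over each PEM with a warning window, showing that re-issuing leaves the CA's expiry untouched. It also checks that a validity expressed in years fits in a Go time.Duration, since that is the type of the constant being edited. The constant names are local copies, and the 90-day warning window, the ECDSA P-256 keys and the kube-apiserver subject are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Local copies of the values the post edits; not kubeadm's own symbols.
const (
	duration365d = time.Hour * 24 * 365 // client-go cert.go
	CAValidity   = duration365d * 10    // client-go NewSelfSignedCACert default
	LeafValidity = duration365d         // kubeadm CertificateValidity default (1 year)
)

// ValidityFits: does `years` fit in a time.Duration (int64 ns, ~292 years max)? 100 yes, 300 no.
func ValidityFits(years int) bool {
	return int64(years)*365*24 <= int64(time.Duration(1<<63-1)/time.Hour)
}

// newCA builds a self-signed CA valid for CAValidity, like client-go's NewSelfSignedCACert.
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(CAValidity).UTC(),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signLeaf issues a CA-signed PEM certificate; its lifetime is what CertificateValidity sets in kubeadm.
func signLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, now time.Time, validity time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.UTC(),
		NotAfter:     now.Add(validity).UTC(),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ExpiryReport is one row of a check like `kubeadm certs check-expiration`.
type ExpiryReport struct {
	Subject  string
	Residual time.Duration // negative once expired
	Warn     bool          // within warnWithin of expiry, or already expired
}

// CheckExpiration parses one PEM certificate (e.g. a file from /etc/kubernetes/pki) and reports its remaining validity relative to now.
func CheckExpiration(pemBytes []byte, now time.Time, warnWithin time.Duration) (ExpiryReport, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return ExpiryReport{}, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return ExpiryReport{}, err
	}
	residual := cert.NotAfter.Sub(now)
	return ExpiryReport{Subject: cert.Subject.CommonName, Residual: residual, Warn: residual <= warnWithin}, nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	ca, caKey, _ := newCA(now)
	// Re-issuing ("renewing") leaf certificates never touches the CA's NotAfter.
	for _, v := range []time.Duration{LeafValidity, duration365d * 100} {
		leaf, _ := signLeaf(ca, caKey, "kube-apiserver", now, v)
		r, _ := CheckExpiration(leaf, now, 90*24*time.Hour)
		fmt.Printf("%s: %.0f days left, warn=%v\n", r.Subject, r.Residual.Hours()/24, r.Warn)
	}
	fmt.Println("ca expires", ca.NotAfter.Format("Jan 2, 2006"), "(not renewed)")
}
```

Run it with go run: the first leaf reports 365 days, the re-issued one 36500 days, and the CA keeps its 10-year NotAfter, which is the same pattern as the check-expiration output above. The Warn flag is the part worth wiring into monitoring: with 100-year leaf certificates, expiry no longer forces a rotation, so a deliberate renewal is the only thing that retires a certificate and its key, and a check like this is what tells you how far each certificate is from whatever rotation window you decide on.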
If there are other master nodes, scp the compiled kubeadm binary from the first updated master to each of them, then follow the steps above to regenerate the certificates there. After renewing, restart the services or the server.
That is the whole modification process.
Supplement
If you want the root CA to be valid for 100 years as well: regenerating the CA certificate on a running cluster is too much trouble and causes too many problems (services go down), so replacing the CA certificate in a production environment is not recommended.
The approach here is to make the certificates valid for 100 years at the time Kubernetes is deployed, so the problem never comes up later.
Compile the source
Same as above: once the build finishes you have the kubeadm binary.
Right after installing kubelet, kubeadm and kubectl, replace kubeadm with the compiled binary:
cp _output/bin/kubeadm /usr/bin/
Copy it to all the other nodes as well, master and worker alike.
After that, deploy as normal; once deployment is done, every certificate, including the CAs, is valid for 100 years.
kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jun 29, 2123 08:08 UTC 99y ca no
apiserver Jun 29, 2123 08:08 UTC 99y ca no
apiserver-etcd-client Jun 29, 2123 08:08 UTC 99y etcd-ca no
apiserver-kubelet-client Jun 29, 2123 08:08 UTC 99y ca no
controller-manager.conf Jun 29, 2123 08:08 UTC 99y ca no
etcd-healthcheck-client Jun 29, 2123 08:08 UTC 99y etcd-ca no
etcd-peer Jun 29, 2123 08:08 UTC 99y etcd-ca no
etcd-server Jun 29, 2123 08:08 UTC 99y etcd-ca no
front-proxy-client Jun 29, 2123 08:08 UTC 99y front-proxy-ca no
scheduler.conf Jun 29, 2123 08:08 UTC 99y ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jun 29, 2123 08:08 UTC 99y no
etcd-ca Jun 29, 2123 08:08 UTC 99y no
front-proxy-ca Jun 29, 2123 08:08 UTC 99y no
From: https://www.cnblogs.com/guangdelw/p/17575730.html