# Kubernetes Update Cert 100 Year
Kubernetes makes heavy use of certificates: the CA certificate, the certificates of the kubelet, apiserver, proxy, etcd and other components, and the kubeconfig files.
If a certificate expires, in the mild case you can no longer log in to the Kubernetes cluster; in the severe case the whole cluster misbehaves.
There are generally three ways to deal with certificate expiry:

1. Greatly extend the certificate validity, to 10 years at the short end or 100 years at the long end;
2. Rotate certificates automatically shortly before they expire, as Rancher's K3s and RKE2 do;
3. Add monitoring for certificate expiry, so that an expiring certificate is noticed early and handled manually.
## Getting the source

### Via GitHub

```bash
# clone the Kubernetes repository from GitHub
git clone https://github.com/kubernetes/kubernetes.git
# switch to the Kubernetes version you are running
git checkout -b remotes/origin/release-1.20 v1.20.15
```
### Download the source tarball

```bash
wget https://github.com/kubernetes/kubernetes/archive/v1.25.5.tar.gz
tar -zxvf kubernetes-1.25.5.tar.gz
mv kubernetes-1.25.5 kubernetes
cd kubernetes
```
## Change the default certificate validity
Edit `staging/src/k8s.io/client-go/util/cert/cert.go` (this function creates the self-signed CA certificates, so it determines the CA validity):

```go
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore: now.UTC(),
		// NotAfter: now.Add(duration365d * 10).UTC(),
		// update cert time: CA validity raised from 10 years to 100 years
		NotAfter:              now.Add(duration365d * 100).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
```
Edit `cmd/kubeadm/app/constants/constants.go` (this constant is the validity of every leaf certificate kubeadm signs):

```go
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"

	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	// update this CertificateValidity: raised from 1 year to 100 years
	CertificateValidity = time.Hour * 24 * 365 * 100

	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
	// CAKeyName defines certificate name
	CAKeyName = "ca.key"
)
```
## Build

### Building locally

#### Install dependencies

```bash
yum install gcc make -y && yum install rsync jq -y
```
#### Install the Go toolchain

```bash
# check the Go version the build needs
[root@master kubernetes]# cat ./build/build-image/cross/VERSION
v1.25.0-go1.19.4-bullseye.0
# download
wget https://dl.google.com/go/go1.19.4.linux-amd64.tar.gz
# extract to the target directory
tar zxvf go1.19.4.linux-amd64.tar.gz -C /usr/local
# takes effect for the current shell only
export PATH=$PATH:/usr/local/go/bin
# verify
go version
```
#### Build

```bash
make all WHAT=cmd/kubeadm GOFLAGS=-v
```
#### Replace kubeadm

```bash
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm
```
## Renew the certificates

```bash
[root@master kubernetes]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
```
## Check the certificate expiry dates

```bash
[root@master kubernetes]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 06, 2122 05:58 UTC   99y             ca                      no
apiserver                  Nov 06, 2122 05:58 UTC   99y             ca                      no
apiserver-etcd-client      Nov 06, 2122 05:58 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Nov 06, 2122 05:58 UTC   99y             ca                      no
controller-manager.conf    Nov 06, 2122 05:58 UTC   99y             ca                      no
etcd-healthcheck-client    Nov 06, 2122 05:58 UTC   99y             etcd-ca                 no
etcd-peer                  Nov 06, 2122 05:58 UTC   99y             etcd-ca                 no
etcd-server                Nov 06, 2122 05:58 UTC   99y             etcd-ca                 no
front-proxy-client         Nov 06, 2122 05:58 UTC   99y             front-proxy-ca          no
scheduler.conf             Nov 06, 2122 05:58 UTC   99y             ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 03, 2032 07:37 UTC   9y              no
etcd-ca                 Nov 03, 2032 07:37 UTC   9y              no
front-proxy-ca          Nov 03, 2032 07:37 UTC   9y              no
```
## Note

After the steps above complete normally, the etcd certificate (the CA) still shows 9y: `kubeadm certs renew` renews only the leaf certificates signed by the CAs, while the CA certificates themselves are created at cluster initialization and keep the validity they were created with. To get 100-year CA certificates, the compiled kubeadm must be used when the cluster is initialized (`kubeadm init`).