通过脚本将kubeadm安装的k8s证书延期10年

最新推荐文章于 2024-05-23 09:42:22 发布
最新推荐文章于 2024-05-23 09:42:22 发布
阅读量2k 收藏 18
点赞数 5
分类专栏: kubernetes故障排查 文章标签: kubernetes linux ca证书
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/a8138/article/details/117026349
版权

前言

kubernetes 集群证书是各个组件交互的一个凭证,证书过期之后回直接影响到集群的使用,且kubeadm的证书默认有效期是1年,因此证书做延期,我们义不容辞。

检查下当前证书的有效期

[root@k8s-master ]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 19, 2022 02:32 UTC   364d                                    no      
apiserver                  May 19, 2022 02:22 UTC   364d            ca                      no      
apiserver-etcd-client      May 19, 2022 02:22 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   May 19, 2022 02:22 UTC   364d            ca                      no      
controller-manager.conf    May 19, 2022 02:32 UTC   364d                                    no      
etcd-healthcheck-client    May 19, 2022 02:22 UTC   364d            etcd-ca                 no      
etcd-peer                  May 19, 2022 02:22 UTC   364d            etcd-ca                 no      
etcd-server                May 19, 2022 02:22 UTC   364d            etcd-ca                 no      
front-proxy-client         May 19, 2022 02:22 UTC   364d            front-proxy-ca          no      
scheduler.conf             May 19, 2022 02:32 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 13, 2031 09:14 UTC   9y              no      
etcd-ca                 Jan 13, 2031 09:14 UTC   9y              no      
front-proxy-ca          Jan 13, 2031 09:14 UTC   9y              no

捡漏

查阅了很多资料,大部分都是要通过重新编译kubeadm程序更改证书有效期,或者是默认证书一年的情况定时通过kubeadm alpha certs renew all kubeadm init phase kubeconfig all续期。还好有幸捡到此位大佬的干货,对于我这个ca认证玩不明白的,可以说是如获至宝,此处使用大佬的证书脚本进行延期10年,后面为脚本源地址https://github.com/yuyicai/update-kube-cert

对证书延期

该脚本只需要在master节点执行,将更新以下证书和 kubeconfig 配置文件

/etc/kubernetes
├── admin.conf
├── controller-manager.conf
├── scheduler.conf
├── kubelet.conf
└── pki
    ├── apiserver.crt
    ├── apiserver-etcd-client.crt
    ├── apiserver-kubelet-client.crt
    ├── front-proxy-client.crt
    └── etcd
        ├── healthcheck-client.crt
        ├── peer.crt
        └── server.crt

[root@k8s-master ]# chmod  +x update-kubeadm-cert.sh 

[root@k8s-master ]# ./update-kubeadm-cert.sh  all
[2021-05-19T13:41:58.207905547+0800]: INFO: backup /etc/kubernetes to /etc/kubernetes.old-20210519
Signature ok
subject=/CN=etcd-server
Getting CA Private Key
[2021-05-19T13:41:58.246820810+0800]: INFO: generated /etc/kubernetes/pki/etcd/server.crt
Signature ok
subject=/CN=etcd-peer
Getting CA Private Key
[2021-05-19T13:41:58.284009861+0800]: INFO: generated /etc/kubernetes/pki/etcd/peer.crt
Signature ok
subject=/O=system:masters/CN=kube-etcd-healthcheck-client
Getting CA Private Key
[2021-05-19T13:41:58.309274517+0800]: INFO: generated /etc/kubernetes/pki/etcd/healthcheck-client.crt
Signature ok
subject=/O=system:masters/CN=kube-apiserver-etcd-client
Getting CA Private Key
[2021-05-19T13:41:58.341147233+0800]: INFO: generated /etc/kubernetes/pki/apiserver-etcd-client.crt
1d131fa2fae5
[2021-05-19T13:41:58.804074417+0800]: INFO: restarted etcd
Signature ok
subject=/CN=kube-apiserver
Getting CA Private Key
[2021-05-19T13:41:58.908819578+0800]: INFO: generated /etc/kubernetes/pki/apiserver.crt
Signature ok
subject=/O=system:masters/CN=kube-apiserver-kubelet-client
Getting CA Private Key
[2021-05-19T13:41:58.977676808+0800]: INFO: generated /etc/kubernetes/pki/apiserver-kubelet-client.crt
Signature ok
subject=/CN=system:kube-controller-manager
Getting CA Private Key
[2021-05-19T13:41:59.108761696+0800]: INFO: generated /etc/kubernetes/controller-manager.crt
[2021-05-19T13:41:59.132627523+0800]: INFO: generated new /etc/kubernetes/controller-manager.conf
Signature ok
subject=/CN=system:kube-scheduler
Getting CA Private Key
[2021-05-19T13:41:59.232466354+0800]: INFO: generated /etc/kubernetes/scheduler.crt
[2021-05-19T13:41:59.243551338+0800]: INFO: generated new /etc/kubernetes/scheduler.conf
Signature ok
subject=/O=system:masters/CN=kubernetes-admin
Getting CA Private Key
[2021-05-19T13:41:59.335915735+0800]: INFO: generated /etc/kubernetes/admin.crt
[2021-05-19T13:41:59.344848003+0800]: INFO: generated new /etc/kubernetes/admin.conf
[2021-05-19T13:41:59.371736364+0800]: INFO: copy the admin.conf to ~/.kube/config for kubectl
Signature ok
subject=/O=system:nodes/CN=system:node:k8s-master
Getting CA Private Key
[2021-05-19T13:41:59.465989449+0800]: INFO: generated /etc/kubernetes/kubelet.crt
[2021-05-19T13:41:59.479313708+0800]: INFO: generated new /etc/kubernetes/kubelet.conf
Signature ok
subject=/CN=front-proxy-client
Getting CA Private Key
[2021-05-19T13:41:59.536852348+0800]: INFO: generated /etc/kubernetes/pki/front-proxy-client.crt
4baa892e89b0
[2021-05-19T13:42:02.121464114+0800]: INFO: restarted kube-apiserver
cc7bd70945c5
[2021-05-19T13:42:02.852348773+0800]: INFO: restarted kube-controller-manager
b5cfc74d4bd9
[2021-05-19T13:42:03.710168773+0800]: INFO: restarted kube-scheduler
[2021-05-19T13:42:03.850652072+0800]: INFO: restarted kubelet

验证

[root@k8s-master ]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 17, 2031 05:41 UTC   9y                                      no      
apiserver                  May 17, 2031 05:41 UTC   9y              ca                      no      
apiserver-etcd-client      May 17, 2031 05:41 UTC   9y              etcd-ca                 no      
apiserver-kubelet-client   May 17, 2031 05:41 UTC   9y              ca                      no      
controller-manager.conf    May 17, 2031 05:41 UTC   9y                                      no      
etcd-healthcheck-client    May 17, 2031 05:41 UTC   9y              etcd-ca                 no      
etcd-peer                  May 17, 2031 05:41 UTC   9y              etcd-ca                 no      
etcd-server                May 17, 2031 05:41 UTC   9y              etcd-ca                 no      
front-proxy-client         May 17, 2031 05:41 UTC   9y              front-proxy-ca          no      
scheduler.conf             May 17, 2031 05:41 UTC   9y                                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 13, 2031 09:14 UTC   9y              no      
etcd-ca                 Jan 13, 2031 09:14 UTC   9y              no      
front-proxy-ca          Jan 13, 2031 09:14 UTC   9y              no      

[root@k8s-master ]# kubectl get pod   //测试证书是否可以正常使用
NAME                                      READY   STATUS    RESTARTS   AGE
configmap-demo-pod                        1/1     Running   30         10d
nfs-client-provisioner-7f8dd584cb-lnb9t   1/1     Running   42         25h
web-5899d78c9-msx8h                       1/1     Running   0          6d3h

失败回滚

脚本会自动备份 /etc/kubernetes 目录到 /etc/kubernetes.old-$(date +%Y%m%d) 目录(备份目录命名示例:kubernetes.old-20210519)

若更新证书失败需要回滚,手动将备份 /etc/kubernetes.old-$(date +%Y%m%d)目录覆盖 /etc/kubernetes 目录

脚本

#!/bin/bash
#脚本转载自https://github.com/yuyicai/update-kube-cert

set -o errexit
set -o pipefail
# set -o xtrace

log::err() {
  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[31mERROR: \033[0m$@\n"
}

log::info() {
  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[32mINFO: \033[0m$@\n"
}

log::warning() {
  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[33mWARNING: \033[0m$@\n"
}

check_file() {
  if [[ ! -r  ${1} ]]; then
    log::err "can not find ${1}"
    exit 1
  fi
}

# get x509v3 subject alternative name from the old certificate
cert::get_subject_alt_name() {
  local cert=${1}.crt
  check_file "${cert}"
  local alt_name=$(openssl x509 -text -noout -in ${cert} | grep -A1 'Alternative' | tail -n1 | sed 's/[[:space:]]*Address//g')
  printf "${alt_name}\n"
}

# get subject from the old certificate
cert::get_subj() {
  local cert=${1}.crt
  check_file "${cert}"
  local subj=$(openssl x509 -text -noout -in ${cert}  | grep "Subject:" | sed 's/Subject:/\//g;s/\,/\//;s/[[:space:]]//g')
  printf "${subj}\n"
}

cert::backup_file() {
  local file=${1}
  if [[ ! -e ${file}.old-$(date +%Y%m%d) ]]; then
    cp -rp ${file} ${file}.old-$(date +%Y%m%d)
    log::info "backup ${file} to ${file}.old-$(date +%Y%m%d)"
  else
    log::warning "does not backup, ${file}.old-$(date +%Y%m%d) already exists"
  fi
}

# generate certificate whit client, server or peer
# Args:
#   $1 (the name of certificate)
#   $2 (the type of certificate, must be one of client, server, peer)
#   $3 (the subject of certificates)
#   $4 (the validity of certificates) (days)
#   $5 (the x509v3 subject alternative name of certificate when the type of certificate is server or peer)
cert::gen_cert() {
  local cert_name=${1}
  local cert_type=${2}
  local subj=${3}
  local cert_days=${4}
  local alt_name=${5}
  local cert=${cert_name}.crt
  local key=${cert_name}.key
  local csr=${cert_name}.csr
  local csr_conf="distinguished_name = dn\n[dn]\n[v3_ext]\nkeyUsage = critical, digitalSignature, keyEncipherment\n"

  check_file "${key}"
  check_file "${cert}"

  # backup certificate when certificate not in ${kubeconf_arr[@]}
  # kubeconf_arr=("controller-manager.crt" "scheduler.crt" "admin.crt" "kubelet.crt")
  # if [[ ! "${kubeconf_arr[@]}" =~ "${cert##*/}" ]]; then
  #   cert::backup_file "${cert}"
  # fi

  case "${cert_type}" in
    client)
      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \
        -config <(printf "${csr_conf} extendedKeyUsage = clientAuth\n") -out ${csr}
      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \
        -extfile <(printf "${csr_conf} extendedKeyUsage = clientAuth\n") -days ${cert_days} -out ${cert}
      log::info "generated ${cert}"
    ;;
    server)
      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \
        -config <(printf "${csr_conf} extendedKeyUsage = serverAuth\nsubjectAltName = ${alt_name}\n") -out ${csr}
      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \
        -extfile <(printf "${csr_conf} extendedKeyUsage = serverAuth\nsubjectAltName = ${alt_name}\n") -days ${cert_days} -out ${cert}
      log::info "generated ${cert}"
    ;;
    peer)
      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \
        -config <(printf "${csr_conf} extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = ${alt_name}\n") -out ${csr}
      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \
        -extfile <(printf "${csr_conf} extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = ${alt_name}\n") -days ${cert_days} -out ${cert}
      log::info "generated ${cert}"
    ;;
    *)
      log::err "unknow, unsupported etcd certs type: ${cert_type}, supported type: client, server, peer"
      exit 1
  esac

  rm -f ${csr}
}

cert::update_kubeconf() {
  local cert_name=${1}
  local kubeconf_file=${cert_name}.conf
  local cert=${cert_name}.crt
  local key=${cert_name}.key

  # generate  certificate
  check_file ${kubeconf_file}
  # get the key from the old kubeconf
  grep "client-key-data" ${kubeconf_file} | awk {'print$2'} | base64 -d > ${key}
  # get the old certificate from the old kubeconf
  grep "client-certificate-data" ${kubeconf_file} | awk {'print$2'} | base64 -d > ${cert}
  # get subject from the old certificate
  local subj=$(cert::get_subj ${cert_name})
  cert::gen_cert "${cert_name}" "client" "${subj}" "${CAER_DAYS}"
  # get certificate base64 code
  local cert_base64=$(base64 -w 0 ${cert})

  # backup kubeconf
  # cert::backup_file "${kubeconf_file}"

  # set certificate base64 code to kubeconf
  sed -i 's/client-certificate-data:.*/client-certificate-data: '${cert_base64}'/g' ${kubeconf_file}

  log::info "generated new ${kubeconf_file}"
  rm -f ${cert}
  rm -f ${key}

  # set config for kubectl
  if [[ ${cert_name##*/} == "admin" ]]; then
    mkdir -p ~/.kube
    cp -fp ${kubeconf_file} ~/.kube/config
    log::info "copy the admin.conf to ~/.kube/config for kubectl"
  fi
}

cert::update_etcd_cert() {
  PKI_PATH=${KUBE_PATH}/pki/etcd
  CA_CERT=${PKI_PATH}/ca.crt
  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"
  check_file "${CA_KEY}"

  # generate etcd server certificate
  # /etc/kubernetes/pki/etcd/server
  CART_NAME=${PKI_PATH}/server
  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})
  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-server" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd peer certificate
  # /etc/kubernetes/pki/etcd/peer
  CART_NAME=${PKI_PATH}/peer
  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})
  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-peer" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd healthcheck-client certificate
  # /etc/kubernetes/pki/etcd/healthcheck-client
  CART_NAME=${PKI_PATH}/healthcheck-client
  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-etcd-healthcheck-client" "${CAER_DAYS}"

  # generate apiserver-etcd-client certificate
  # /etc/kubernetes/pki/apiserver-etcd-client
  check_file "${CA_CERT}"
  check_file "${CA_KEY}"
  PKI_PATH=${KUBE_PATH}/pki
  CART_NAME=${PKI_PATH}/apiserver-etcd-client
  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-etcd-client" "${CAER_DAYS}"

  # restart etcd
  docker ps | awk '/k8s_etcd/{print$1}' | xargs -r -I '{}' docker restart {} || true
  log::info "restarted etcd"
}

cert::update_master_cert() {
  PKI_PATH=${KUBE_PATH}/pki
  CA_CERT=${PKI_PATH}/ca.crt
  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"
  check_file "${CA_KEY}"

  # generate apiserver server certificate
  # /etc/kubernetes/pki/apiserver
  CART_NAME=${PKI_PATH}/apiserver
  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})
  cert::gen_cert "${CART_NAME}" "server" "/CN=kube-apiserver" "${CAER_DAYS}" "${subject_alt_name}"

  # generate apiserver-kubelet-client certificate
  # /etc/kubernetes/pki/apiserver-kubelet-client
  CART_NAME=${PKI_PATH}/apiserver-kubelet-client
  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-kubelet-client" "${CAER_DAYS}"

  # generate kubeconf for controller-manager,scheduler,kubectl and kubelet
  # /etc/kubernetes/controller-manager,scheduler,admin,kubelet.conf
  cert::update_kubeconf "${KUBE_PATH}/controller-manager"
  cert::update_kubeconf "${KUBE_PATH}/scheduler"
  cert::update_kubeconf "${KUBE_PATH}/admin"
  # check kubelet.conf
  # https://github.com/kubernetes/kubeadm/issues/1753
  set +e
  grep kubelet-client-current.pem /etc/kubernetes/kubelet.conf > /dev/null 2>&1
  kubelet_cert_auto_update=$?
  set -e
  if [[ "$kubelet_cert_auto_update" == "0" ]]; then
    log::warning "does not need to update kubelet.conf"
  else
    cert::update_kubeconf "${KUBE_PATH}/kubelet"
  fi

  # generate front-proxy-client certificate
  # use front-proxy-client ca
  CA_CERT=${PKI_PATH}/front-proxy-ca.crt
  CA_KEY=${PKI_PATH}/front-proxy-ca.key
  check_file "${CA_CERT}"
  check_file "${CA_KEY}"
  CART_NAME=${PKI_PATH}/front-proxy-client
  cert::gen_cert "${CART_NAME}" "client" "/CN=front-proxy-client" "${CAER_DAYS}"

  # restart apiserve, controller-manager, scheduler and kubelet
  docker ps | awk '/k8s_kube-apiserver/{print$1}' | xargs -r -I '{}' docker restart {} || true
  log::info "restarted kube-apiserver"
  docker ps | awk '/k8s_kube-controller-manager/{print$1}' | xargs -r -I '{}' docker restart {} || true
  log::info "restarted kube-controller-manager"
  docker ps | awk '/k8s_kube-scheduler/{print$1}' | xargs -r -I '{}' docker restart {} || true
  log::info "restarted kube-scheduler"
  systemctl restart kubelet
  log::info "restarted kubelet"
}

main() {
  local node_tpye=$1
  
  KUBE_PATH=/etc/kubernetes
  CAER_DAYS=3650

  # backup $KUBE_PATH to $KUBE_PATH.old-$(date +%Y%m%d)
  cert::backup_file "${KUBE_PATH}"

  case ${node_tpye} in
    etcd)
	  # update etcd certificates
      cert::update_etcd_cert
    ;;
    master)
	  # update master certificates and kubeconf
      cert::update_master_cert
    ;;
    all)
      # update etcd certificates
      cert::update_etcd_cert
      # update master certificates and kubeconf
      cert::update_master_cert
    ;;
    *)
      log::err "unknow, unsupported certs type: ${cert_type}, supported type: all, etcd, master"
      printf "Documentation: https://github.com/yuyicai/update-kube-cert
  example:
    '\033[32m./update-kubeadm-cert.sh all\033[0m' update all etcd certificates, master certificates and kubeconf
      /etc/kubernetes
      ├── admin.conf
      ├── controller-manager.conf
      ├── scheduler.conf
      ├── kubelet.conf
      └── pki
          ├── apiserver.crt
          ├── apiserver-etcd-client.crt
          ├── apiserver-kubelet-client.crt
          ├── front-proxy-client.crt
          └── etcd
              ├── healthcheck-client.crt
              ├── peer.crt
              └── server.crt
    '\033[32m./update-kubeadm-cert.sh etcd\033[0m' update only etcd certificates
      /etc/kubernetes
      └── pki
          ├── apiserver-etcd-client.crt
          └── etcd
              ├── healthcheck-client.crt
              ├── peer.crt
              └── server.crt
    '\033[32m./update-kubeadm-cert.sh master\033[0m' update only master certificates and kubeconf
      /etc/kubernetes
      ├── admin.conf
      ├── controller-manager.conf
      ├── scheduler.conf
      ├── kubelet.conf
      └── pki
          ├── apiserver.crt
          ├── apiserver-kubelet-client.crt
          └── front-proxy-client.crt
"
      exit 1
    esac
}

main "$@"

如需延期更长的时间只需要调整脚本内CAER_DAYS=3650 的值就可以了

注意:需要说明的是上面的列表中没有包含 kubelet,因为 kubeadm 将 kubelet 配置为自动更新证书。

参考链接:https://github.com/yuyicai/update-kube-cert

甄能忽悠
关注
  • 5
    点赞
  • 18
    收藏
    觉得还不错? 一键收藏
  • 7
    评论
专栏目录
k8s证书延长为10kubeadm安装k8s1.18.12)
qq_37181884的博客
07-19 753
1、在github上下载对应的源码包,并上传到linux中 2、配置go的基础环境(k8s1.18.12需要go1.13以上的版本) 我用的go1.15 需求配置go1.15.11.linux-amd64.tar.gz 配置环境变量 3、修改配置文件的证书时间 找到CertificateValidity这个关键字,默认是1,我已修改为10 保存文件 注意:由于ca证书默认是10,所以不用修改 如要修改,位置在/root/kubernetes-1.18.12...
k8s证书更新至10有效期
Emerson的博客
08-08 118
脚本转载自https://github.com/yuyicai/update-kube-cert。执行命令:bash update-kubeadm-cert.sh master。
Kubernetes集群证书过期解决办法
GGB_GG的博客
02-20 1854
K8S在过期之前,使用kubeadm alpha phase里的certs和kubeconfig命令,同时配合kubelet证书自动轮换机制来解决这个问题(具体操作可以百度搜索),这里介绍证书已经过期的解决方法,以下延长证书过期的方法适合kubernetes1.14、1.15、1.16、1.17、1.18版本。并不会更新 kubelet 证书kubelet.conf 文件里面写的客户端证书),因为 kubelet 证书是默认开启自动轮回更新的,但是在执行。,没有自动更新 slave 节点。
k8s证书修改为10文件
06-13
k8s证书修改为10文件
kubeadm初始化k8s证书过期解决方案
最新发布
JIAWAP的专栏
05-23 245
本文主要介绍kubenertes通过kubeadm初始化过程中所涉及到的证书面临过期时如何通过延期来解决的方法。
k8s相关证书的更新
weixin_42323738的博客
03-13 1113
k8s证书更新
云原生 | Kubernetes集群快速升级及延长证书过期时间至10
WeiyiGeek 唯一极客IT知识分享
07-22 562
欢迎关注「专注等知识分享设为每天带你到再到!作者主页:[ https://www.weiyigeek.top ]博客:[ https://blog.weiyigeek.top ]关注回复【】加入【】答疑交流群0x01 针对K8S的v1.23.x版本集群快速升级处理实践0x02 针对部署的K8S集群证书过期时间延长实践操作0x01 针对K8S的v1.23.x版本集群快速升级处理实践。
三种监控 Kubernetes 集群证书过期方案
easylife206的专栏
12-01 971
公众号关注「奇妙的 Linux 世界」设为「星标」,每天带你玩转 Linux !前言Kubernetes 中大量用到了证书, 比如 ca证书、以及 kubelet、apiserver、proxy、etcd等组件,还有 kubeconfig 文件。如果证书过期,轻则无法登录 Kubernetes 集群,重则整个集群异常。为了解决证书过期的问题,一般有以下几种方式:1.大幅延长证书有效期,短则 10...
kubeadm证书过期问题
qq_23191379的博客
04-07 887
脚本用于处理已过期或者即将过期的 kubernetes 集群证书脚本适用于所有 k8s 版本集群证书更新(使用 kubeadm 初始化的集群) kubeadm 生成的证书有效期为 1 ,该脚本可将 kubeadm 生成的证书有效期更新为 10 脚本只处理 master 节点上的证书,node 节点的 kubelet 证书默认自动轮换更新,无需关心过期问题,只需关心 master 节点上的证书即可 1. 使用说明 该脚本仅需要在 master 节点执行,无需在 node 节点执行 若没有 e
k8s 证书延期脚本k8s 证书延期脚本
11-27
k8s 证书延期脚本k8s 证书延期脚本k8s 证书延期脚本k8s 证书延期脚本
k8s离线文件包 Ubuntu 使用Kubeadm 离线安装k8s
10-12
k8s离线文件包 Ubuntu 使用Kubeadm 离线安装k8s 参考连接 https://blog.csdn.net/u010952056/article/details/127276191?spm=1001.2014.3001.5501
shell脚本安装k8s
10-08
shell脚本安装k8s,通过编写脚本,来实现k8s安装,减少了一步一步安装的麻烦。相当于一键安装
k8s-auto-kubernetes/k8s一键安装
12-15
kubernetes/k8s自动安装程序,版本对应:v1.18.2,linux环境 使用kubeadm安装,改程序若环境不符合要求,是不能一键安装的,需按照程序指示分布安装,该程序是为了搭建测试环境时,简化繁琐的配置时所用,不能用作...
kubeadm方式部署的k8s修改证书
奈斯菟咪踢呦
06-14 1545
kubeadm方式部署的k8s修改证书
k8s- kubernetes证书过期替换之kubeadm命令 certs renew all方式
liuyij3430448的博客
04-27 5741
**k8s集群之间的访问会使用到证书,如果使用kubeadm搭建的集群,默认CA证书的有效期为10,其他组件访问证书的有效期为1。如果过期后没有更新证书可能会引起k8s集群的不可用**
K8s修改api-server证书10
m0_45426059的博客
12-06 502
api-server如何修改证书
kubeadm修改证书有效期
屈帅波的技术博客
09-20 2708
如果更新k8s版本会默认更新证书 检查证书有效期(一部分10一部分1) openssl x509 -in apiserver.crt -text -noout 1、go 环境部署 https://studygolang.com/dl wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz tar -zxvf go1.12.1.l...
修改k8s证书可用时限
wwe978284618的博客
12-27 434
1、go 环境部署 wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz tar -zxvf go1.12.1.linux-amd64.tar.gz -C /usr/local vi /etc/profile export PATH=$PATH:/usr/local/go/bin source /etc/profile 2、下载源码 c...
Kubernetes 证书可用限修改
hunheidaode的博客
07-01 238
证书可用限修改 [root@k8s-master01 pki]# openssl x509 -in apiserver.crt -text -noout 先下载kubeadm的源码,针对apiserver一证书分发的函数进行修改,由1改为10。(需要go语言的环境) go中文社区 1.go语言环境 [root@k8s-master01 data]# tar -zxvf go1.15.2.linux-amd64.tar.gz -C /usr/local [root@k8s-master
k8s自动化安装脚本(kubeadm-1.26.3)
09-03
k8s自动化安装脚本(kubeadm-1.26.3)是用于自动化部署和配置Kubernetes集群的工具。它提供了一种简单快速的方式来安装和设置Kubernetes的各个组件,包括kubelet、kube-proxy、kube-controller-manager和kube-scheduler等。 使用kubeadm-1.26.3脚本可以实现以下功能: 1. 初始化Master节点:通过执行`kubeadm init`命令,kubeadm-1.26.3将自动初始化Master节点,并生成用于其他节点加入集群的令牌。 2. 加入Worker节点:通过执行`kubeadm join`命令,kubeadm-1.26.3可以将Worker节点快速地加入到Kubernetes集群中。 3. 网络配置:kubeadm-1.26.3支持多种网络插件,如Flannel、Calico等。可以通过参数设置选择合适的网络插件,并自动配置网络。 4. TLS证书管理:kubeadm-1.26.3自动生成并分发TLS证书,用于安全地通信和认证集群中的各个组件。 5. 容器运行时配置:kubeadm-1.26.3可以根据配置自动安装和配置Docker或者其他容器运行时,确保集群中的容器能够正常运行。 6. 控制平面组件部署:kubeadm-1.26.3负责自动部署和配置kube-controller-manager、kube-scheduler等控制平面组件,确保集群正常运行。 7. 扩展功能:kubeadm-1.26.3还支持其他功能,如升级Kubernetes版本、附加额外的Pod网络等。 总的来说,kubeadm-1.26.3提供了一种简单灵活的方式来自动化部署和配置Kubernetes集群。它大大简化了Kubernetes安装和配置过程,使得用户可以更专注于应用的开发和部署。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 7
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值