前言:
首先,先看看minikube这样的开发或者测试使用的kubernetes集群的证书时间:
[root@node3 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Dec 04, 2023 12:07 UTC 363d ca no
apiserver Dec 03, 2025 12:02 UTC 2y ca no
apiserver-etcd-client Dec 04, 2023 12:07 UTC 363d etcd-ca no
apiserver-kubelet-client Dec 04, 2023 12:07 UTC 363d ca no
controller-manager.conf Dec 04, 2023 13:00 UTC 363d ca no
etcd-healthcheck-client Dec 04, 2023 12:07 UTC 363d etcd-ca no
etcd-peer Dec 04, 2023 12:07 UTC 363d etcd-ca no
etcd-server Dec 04, 2023 12:07 UTC 363d etcd-ca no
front-proxy-client Dec 04, 2023 12:07 UTC 363d front-proxy-ca no
scheduler.conf Dec 04, 2023 13:00 UTC 363d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Dec 01, 2032 12:02 UTC 9y no
etcd-ca Dec 01, 2032 12:07 UTC 9y no
front-proxy-ca Dec 01, 2032 12:07 UTC 9y no
OK,我们可以看到,这些证书的时间大部分都是一年期的。对于minikube这样的集群,无所谓喽,集群本来就是测试性质的,大不了重新部署了,也是非常快的,但,在生产环境下,我们追求的是稳定高效,当然可以使用kubeadm certs renew all来续订证书,但是证书更新了那些服务如果要重启就很麻烦,并且如果不是一个集群的证书要续订,而是有N个集群的证书续订,那可就有得忙了。
因此,我们在生产环境部署集群的时候,如果提前就把证书的时间修改为10年或者更长的100年,会规避掉一些麻烦,也算是提前解决一个可能会对生产造成影响的问题。
那么,如何在部署阶段就修改证书的时间呢?
其实也比较简单,在部署前就利用kubernetes的源码编译出一个新的kubeadm即可了。
实操:
工具原材料:
1,kubernetes的源码
2,go语言环境
目标:
假设生产环境使用的kubernetes版本是1.23.12版本,通过go语言环境,利用kubernetes-1.23.12的源码,重新编译出一个新的kubeadm程序,在kubeadm init 初始化前,用新的kubeadm替换原有的kubeadm,使得kubernetes的证书期限是100年。
一,
go语言环境的安装部署
首先申明,其它版本的编译安装没有试过,反正1.23.12版本的kubernetes需要go-1.17版本以上,否则不能正常编译,会报错:
[root@node4 kubernetes-1.23.12]# make all WHAT=cmd/kubeadm GOFLAGS=-v
Detected go version: go version go1.16.12 linux/amd64.
Kubernetes requires go1.17.0 or greater.
Please install go1.17.0 or later.
!!! [1205 23:21:50] Call tree:
!!! [1205 23:21:50] 1: hack/run-in-gopath.sh:31 kube::golang::setup_env(...)
Detected go version: go version go1.16.12 linux/amd64.
Kubernetes requires go1.17.0 or greater.
Please install go1.17.0 or later.
!!! [1205 23:21:50] Call tree:
!!! [1205 23:21:50] 1: /root/kubernetes-1.23.12/hack/lib/golang.sh:794 kube::golang::setup_env(...)
!!! [1205 23:21:50] 2: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
!!! [1205 23:21:50] Call tree:
!!! [1205 23:21:50] 1: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
make[1]: *** [_output/bin/prerelease-lifecycle-gen] Error 1
make: *** [generated_files] Error 2
因此,go语言版本选择的是1.17.1,部署步骤如下;
1,
下载go语言安装包
wget https://studygolang.com/dl/golang/go1.17.1.linux-amd64.tar.gz2,
解压,解压后的文件移动到/usr/local/目录下:
tar zxf go1.17.1.linux-amd64.tar.gz
mv go /usr/local/3,
设置环境变量并激活变量
编辑/etc/profile 文件,在末尾添加如下内容:
export GOROOT=/usr/local/go
export PATH=$PATH:/usr/local/go/bin
export GOPATH=/go激活环境变量:
source /etc/profile4,
验证go语言环境
[root@node3 ~]# go version
go version go1.17.1 linux/amd64
二,
下载kubernetes-1.23.12源码
https://codeload.github.com/kubernetes/kubernetes/zip/refs/tags/v1.23.12
下载下来的文件上传到服务器解压后,进入解压目录:
[root@node3 kubernetes-1.23.12]# pwd
/root/kubernetes-1.23.12
[root@node3 kubernetes-1.23.12]# ls
api CHANGELOG cluster code-of-conduct.md docs go.sum LICENSE logo Makefile.generated_files OWNERS pkg README.md staging test vendor
build CHANGELOG.md cmd CONTRIBUTING.md go.mod hack LICENSES Makefile _output OWNERS_ALIASES plugin SECURITY_CONTACTS SUPPORT.md third_party
三,
修改源码的证书相关文件(两个文件):
vim cmd/kubeadm/app/constants/constants.go以关键字time.Hour 搜索,修改成如下(加个100,原来是只有time.Hour * 24 * 365):
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
CertificateValidity = time.Hour * 24 * 365 * 100
vim staging/src/k8s.io/client-go/util/cert/cert.go以关键字KeyUsageDigitalSignatur 搜索,修改成如下(10改成100,原来是now.Add(duration365d * 10)):
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
now := time.Now()
tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0),
Subject: pkix.Name{
CommonName: cfg.CommonName,
Organization: cfg.Organization,
},
DNSNames: []string{cfg.CommonName},
NotBefore: now.UTC(),
NotAfter: now.Add(duration365d * 100).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,
}
以上修改请务必以关键字准确定位。
四,
重新编译kubeadm
make all WHAT=cmd/kubeadm GOFLAGS=-v输出如下:
k8s.io/kubernetes/vendor/github.com/spf13/pflag
k8s.io/kubernetes/hack/make-rules/helpers/go2make
+++ [1205 23:50:42] Building go targets for linux/amd64:
./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
> non-static build: k8s.io/kubernetes/./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
k8s.io/kubernetes/vendor/golang.org/x/mod/semver
k8s.io/kubernetes/vendor/golang.org/x/sys/execabs
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/label
k8s.io/kubernetes/vendor/golang.org/x/xerrors/internal
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/keys
k8s.io/kubernetes/vendor/golang.org/x/xerrors
k8s.io/kubernetes/vendor/golang.org/x/mod/module
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/core
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/gocommand
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/typeparams
k8s.io/kubernetes/vendor/golang.org/x/tools/go/ast/astutil
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/fastwalk
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/gopathwalk
k8s.io/kubernetes/vendor/k8s.io/gengo/types
k8s.io/kubernetes/vendor/k8s.io/gengo/namer
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/imports
k8s.io/kubernetes/vendor/github.com/go-logr/logr
k8s.io/kubernetes/vendor/k8s.io/klog/v2
k8s.io/kubernetes/vendor/k8s.io/gengo/parser
k8s.io/kubernetes/vendor/k8s.io/gengo/examples/set-gen/sets
k8s.io/kubernetes/vendor/golang.org/x/tools/imports
k8s.io/kubernetes/vendor/golang.org/x/tools/go/internal/gcimporter
k8s.io/kubernetes/vendor/k8s.io/gengo/generator
k8s.io/kubernetes/vendor/k8s.io/gengo/args
k8s.io/kubernetes/vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen/prerelease-lifecycle-generators
k8s.io/kubernetes/vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen/args
k8s.io/kubernetes/vendor/golang.org/x/tools/go/internal/packagesdriver
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/packagesinternal
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/typesinternal
k8s.io/kubernetes/vendor/golang.org/x/tools/go/gcexportdata
k8s.io/kubernetes/vendor/golang.org/x/tools/go/packages
k8s.io/kubernetes/vendor/k8s.io/code-generator/pkg/util
k8s.io/kubernetes/vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
Generating prerelease lifecycle code for 28 targets
+++ [1205 23:50:52] Building go targets for linux/amd64:
./vendor/k8s.io/code-generator/cmd/deepcopy-gen
后面的略略略
这个编译还是比较快的,等编译完成后,echo $? 看看有没有报错,如果是0,表示编译完成了。
那么,编译出的kubeadm在 _output/bin 目录下:
/root/kubernetes-1.23.12/_output/bin
[root@node4 bin]# ll
total 79020
-rwxr-xr-x 1 root root 6270976 Dec 5 23:51 conversion-gen
-rwxr-xr-x 1 root root 5996544 Dec 5 23:50 deepcopy-gen
-rwxr-xr-x 1 root root 6000640 Dec 5 23:51 defaulter-gen
-rwxr-xr-x 1 root root 3375951 Dec 5 23:50 go2make
-rwxr-xr-x 1 root root 45191168 Dec 5 23:56 kubeadm
-rwxr-xr-x 1 root root 8114176 Dec 5 23:52 openapi-gen
-rwxr-xr-x 1 root root 5963776 Dec 5 23:50 prerelease-lifecycle-gen
五,
测试编程出来的kubeadm 初始化集群,集群的证书是否变为了100年
将以上生成的kubeadm文件拷贝到一个新的服务器上,随便怎么拷贝吧,scp也好,直接lsrzs也可以。
添加yum源,安装kubeadm:
cat >/etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF安装命令:
yum install kubeadm-1.23.12 kubelet-1.23.12 kubectl-1.23.12 -y安装完毕后,将原来的kubeadm备份一哈;
cp /usr/bin/kubeadm{,.bak}将新的kubeadm拷贝到/usr/bin/下:
cp -f kubeadm /usr/bin/因为是测试性质,因此,随便初始化一下:
kubeadm init \
--image-repository registry.aliyuncs.com/google_containers \
--apiserver-advertise-address=192.168.217.24 \
--service-cidr=10.96.0.0/16 \
--pod-network-cidr=10.244.0.0/16 \
--kubernetes-version=1.23.12等待初始化完成后,再次查看证书期限:
[root@node4 yum.repos.d]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Nov 11, 2122 14:48 UTC 99y ca no
apiserver Nov 11, 2122 14:48 UTC 99y ca no
apiserver-etcd-client Nov 11, 2122 14:48 UTC 99y etcd-ca no
apiserver-kubelet-client Nov 11, 2122 14:48 UTC 99y ca no
controller-manager.conf Nov 11, 2122 14:48 UTC 99y ca no
etcd-healthcheck-client Nov 11, 2122 14:48 UTC 99y etcd-ca no
etcd-peer Nov 11, 2122 14:48 UTC 99y etcd-ca no
etcd-server Nov 11, 2122 14:48 UTC 99y etcd-ca no
front-proxy-client Nov 11, 2122 14:48 UTC 99y front-proxy-ca no
scheduler.conf Nov 11, 2122 14:48 UTC 99y ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Nov 11, 2122 14:48 UTC 99y no
etcd-ca Nov 11, 2122 14:48 UTC 99y no
front-proxy-ca Nov 11, 2122 14:48 UTC 99y no
OK,证书的过期时间都是100年了,说明前面的编译工作是有效果的,可行的。
如果是在生产上,在也不用担心证书过期的问题了,也算是提前解决了一个暴雷问题。
扫一扫
1146
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
