Changing the certificate validity period by recompiling kubeadm

Reference: https://www.cnblogs.com/netonline/archive/2019/07/18/11207765.html

Reference: https://www.cnblogs.com/skymyyang/p/11093686.html

CentOS 7.1

Kubernetes 1.16.0

I. Download the Kubernetes v1.16.3 source and change the validity of generated certificates in the key parts of the code

Download the source from GitHub: https://github.com/kubernetes/kubernetes

Go to Releases and download the source of the version you want; here I downloaded v1.16.3.

Unpack and modify the source

tar -xzvf v1.16.2.tar.gz

From what I found online, two places need to be modified.

vim ./staging/src/k8s.io/client-go/util/cert/cert.go
# In this function you find NotAfter:              now.Add(duration365d * 10).UTC()
# The default validity is 10 years; change it to 100 years
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
        now := time.Now()
        tmpl := x509.Certificate{
                SerialNumber: new(big.Int).SetInt64(0),
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                NotBefore:             now.UTC(),
                // NotAfter:              now.Add(duration365d * 10).UTC(),
                NotAfter:              now.Add(duration365d * 100).UTC(),
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                BasicConstraintsValid: true,
                IsCA:                  true,
        }

        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
        if err != nil {
                return nil, err
        }
        return x509.ParseCertificate(certDERBytes)
}

 

vim ./cmd/kubeadm/app/util/pkiutil/pki_helpers.go
# In this function you find NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC()
# The argument is a constant, kubeadmconstants.CertificateValidity,
# so nothing needs to change here; I went looking in the source for where that constant is assigned
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
        serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
        if err != nil {
                return nil, err
        }
        if len(cfg.CommonName) == 0 {
                return nil, errors.New("must specify a CommonName")
        }
        if len(cfg.Usages) == 0 {
                return nil, errors.New("must specify at least one ExtKeyUsage")
        }

        certTmpl := x509.Certificate{
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                DNSNames:     cfg.AltNames.DNSNames,
                IPAddresses:  cfg.AltNames.IPs,
                SerialNumber: serial,
                NotBefore:    caCert.NotBefore,
                NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
                KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
                ExtKeyUsage:  cfg.Usages,
        }
        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
        if err != nil {
                return nil, err
        }
        return x509.ParseCertificate(certDERBytes)
}

The definition of kubeadmconstants.CertificateValidity turned out to be here:

vim ./cmd/kubeadm/app/constants/constants.go
// This is the constant definition, CertificateValidity; I changed it to *100 years
const (
        // KubernetesDir is the directory Kubernetes owns for storing various configuration files
        KubernetesDir = "/etc/kubernetes"
        // ManifestsSubDirName defines directory name to store manifests
        ManifestsSubDirName = "manifests"
        // TempDirForKubeadm defines temporary directory for kubeadm
        // should be joined with KubernetesDir.
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        // CertificateValidity = time.Hour * 24 * 365
        CertificateValidity = time.Hour * 24 * 365 * 100

        // CACertAndKeyBaseName defines certificate authority base name
        CACertAndKeyBaseName = "ca"
        // CACertName defines certificate name
        CACertName = "ca.crt"
        // CAKeyName defines certificate name
        CAKeyName = "ca.key"
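To see exactly what the two edits change, here is an added Go example (written for this page, not code from the Kubernetes project). NewCA reproduces the template of NewSelfSignedCACert in cert.go and NewSignedCert the one of NewSignedCert in pki_helpers.go, but with the issue time and the validity as parameters so that the resulting dates can be checked, and ResidualLabel reproduces the floor-to-whole-years display of the RESIDUAL TIME column that the check-expiration output in section IV shows. Two things become visible: 365 * 100 days is 24 days short of 100 calendar years, so a certificate issued on 26 Oct 2019 expires on Oct 02, 2119, and its residual time prints as 99y rather than 100y as soon as any time at all has elapsed. The issue time and names are constructed for the demo; RSA 2048 keys are used because that is the key type kubeadm generates.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"time"
)

// Validity values as edited in this post; duration365d is cert.go's helper constant.
const (
	duration365d = time.Hour * 24 * 365
	CAValidity   = duration365d * 100         // cert.go, NewSelfSignedCACert
	CertValidity = time.Hour * 24 * 365 * 100 // constants.go, CertificateValidity
)

// NewCA mirrors NewSelfSignedCACert, with "now" and the validity as parameters.
func NewCA(cn string, now time.Time, validity time.Duration, key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := x509.Certificate{
		SerialNumber:          big.NewInt(0), // cert.go uses serial 0 for the CA
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(validity).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewSignedCert mirrors pki_helpers.go: NotBefore is copied from the CA, NotAfter is now + validity.
func NewSignedCert(cn string, now time.Time, validity time.Duration, key *rsa.PrivateKey, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		Subject:      pkix.Name{CommonName: cn},
		SerialNumber: serial,
		NotBefore:    ca.NotBefore,
		NotAfter:     now.Add(validity).UTC(),
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, ca, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ResidualLabel formats the time left before NotAfter like the RESIDUAL TIME column:
// whole days or whole years, rounded down, so 365*100 days minus a minute reads "99y".
func ResidualLabel(c *x509.Certificate, now time.Time) string {
	d := c.NotAfter.Sub(now)
	if d < 365*24*time.Hour {
		return fmt.Sprintf("%dd", int(d.Hours()/24))
	}
	return fmt.Sprintf("%dy", int(d.Hours()/24/365))
}

// Demo issues a CA and one leaf at "now" with the post's validity values (RSA 2048 keys as kubeadm uses).
func Demo(now time.Time) (ca, leaf *x509.Certificate, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = NewCA("kubernetes", now, CAValidity, caKey); err != nil {
		return nil, nil, err
	}
	leaf, err = NewSignedCert("kube-apiserver", now, CertValidity, leafKey, ca, caKey)
	return ca, leaf, err
}

func main() {
	// Constructed issue time: 36500 days later is Oct 02, 2119 08:25 UTC; the report is run one minute after issuing.
	now := time.Date(2019, 10, 26, 8, 25, 0, 0, time.UTC)
	ca, leaf, err := Demo(now)
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{ca, leaf} {
		fmt.Printf("%-16s %s  %s\n", c.Subject.CommonName,
			c.NotAfter.Format("Jan 02, 2006 15:04 MST"), ResidualLabel(c, now.Add(time.Minute)))
	}
}
```

Note that the CA validity from cert.go only matters when a CA is created, i.e. at `kubeadm init`; renewing certificates later re-signs leaves with CertificateValidity but keeps the existing CA.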

The source is modified; the next step is compiling kubeadm.

II. Compile kubeadm

At first I tried installing a Go environment on the server and running make to build, but that failed with all kinds of errors. The only option left was to pull a container and build inside it. Searching online, I found that the project itself provides a k8s.gcr.io/kube-cross container for building the code.

Since I cannot get past the firewall, for those who cannot either: search https://hub.docker.com for the keyword kube-cross. I picked a fairly recent image, mirrorgooglecontainers/kube-cross:v1.12.10-1; v1.12.10-1 should be the version of the Go toolchain inside the image.

 

Note: before building with mirrorgooglecontainers/kube-cross:v1.12.10-1, I tried an image whose Go version was v1.11.x; the build failed with an error saying, roughly, that the Kubernetes source I had downloaded must be built with v1.12.x.

Pull the image

docker pull mirrorgooglecontainers/kube-cross:v1.12.10-1
# Start the container and get a shell inside it
docker run --rm -it -v <your-modified-kubernetes-source-root>:/go/src/k8s.io/kubernetes \
mirrorgooglecontainers/kube-cross:v1.12.10-1 bash


# cd to the mount path inside the container; ls -al to confirm the files are the source tree mounted from the host
cd /go/src/k8s.io/kubernetes

# Build kubeadm; building only kubeadm is enough here
make all WHAT=cmd/kubeadm GOFLAGS=-v

# Build kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v

# Build kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v

# The build output is at _output/bin/kubeadm,
# where bin is a symlink;
# the real path is _output/local/bin/linux/amd64/kubeadm

Once the build succeeds you can exit the container; the compiled kubeadm is now in the mounted directory:

Path: ./_output/local/bin/linux/amd64/kubeadm

Addendum:

Later I tried to build kubernetes-1.17.1, which needs Go 1.13.4.

The Docker image used above does not work for that; use this one instead:

docker pull gcrcontainer/kube-cross:v1.13.5-1

Run and build

# Start the container and get a shell inside it
docker run --rm -it -v <your-modified-kubernetes-source-root>:/go/src/k8s.io/kubernetes gcrcontainer/kube-cross:v1.13.5-1 bash


# cd to the mount path inside the container; ls -al to confirm the files are the source tree mounted from the host
cd /go/src/k8s.io/kubernetes

# Build kubeadm; building only kubeadm is enough here
make all WHAT=cmd/kubeadm GOFLAGS=-v

# Build kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v

# Build kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v

# The build output is at _output/bin/kubeadm,
# where bin is a symlink;
# the real path is _output/local/bin/linux/amd64/kubeadm

III. Replace the kubeadm currently in use

# Copy the new kubeadm over the system's existing kubeadm, keeping a backup of the original
cp /usr/bin/kubeadm /usr/bin/kubeadm.bak
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm

IV. Run the commands to renew the certificates

You can back up the certificates first; they live in /etc/kubernetes/pki. I did not back them up here.

1. Check the certificate expiry dates

kubeadm alpha certs check-expiration

2. Renew the certificates; first look at the available arguments

kubeadm alpha certs renew --help


Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Renew all certificates

kubeadm alpha certs renew all

Check the validity period again: all of them are 100 years now

kubeadm alpha certs check-expiration


CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Oct 02, 2119 08:31 UTC   99y             no      
apiserver                  Oct 02, 2119 08:25 UTC   99y             no      
apiserver-etcd-client      Oct 02, 2119 08:25 UTC   99y             no      
apiserver-kubelet-client   Oct 02, 2119 08:25 UTC   99y             no      
controller-manager.conf    Oct 02, 2119 08:25 UTC   99y             no      
etcd-healthcheck-client    Oct 02, 2119 08:25 UTC   99y             no      
etcd-peer                  Oct 02, 2119 08:25 UTC   99y             no      
etcd-server                Oct 02, 2119 08:25 UTC   99y             no      
front-proxy-client         Oct 02, 2119 08:25 UTC   99y             no      
scheduler.conf             Oct 02, 2119 08:25 UTC   99y             no  

 
