证书可用年限修改
[root@k8s-master01 pki]# openssl x509 -in apiserver.crt -text -noout
先下载kubeadm的源码,针对apiserver一年年限证书分发的函数进行修改,由1年改为10年。(需要go语言的环境)
1.go语言环境
[root@k8s-master01 data]# tar -zxvf go1.16.5.linux-amd64.tar.gz -C /usr/local
[root@k8s-master01 data]# vim /etc/profile
export PATH=$PATH:/usr/local/go/bin
[root@k8s-master01 data]# source /etc/profile
[root@k8s-master01 data]# go version
- 1
- 2
- 3
- 4
- 5
2.下载kubernetes源码
[root@k8s-master01 data]# git clone https://github.com/kubernetes/kubernetes.git
[root@k8s-master01 data]# cd kubernetes
[root@k8s-master01 kubernetes]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.21.2",
[root@k8s-master01 kubernetes]# git checkout -b remotes/origin/release-1.21.2 v1.21.2
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
3.修改Kubeadm源码包更新证书策略
[root@k8s-master01 kubernetes]# vim staging/src/k8s.io/client-go/util/cert/cert.go
# kubeadm 1.14 版本之前
vi cmd/kubeadm/app/constants/constants.go
# kubeadm 1.21.2 至今
// NewSignedCert {
const duration365d = time.Hour * 24 * 365 * 100
NotAfter: time.Now().Add(duration365d).UTC(),
}
[root@k8s-master01 kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v
[root@k8s-master01 kubernetes]# cp /usr/bin/kubeadm /usr/bin/kubeadm.old
[root@k8s-master01 kubernetes]# cp _output/bin/kubeadm /usr/bin/kubeadm
[root@k8s-master01 kubernetes]# chmod a+x /usr/bin/kubeadm
[root@k8s-master01 kubernetes]# cd /etc/kubernetes/
[root@k8s-master01 kubernetes]# cp -r pki /pki.old
新证书生成
[root@k8s-master01 ~]# kubeadm certs renew all --config=/root/kubeadm_init/kubeadm-config.yaml
--config是当初安装k8s集群的yaml文件
[root@k8s-master01 ~]# cd /etc/kubernetes/pki
查看证书年限
[root@k8s-master01 pki]# openssl x509 -in apiserver.crt -text -noout
查看kubeadm-config.yaml位置
[root@k8s-master-01 pki]# cd /etc/kubernetes/pki/
openssl x509 -in apiserver.crt -text -noout
k8sv1.19.10版本:
需要加alpha命令才行
kubeadm alpha certs renew all --config=/root/kubeadm_init/kubeadm-config.yaml
查看全部证书过期时间也需要加alpha
kubeadm alpha certs check-expiration