Certificates
Section 1: Basic Certificate Information
Command for querying basic information
[root@k8s-master01 conf.d]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 30, 2123 02:22 UTC   99y             ca                      no
apiserver                  Jun 30, 2123 02:22 UTC   99y             ca                      no
apiserver-etcd-client      Jun 30, 2123 02:22 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Jun 30, 2123 02:22 UTC   99y             ca                      no
controller-manager.conf    Jun 30, 2123 02:22 UTC   99y             ca                      no
etcd-healthcheck-client    Jun 30, 2123 02:22 UTC   99y             etcd-ca                 no
etcd-peer                  Jun 30, 2123 02:22 UTC   99y             etcd-ca                 no
etcd-server                Jun 30, 2123 02:22 UTC   99y             etcd-ca                 no
front-proxy-client         Jun 30, 2123 02:22 UTC   99y             front-proxy-ca          no
scheduler.conf             Jun 30, 2123 02:22 UTC   99y             ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 24, 2033 15:55 UTC   9y              no
etcd-ca                 Jun 24, 2033 15:55 UTC   9y              no
front-proxy-ca          Jun 24, 2033 15:55 UTC   9y              no
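Command execution:
Section 2: Creating Certificates
Steps
# Step 1: check the current certificate expiration dates
kubeadm certs check-expiration
# Step 2: download Go and set up the environment
go version
# Step 3: download the Kubernetes source for the matching version
git clone http://github.com/kubernetes/
# Step 4: edit the files
vim staging/src/k8s.io/client-go/util/cert/cert.go
vim cmd/kubeadm/app/constants/constants.go
# Step 5: rebuild
make WHAT=cmd/kubeadm GOFLAGS=-v
# Step 6: back up the original PKI, then replace it
mv /etc/kubernetes/pki /etc/kubernetes/pki_bak
# Step 7: renew the certificates and check the new validity period
kubeadm certs renew all
# openssl & cfssl
Verify the machine again
- Reboot the server hosting the node
- Run the check command again in the cmd terminal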
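
To review the re-run check output mechanically, the following added example (not part of the original page or of kubeadm) parses the check-expiration table and reports, for each leaf certificate, the date its chain actually stops validating, which is the earlier of its own expiry and its signing CA's expiry. The names SAMPLE, parse and audit are hypothetical, and the sample rows are copied from the output in Section 1.

```python
import re
from datetime import datetime

# Constructed sample: a few rows copied from the output shown in Section 1.
SAMPLE = """\
[check-expiration] Reading configuration from the cluster...
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jun 30, 2123 02:22 UTC 99y ca no
apiserver-etcd-client Jun 30, 2123 02:22 UTC 99y etcd-ca no
front-proxy-client Jun 30, 2123 02:22 UTC 99y front-proxy-ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jun 24, 2033 15:55 UTC 9y no
etcd-ca Jun 24, 2033 15:55 UTC 9y no
front-proxy-ca Jun 24, 2033 15:55 UTC 9y no
"""

# Fields: name, expiry, residual time, signing CA (leaf rows only), externally managed.
ROW = re.compile(
    r"^(\S+)\s+(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}) UTC\s+(\S+)\s+(?:(\S+)\s+)?(yes|no)$"
)

def parse(text):
    """Return (leaves, cas): leaf name -> (expiry, CA name), CA name -> expiry."""
    leaves, cas = {}, {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # table headers and [check-expiration] log lines
        name, when, _residual, ca, _external = m.groups()
        expiry = datetime.strptime(when, "%b %d, %Y %H:%M")
        if ca is None:
            cas[name] = expiry          # row from the CERTIFICATE AUTHORITY table
        else:
            leaves[name] = (expiry, ca)
    return leaves, cas

def audit(text):
    """Map each leaf to (effective chain expiry, True if the leaf outlives its CA)."""
    leaves, cas = parse(text)
    report = {}
    for name, (expiry, ca) in leaves.items():
        if ca not in cas:
            continue  # CA row absent from the output; nothing to compare against
        report[name] = (min(expiry, cas[ca]), expiry > cas[ca])
    return report

if __name__ == "__main__":
    for name, (effective, outlives) in audit(SAMPLE).items():
        note = "leaf outlives its CA" if outlives else "ok"
        print(f"{name:24} chain valid until {effective:%Y-%m-%d}  {note}")
```

On the output above, every 99y leaf is reported with an effective expiry of 2033-06-24, the date its CA expires.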