Kubernetes kubeadm certificate management: renewing certificates

How to manage certificates with kubeadm? - Cloud Computing - Yisu Cloud

Validity period of each certificate

/etc/kubernetes/pki/apiserver.crt                #valid 1 year
/etc/kubernetes/pki/front-proxy-ca.crt           #valid 10 years
/etc/kubernetes/pki/ca.crt                       #valid 10 years
/etc/kubernetes/pki/apiserver-etcd-client.crt    #valid 1 year
/etc/kubernetes/pki/front-proxy-client.crt       #valid 1 year
/etc/kubernetes/pki/etcd/server.crt              #valid 1 year
/etc/kubernetes/pki/etcd/ca.crt                  #valid 10 years
/etc/kubernetes/pki/etcd/peer.crt                #valid 1 year
/etc/kubernetes/pki/etcd/healthcheck-client.crt  #valid 1 year
/etc/kubernetes/pki/apiserver-kubelet-client.crt #valid 1 year

Commands for checking certificate expiry:

# Method 1
kubeadm alpha certs check-expiration
# Method 2
openssl x509 -noout -dates -in /etc/kubernetes/pki/apiserver.crt

kubeadm alpha certs subcommands:
Available Commands:
  certificate-key   Generate certificates and keys
  check-expiration  Check certificate expiration
  renew             Renew certificates for a Kubernetes cluster

  The kubeadm alpha certs command is only available in v1.15 and later.

Manually renewing the apiserver certificate (apiserver.crt)

[root@master-63 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 22, 2021 15:26 UTC   327d                                    no      
apiserver                  May 22, 2021 15:26 UTC   327d            ca                      no      
apiserver-etcd-client      May 22, 2021 15:26 UTC   327d            etcd-ca                 no      
apiserver-kubelet-client   May 22, 2021 15:26 UTC   327d            ca                      no      
controller-manager.conf    May 22, 2021 15:26 UTC   327d                                    no      
etcd-healthcheck-client    May 22, 2021 15:26 UTC   327d            etcd-ca                 no      
etcd-peer                  May 22, 2021 15:26 UTC   327d            etcd-ca                 no      
etcd-server                May 22, 2021 15:26 UTC   327d            etcd-ca                 no      
front-proxy-client         May 22, 2021 15:26 UTC   327d            front-proxy-ca          no      
scheduler.conf             May 22, 2021 15:26 UTC   327d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 20, 2030 15:26 UTC   9y              no      
etcd-ca                 May 20, 2030 15:26 UTC   9y              no      
front-proxy-ca          May 20, 2030 15:26 UTC   9y              no      

apiserver.crt currently expires on May 22, 2021 15:26 UTC, with 327 days remaining.


Run renew to update it:

[root@master-63 ~]# kubeadm  alpha certs renew apiserver
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate for serving the Kubernetes API renewed

Restart kubelet; the core components are recreated automatically:

systemctl restart kubelet

Verify:

The apiserver certificate's expiry date has changed. Note that the new expiry is not the old one plus one year: the certificate is valid for one year counted from the moment the renew succeeded.

To renew all certificates for one year, run:

[root@k8s-master ~]# kubeadm  alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 30, 2024 09:10 UTC   364d                                    no      
apiserver                  Jun 30, 2024 09:10 UTC   364d            ca                      no      
apiserver-etcd-client      Jun 30, 2024 09:10 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jun 30, 2024 09:10 UTC   364d            ca                      no      
controller-manager.conf    Jun 30, 2024 09:10 UTC   364d                                    no      
etcd-healthcheck-client    Jun 30, 2024 09:10 UTC   364d            etcd-ca                 no      
etcd-peer                  Jun 30, 2024 09:10 UTC   364d            etcd-ca                 no      
etcd-server                Jun 30, 2024 09:10 UTC   364d            etcd-ca                 no      
front-proxy-client         Jun 30, 2024 09:10 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jun 30, 2024 09:10 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 20, 2032 07:17 UTC   9y              no      
etcd-ca                 Oct 20, 2032 07:17 UTC   9y              no      
front-proxy-ca          Oct 20, 2032 07:17 UTC   9y              no      

Checking again shows that every certificate has been renewed.

That concludes renewal with the built-in CA.

Renewing certificates with an external CA

1. Generate the CSR and private key:

kubeadm alpha certs renew apiserver --csr-only  --csr-dir /tmp/apiserver.csr

--csr-only: generate only the CSR, without signing.
--csr-dir: directory in which the generated CSR and private key are written; defaults to /etc/kubernetes/pki.

2. Inspect the CSR and private key:

The command writes both the CSR and the private key to that directory:

root@k8s-master:~# ls /tmp/apiserver.csr/
apiserver.csr  apiserver.key

3. Have the CA sign the CSR (generated for this private key) and issue the certificate.

Copy the issued certificate together with the private key into the PKI directory /etc/kubernetes/pki.

References
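As an added example (not code from the original post), the following script parses a check-expiration table of the shape shown above and sorts certificates into those kubeadm can renew with `certs renew`, those an external CA must reissue through the `--csr-only` flow, and those still inside the threshold. The sample table, the chosen "now" and the 30-day threshold are constructed assumptions.

```python
"""Added example: parse `kubeadm alpha certs check-expiration` output and triage certificates that expire soon."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the real output (dates chosen for the demo).
SAMPLE_OUTPUT = """\
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 22, 2021 15:26 UTC   20d                                     no
apiserver                  May 22, 2021 15:26 UTC   20d             ca                      no
front-proxy-client         May 22, 2021 15:26 UTC   20d             front-proxy-ca          yes
etcd-server                Jun 30, 2024 09:10 UTC   364d            etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 20, 2030 15:26 UTC   9y              no
"""
# One table row: name, expiry, residual time, optional CA column, externally-managed flag.
ROW_RE = re.compile(
    r"^(\S+)\s+([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2} UTC)\s+\S+\s+(.*?)\s*(yes|no)\s*$")

def parse_utc(text):
    """Parse a kubeadm-style timestamp such as 'May 22, 2021 15:26 UTC'."""
    return datetime.strptime(text, "%b %d, %Y %H:%M UTC").replace(tzinfo=timezone.utc)

def parse_check_expiration(text):
    """Return one dict per certificate row; header, blank and log lines are skipped."""
    certs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, expires, ca, external = m.groups()
            certs.append({"name": name, "expires": parse_utc(expires),
                          "ca": ca.strip(), "external": external == "yes"})
    return certs

def triage(certs, now, days=30):
    """Bucket certificates: 'renew' (kubeadm alpha certs renew), 'external' (CSR to the
    external CA with --csr-only), or 'ok' (more than `days` of validity left)."""
    buckets = {"renew": [], "external": [], "ok": []}
    for cert in certs:
        if cert["expires"] - now > timedelta(days=days):
            buckets["ok"].append(cert["name"])
        elif cert["external"]:
            buckets["external"].append(cert["name"])
        else:
            buckets["renew"].append(cert["name"])
    return buckets

if __name__ == "__main__":
    print(triage(parse_check_expiration(SAMPLE_OUTPUT), parse_utc("May 02, 2021 00:00 UTC")))
```

Externally managed certificates are reported separately because `kubeadm alpha certs renew` will not sign them; they need the CSR flow above.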

https://kubernetes.io/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha/
