kubernetes
更改证书时间
1 首先确认当前 k8s 集群所使用的 kubeadm(kubernetes)版本,以及编译它所用的 go 版本(见下面输出中的 GitVersion 和 GoVersion)
[07:07]:[shutang@phxriskdna028:update-certs]$ sudo kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.20", GitCommit:"1f3e19b7beb1cc0110255668c4238ed63dadb7ad", GitTreeState:"clean", BuildDate:"2021-06-16T12:56:41Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
[07:07]:[shutang@phxriskdna028:update-certs]$
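2 下面下载 kubernetes 源码包 v1.18.20.tar.gz,并安装 go1.13.15 工具链(两者的版本要与第 1 步查到的一致)。编译出的 kubeadm 之后会以 root 身份运行并替换 /usr/bin/kubeadm,所以解压前应核对下载文件的校验值(Go 的下载页提供了 SHA256)。另外,下面的 heredoc 定界符 eof 没有加引号,$PATH 会在写入文件时就被展开成当前 root 的 PATH;若希望在登录时再展开,应写成 <<'eof'。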
root@es2:/home/shutang/update-cert# wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.18.20.tar.gz && wget https://golang.google.cn/dl/go1.13.15.linux-amd64.tar.gz
root@es2:/home/shutang/update-cert# tar -zxf v1.18.20.tar.gz && tar -zxf go1.13.15.linux-amd64.tar.gz -C /usr/local/
root@es2:/home/shutang/update-cert# cat > /etc/profile.d/go.sh <<eof
export PATH=$PATH:/usr/local/go/bin
eof
root@es2:/home/shutang/update-cert# source /etc/profile.d/go.sh
root@es2:/home/shutang/update-cert# go version
3 使用 kubeadm 安装的 k8s,所有的证书都放在 /etc/kubernetes/pki 这个目录下。查看每个证书的有效期会发现:除 CA 证书外,其他组件证书默认都只有一年有效期,CA 类型证书的有效期为 10 年。
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Mar 24, 2023 09:14 UTC 345d no
apiserver Mar 24, 2023 09:14 UTC 345d ca no
apiserver-etcd-client Mar 24, 2023 09:14 UTC 345d etcd-ca no
apiserver-kubelet-client Mar 24, 2023 09:14 UTC 345d ca no
controller-manager.conf Mar 24, 2023 09:14 UTC 345d no
etcd-healthcheck-client Mar 24, 2023 09:14 UTC 345d etcd-ca no
etcd-peer Mar 24, 2023 09:14 UTC 345d etcd-ca no
etcd-server Mar 24, 2023 09:14 UTC 345d etcd-ca no
front-proxy-client Mar 24, 2023 09:14 UTC 345d front-proxy-ca no
scheduler.conf Mar 24, 2023 09:14 UTC 345d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Mar 21, 2032 09:14 UTC 9y no
etcd-ca Mar 21, 2032 09:14 UTC 9y no
front-proxy-ca Mar 21, 2032 09:14 UTC 9y no
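4 修改源码中与证书有效期有关的常量(cmd/kubeadm/app/constants/constants.go 里的 CertificateValidity,默认为一年),然后重新编译 kubeadm,替换系统中的二进制并续签证书。几点注意:(1) Kubernetes 不检查客户端证书的吊销状态,admin.conf 这类证书一旦泄露,在到期或更换 CA 之前一直有效,有效期拉长到 10 年,泄露后的暴露窗口也随之拉长到 10 年;(2) 从后面的输出可以看到,续签后的证书到期时间(2032-04-09)晚于 CA 的到期时间(2032-03-21),实际可用期以 CA 到期为准;(3) 替换 /usr/bin/kubeadm 和续签之前应先备份原二进制和 /etc/kubernetes/pki,下文出现的 pki.old 应是事先做的备份,但备份命令未在记录中给出;(4) 续签后需要重启控制面组件(apiserver、controller-manager、scheduler、etcd)才会加载新证书。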
root@es2:/home/shutang/update-cert# ls
go1.13.15.linux-amd64.tar.gz kubernetes-1.18.20 make-4.3.tar.gz v1.18.20.tar.gz
root@es2:/home/shutang/update-cert# cd kubernetes-1.18.20/
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# ls
api CHANGELOG cmd docs go.sum logo OWNERS plugin staging third_party WORKSPACE
build CHANGELOG.md code-of-conduct.md Godeps hack Makefile OWNERS_ALIASES README.md SUPPORT.md translations
BUILD.bazel cluster CONTRIBUTING.md go.mod LICENSE Makefile.generated_files pkg SECURITY_CONTACTS test vendor
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# cd cmd/kubeadm/app/constants/
root@es2:/home/shutang/update-cert/kubernetes-1.18.20/cmd/kubeadm/app/constants# ls
BUILD constants.go constants_test.go constants_unix.go constants_windows.go
root@es2:/home/shutang/update-cert/kubernetes-1.18.20/cmd/kubeadm/app/constants# vi constants.go
root@es2:/home/shutang/update-cert/kubernetes-1.18.20/cmd/kubeadm/app/constants# cd ../../../../
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# ls
api CHANGELOG cmd docs go.sum logo OWNERS plugin staging third_party WORKSPACE
build CHANGELOG.md code-of-conduct.md Godeps hack Makefile OWNERS_ALIASES README.md SUPPORT.md translations
BUILD.bazel cluster CONTRIBUTING.md go.mod LICENSE Makefile.generated_files pkg SECURITY_CONTACTS test vendor
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# make WHAT=cmd/kubeadm
+++ [0412 07:21:11] Building go targets for linux/amd64:
./vendor/k8s.io/code-generator/cmd/deepcopy-gen
+++ [0412 07:21:27] Building go targets for linux/amd64:
./vendor/k8s.io/code-generator/cmd/defaulter-gen
+++ [0412 07:21:42] Building go targets for linux/amd64:
./vendor/k8s.io/code-generator/cmd/conversion-gen
+++ [0412 07:22:04] Building go targets for linux/amd64:
./vendor/k8s.io/kube-openapi/cmd/openapi-gen
+++ [0412 07:22:30] Building go targets for linux/amd64:
./vendor/github.com/go-bindata/go-bindata/go-bindata
warning: ignoring symlink /home/shutang/update-cert/kubernetes-1.18.20/_output/local/go/src/k8s.io/kubernetes
go: warning: "k8s.io/kubernetes/vendor/github.com/go-bindata/go-bindata/..." matched no packages
+++ [0412 07:22:35] Building go targets for linux/amd64:
cmd/kubeadm
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# rm -f /usr/bin/kubeadm
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# cp _output/bin/kubeadm /usr/bin/kubeadm
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# cd /etc/kubernetes/pki
root@es2:/etc/kubernetes/pki# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
root@es2:/etc/kubernetes/pki.old# ls -lah
total 68K
drwxr-xr-x 3 root root 4.0K Apr 12 06:50 .
drwxr-xr-x 6 root root 4.0K Apr 12 06:50 ..
-rw-r--r-- 1 root root 1.2K Apr 12 06:50 apiserver.crt
-rw-r--r-- 1 root root 1.1K Apr 12 06:50 apiserver-etcd-client.crt
-rw------- 1 root root 1.7K Apr 12 06:50 apiserver-etcd-client.key
-rw------- 1 root root 1.7K Apr 12 06:50 apiserver.key
-rw-r--r-- 1 root root 1.1K Apr 12 06:50 apiserver-kubelet-client.crt
-rw------- 1 root root 1.7K Apr 12 06:50 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1.1K Apr 12 06:50 ca.crt
-rw------- 1 root root 1.7K Apr 12 06:50 ca.key
drwxr-xr-x 2 root root 4.0K Apr 12 06:50 etcd
-rw-r--r-- 1 root root 1.1K Apr 12 06:50 front-proxy-ca.crt
-rw------- 1 root root 1.7K Apr 12 06:50 front-proxy-ca.key
-rw-r--r-- 1 root root 1.1K Apr 12 06:50 front-proxy-client.crt
-rw------- 1 root root 1.7K Apr 12 06:50 front-proxy-client.key
-rw------- 1 root root 1.7K Apr 12 06:50 sa.key
-rw------- 1 root root 451 Apr 12 06:50 sa.pub
root@es2:/etc/kubernetes/pki# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
root@es2:/etc/kubernetes/pki# ls -lah
total 68K
drwxr-xr-x 3 root root 4.0K Mar 24 02:14 .
drwxr-xr-x 6 root root 4.0K Apr 12 06:50 ..
-rw-r--r-- 1 root root 1.2K Apr 12 07:28 apiserver.crt
-rw-r--r-- 1 root root 1.1K Apr 12 07:28 apiserver-etcd-client.crt
-rw------- 1 root root 1.7K Apr 12 07:28 apiserver-etcd-client.key
-rw------- 1 root root 1.7K Apr 12 07:28 apiserver.key
-rw-r--r-- 1 root root 1.1K Apr 12 07:28 apiserver-kubelet-client.crt
-rw------- 1 root root 1.7K Apr 12 07:28 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1.1K Mar 24 02:14 ca.crt
-rw------- 1 root root 1.7K Mar 24 02:14 ca.key
drwxr-xr-x 2 root root 4.0K Mar 24 02:14 etcd
-rw-r--r-- 1 root root 1.1K Mar 24 02:14 front-proxy-ca.crt
-rw------- 1 root root 1.7K Mar 24 02:14 front-proxy-ca.key
-rw-r--r-- 1 root root 1.1K Apr 12 07:28 front-proxy-client.crt
-rw------- 1 root root 1.7K Apr 12 07:28 front-proxy-client.key
-rw------- 1 root root 1.7K Mar 24 02:14 sa.key
-rw------- 1 root root 451 Mar 24 02:14 sa.pub
root@es2:/etc/kubernetes/pki# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Apr 09, 2032 14:28 UTC 9y no
apiserver Apr 09, 2032 14:28 UTC 9y ca no
apiserver-etcd-client Apr 09, 2032 14:28 UTC 9y etcd-ca no
apiserver-kubelet-client Apr 09, 2032 14:28 UTC 9y ca no
controller-manager.conf Apr 09, 2032 14:28 UTC 9y no
etcd-healthcheck-client Apr 09, 2032 14:28 UTC 9y etcd-ca no
etcd-peer Apr 09, 2032 14:28 UTC 9y etcd-ca no
etcd-server Apr 09, 2032 14:28 UTC 9y etcd-ca no
front-proxy-client Apr 09, 2032 14:28 UTC 9y front-proxy-ca no
scheduler.conf Apr 09, 2032 14:28 UTC 9y no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Mar 21, 2032 09:14 UTC 9y no
etcd-ca Mar 21, 2032 09:14 UTC 9y no
front-proxy-ca Mar 21, 2032 09:14 UTC 9y no
root@es2:/etc/kubernetes/pki# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.20", GitCommit:"1f3e19b7beb1cc0110255668c4238ed63dadb7ad", GitTreeState:"archive", BuildDate:"2022-04-12T14:22:35Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}