Kubernetes v1.18.x 修改证书有效期

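通过修改 kubeadm 源码中的证书有效期常量并重新编译 kubeadm,延长其签发的 Kubernetes 组件证书的有效期(默认 1 年)。需要注意,有效期越长,私钥一旦泄露可被利用的时间窗口也越长,应同时收紧 /etc/kubernetes/pki 下私钥和各 kubeconfig 文件的访问权限。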

1 首先确认集群当前使用的 kubeadm(Kubernetes)版本,以及编译该版本所用的 Go 版本(见下面输出中的 GitVersion 和 GoVersion),后面需要下载相同版本的源码和 Go 工具链

[07:07]:[shutang@phxriskdna028:update-certs]$ sudo kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.20", GitCommit:"1f3e19b7beb1cc0110255668c4238ed63dadb7ad", GitTreeState:"clean", BuildDate:"2021-06-16T12:56:41Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
[07:07]:[shutang@phxriskdna028:update-certs]$

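2 下载与上面版本一致的 Kubernetes 源码包 v1.18.20.tar.gz,并安装 go1.13.15 工具链。编译出的 kubeadm 之后会用来签发集群证书,因此建议在解压和编译之前先校验下载文件的完整性,至少将 Go 安装包与官方下载页公布的 SHA256 校验值比对(sha256sum)。另外,下面 here-doc 的结束标记 eof 未加引号,$PATH 会在写入文件时就被展开为当前值;若希望 go.sh 中保留 $PATH 字面量,应写成 <<'eof'。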

root@es2:/home/shutang/update-cert# wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.18.20.tar.gz && wget https://golang.google.cn/dl/go1.13.15.linux-amd64.tar.gz

root@es2:/home/shutang/update-cert# tar -zxf v1.18.20.tar.gz && tar -zxf go1.13.15.linux-amd64.tar.gz -C /usr/local/


root@es2:/home/shutang/update-cert# cat > /etc/profile.d/go.sh <<eof
export PATH=$PATH:/usr/local/go/bin
eof
root@es2:/home/shutang/update-cert# source /etc/profile.d/go.sh
root@es2:/home/shutang/update-cert# go version

3 使用 kubeadm 安装的 k8s,所有证书都放在 /etc/kubernetes/pki 目录下。查看每个证书的到期时间会发现:除 CA 证书外,其他组件证书的默认有效期都是 1 年,而 CA 证书的有效期为 10 年。

root@es2:/home/shutang/update-cert/kubernetes-1.18.20# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 24, 2023 09:14 UTC   345d                                    no
apiserver                  Mar 24, 2023 09:14 UTC   345d            ca                      no
apiserver-etcd-client      Mar 24, 2023 09:14 UTC   345d            etcd-ca                 no
apiserver-kubelet-client   Mar 24, 2023 09:14 UTC   345d            ca                      no
controller-manager.conf    Mar 24, 2023 09:14 UTC   345d                                    no
etcd-healthcheck-client    Mar 24, 2023 09:14 UTC   345d            etcd-ca                 no
etcd-peer                  Mar 24, 2023 09:14 UTC   345d            etcd-ca                 no
etcd-server                Mar 24, 2023 09:14 UTC   345d            etcd-ca                 no
front-proxy-client         Mar 24, 2023 09:14 UTC   345d            front-proxy-ca          no
scheduler.conf             Mar 24, 2023 09:14 UTC   345d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 21, 2032 09:14 UTC   9y              no
etcd-ca                 Mar 21, 2032 09:14 UTC   9y              no
front-proxy-ca          Mar 21, 2032 09:14 UTC   9y              no 

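4 修改源码中与证书有效期相关的常量,重新编译 kubeadm 并续签证书

本文没有贴出 vi 中的具体改动。在 v1.18 的 cmd/kubeadm/app/constants/constants.go 中,控制组件证书有效期的常量是 CertificateValidity(默认 time.Hour * 24 * 365);从后面的输出看,这里应是把它改成了约 10 年。

操作时有几点需要留意:
- 替换 /usr/bin/kubeadm 之前最好先备份原二进制。下文出现的 /etc/kubernetes/pki.old 目录看起来是续签前对 pki 目录做的备份(备份命令未贴出),其中包含 ca.key 等私钥,确认续签无误后应妥善保管或删除。
- renew 只更新磁盘上的证书文件,需要重启 kube-apiserver、kube-controller-manager、kube-scheduler 和 etcd 后新证书才会生效;admin.conf 续签后,还要同步更新 $HOME/.kube/config 等副本。
- 从最后的 check-expiration 输出可以看到,续签后的组件证书到期时间(Apr 09, 2032)晚于签发它们的 CA(Mar 21, 2032),因此这些证书实际最多只能用到 CA 到期为止。
- 这样编译出的 kubeadm 与官方发布的二进制不同(最后的 kubeadm version 输出中 GitTreeState 为 archive),之后通过包管理器升级 kubeadm 时它会被覆盖。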

root@es2:/home/shutang/update-cert# ls
go1.13.15.linux-amd64.tar.gz  kubernetes-1.18.20  make-4.3.tar.gz  v1.18.20.tar.gz
root@es2:/home/shutang/update-cert# cd kubernetes-1.18.20/
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# ls
api          CHANGELOG     cmd                 docs    go.sum   logo                      OWNERS          plugin             staging     third_party   WORKSPACE
build        CHANGELOG.md  code-of-conduct.md  Godeps  hack     Makefile                  OWNERS_ALIASES  README.md          SUPPORT.md  translations
BUILD.bazel  cluster       CONTRIBUTING.md     go.mod  LICENSE  Makefile.generated_files  pkg             SECURITY_CONTACTS  test        vendor
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# cd cmd/kubeadm/app/constants/
root@es2:/home/shutang/update-cert/kubernetes-1.18.20/cmd/kubeadm/app/constants# ls
BUILD  constants.go  constants_test.go  constants_unix.go  constants_windows.go
root@es2:/home/shutang/update-cert/kubernetes-1.18.20/cmd/kubeadm/app/constants# vi constants.go
root@es2:/home/shutang/update-cert/kubernetes-1.18.20/cmd/kubeadm/app/constants# cd ../../../../
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# ls
api          CHANGELOG     cmd                 docs    go.sum   logo                      OWNERS          plugin             staging     third_party   WORKSPACE
build        CHANGELOG.md  code-of-conduct.md  Godeps  hack     Makefile                  OWNERS_ALIASES  README.md          SUPPORT.md  translations
BUILD.bazel  cluster       CONTRIBUTING.md     go.mod  LICENSE  Makefile.generated_files  pkg             SECURITY_CONTACTS  test        vendor
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# make WHAT=cmd/kubeadm
+++ [0412 07:21:11] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/deepcopy-gen
+++ [0412 07:21:27] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/defaulter-gen
+++ [0412 07:21:42] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/conversion-gen
+++ [0412 07:22:04] Building go targets for linux/amd64:
    ./vendor/k8s.io/kube-openapi/cmd/openapi-gen
+++ [0412 07:22:30] Building go targets for linux/amd64:
    ./vendor/github.com/go-bindata/go-bindata/go-bindata
warning: ignoring symlink /home/shutang/update-cert/kubernetes-1.18.20/_output/local/go/src/k8s.io/kubernetes
go: warning: "k8s.io/kubernetes/vendor/github.com/go-bindata/go-bindata/..." matched no packages
+++ [0412 07:22:35] Building go targets for linux/amd64:
    cmd/kubeadm
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# rm -f /usr/bin/kubeadm
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# cp _output/bin/kubeadm /usr/bin/kubeadm
root@es2:/home/shutang/update-cert/kubernetes-1.18.20# cd /etc/kubernetes/pki
root@es2:/etc/kubernetes/pki# ls
apiserver.crt              apiserver.key                 ca.crt  front-proxy-ca.crt      front-proxy-client.key
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key  front-proxy-ca.key      sa.key
apiserver-etcd-client.key  apiserver-kubelet-client.key  etcd    front-proxy-client.crt  sa.pub
root@es2:/etc/kubernetes/pki.old# ls -lah
total 68K
drwxr-xr-x 3 root root 4.0K Apr 12 06:50 .
drwxr-xr-x 6 root root 4.0K Apr 12 06:50 ..
-rw-r--r-- 1 root root 1.2K Apr 12 06:50 apiserver.crt
-rw-r--r-- 1 root root 1.1K Apr 12 06:50 apiserver-etcd-client.crt
-rw------- 1 root root 1.7K Apr 12 06:50 apiserver-etcd-client.key
-rw------- 1 root root 1.7K Apr 12 06:50 apiserver.key
-rw-r--r-- 1 root root 1.1K Apr 12 06:50 apiserver-kubelet-client.crt
-rw------- 1 root root 1.7K Apr 12 06:50 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1.1K Apr 12 06:50 ca.crt
-rw------- 1 root root 1.7K Apr 12 06:50 ca.key
drwxr-xr-x 2 root root 4.0K Apr 12 06:50 etcd
-rw-r--r-- 1 root root 1.1K Apr 12 06:50 front-proxy-ca.crt
-rw------- 1 root root 1.7K Apr 12 06:50 front-proxy-ca.key
-rw-r--r-- 1 root root 1.1K Apr 12 06:50 front-proxy-client.crt
-rw------- 1 root root 1.7K Apr 12 06:50 front-proxy-client.key
-rw------- 1 root root 1.7K Apr 12 06:50 sa.key
-rw------- 1 root root  451 Apr 12 06:50 sa.pub
root@es2:/etc/kubernetes/pki# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
root@es2:/etc/kubernetes/pki# ls -lah
total 68K
drwxr-xr-x 3 root root 4.0K Mar 24 02:14 .
drwxr-xr-x 6 root root 4.0K Apr 12 06:50 ..
-rw-r--r-- 1 root root 1.2K Apr 12 07:28 apiserver.crt
-rw-r--r-- 1 root root 1.1K Apr 12 07:28 apiserver-etcd-client.crt
-rw------- 1 root root 1.7K Apr 12 07:28 apiserver-etcd-client.key
-rw------- 1 root root 1.7K Apr 12 07:28 apiserver.key
-rw-r--r-- 1 root root 1.1K Apr 12 07:28 apiserver-kubelet-client.crt
-rw------- 1 root root 1.7K Apr 12 07:28 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1.1K Mar 24 02:14 ca.crt
-rw------- 1 root root 1.7K Mar 24 02:14 ca.key
drwxr-xr-x 2 root root 4.0K Mar 24 02:14 etcd
-rw-r--r-- 1 root root 1.1K Mar 24 02:14 front-proxy-ca.crt
-rw------- 1 root root 1.7K Mar 24 02:14 front-proxy-ca.key
-rw-r--r-- 1 root root 1.1K Apr 12 07:28 front-proxy-client.crt
-rw------- 1 root root 1.7K Apr 12 07:28 front-proxy-client.key
-rw------- 1 root root 1.7K Mar 24 02:14 sa.key
-rw------- 1 root root  451 Mar 24 02:14 sa.pub
root@es2:/etc/kubernetes/pki# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 09, 2032 14:28 UTC   9y                                      no
apiserver                  Apr 09, 2032 14:28 UTC   9y              ca                      no
apiserver-etcd-client      Apr 09, 2032 14:28 UTC   9y              etcd-ca                 no
apiserver-kubelet-client   Apr 09, 2032 14:28 UTC   9y              ca                      no
controller-manager.conf    Apr 09, 2032 14:28 UTC   9y                                      no
etcd-healthcheck-client    Apr 09, 2032 14:28 UTC   9y              etcd-ca                 no
etcd-peer                  Apr 09, 2032 14:28 UTC   9y              etcd-ca                 no
etcd-server                Apr 09, 2032 14:28 UTC   9y              etcd-ca                 no
front-proxy-client         Apr 09, 2032 14:28 UTC   9y              front-proxy-ca          no
scheduler.conf             Apr 09, 2032 14:28 UTC   9y                                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 21, 2032 09:14 UTC   9y              no
etcd-ca                 Mar 21, 2032 09:14 UTC   9y              no
front-proxy-ca          Mar 21, 2032 09:14 UTC   9y              no
root@es2:/etc/kubernetes/pki# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.20", GitCommit:"1f3e19b7beb1cc0110255668c4238ed63dadb7ad", GitTreeState:"archive", BuildDate:"2022-04-12T14:22:35Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"} 
