Preface
OS: centos7.9 x86_64
kubernetes: 1.18.13
Installation method: kubeadm
I. Symptoms of a cluster whose certificates have expired
1. Error when using the k8s cluster
[root@k8s-master]# kubectl get nodes
The connection to the server <master>:6443 was refused - did you specify the right host or port?
2. kubelet log error
# Check the kubelet status; it prints the following error
[root@k8smaster01 ~]# systemctl status kubelet
part of the existing bootstrap client certificate in /etc/kubernetes/kubelet.conf is expired: 2023-12-16 12:17:35 +0000 UTC
II. Build kubeadm from source with Go, with a 100-year certificate validity
1. Check the certificate expiry dates
[root@k8smaster01 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 16, 2023 12:17 UTC   <invalid>                               no
apiserver                  Dec 16, 2032 12:17 UTC   <invalid>       ca                      no
apiserver-kubelet-client   Dec 16, 2032 12:17 UTC   <invalid>       ca                      no
controller-manager.conf    Dec 16, 2032 12:17 UTC   <invalid>                               no
front-proxy-client         Dec 16, 2032 12:17 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Dec 16, 2032 12:17 UTC   <invalid>                               no
2. Download the source of the matching kubernetes version to the server
[root@k8smaster01 ~]# wget https://github.com/kubernetes/kubernetes/zip/refs/tags/v1.18.13
3. Install Go on the server
[root@k8smaster01 ~]# wget https://studygolang.com/dl/golang/go1.19.2.linux-amd64.tar.gz
[root@k8smaster01 ~]# tar zxf go1.19.2.linux-amd64.tar.gz -C /usr/local/
[root@k8smaster01 ~]# vim /etc/profile
export GOROOT=/usr/local/go
export PATH=$PATH:/usr/local/go/bin
export GOPATH=/go
[root@k8smaster01 ~]# source /etc/profile
# Test the installation
[root@k8smaster01 ~]# go version   # prints the Go version; this confirms the install succeeded
4. Build the kubeadm binary
1) Unzip the downloaded k8s source archive
[root@k8smaster01 ~]# unzip kubernetes-1.18.13\(1\).zip
2) Enter the extracted k8s directory and edit cmd/kubeadm/app/constants/constants.go
[root@k8smaster01 ~]# cd kubernetes-1.18.13/
[root@k8smaster01 ~]# vim cmd/kubeadm/app/constants/constants.go
# Search for CertificateValidity
# Change the certificate validity to: CertificateValidity = time.Hour * 24 * 365 * 100
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"
	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	CertificateValidity = time.Hour * 24 * 365 * 100 // changed here (the upstream value is time.Hour * 24 * 365, i.e. one year)
	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
)
3) Next, edit staging/src/k8s.io/client-go/util/cert/cert.go
[root@k8smaster01 ~]# vim staging/src/k8s.io/client-go/util/cert/cert.go
# Search for KeyUsageDigitalSignature
# Change to: NotAfter: now.Add(duration365d * 100).UTC(),
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:              []string{cfg.CommonName},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(duration365d * 100).UTC(), // changed here (the upstream value is duration365d * 10)
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	// Remainder of the upstream function: self-sign the template and parse the result
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
After the three steps above, build kubeadm from the source with Go:
[root@k8smaster01 ~]# go env -w GOPROXY=https://goproxy.cn,direct   # use a China-based Go module proxy
[root@k8smaster01 ~]# go env -w GOSUMDB="sum.golang.google.cn"   # use the China mirror of the Go checksum database
[root@k8smaster01 ~]# cd kubernetes-1.18.13/   # enter the kubernetes source directory
[root@k8smaster01 ~]# make all WHAT=cmd/kubeadm GOFLAGS=-v   # run the build
# When the build finishes, the compiled kubeadm binary is placed in _output/bin/. Preparation is now complete; next, renew the certificates.
III. Renew the certificates
1. Replace the /usr/bin/kubeadm file
[root@k8smaster01 ~]# ll /usr/bin/kubeadm   # note the permissions and owner/group of the original kubeadm
[root@k8smaster01 ~]# mv /usr/bin/kubeadm /opt/kubeadm_bak   # back up the original kubeadm
[root@k8smaster01 ~]# cp -p kubernetes-1.18.13/_output/bin/kubeadm /usr/bin/kubeadm   # copy the newly built kubeadm into place
[root@k8smaster01 ~]# ll /usr/bin/kubeadm   # confirm the new file's permissions and owner/group match the old one
2. Run the certificate renewal command
[root@k8smaster01 ~]# kubeadm alpha certs renew all
3. Update the kubeconfig on the current master node
[root@k8smaster01 ~]# cp /etc/kubernetes/admin.conf /root/.kube/config
4. Back up the apiserver, controller-manager and scheduler manifests
[root@k8smaster01 ~]# cp -r /etc/kubernetes/manifests/ /etc/kubernetes/manifests-bak
5. Restart apiserver, controller-manager and scheduler
Move the static pod manifests out of the manifests directory, watch the apiserver, controller-manager and scheduler pods until the ones on this node have been deleted, then move the manifests back:
[root@k8smaster01 ~]# mv /etc/kubernetes/manifests/kube-*.yaml /etc/kubernetes/
[root@k8smaster01 ~]# cp /etc/kubernetes/kube-*.yaml /etc/kubernetes/manifests/
Check again that the apiserver, controller-manager and scheduler static pods have started successfully:
[root@k8smaster01 ~]# kubectl get pods -n kube-system -o wide |grep kube-apiserver
[root@k8smaster01 ~]# kubectl get pods -n kube-system -o wide |grep kube-controller-manager
[root@k8smaster01 ~]# kubectl get pods -n kube-system -o wide |grep kube-scheduler
6. Check again that the certificate expiry dates on the current master node have been updated
[root@k8smaster01 ~]# kubeadm alpha certs check-expiration