Changing certificate validity in k8s v1.18.x

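On a k8s cluster installed with kubeadm, all certificates are stored in the /etc/kubernetes/pki directory. Checking the validity of each certificate shows that, apart from the CA certificates, every component certificate defaults to a one-year validity period, while the CA certificates are valid for 10 years.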

root@k8smaster1:~# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 15, 2021 09:27 UTC   337d                                    no      
apiserver                  Dec 15, 2021 09:27 UTC   337d            ca                      no      
apiserver-etcd-client      Dec 15, 2021 09:27 UTC   337d            etcd-ca                 no      
apiserver-kubelet-client   Dec 15, 2021 09:27 UTC   337d            ca                      no      
controller-manager.conf    Dec 15, 2021 09:27 UTC   337d                                    no      
etcd-healthcheck-client    Dec 15, 2021 09:27 UTC   337d            etcd-ca                 no      
etcd-peer                  Dec 15, 2021 09:27 UTC   337d            etcd-ca                 no      
etcd-server                Dec 15, 2021 09:27 UTC   337d            etcd-ca                 no      
front-proxy-client         Dec 15, 2021 09:27 UTC   337d            front-proxy-ca          no      
scheduler.conf             Dec 15, 2021 09:27 UTC   337d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 13, 2030 09:27 UTC   9y              no      
etcd-ca                 Dec 13, 2030 09:27 UTC   9y              no      
front-proxy-ca          Dec 13, 2030 09:27 UTC   9y              no   

Two tools, git and go, need to be installed on the server k8smaster1 (omitted here).

Download the source code for the matching version

cd /usr/local/src/
git clone -b v1.18.5 --depth=1 https://github.com/kubernetes/kubernetes.git
cd kubernetes
# Edit the file cmd/kubeadm/app/constants/constants.go
# Find CertificateValidity = time.Hour * 24 * 365 and change it to the line below
CertificateValidity = time.Hour * 24 * 365 * 10


# Build kubeadm
cd /usr/local/src/kubernetes/
root@k8smaster1:/usr/local/src/kubernetes# make WHAT=cmd/kubeadm
+++ [0112 17:59:21] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/deepcopy-gen
+++ [0112 17:59:39] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/defaulter-gen
+++ [0112 17:59:53] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/conversion-gen
+++ [0112 18:00:19] Building go targets for linux/amd64:
    ./vendor/k8s.io/kube-openapi/cmd/openapi-gen
+++ [0112 18:00:41] Building go targets for linux/amd64:
    ./vendor/github.com/go-bindata/go-bindata/go-bindata
warning: ignoring symlink /usr/local/src/kubernetes/_output/local/go/src/k8s.io/kubernetes
go: warning: "k8s.io/kubernetes/vendor/github.com/go-bindata/go-bindata/..." matched no packages
+++ [0112 18:00:42] Building go targets for linux/amd64:
    cmd/kubeadm
    
# The build produces the _output directory
# Back up the previous kubeadm, then switch to the new one
root@k8smaster1:/usr/local/src/kubernetes# mv /usr/bin/kubeadm /usr/bin/kubeadm.old
root@k8smaster1:/usr/local/src/kubernetes# cp _output/bin/kubeadm /usr/bin/kubeadm

# Back up the previous certificates, then regenerate them
root@k8smaster1:/usr/local/src/kubernetes# cp -rf /etc/kubernetes/pki/  /etc/kubernetes/pki.old
root@k8smaster1:/usr/local/src/kubernetes# cd /etc/kubernetes/
root@k8smaster1:/etc/kubernetes# ls
admin.conf  controller-manager.conf  kubelet.conf  manifests  pki  pki.old  scheduler.conf
root@k8smaster1:/etc/kubernetes# cd pki
root@k8smaster1:/etc/kubernetes/pki# ls
apiserver.crt              apiserver-etcd-client.key  apiserver-kubelet-client.crt  ca.crt  etcd                front-proxy-ca.key      front-proxy-client.key  sa.pub
apiserver-etcd-client.crt  apiserver.key              apiserver-kubelet-client.key  ca.key  front-proxy-ca.crt  front-proxy-client.crt  sa.key


root@k8smaster1:/etc/kubernetes/pki# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

# Check the component certificate validity again: it is now 10 years
root@k8smaster1:/etc/kubernetes/pki# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 10, 2031 10:10 UTC   9y                                      no      
apiserver                  Jan 10, 2031 10:10 UTC   9y              ca                      no      
apiserver-etcd-client      Jan 10, 2031 10:10 UTC   9y              etcd-ca                 no      
apiserver-kubelet-client   Jan 10, 2031 10:10 UTC   9y              ca                      no      
controller-manager.conf    Jan 10, 2031 10:10 UTC   9y                                      no      
etcd-healthcheck-client    Jan 10, 2031 10:10 UTC   9y              etcd-ca                 no      
etcd-peer                  Jan 10, 2031 10:10 UTC   9y              etcd-ca                 no      
etcd-server                Jan 10, 2031 10:10 UTC   9y              etcd-ca                 no      
front-proxy-client         Jan 10, 2031 10:10 UTC   9y              front-proxy-ca          no      
scheduler.conf             Jan 10, 2031 10:10 UTC   9y                                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 13, 2030 09:27 UTC   9y              no      
etcd-ca                 Dec 13, 2030 09:27 UTC   9y              no      
front-proxy-ca          Dec 13, 2030 09:27 UTC   9y              no     
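
In the output above, the renewed component certificates expire on Jan 10, 2031, while the three CAs still expire on Dec 13, 2030; chain validation fails once the issuing CA has expired, so the usable lifetime is bounded by the CA date. The following check is an added example, not part of the original article or of kubeadm: it parses `check-expiration` output and lists every certificate that outlives its CA. The function names are hypothetical, and the sample rows are copied (trimmed) from the output on this page.

```shell
#!/bin/sh
# Added example: flag leaf certificates whose expiry is later than their CA's.
# Reads `kubeadm alpha certs check-expiration` output on stdin.
leaf_outlives_ca() {
  awk '
    function key(mon, day, year, hm,    m) {   # sortable YYYYMMDDhhmm string
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
      sub(/,/, "", day); sub(/:/, "", hm)
      return sprintf("%04d%02d%02d%s", year, m, day, hm)
    }
    NF == 0 || /^\[/ { next }                    # skip blank and log lines
    $1 == "CERTIFICATE" { sec = ($2 == "AUTHORITY") ? "ca" : "leaf"; next }
    sec == "ca"   { ca_exp[$1] = key($2, $3, $4, $5); next }
    sec == "leaf" {
      n++; name[n] = $1; leaf_exp[n] = key($2, $3, $4, $5)
      # kubeconfig rows leave the CA column empty; kubeadm signs them with "ca"
      issuer[n] = (NF == 9) ? $8 : "ca"
    }
    END {                                        # CA table comes last, so compare here
      for (i = 1; i <= n; i++)
        if ((issuer[i] in ca_exp) && leaf_exp[i] > ca_exp[issuer[i]])
          print name[i], leaf_exp[i], "outlives", issuer[i], ca_exp[issuer[i]]
    }'
}

# Sample input: rows copied from the post-renewal output on this page (trimmed).
sample_after_renew() {
  cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 10, 2031 10:10 UTC   9y                                      no
apiserver                  Jan 10, 2031 10:10 UTC   9y              ca                      no
etcd-server                Jan 10, 2031 10:10 UTC   9y              etcd-ca                 no
front-proxy-client         Jan 10, 2031 10:10 UTC   9y              front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 13, 2030 09:27 UTC   9y              no
etcd-ca                 Dec 13, 2030 09:27 UTC   9y              no
front-proxy-ca          Dec 13, 2030 09:27 UTC   9y              no
EOF
}

# On a control-plane node: kubeadm alpha certs check-expiration | leaf_outlives_ca
sample_after_renew | leaf_outlives_ca
```

Each output line gives the certificate, its expiry as YYYYMMDDhhmm, and the CA it outlives with that CA's expiry; empty output means no certificate is dated past its issuer.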