请启用 Javascript 以查看内容

kubeadm 更新证书

 ·   ·  ☕ 3 分钟  ·  ✍ CNSRE

文章链接

安装 go 语言环境

Golang 官网下载地址:golang官网
打开官网下载地址选择对应的系统版本, 复制下载链接
这里我选择的是
go1.16.5.linux-amd64.tar.gz
cnsre运维博客|Linux系统运维|自动化运维|云计算|运维监控

下载解压

下载安装包

1
wget https://dl.google.com/go/go1.16.5.linux-amd64.tar.gz

解压到/usr/loacl目录下

1
tar -C /usr/local -zxvf  go1.16.5.linux-amd64.tar.gz

添加环境变量

添加/usr/loacl/go/bin 目录到 PATH 变量中。添加到 /etc/profile

1
2
3
4
5
6
vim /etc/profile
# 在最后一行添加
export GOROOT=/usr/local/go
export PATH=$PATH:$GOROOT/bin
# 保存退出后source一下
source /etc/profile

验证

执行go version,如果现实版本号,则Go环境安装成功。

1
2
[root@master ~]# go version
go version go1.16.5 linux/amd64

查看当前的证书时间

执行命令 查看当前证书时间

1
kubeadm alpha certs check-expiration

cnsre运维博客|Linux系统运维|自动化运维|云计算|运维监控

下载源码

打开github kubernetes 选择对应的版本下载
下载并解压
因为我是 v1.20.6 版本所以下载对应的

1
2
wget  https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.20.6.zip
unzip  v1.20.6.zip

修改 constants.go 文件
vim cmd/kubeadm/app/constants/constants.go 找到 CertificateValidity ,修改如下

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
cd kubernetes-1.20.6
vim cmd/kubeadm/app/constants/constants.go
....
const (
        // KubernetesDir is the directory Kubernetes owns for storing various configuration files
        KubernetesDir = "/etc/kubernetes"
        // ManifestsSubDirName defines directory name to store manifests
        ManifestsSubDirName = "manifests"
        // TempDirForKubeadm defines temporary directory for kubeadm
        // should be joined with KubernetesDir.
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        CertificateValidity = time.Hour * 24 * 365 * 100  #  修改此内容
....

编译 kubeadm

1
make WHAT=cmd/kubeadm

返回如下

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
[root@master kubernetes-1.20.6]# make WHAT=cmd/kubeadm

+++ [0624 10:59:21] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
+++ [0624 10:59:25] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/deepcopy-gen
+++ [0624 10:59:33] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/defaulter-gen
+++ [0624 10:59:44] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/conversion-gen
+++ [0624 11:00:04] Building go targets for linux/amd64:
    ./vendor/k8s.io/kube-openapi/cmd/openapi-gen
+++ [0624 11:00:19] Building go targets for linux/amd64:
    ./vendor/github.com/go-bindata/go-bindata/go-bindata
+++ [0624 11:00:20] Building go targets for linux/amd64:
    cmd/kubeadm

编译完生成如下目录和二进制文件

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
[root@master kubernetes-1.20.6]#  ll _output/bin/
总用量 75680
-rwxr-xr-x. 1 root root  5943296 6月  24 10:59 conversion-gen
-rwxr-xr-x. 1 root root  5689344 6月  24 10:59 deepcopy-gen
-rwxr-xr-x. 1 root root  5709824 6月  24 10:59 defaulter-gen
-rwxr-xr-x. 1 root root  3555111 6月  24 10:59 go2make
-rwxr-xr-x. 1 root root  1966080 6月  24 11:00 go-bindata
-rwxr-xr-x. 1 root root 39325696 6月  24 11:01 kubeadm
-rwxr-xr-x. 1 root root  9650176 6月  24 11:00 openapi-gen
-rwxr-xr-x. 1 root root  5656576 6月  24 10:59 prerelease-lifecycle-gen

备份文件

备份 kubeadm 和证书文件

1
2
cp /usr/bin/kubeadm{,.bak20210624}
cp -r /etc/kubernetes/pki{,.bak20210624}

查看备份文件

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
[root@master kubernetes-1.20.6]# ll /usr/bin/kubeadm*
-rwxr-xr-x. 1 root root 39325696 6月  24 11:05 /usr/bin/kubeadm
-rwxr-xr-x. 1 root root 39210880 6月  24 11:02 /usr/bin/kubeadm.bak20210624

[root@master kubernetes-1.20.6 ll /etc/kubernetes/pki*
/etc/kubernetes/pki:
总用量 56
-rw-r--r--. 1 root root 1289 6月  24 11:05 apiserver.crt
-rw-r--r--. 1 root root 1139 6月  24 11:05 apiserver-etcd-client.crt
-rw-------. 1 root root 1675 6月  24 11:05 apiserver-etcd-client.key
-rw-------. 1 root root 1679 6月  24 11:05 apiserver.key
-rw-r--r--. 1 root root 1147 6月  24 11:05 apiserver-kubelet-client.crt
-rw-------. 1 root root 1675 6月  24 11:05 apiserver-kubelet-client.key
-rw-r--r--. 1 root root 1066 6月  22 15:01 ca.crt
-rw-------. 1 root root 1675 6月  22 15:01 ca.key
drwxr-xr-x. 2 root root  162 6月  22 15:01 etcd
-rwxr-xr-x. 1 root root 1078 6月  22 15:01 front-proxy-ca.crt
-rw-------. 1 root root 1675 6月  22 15:01 front-proxy-ca.key
-rw-r--r--. 1 root root 1103 6月  24 11:05 front-proxy-client.crt
-rw-------. 1 root root 1679 6月  24 11:05 front-proxy-client.key
-rw-------. 1 root root 1675 6月  22 15:01 sa.key
-rw-------. 1 root root  451 6月  22 15:01 sa.pub

/etc/kubernetes/pki.bak20210624:
总用量 56
-rw-r--r--. 1 root root 1289 6月  24 11:04 apiserver.crt
-rw-r--r--. 1 root root 1135 6月  24 11:04 apiserver-etcd-client.crt
-rw-------. 1 root root 1675 6月  24 11:04 apiserver-etcd-client.key
-rw-------. 1 root root 1679 6月  24 11:04 apiserver.key
-rw-r--r--. 1 root root 1143 6月  24 11:04 apiserver-kubelet-client.crt
-rw-------. 1 root root 1675 6月  24 11:04 apiserver-kubelet-client.key
-rw-r--r--. 1 root root 1066 6月  24 11:04 ca.crt
-rw-------. 1 root root 1675 6月  24 11:04 ca.key
drwxr-xr-x. 2 root root  162 6月  24 11:04 etcd
-rwxr-xr-x. 1 root root 1078 6月  24 11:04 front-proxy-ca.crt
-rw-------. 1 root root 1675 6月  24 11:04 front-proxy-ca.key
-rw-r--r--. 1 root root 1103 6月  24 11:04 front-proxy-client.crt
-rw-------. 1 root root 1679 6月  24 11:04 front-proxy-client.key
-rw-------. 1 root root 1675 6月  24 11:04 sa.key
-rw-------. 1 root root  451 6月  24 11:04 sa.pub

替换 kubeadm

将新生成的 kubeadm 进行替换

1
cp _output/bin/kubeadm /usr/bin/kubeadm

生成新的证书

1
2
cd /etc/kubernetes/pki
kubeadm alpha certs renew all

返回内容

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
[root@master pki]# kubeadm alpha certs renew all
Command "all" is deprecated, please use the same command under "kubeadm certs"
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

cnsre运维博客|Linux系统运维|自动化运维|云计算|运维监控

验证结果

到这里,证书就替换完成了。接下来验证下证书时间是否延长。

1
kubeadm alpha certs check-expiration

返回信息

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
[root@master pki]# kubeadm alpha certs check-expiration
Command "check-expiration" is deprecated, please use the same command under "kubeadm certs"
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 31, 2121 03:05 UTC   99y                                     no      
apiserver                  May 31, 2121 03:05 UTC   99y             ca                      no      
apiserver-etcd-client      May 31, 2121 03:05 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   May 31, 2121 03:05 UTC   99y             ca                      no      
controller-manager.conf    May 31, 2121 03:05 UTC   99y                                     no      
etcd-healthcheck-client    May 31, 2121 03:05 UTC   99y             etcd-ca                 no      
etcd-peer                  May 31, 2121 03:05 UTC   99y             etcd-ca                 no      
etcd-server                May 31, 2121 03:05 UTC   99y             etcd-ca                 no      
front-proxy-client         May 31, 2121 03:05 UTC   99y             front-proxy-ca          no      
scheduler.conf             May 31, 2121 03:05 UTC   99y                                     no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 20, 2031 07:01 UTC   9y              no      
etcd-ca                 Jun 20, 2031 07:01 UTC   9y              no      
front-proxy-ca          Jun 20, 2031 07:01 UTC   9y              no      

查看 node 状态

1
2
3
4
[root@master pki]#  kubectl get node
NAME     STATUS   ROLES                  AGE   VERSION
master   Ready    control-plane,master   44h   v1.20.6
node1    Ready    <none>                 43h   v1.20.6

文章链接

分享

CNSRE
作者
CNSRE
一个📚学习中的👨‍💻SRE运维工程师🚀🚀🚀


目录