一、为什么要修改 kubeadm 证书时间
Kubernetes 官方提供了 kubeadm 工具安装 kubernetes 集群,使用这个工具安装集群非常便捷,使部署和升级 Kubernetes 变得简单起来。
不过该工具有点坑的就是,使用其安装的 kubernetes 集群的大部分证书有效期只有一年,需要在证书过期前,使用更新操作更新集群,使证书的有效期再续一年。如果忘记这个操作,那么在使用过程中证书到期将导致集群不可用,应用无法访问,急急忙忙解决也需要半天时间,这个问题是致命的。
不过实际情况下,在现网环境中大部分人追求稳定,一般不会大改 Kubernetes 版本,所以解决 kubeadm 集群证书有效期只有一年的最好办法就是重新编译 kubeadm 源码,将里面的 1 年有效期修改为 10 年或者 100 年,也不会影响使用 kubeadm 后续的升级,所以修改源码能很好的规避这个证书过期风险。
二、如何查看 kubernetes 证书过期时间
在执行修改 Kubeadm 源码且重新编译之前,我们先通观察下使用的官方的 Kubeadm 工具初始化的 Kubernetes 集群,观察在默认情况下证书过期时间,执行的命令如下:
$ kubeadm alpha certs check-expiration然后可以看到输出的过期时间如下:CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGEDadmin.conf Aug 14, 2022 03:15 UTC 364d noapiserver Aug 14, 2022 03:15 UTC 364d ca noapiserver-etcd-client Aug 14, 2022 03:15 UTC 364d etcd-ca noapiserver-kubelet-client Aug 14, 2022 03:15 UTC 364d ca nocontroller-manager.conf Aug 14, 2022 03:15 UTC 364d noetcd-healthcheck-client Aug 14, 2022 03:15 UTC 364d etcd-ca noetcd-peer Aug 14, 2022 03:15 UTC 364d etcd-ca noetcd-server Aug 14, 2022 03:15 UTC 364d etcd-ca nofront-proxy-client Aug 14, 2022 03:15 UTC 364d front-proxy-ca noscheduler.conf Aug 14, 2022 03:15 UTC 364d noCERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGEDca Aug 14, 2031 03:15 UTC 9y noetcd-ca Aug 14, 2031 03:15 UTC 9y nofront-proxy-ca Aug 14, 2031 03:15 UTC 9y no
从上面可以了解到,默认情况下 ETCD 证书有效期是 10 年时间,其它证书有效期为 1 年时间,所以如果我们安装集群时没有修改证书过期时间,那么默认 1 年后可能会出现证书过期集群不可用的问题,所以接下来我们进入修改 kubeadm 源码过程。
三、修改 kubeadm 源码并重新编译
3.1 安装 Golang 等编译源码的环境包
由于 Kubeadm 是 Go 语言编写的,所以我们提前安装好编译 Kubeadm 源码的工具,操作过程按下面执行即可:
(1) 安装编译工具
$ yum install -y gcc make rsync jq
(2) 下载并配置 Golang 环境
## 下载 golang 1.15.15$ wget https://dl.google.com/go/go1.15.15.linux-amd64.tar.gz## 解压并放置在一个目录中$ tar zxvf go1.15.15.linux-amd64.tar.gz -C /usr/local## 编辑 /etc/profile 文件,添加 Go 环境配置内容$ vi /etc/profileexport GOROOT=/usr/local/goexport GOPATH=/usr/local/gopathexport PATH=$PATH:$GOROOT/bin## 使配置生效$ source /etc/profile## 测试 Go 命令是否配置成功,成功则显示如下$ go versiongo version go1.15.15 linux/amd64
3.2 下载 kubernetes 源码
下载 Kubernetes 源码,然后切换到指定版本,操作的命令如下:
## 下的 kubernetes 源码$ git clone https://github.com/kubernetes/kubernetes.git## 进入 Kubernetes 目录$ cd kubernetes## 切换 Kubernetes 版本$ git checkout v1.20.9
3.3 修改 kubeadm 源码中证书过期时间
接下来我们修改 Kubernetes 代码中与 kubeadm 证书有效期相关的源码,操作的命令如下:
(1) 修改 constants.go 文件,操作如下:
$ vim cmd/kubeadm/app/constants/constants.go########### 后面追加个 * 100 (注掉部分为源代码,后面跟着的是修改后的代码)#const duration365d = time.Hour * 24 * 365const duration365d = time.Hour * 24 * 365 * 100// Config contains the basic fields required for creating a certificatetype Config struct { CommonName string Organization []string AltNames AltNames Usages []x509.ExtKeyUsage}
(2) 修改 cert.go 文件,操作如下:
$ vim staging/src/k8s.io/client-go/util/cert/cert.go########### 修改10年为100年(注掉部分为源代码,后面跟着的是修改后的代码)#NotAfter: now.Add(duration365d * 10).UTC(),NotAfter: now.Add(duration365d * 100).UTC(),KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,BasicConstraintsValid: true,IsCA: true,......
3.4 执行 kubeadm 编译
使用 make 命令编译 kubeadm, 执行的命令如下:
$ make all WHAT=cmd/kubeadm GOFLAGS=-v
编译成功后的 kubeadm 会放到当前目录中的 ./_output/local/bin/linux/amd64/ 目录中,我们进入到该文件下,查看是否有对应的文件。
## 进入$ cd ./_output/local/bin/linux/amd64/## 查看文件列表$ ls -l-rwxr-xr-x 10:03 conversion-gen-rwxr-xr-x 10:03 deepcopy-gen-rwxr-xr-x 10:03 defaulter-gen-rwxr-xr-x 10:03 go2make-rwxr-xr-x 10:04 go-bindata-rwxr-xr-x 10:04 kubeadm-rwxr-xr-x 10:47 kubectl-rwxr-xr-x 10:34 kubelet-rwxr-xr-x 10:04 openapi-gen-rwxr-xr-x 10:03 prerelease-lifecycle-gen
四、续签证书
4.1 备份数据
kubectl -n kube-system get cm kubeadm-config -o yaml > kubeadm-config.yaml$ cp -rp /etc/kubernetes /root/kubernetes_$(date +%F)$ ls /etc/kubernetes_2024-08-25/admin.conf controller-manager.conf kubelet.conf manifests pki scheduler.conf
4.2 续签证书
$ kubeadm alpha certs check-expiration[check-expiration] Reading configuration from the cluster...[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGEDadmin.conf Feb 17, 2025 02:26 UTC 175d no apiserver Feb 17, 2025 02:26 UTC 175d ca no apiserver-etcd-client Feb 17, 2025 02:26 UTC 175d etcd-ca no apiserver-kubelet-client Feb 17, 2025 02:26 UTC 175d ca no controller-manager.conf Feb 17, 2025 02:26 UTC 175d no etcd-healthcheck-client Feb 17, 2025 02:26 UTC 175d etcd-ca no etcd-peer Feb 17, 2025 02:26 UTC 175d etcd-ca no etcd-server Feb 17, 2025 02:26 UTC 175d etcd-ca no front-proxy-client Feb 17, 2025 02:26 UTC 175d front-proxy-ca no scheduler.conf Feb 17, 2025 02:26 UTC 175d no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGEDca Feb 06, 2033 02:38 UTC 8y no etcd-ca Feb 06, 2033 02:38 UTC 8y no front-proxy-ca Feb 06, 2033 02:38 UTC 8y no
./kubeadm alpha certs renew all
$ mv $HOME/.kube/config $HOME/.kube/config.old$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config$ chown $(id -u):$(id -g) $HOME/.kube/config
$ kubeadm alpha certs check-expiration[check-expiration] Reading configuration from the cluster...[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGEDadmin.conf Aug 01, 2124 02:58 UTC 99y no apiserver Aug 01, 2124 02:58 UTC 99y ca no apiserver-etcd-client Aug 01, 2124 02:58 UTC 99y etcd-ca no apiserver-kubelet-client Aug 01, 2124 02:58 UTC 99y ca no controller-manager.conf Aug 01, 2124 02:58 UTC 99y no etcd-healthcheck-client Aug 01, 2124 02:58 UTC 99y etcd-ca no etcd-peer Aug 01, 2124 02:58 UTC 99y etcd-ca no etcd-server Aug 01, 2124 02:58 UTC 99y etcd-ca no front-proxy-client Aug 01, 2124 02:58 UTC 99y front-proxy-ca no scheduler.conf Aug 01, 2124 02:58 UTC 99y no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGEDca Feb 06, 2033 02:38 UTC 8y no etcd-ca Feb 06, 2033 02:38 UTC 8y no front-proxy-ca Feb 06, 2033 02:38 UTC 8y no
完成后重启 kube-api server、kube-controller、kube-scheduler、etcd 这 4 个容器即可,我们可以查看 apiserver 的证书的有效期来验证是否更新成功:
$ echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddatenotAfter=Aug 1 02:58:33 2124 GMT
可以看到现在的有效期是100年以后,证明已经更新成功。
$ for item in `find /etc/kubernetes/pki -maxdepth 2 -name "*.crt"`;do openssl x509 -in $item -text -noout| grep Not;echo ======================$item===============;done Not Before: Feb 9 02:38:42 2023 GMT Not After : Feb 6 02:38:42 2033 GMT======================/etc/kubernetes/pki/front-proxy-ca.crt=============== Not Before: Feb 9 02:38:43 2023 GMT Not After : Aug 1 02:58:33 2124 GMT======================/etc/kubernetes/pki/apiserver-etcd-client.crt=============== Not Before: Feb 9 02:38:41 2023 GMT Not After : Feb 6 02:38:41 2033 GMT======================/etc/kubernetes/pki/ca.crt=============== Not Before: Feb 9 02:38:41 2023 GMT Not After : Aug 1 02:58:34 2124 GMT======================/etc/kubernetes/pki/apiserver-kubelet-client.crt=============== Not Before: Feb 9 02:38:41 2023 GMT Not After : Aug 1 02:58:33 2124 GMT======================/etc/kubernetes/pki/apiserver.crt=============== Not Before: Feb 9 02:38:42 2023 GMT Not After : Aug 1 02:58:36 2124 GMT======================/etc/kubernetes/pki/front-proxy-client.crt=============== Not Before: Feb 9 02:38:43 2023 GMT Not After : Aug 1 02:58:36 2124 GMT======================/etc/kubernetes/pki/etcd/server.crt=============== Not Before: Feb 9 02:38:43 2023 GMT Not After : Aug 1 02:58:35 2124 GMT======================/etc/kubernetes/pki/etcd/peer.crt=============== Not Before: Feb 9 02:38:43 2023 GMT Not After : Feb 6 02:38:43 2033 GMT======================/etc/kubernetes/pki/etcd/ca.crt=============== Not Before: Feb 9 02:38:43 2023 GMT Not After : Aug 1 02:58:34 2124 GMT======================/etc/kubernetes/pki/etcd/healthcheck-client.crt===============
- 高可用k8s master节点需要将以下证书拷贝至其他master节点并重启 kube-api server、kube-controller、kube-scheduler、etcd 4 个容器。
cp /root/etc/kubernetes/pki/ca.* /etc/kubernetes/pki/cp /root/etc/kubernetes/pki/sa.* /etc/kubernetes/pki/cp /root/etc/kubernetes/pki/front-proxy-ca.* /etc/kubernetes/pki/cp /root/etc/kubernetes/admin.conf /etc/kubernetes/admin.confcp /etc/kubernetes/admin.conf /root/.kube/config
部分转载至 http://www.mydlq.club/article/118/
经验首页