
Renewing certificates on a kubeadm-deployed cluster

Important: be sure to replace the certificates before they expire.

This procedure has not been used in production; test it thoroughly before relying on it.

My cluster here is version 1.8.5. The files to modify may differ slightly for other versions, so check the official documentation for your release.

Rebuilding kubeadm

Set up the Go build environment

See the official documentation.

Download the Kubernetes source for the matching version

GitHub: https://github.com/kubernetes/kubernetes

Modify the relevant file

For V1.8.5 the change is on line 49 of cmd/kubeadm/app/constants/constants.go:

- CertificateValidity = time.Hour * 24 * 365 
+ CertificateValidity = time.Hour * 24 * 365 * 10

The line marked - is the content before the change.

The line marked + is the content after the change.

Rebuild

make WHAT=cmd/kubeadm GOFLAGS=-v

The new binary is written to the _output/bin/ directory.

Replace the original kubeadm binary (keep a backup first)

cp /usr/bin/kubeadm /usr/bin/kubeadm.bak
cp _output/bin/kubeadm /usr/bin/kubeadm 

Certificate renewal

Check the certificate expiry dates

First check the certificate dates. My certificates still have 364 days until expiry; I am only testing here, so be careful in production. Note that in newer versions the CA certificates already default to a 10-year validity.

[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 05, 2021 03:06 UTC   364                                      no      
apiserver                  Jul 05, 2021 03:06 UTC   364              ca                      no      
apiserver-etcd-client      Jul 05, 2021 03:06 UTC   364              etcd-ca                 no      
apiserver-kubelet-client   Jul 05, 2021 03:06 UTC   364              ca                      no      
controller-manager.conf    Jul 05, 2021 03:06 UTC   364                                      no      
etcd-healthcheck-client    Jul 05, 2021 03:06 UTC   364              etcd-ca                 no      
etcd-peer                  Jul 05, 2021 03:06 UTC   364              etcd-ca                 no      
etcd-server                Jul 05, 2021 03:06 UTC   364              etcd-ca                 no      
front-proxy-client         Jul 05, 2021 03:06 UTC   364              front-proxy-ca          no      
scheduler.conf             Jul 05, 2021 03:06 UTC   364                                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 05, 2030 02:25 UTC   9y              no      
etcd-ca                 Jul 05, 2030 02:25 UTC   9y              no      
front-proxy-ca          Jul 05, 2030 02:25 UTC   9y              no      

Back up the certificates

[root@k8s-master kubernetes]# cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak

Regenerate the certificates

[root@k8s-master kubernetes]# kubeadm alpha certs renew all
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Check the certificate dates again

[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 05, 2030 03:06 UTC   9y                                      no      
apiserver                  Jul 05, 2030 03:06 UTC   9y              ca                      no      
apiserver-etcd-client      Jul 05, 2030 03:06 UTC   9y              etcd-ca                 no      
apiserver-kubelet-client   Jul 05, 2030 03:06 UTC   9y              ca                      no      
controller-manager.conf    Jul 05, 2030 03:06 UTC   9y                                      no      
etcd-healthcheck-client    Jul 05, 2030 03:06 UTC   9y              etcd-ca                 no      
etcd-peer                  Jul 05, 2030 03:06 UTC   9y              etcd-ca                 no      
etcd-server                Jul 05, 2030 03:06 UTC   9y              etcd-ca                 no      
front-proxy-client         Jul 05, 2030 03:06 UTC   9y              front-proxy-ca          no      
scheduler.conf             Jul 05, 2030 03:06 UTC   9y                                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 05, 2030 02:25 UTC   9y              no      
etcd-ca                 Jul 05, 2030 02:25 UTC   9y              no      
front-proxy-ca          Jul 05, 2030 02:25 UTC   9y              no      

Apply the certificates

[root@k8s-master ~]# kubeadm upgrade apply --certificate-renewal v1.18.5