K8S: Modifying kubeadm to Extend Certificate Validity
Preface:
By default, the CA certificate that Kubernetes generates at initialization is valid for 10 years and the other certificates for 1 year, so the certificates have to be renewed every year, otherwise some services, such as the apiserver, become unavailable.
★Preparation★
Check the kubeadm and Go version numbers
Run this on the master node that was initialized with the kubeadm command
root@master:~# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.6", GitCommit:"ad3338546da947756e8a88aa6822e9c11e7eac22", GitTreeState:"clean", BuildDate:"2022-04-14T08:48:05Z", GoVersion:"go1.17.9", Compiler:"gc", Platform:"linux/amd64"}
As shown above, my kubeadm version is v1.23.6 and the Go version is 1.17.9
Get the Kubernetes source code
1. Download the corresponding archive from the website
k8s URL: https://github.com/kubernetes/kubernetes/releases
# pick the tag that matches the installed kubeadm version (v1.23.6 above); wget saves the
# archive as v1.23.0.tar.gz by default, so name the output file explicitly for tar
wget https://github.com/kubernetes/kubernetes/archive/v1.23.0.tar.gz -O kubernetes-1.23.0.tar.gz
tar -zxvf kubernetes-1.23.0.tar.gz
cd kubernetes-1.23.0
2. Pull with git and check out the specific version
git clone https://github.com/kubernetes/kubernetes.git
cd kubernetes
# create a local branch from the v1.23.6 tag (the version kubeadm reported above)
git checkout -b release-1.23.6 v1.23.6
3. Install the Go environment
go version
---------------------------------
go version go1.21.0 darwin/amd64
Note: I am doing this on a Mac
Modify the code and recompile to generate the kubeadm binary
1. Modify the CA certificate validity
The default CA certificate validity is 10 years
Edit the file staging/src/k8s.io/client-go/util/cert/cert.go under the project directory
const duration365d = time.Hour * 24 * 365
................
// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
................
// NotAfter: now.Add(duration365d * 10).UTC(),
NotAfter: now.Add(duration365d * 20).UTC(),
................
}
2. Modify the validity of the other certificates
The other certificates are valid for 1 year by default
Edit the file cmd/kubeadm/app/constants/constants.go under the project directory
package constants
import (
................
)
const (
................
// CertificateValidity = time.Hour * 24 * 365
CertificateValidity = time.Hour * 24 * 3650
)
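As an added example (not code from this page or from Kubernetes), the following Go program mirrors the shape of NewSelfSignedCACert with the validity as a parameter instead of the hard-coded duration365d * 10, computes the residual days that kubeadm certs check-expiration rounds down to figures like "9y", and flags a leaf certificate that would expire after the CA that signed it, which is the situation the Dec 2033 CA versus Apr 2034 leaf dates later on this page illustrate. The function names and the P-256 key are my own choices, not client-go's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// newSelfSignedCA follows the shape of client-go's NewSelfSignedCACert but takes the
// validity as a parameter instead of the hard-coded duration365d * 10 (illustration only).
func newSelfSignedCA(cn string, validityDays int, now time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(day * time.Duration(validityDays)).UTC(),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// residualDays is the whole number of days left, the figure check-expiration rounds down.
func residualDays(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now) / day)
}

// outlivesIssuer is true when a leaf would expire after the CA that signed it; such a
// leaf stops validating the moment the CA expires, whatever its own NotAfter says.
func outlivesIssuer(leaf, ca *x509.Certificate) bool {
	return leaf.NotAfter.After(ca.NotAfter)
}
```

A fresh 20-year CA reports 7300 residual days; a leaf renewed for 3650 days against a CA with fewer days left is flagged by outlivesIssuer.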
3. Check, recompile and package
Use git to review the changes
git diff
---------------------------------
diff --git a/cmd/kubeadm/app/constants/constants.go b/cmd/kubeadm/app/constants/constants.go
index c2b8f6e64be..d176ee1d4a5 100644
--- a/cmd/kubeadm/app/constants/constants.go
+++ b/cmd/kubeadm/app/constants/constants.go
@@ -47,7 +47,7 @@ const (
TempDirForKubeadm = "tmp"
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
- CertificateValidity = time.Hour * 24 * 365
+ CertificateValidity = time.Hour * 24 * 3650
// DefaultCertificateDir defines default certificate directory
DefaultCertificateDir = "pki"
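Review bot: the comment above CertificateValidity still reads as if the value were the upstream default; since every certificate kubeadm signs or renews now gets 3650 days, the comment should state the new value and why it was chosen. Note also that leaf certificates signed for 3650 days can outlive a CA that was created with the original 10-year default, as the check-expiration output later on this page shows (CA expiring Dec 2033, renewed leaves Apr 2034); such leaves stop validating when the CA expires, so the CA date, not the leaf date, is the one to monitor.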
diff --git a/staging/src/k8s.io/client-go/util/cert/cert.go b/staging/src/k8s.io/client-go/util/cert/cert.go
index 75143ec0717..2e1ec52446c 100644
--- a/staging/src/k8s.io/client-go/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/util/cert/cert.go
@@ -65,7 +65,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
},
DNSNames: []string{cfg.CommonName},
NotBefore: now.UTC(),
- NotAfter: now.Add(duration365d * 10).UTC(),
+ NotAfter: now.Add(duration365d * 20).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,
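Review bot: this hunk changes a constant in staging/src/k8s.io/client-go, which is shared by every consumer of client-go, so every CA created through NewSelfSignedCACert is affected, not only kubeadm; a one-line comment next to NotAfter noting the local 20-year override would make that visible to anyone merging future upstream changes. The new value only applies to CAs generated after this build (kubeadm init); an existing cluster CA keeps its original expiry, which is consistent with the "kubeadm certs renew all" results later on this page.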
After verifying the changes, start building
Note: because I am building on a Mac, the KUBE_BUILD_PLATFORMS parameter must be specified, otherwise a macOS binary is produced
make all WHAT=cmd/kubeadm GOFLAGS=-v KUBE_BUILD_PLATFORMS=linux/amd64
The generated binary is in the _output/bin/ directory under the current directory
ll _output/bin/
-----------------------
total 179224
-rwxr-xr-x 1 mac staff 7.0M 4 23 14:46 conversion-gen
-rwxr-xr-x 1 mac staff 6.6M 4 23 14:46 deepcopy-gen
-rwxr-xr-x 1 mac staff 6.6M 4 23 14:46 defaulter-gen
-rwxr-xr-x 1 mac staff 3.5M 4 23 14:46 go2make
-rwxr-xr-x 1 mac staff 48M 4 23 14:48 kubeadm
-rwxr-xr-x 1 mac staff 9.0M 4 23 14:47 openapi-gen
-rwxr-xr-x 1 mac staff 6.6M 4 23 14:46 prerelease-lifecycle-gen
This directory is only a symlink; the actual directory is _output/local/bin/linux/amd64/
ll _output/local/bin/linux/amd64/
-rwxr-xr-x 1 mac staff 42M 4 23 15:02 kubeadm
Commands to build each component
# build kubeadm; for this procedure only kubeadm needs to be built
make all WHAT=cmd/kubeadm GOFLAGS=-v
# build kubelet
make all WHAT=cmd/kubelet GOFLAGS=-v
# build kubectl
make all WHAT=cmd/kubectl GOFLAGS=-v
Testing phase
First back up the original kubeadm binary, then upload the new one to the /usr/bin/ directory on the master node that was initialized with the kubeadm command
Because I compiled and uploaded from a Mac, the executable permission still has to be added on the Linux server
chmod +x /usr/bin/kubeadm
Check the kubeadm version information; it has changed from before
root@master:~# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"23+", GitVersion:"v1.23.6-dirty", GitCommit:"ad3338546da947756e8a88aa6822e9c11e7eac22", GitTreeState:"dirty", BuildDate:"2024-04-23T07:02:06Z", GoVersion:"go1.21.0", Compiler:"gc", Platform:"linux/amd64"}
Back up the original certificate directory, then regenerate the certificates and check them
cp -rfa /etc/kubernetes/pki /etc/kubernetes/pki-`date +%Y%m%d`
kubeadm certs renew all
Then check the certificate validity
root@master:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Apr 21, 2034 07:12 UTC 9y ca no
apiserver Apr 21, 2034 07:12 UTC 9y ca no
apiserver-etcd-client Apr 21, 2034 07:12 UTC 9y etcd-ca no
apiserver-kubelet-client Apr 21, 2034 07:12 UTC 9y ca no
controller-manager.conf Apr 21, 2034 07:12 UTC 9y ca no
etcd-healthcheck-client Apr 21, 2034 07:12 UTC 9y etcd-ca no
etcd-peer Apr 21, 2034 07:12 UTC 9y etcd-ca no
etcd-server Apr 21, 2034 07:12 UTC 9y etcd-ca no
front-proxy-client Apr 21, 2034 07:12 UTC 9y front-proxy-ca no
scheduler.conf Apr 21, 2034 07:12 UTC 9y ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Dec 22, 2033 10:37 UTC 9y no
etcd-ca Dec 22, 2033 10:37 UTC 9y no
front-proxy-ca Dec 22, 2033 10:37 UTC 9y no
Because my CA certificate only has a little over 9 years of validity left, the certificates could only be renewed to a little over 9 years, which shows the change succeeded
Note: after renewal, the services must be restarted for the renewed certificates to take effect; otherwise the certificates loaded inside the running services will still expire