官方文档： k8s kubeadm管理证书

查询证书过期时间

$ kubeadm alpha certs check-expiration

如下输出

[root@master1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0425 13:59:12.092991
16885 defaults.go:186] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
CERTIFICATE
EXPIRES
RESIDUAL TIME
CERTIFICATE AUTHORITY
EXTERNALLY MANAGED
admin.conf
Apr 25, 2022 05:53 UTC
364d
no
apiserver
Apr 25, 2022 05:53 UTC
364d
ca
no
apiserver-kubelet-client
Apr 25, 2022 05:53 UTC
364d
ca
no
controller-manager.conf
Apr 25, 2022 05:53 UTC
364d
no
front-proxy-client
Apr 25, 2022 05:53 UTC
364d
front-proxy-ca
no
scheduler.conf
Apr 25, 2022 05:53 UTC
364d
no
CERTIFICATE AUTHORITY
EXPIRES
RESIDUAL TIME
EXTERNALLY MANAGED
ca
Mar 11, 2031 05:51 UTC
9y
no
front-proxy-ca
Mar 11, 2031 05:51 UTC
9y
no

直接使用命令续期证书，默认是apiserver 一年

$ kubeadm alpha
certs renew all

所以修改了源码，重新编译了Kubeadm

# /kubernetes/staging/src/k8s.io/client-go/util/cert/cert.go
// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
now := time.Now()
tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0),
Subject: pkix.Name{
CommonName:
cfg.CommonName,
Organization: cfg.Organization,
},
NotBefore:
now.UTC(),
NotAfter:
now.Add(duration365d * 100).UTC(), # 修改了这里100年
KeyUsage:
x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA:
true,
}

# /kubernetes/test/utils/pki_helpers.go
// NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
if err != nil {
return nil, err
}
if len(cfg.CommonName) == 0 {
return nil, errors.New("must specify a CommonName")
}
if len(cfg.Usages) == 0 {
return nil, errors.New("must specify at least one ExtKeyUsage")
}
certTmpl := x509.Certificate{
Subject: pkix.Name{
CommonName:
cfg.CommonName,
Organization: cfg.Organization,
},
DNSNames:
cfg.AltNames.DNSNames,
IPAddresses:
cfg.AltNames.IPs,
SerialNumber: serial,
NotBefore:
caCert.NotBefore,
NotAfter:
time.Now().Add(duration365d * 100).UTC(), # 修改了这里100年
KeyUsage:
x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage:
cfg.Usages,
}
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
if err != nil {
return nil, err
}
return x509.ParseCertificate(certDERBytes)
}

# /kubernetes/vendor/k8s.io/client-go/util/cert/cert.go
// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
now := time.Now()
tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0),
Subject: pkix.Name{
CommonName:
cfg.CommonName,
Organization: cfg.Organization,
},
NotBefore:
now.UTC(),
NotAfter:
now.Add(duration365d * 100).UTC(), # 修改了这里100年
KeyUsage:
x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA:
true,
}
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
if err != nil {
return nil, err
}
return x509.ParseCertificate(certDERBytes)
}

# /kubernetes/cmd/kubeadm/app/contants
CertificateValidity = time.Hour * 24 * 365 * 100

修改后，准备好go环境和相关包，这个就不说了 so easy 自行解决
开始编译

$ make all WHAT=cmd/kubeadm GOFLAGS=-v

二进制文件在/kubernetes/_output/bin 下

自行寻找，并替换任意master节点二进制文件即可

替换前执行 chmod a+x 给权限，然后执行命令

$ kubeadm alpha
certs renew all

执行命令 查询证书过期时间

$ kubeadm alpha certs check-expiration

[root@master1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0425 14:11:55.863296
30256 defaults.go:186] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
CERTIFICATE
EXPIRES
RESIDUAL TIME
CERTIFICATE AUTHORITY
EXTERNALLY MANAGED
admin.conf
Apr 01, 2121 06:11 UTC
99y
no
apiserver
Apr 01, 2121 06:11 UTC
99y
ca
no
apiserver-kubelet-client
Apr 01, 2121 06:11 UTC
99y
ca
no
controller-manager.conf
Apr 01, 2121 06:11 UTC
99y
no
front-proxy-client
Apr 01, 2121 06:11 UTC
99y
front-proxy-ca
no
scheduler.conf
Apr 01, 2121 06:11 UTC
99y
no
CERTIFICATE AUTHORITY
EXPIRES
RESIDUAL TIME
EXTERNALLY MANAGED
ca
Mar 11, 2031 05:51 UTC
9y
no
front-proxy-ca
Mar 11, 2031 05:51 UTC
9y
no

最后

以上就是美好心情为你收集整理的K8S kubeadm管理证书查询证书过期时间如下输出直接使用命令续期证书，默认是apiserver 一年二进制文件在/kubernetes/_output/bin 下自行寻找，并替换任意master节点二进制文件即可替换前执行 chmod a+x 给权限，然后执行命令执行命令 查询证书过期时间的全部内容，希望文章能够帮你解决K8S kubeadm管理证书查询证书过期时间如下输出直接使用命令续期证书，默认是apiserver 一年二进制文件在/kubernetes/_output/bin 下自行寻找，并替换任意master节点二进制文件即可替换前执行 chmod a+x 给权限，然后执行命令执行命令 查询证书过期时间所遇到的程序开发问题。

如果觉得靠谱客网站的内容还不错，欢迎将靠谱客网站推荐给程序员好友。