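I'm 美好心情, a blogger on 靠谱客. This article covers managing certificates with kubeadm on K8S: checking certificate expiration times, renewing certificates with the built-in command (the default validity is one year), and rebuilding kubeadm and replacing the binary on a master node so that renewed certificates last longer. I'm sharing it here in the hope that it serves as a useful reference.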

Official documentation: k8s certificate management with kubeadm

Check the certificate expiration times

$ kubeadm alpha certs check-expiration

The output looks like this:

[root@master1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0425 13:59:12.092991 16885 defaults.go:186] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 25, 2022 05:53 UTC   364d                                    no
apiserver                  Apr 25, 2022 05:53 UTC   364d            ca                      no
apiserver-kubelet-client   Apr 25, 2022 05:53 UTC   364d            ca                      no
controller-manager.conf    Apr 25, 2022 05:53 UTC   364d                                    no
front-proxy-client         Apr 25, 2022 05:53 UTC   364d            front-proxy-ca          no
scheduler.conf             Apr 25, 2022 05:53 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 11, 2031 05:51 UTC   9y              no
front-proxy-ca          Mar 11, 2031 05:51 UTC   9y              no

Renew the certificates directly with the command; the default validity (apiserver) is one year

$ kubeadm alpha certs renew all

So I modified the source code and recompiled kubeadm.

// /kubernetes/staging/src/k8s.io/client-go/util/cert/cert.go

// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(duration365d * 100).UTC(), // changed here: 100 years
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// ... (remainder of the function omitted in the original excerpt)
}

// /kubernetes/test/utils/pki_helpers.go

// NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	if len(cfg.CommonName) == 0 {
		return nil, errors.New("must specify a CommonName")
	}
	if len(cfg.Usages) == 0 {
		return nil, errors.New("must specify at least one ExtKeyUsage")
	}

	certTmpl := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:     cfg.AltNames.DNSNames,
		IPAddresses:  cfg.AltNames.IPs,
		SerialNumber: serial,
		NotBefore:    caCert.NotBefore,
		NotAfter:     time.Now().Add(duration365d * 100).UTC(), // changed here: 100 years
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  cfg.Usages,
	}
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}

// /kubernetes/vendor/k8s.io/client-go/util/cert/cert.go

// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(duration365d * 100).UTC(), // changed here: 100 years
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}

// /kubernetes/cmd/kubeadm/app/constants
CertificateValidity = time.Hour * 24 * 365 * 100

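After making the changes, set up a Go environment and the required packages. I won't go into that here; it's easy enough to sort out yourself.
Start the build: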

$ make all WHAT=cmd/kubeadm GOFLAGS=-v

The binary is under /kubernetes/_output/bin.

Find it there and use it to replace the kubeadm binary on any master node.

Before replacing it, run chmod a+x to make it executable, then run the command:

$ kubeadm alpha certs renew all

Run the command to check the certificate expiration times:

$ kubeadm alpha certs check-expiration

[root@master1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0425 14:11:55.863296 30256 defaults.go:186] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 01, 2121 06:11 UTC   99y                                     no
apiserver                  Apr 01, 2121 06:11 UTC   99y             ca                      no
apiserver-kubelet-client   Apr 01, 2121 06:11 UTC   99y             ca                      no
controller-manager.conf    Apr 01, 2121 06:11 UTC   99y                                     no
front-proxy-client         Apr 01, 2121 06:11 UTC   99y             front-proxy-ca          no
scheduler.conf             Apr 01, 2121 06:11 UTC   99y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 11, 2031 05:51 UTC   9y              no
front-proxy-ca          Mar 11, 2031 05:51 UTC   9y              no
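
In the output above the renewed leaf certificates run to 2121, while `ca` and `front-proxy-ca` are unchanged and still expire in 2031. The Go program below is an added example (not code from the original post or from kubeadm) that builds a throwaway CA and leaf with the same 10-year/100-year shape and shows that chain verification fails once the CA is out of date, whatever the leaf's own NotAfter says. The function names and the `example-*` common names are made up for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent with caKey (pass tmpl as parent to self-sign).
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, caKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// LeafValidAt builds a throwaway CA (caYears) and leaf (leafYears), both constructed
// for this demo, and verifies the leaf as if the clock read now+afterYears.
func LeafValidAt(caYears, leafYears, afterYears int) bool {
	now := time.Now().UTC()
	at := func(y int) time.Time { return now.AddDate(y, 0, 0) }
	caPub, caKey, err1 := ed25519.GenerateKey(rand.Reader)
	leafPub, _, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"}, NotBefore: now,
		NotAfter: at(caYears), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := sign(caTmpl, caTmpl, caPub, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example-apiserver"}, NotBefore: now,
		NotAfter: at(leafYears), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf := sign(leafTmpl, ca, leafPub, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at(afterYears)})
	return err == nil // Verify rejects the chain if the leaf or the CA is out of date
}

func main() {
	fmt.Println(LeafValidAt(10, 100, 5), LeafValidAt(10, 100, 11)) // prints: true false
}
```

The usable lifetime of a leaf certificate is therefore bounded by the earlier of its own expiry and its CA's expiry.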
