Overview
Single-node certificate renewal
1. Check the certificate validity period
[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep 'Not'
Not Before: Jan 17 13:34:36 2022 GMT # valid from 2022-01-17
Not After : Jan 17 13:34:37 2023 GMT # valid until 2023-01-17
2. View the details of each certificate
[root@master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jan 17, 2023 13:34 UTC 364d no
apiserver Jan 17, 2023 13:34 UTC 364d ca no
apiserver-etcd-client Jan 17, 2023 13:34 UTC 364d etcd-ca no
apiserver-kubelet-client Jan 17, 2023 13:34 UTC 364d ca no
controller-manager.conf Jan 17, 2023 13:34 UTC 364d no
etcd-healthcheck-client Jan 17, 2023 13:34 UTC 364d etcd-ca no
etcd-peer Jan 17, 2023 13:34 UTC 364d etcd-ca no
etcd-server Jan 17, 2023 13:34 UTC 364d etcd-ca no
front-proxy-client Jan 17, 2023 13:34 UTC 364d front-proxy-ca no
scheduler.conf Jan 17, 2023 13:34 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 15, 2032 13:34 UTC 9y no
etcd-ca Jan 15, 2032 13:34 UTC 9y no
front-proxy-ca Jan 15, 2032 13:34 UTC 9y no
3. Export the cluster configuration
[root@master ~]# kubeadm config view > kube-config.yaml
4. Back up the existing certificates
[root@master ~]# cp -r /etc/kubernetes/pki/ /etc/kubernetes/pki_backup
5. Renew the certificates
[root@master ~]# kubeadm alpha certs renew all --config=kube-config.yaml
W0117 22:07:55.114229 33581 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
6. Check the certificate details again
[root@master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jan 17, 2023 14:07 UTC 364d no
apiserver Jan 17, 2023 14:07 UTC 364d ca no
apiserver-etcd-client Jan 17, 2023 14:07 UTC 364d etcd-ca no
apiserver-kubelet-client Jan 17, 2023 14:07 UTC 364d ca no
controller-manager.conf Jan 17, 2023 14:07 UTC 364d no
etcd-healthcheck-client Jan 17, 2023 14:07 UTC 364d etcd-ca no
etcd-peer Jan 17, 2023 14:07 UTC 364d etcd-ca no
etcd-server Jan 17, 2023 14:07 UTC 364d etcd-ca no
front-proxy-client Jan 17, 2023 14:07 UTC 364d front-proxy-ca no
scheduler.conf Jan 17, 2023 14:07 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 15, 2032 13:34 UTC 9y no
etcd-ca Jan 15, 2032 13:34 UTC 9y no
front-proxy-ca Jan 15, 2032 13:34 UTC 9y no
You cannot tell from the date alone, because the experiment was run on the same day; looking at the exact time, however, you can see it changed (13:34 became 14:07).
7. After renewing the certificates, four containers must be restarted: kube-apiserver, kube-controller, kube-scheduler and etcd.
If that is too much trouble, you can simply restart docker instead.
docker restart `docker ps |grep kube-scheduler |awk '{print $1}'`
docker restart `docker ps |grep kube-controller |awk '{print $1}'`
docker restart `docker ps |grep etcd |awk '{print $1}'`
docker restart `docker ps |grep kube-apiserver |awk '{print $1}'`
# or
systemctl restart docker
8. Check all Pods in the cluster again
[root@master ~]# kubectl get pods --all-namespaces -o wide
Pitfalls in certificate renewal
1. First check the certificate expiry dates; they expire on 2023-01-17
[root@master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jan 17, 2023 14:07 UTC 364d no
apiserver Jan 17, 2023 14:07 UTC 364d ca no
apiserver-etcd-client Jan 17, 2023 14:07 UTC 364d etcd-ca no
apiserver-kubelet-client Jan 17, 2023 14:07 UTC 364d ca no
controller-manager.conf Jan 17, 2023 14:07 UTC 364d no
etcd-healthcheck-client Jan 17, 2023 14:07 UTC 364d etcd-ca no
etcd-peer Jan 17, 2023 14:07 UTC 364d etcd-ca no
etcd-server Jan 17, 2023 14:07 UTC 364d etcd-ca no
front-proxy-client Jan 17, 2023 14:07 UTC 364d front-proxy-ca no
scheduler.conf Jan 17, 2023 14:07 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 15, 2032 13:34 UTC 9y no
etcd-ca Jan 15, 2032 13:34 UTC 9y no
front-proxy-ca Jan 15, 2032 13:34 UTC 9y no
2. Now change the system time so that the certificates expire
[root@master ~]# date -s 2023-2-2
Thu Feb 2 00:00:00 CST 2023
[root@master ~]# date
Thu Feb 2 00:00:01 CST 2023
[root@master ~]# kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid
# the certificates are now invalid
3. Renew the certificates
# Note the difference from above: here there is no "--config=kube-config.yaml" argument, so this renews all certificates
[root@master ~]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
W0202 00:02:14.485812 52342 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Note: this appears to renew all certificates, that is, every certificate under /etc/kubernetes/pki/, but it does not update
the kubelet.conf file under /etc/kubernetes/.
So the next step is to move the old kubelet.conf aside and generate a new kubelet.conf.
4. Generate a new kubelet.conf
[root@master ~]# mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.old
[root@master ~]# kubeadm init phase kubeconfig kubelet
[root@master ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@master ~]# systemctl restart kubelet
[root@master ~]# systemctl status kubelet
5. Restart the four containers listed above; here we simply restart docker
[root@master ~]# systemctl restart docker
Note: this pitfall only surfaces when kubelet is restarted, because it makes the kubelet restart fail.
6. The pitfall is now resolved, but checking the node status shows that node1 and node2 are NotReady
[root@master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master Ready master 380d v1.18.1
node1 NotReady <none> 380d v1.18.1
node2 NotReady <none> 380d v1.18.1
This is because we regenerated kubelet.conf, which means the worker nodes have to rejoin the cluster.
7. Test: you can use the dashboard status as a check; if it is normal, everything is fine.
You can also check the details of each certificate again
[root@master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb 01, 2024 16:02 UTC 364d no
apiserver Feb 01, 2024 16:02 UTC 364d ca no
apiserver-etcd-client Feb 01, 2024 16:02 UTC 364d etcd-ca no
apiserver-kubelet-client Feb 01, 2024 16:02 UTC 364d ca no
controller-manager.conf Feb 01, 2024 16:02 UTC 364d no
etcd-healthcheck-client Feb 01, 2024 16:02 UTC 364d etcd-ca no
etcd-peer Feb 01, 2024 16:02 UTC 364d etcd-ca no
etcd-server Feb 01, 2024 16:02 UTC 364d etcd-ca no
front-proxy-client Feb 01, 2024 16:02 UTC 364d front-proxy-ca no
scheduler.conf Feb 01, 2024 16:02 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 15, 2032 13:34 UTC 8y no
etcd-ca Jan 15, 2032 13:34 UTC 8y no
front-proxy-ca Jan 15, 2032 13:34 UTC 8y no
You can see that the certificates were successfully renewed for one year.
Cluster certificate renewal: building from the source package
Prerequisite: a fully deployed k8s cluster
Lab environment: Kubernetes version v1.18.1
1. Obtain the source
Visit https://github.com/kubernetes/kubernetes/releases and download the source for the specific version
wget https://github.com/kubernetes/kubernetes/archive/v1.18.1.tar.gz -O kubernetes-1.18.1.tar.gz
tar -zxvf kubernetes-1.18.1.tar.gz
mv kubernetes-1.18.1 kubernetes
cd kubernetes
Or fetch it with git
yum install -y git
# The official site gives an https URL; if the network is poor the clone fails, in which case the page's workaround is to replace https with git, as below:
# (note that GitHub switched off the unauthenticated git:// protocol in March 2022, so on current GitHub the https:// URL is the one that works)
git clone git://github.com/kubernetes/kubernetes.git
# a kubernetes directory is created once the clone finishes
[root@master ~]# du -sh kubernetes/
1.2G kubernetes/
[root@master kubernetes]# git checkout -b v1.18.1 v1.18.1
About the git commands
List all branches, including remote ones
git branch -a
[root@master kubernetes]# git branch -a
* (detached from v1.18.0)
master
remotes/origin/release-1.18
remotes/origin/HEAD -> origin/master
remotes/origin/feature-rate-limiting
remotes/origin/feature-serverside-apply
remotes/origin/feature-workload-ga
remotes/origin/master
remotes/origin/release-0.10
remotes/origin/release-0.12
remotes/origin/release-0.13
...
remotes/origin/release-1.6
remotes/origin/release-1.6.3
remotes/origin/release-1.7
remotes/origin/release-1.8
remotes/origin/release-1.9
# git branch with no arguments lists the local branches and marks the current one with *; with -a it lists all branches, local and remote, and remote branches are usually shown in red
In fact, the git clone above pulled down the history of every version, while the Kubernetes version we run is v1.18.1, so we only need to work on the v1.18.1 source; hence we create a new branch for it:
git checkout -b v1.18.1 v1.18.1
# git checkout -b <new local branch name> <start point: a tag or a remote branch>
# This command creates a local branch named v1.18.1 at the v1.18.1 tag and switches to it,
# so the working tree holds exactly the v1.18.1 source (the tag lies on the release-1.18 line) instead of the master history the clone landed on.
# In effect the command filters the source down to the Kubernetes version this cluster runs.
Modify the certificate validity period
1. Change the CA certificate validity to 100 years (default: 10 years)
// In this function, NotAfter: now.Add(duration365d * 10).UTC()
// gives the default validity of 10 years; change it to 100 years
// in vi, type /NotAfter to search and press Enter to jump to it
[root@master ~]# vi /root/kubernetes/staging/src/k8s.io/client-go/util/cert/cert.go
// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(duration365d * 100).UTC(), // changed from "* 10" to "* 100"
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
2. Change the signed certificate validity to 100 years (default: 1 year)
// It is this constant definition, CertificateValidity; append "* 100" to make it 100 years
// in vi, type /CertificateValidity to search and press Enter to jump to it
[root@master ~]# vi /root/kubernetes/cmd/kubeadm/app/constants/constants.go
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"

	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	CertificateValidity = time.Hour * 24 * 365 * 100 // added "* 100"

	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
	// CAKeyName defines certificate name
	CAKeyName = "ca.key"
	// ... remaining constants unchanged
)
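The two edits above only change how long new certificates live; what the earlier sections actually need is a way to tell, for every file a cluster trusts, how long it has left, including the kubelet.conf that "renew all" skips. The following is an added Go example, not kubeadm's or client-go's code: NewCertPEM mirrors NewSelfSignedCACert with the validity as a parameter (it uses a P-256 key for speed where kubeadm uses RSA, an assumption), and DaysLeft audits either a pki/*.crt file or a kubeconfig whose client certificate is base64-embedded in YAML.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"math/big"
	"regexp"
	"time"
)

// NewCertPEM mirrors NewSelfSignedCACert, but takes the validity as a parameter instead of the hard-coded duration365d * 10.
func NewCertPEM(cn string, validity time.Duration, now time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 is an assumption here; kubeadm generates RSA keys
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.UTC(), NotAfter: now.Add(validity).UTC(), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

var embedded = regexp.MustCompile(`client-certificate-data:\s*([A-Za-z0-9+/=]+)`) // base64 client cert inside kubeconfig YAML

// DaysLeft returns whole days until NotAfter for a pki/*.crt PEM file or a kubeconfig such as kubelet.conf, which "renew all" skips.
func DaysLeft(content []byte, now time.Time) (days int, err error) {
	if m := embedded.FindSubmatch(content); m != nil { // kubeconfig: decode the embedded cert first
		if content, err = base64.StdEncoding.DecodeString(string(m[1])); err != nil {
			return 0, err
		}
	}
	var der []byte // stays nil when there is no PEM block, and ParseCertificate then reports the error
	if blk, _ := pem.Decode(content); blk != nil {
		der = blk.Bytes
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, err
	}
	return int(c.NotAfter.Sub(now).Hours() / 24), nil
}
```

Run DaysLeft over /etc/kubernetes/pki/*.crt and /etc/kubernetes/*.conf with a fixed threshold to catch the kubelet.conf case before kubelet is restarted.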
Building
Building in a container image
You need to pull the kube-cross image, which is essentially an image with the Go toolchain installed
# check which Go version the k8s v1.18.1 source requires
[root@master ~]# cat /root/kubernetes/build/build-image/cross/VERSION
v1.13.9-2
# it requires Go v1.13.9-2, so the kube-cross image we pull must be at or above v1.13.9-2
# pull the image (wzshiming/kube-cross is a third-party mirror on Docker Hub, not the Kubernetes project's own build image; verify its provenance before building binaries from it)
[root@master ~]# docker pull wzshiming/kube-cross:v1.15.5-1
[root@master ~]# docker run --rm -v /root/kubernetes:/go/src/k8s.io/kubernetes -it wzshiming/kube-cross:v1.15.5-1 bash
# --rm means the container and its anonymous volumes are removed when it exits; docker run --rm is equivalent to running docker rm -v after the container exits
# build kubeadm; kubeadm is the main thing we need to build here
make all WHAT=cmd/kubeadm GOFLAGS=-v
# build kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v
# build kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v
# leave the container
exit
The built binary is under _output/bin/kubeadm:
cp /root/kubernetes/_output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm
# verify the version
kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"18+", GitVersion:"v1.18.1-dirty", GitCommit:"7879fc12a63337efff607952a323df90cdc7a335", GitTreeState:"dirty", BuildDate:"2022-01-18T06:00:20Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
Building natively on the host
1. Install the build packages
# install the build packages
yum install gcc make -y
yum install rsync jq -y # jq needs the epel repo
2. Check the kube-cross TAG version
[root@master ~]# cat /root/kubernetes/build/build-image/cross/VERSION
v1.13.9-2
3. Install the Go environment
wget https://dl.google.com/go/go1.13.9.linux-amd64.tar.gz
tar zxvf go1.13.9.linux-amd64.tar.gz -C /usr/local
Edit /etc/profile with vi and add the following:
# Go settings
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin
# apply it
source /etc/profile
# for a one-off build, you can simply run the following instead
export PATH=$PATH:/usr/local/go/bin
# verify the version
go version
go version go1.13.9 linux/amd64
4. Build
# build kubeadm; kubeadm is the main thing we need to build here
make all WHAT=cmd/kubeadm GOFLAGS=-v
# build kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v
# build kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v
# the built binary is under _output/bin/kubeadm,
# where bin is a symlink;
# the real path is _output/local/bin/linux/amd64/kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm
kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"18+", GitVersion:"v1.18.1-dirty", GitCommit:"7879fc12a63337efff607952a323df90cdc7a335", GitTreeState:"dirty", BuildDate:"2022-01-18T06:00:20Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
If there are multiple master nodes, copy the binary to each of them
scp /usr/bin/kubeadm root@master2:/usr/bin/
Run the commands to renew the certificates
Back up the certificates first; they live in /etc/kubernetes/pki
# older versions (1.19 and earlier):
kubeadm alpha certs check-expiration
# 1.19 and later:
kubeadm certs check-expiration
The kubeadm alpha certs command is deprecated from 1.20 onward.
The kubeadm alpha command is removed entirely from 1.21 onward.
1. Renew all certificates
kubeadm alpha certs renew all
2. View the details of all certificates: 99y is shown, which together with the current year makes 100y. Keep in mind that a 100-year client certificate never ages out, and Kubernetes has no certificate revocation, so a leaked admin.conf or node credential stays valid until the CA itself is replaced; treat these files as long-lived secrets.
[root@master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Dec 25, 2121 06:04 UTC 99y no
apiserver Dec 25, 2121 06:04 UTC 99y ca no
apiserver-etcd-client Dec 25, 2121 06:04 UTC 99y etcd-ca no
apiserver-kubelet-client Dec 25, 2121 06:04 UTC 99y ca no
controller-manager.conf Dec 25, 2121 06:04 UTC 99y no
etcd-healthcheck-client Dec 25, 2121 06:04 UTC 99y etcd-ca no
etcd-peer Dec 25, 2121 06:04 UTC 99y etcd-ca no
etcd-server Dec 25, 2121 06:04 UTC 99y etcd-ca no
front-proxy-client Dec 25, 2121 06:04 UTC 99y front-proxy-ca no
scheduler.conf Dec 25, 2121 06:04 UTC 99y no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 15, 2032 13:34 UTC 9y no
etcd-ca Jan 15, 2032 13:34 UTC 9y no
front-proxy-ca Jan 15, 2032 13:34 UTC 9y no