(1)、查看当前的证书时间

    1. # kubeadm alpha certs check-expiration
    2. [check-expiration] Reading configuration from the cluster...
    3. [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
    4. CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
    5. admin.conf Jun 20, 2021 11:21 UTC 364d no
    6. apiserver Jun 20, 2021 11:21 UTC 364d ca no
    7. apiserver-etcd-client Jun 20, 2021 11:21 UTC 364d etcd-ca no
    8. apiserver-kubelet-client Jun 20, 2021 11:21 UTC 364d ca no
    9. controller-manager.conf Jun 20, 2021 11:21 UTC 364d no
    10. etcd-healthcheck-client Jun 20, 2021 11:21 UTC 364d etcd-ca no
    11. etcd-peer Jun 20, 2021 11:21 UTC 364d etcd-ca no
    12. etcd-server Jun 20, 2021 11:21 UTC 364d etcd-ca no
    13. front-proxy-client Jun 20, 2021 11:21 UTC 364d front-proxy-ca no
    14. scheduler.conf Jun 20, 2021 11:21 UTC 364d no
    15. CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
    16. ca Jun 18, 2030 11:21 UTC 9y no
    17. etcd-ca Jun 18, 2030 11:21 UTC 9y no
    18. front-proxy-ca Jun 18, 2030 11:21 UTC 9y no

    (2)、下载源码

    1. git clone https://github.com/kubernetes/kubernetes.git

    (3)、切换到自己的版本,修改源码,比如我的是v1.17.2版本

    1. cd kubernetes
    2. git checkout v1.17.2

    vim cmd/kubeadm/app/constants/constants.go,找到CertificateValidity,修改如下

    1. ....
    2. const (
    3. // KubernetesDir is the directory Kubernetes owns for storing various configuration files
    4. KubernetesDir = "/etc/kubernetes"
    5. // ManifestsSubDirName defines directory name to store manifests
    6. ManifestsSubDirName = "manifests"
    7. // TempDirForKubeadm defines temporary directory for kubeadm
    8. // should be joined with KubernetesDir.
    9. TempDirForKubeadm = "tmp"
    10. // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
    11. CertificateValidity = time.Hour * 24 * 365 * 100
    12. ....

    (4)、编译kubeadm

    1. make WHAT=cmd/kubeadm

    编译完生成如下目录和二进制文件

    1. # ll _output/bin/
    2. total 76172
    3. -rwxr-xr-x 1 root root 6799360 Jun 20 21:08 conversion-gen
    4. -rwxr-xr-x 1 root root 6778880 Jun 20 21:08 deepcopy-gen
    5. -rwxr-xr-x 1 root root 6750208 Jun 20 21:08 defaulter-gen
    6. -rwxr-xr-x 1 root root 4883629 Jun 20 21:08 go2make
    7. -rwxr-xr-x 1 root root 2109440 Jun 20 21:09 go-bindata
    8. -rwxr-xr-x 1 root root 39256064 Jun 20 21:11 kubeadm
    9. -rwxr-xr-x 1 root root 11419648 Jun 20 21:09 openapi-gen

    (5)、备份原kubeadm和证书文件

    1. cp /usr/bin/kubeadm{,.bak20200620}
    2. cp -r /etc/kubernetes/pki{,.bak20200620}

    (7)、将新生成的kubeadm进行替换

    1. cp _output/bin/kubeadm /usr/bin/kubeadm

    (8)、生成新的证书

    1. cd /etc/kubernetes/pki
    2. kubeadm alpha certs renew all

    输出如下

    1. [renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
    2. certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
    3. certificate for serving the Kubernetes API renewed
    4. certificate the apiserver uses to access etcd renewed
    5. certificate for the API server to connect to kubelet renewed
    6. certificate embedded in the kubeconfig file for the controller manager to use renewed
    7. certificate for liveness probes to healthcheck etcd renewed
    8. certificate for etcd nodes to communicate with each other renewed
    9. certificate for serving etcd renewed
    10. certificate for the front proxy client renewed
    11. certificate embedded in the kubeconfig file for the scheduler manager to use renewed

    (9)、验证结果

    1. kubeadm alpha certs check-expiration

    输出如下

    1. [root@k8s-master pki]# kubeadm alpha certs check-expiration
    2. [check-expiration] Reading configuration from the cluster...
    3. [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
    4. CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
    5. admin.conf May 27, 2120 13:25 UTC 99y no
    6. apiserver May 27, 2120 13:25 UTC 99y ca no
    7. apiserver-etcd-client May 27, 2120 13:25 UTC 99y etcd-ca no
    8. apiserver-kubelet-client May 27, 2120 13:25 UTC 99y ca no
    9. controller-manager.conf May 27, 2120 13:25 UTC 99y no
    10. etcd-healthcheck-client May 27, 2120 13:25 UTC 99y etcd-ca no
    11. etcd-peer May 27, 2120 13:25 UTC 99y etcd-ca no
    12. etcd-server May 27, 2120 13:25 UTC 99y etcd-ca no
    13. front-proxy-client May 27, 2120 13:25 UTC 99y front-proxy-ca no
    14. scheduler.conf May 27, 2120 13:25 UTC 99y no
    15. CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
    16. ca Jun 18, 2030 11:21 UTC 9y no
    17. etcd-ca Jun 18, 2030 11:21 UTC 9y no
    18. front-proxy-ca Jun 18, 2030 11:21 UTC 9y no

    查看集群状态是否OK。

    1. [root@k8s-master pki]# kubectl get node
    2. NAME STATUS ROLES AGE VERSION
    3. k8s-master Ready master 127m v1.17.2
    4. k8s-node01 Ready <none> 94m v1.17.2
    5. k8s-node02 Ready <none> 95m v1.17.2
    6. [root@k8s-master pki]# kubectl get pod -n kube-system
    7. NAME READY STATUS RESTARTS AGE
    8. calico-kube-controllers-589b5f594b-76vwr 1/1 Running 0 93m
    9. calico-node-4qvfj 1/1 Running 0 93m
    10. calico-node-cn79s 1/1 Running 0 93m
    11. calico-node-sppn9 1/1 Running 0 93m
    12. coredns-7f9c544f75-hc5q5 1/1 Running 0 127m
    13. coredns-7f9c544f75-z77s8 1/1 Running 0 127m
    14. etcd-k8s-master 1/1 Running 0 114m
    15. kube-apiserver-k8s-master 1/1 Running 0 115m
    16. kube-controller-manager-k8s-master 1/1 Running 0 114m
    17. kube-proxy-6kckk 1/1 Running 0 94m
    18. kube-proxy-r7mn2 1/1 Running 0 127m
    19. kube-proxy-zf48c 1/1 Running 0 95m
    20. kube-scheduler-k8s-master 1/1 Running 0 114m

    更新kubeconfig

    1. kubeadm init phase kubeconfig all --config kubeadm.yaml
    2. [kubeconfig] Using kubeconfig folder "/etc/kubernetes"
    3. [kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
    4. [kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
    5. [kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
    6. [kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"

    将新生成的 admin 配置文件覆盖掉原本的 admin 文件:

    1. mv $HOME/.kube/config $HOME/.kube/config.old
    2. cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    3. chown $(id -u):$(id -g) $HOME/.kube/config

    完成后重启 kube-apiserver、kube-controller-manager、kube-scheduler、etcd 这4个静态 Pod 容器，让它们重新加载新证书；之后可以通过查看 apiserver 对外提供的证书有效期来验证是否更新成功(notAfter 应与上面 check-expiration 显示的新到期时间一致):

    1. $ echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
    2. notAfter=Aug 26 03:47:23 2021 GMT

    到此证书修改完成。需要注意的是，上面 check-expiration 的输出里 ca、etcd-ca、front-proxy-ca 三个 CA 证书的到期时间仍然是 2030 年，而由 CA 签发的证书在 CA 本身过期后同样无法通过校验，所以这些证书的实际有效期依旧受 CA 到期时间限制，CA 证书需要另行续签。

    如果github上下载很慢的话可以到gitee上下载,地址:https://gitee.com/mirrors/Kubernetes/tree/master/

    不过上面的 renew 只覆盖了 kubeadm 管理的证书，kubelet 自身的证书并没有更新(check-expiration 的列表里也没有 kubelet.conf)，这时候我们可以开启 kubelet 证书自动轮转。
    (1)增加 kubelet 参数
    修改/usr/lib/systemd/system/kubelet.service

    1. --feature-gates=RotateKubeletServerCertificate=true

    (2)增加 controller-manager 参数
    修改controller-manager的yaml文件

    1. --experimental-cluster-signing-duration=87600h0m0s
    2. --feature-gates=RotateKubeletServerCertificate=true

    (3)创建 rbac 对象
    创建rbac对象,允许节点轮换kubelet server证书:

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. kind: ClusterRole
    3. metadata:
    4. annotations:
    5. rbac.authorization.kubernetes.io/autoupdate: "true"
    6. labels:
    7. kubernetes.io/bootstrapping: rbac-defaults
    8. name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
    9. rules:
    10. - apiGroups:
    11. - certificates.k8s.io
    12. resources:
    13. - certificatesigningrequests/selfnodeserver
    14. verbs:
    15. - create
    16. ---
    17. apiVersion: rbac.authorization.k8s.io/v1
    18. kind: ClusterRoleBinding
    19. metadata:
    20. name: kubeadm:node-autoapprove-certificate-server
    21. roleRef:
    22. apiGroup: rbac.authorization.k8s.io
    23. kind: ClusterRole
    24. name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
    25. subjects:
    26. - apiGroup: rbac.authorization.k8s.io
    27. kind: Group
    28. name: system:nodes

    查看证书时间

    1. openssl x509 -in ca.crt -noout -text | grep "Not"