Background
A cluster deployed with kubeadm issues cluster certificates that are valid for 1 year by default. To reduce later hassle, the validity period can be extended; this walkthrough uses kubeadm 1.18. The validity is changed to 10 years by recompiling kubeadm with a patched constant.
Note: the source file that has to be modified may differ between kubeadm versions.
Steps
Check the current certificate validity
[root@m ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Mar 23, 2023 09:00 UTC 364d no
apiserver Mar 23, 2023 09:00 UTC 364d ca no
apiserver-etcd-client Mar 23, 2023 09:00 UTC 364d etcd-ca no
apiserver-kubelet-client Mar 23, 2023 09:00 UTC 364d ca no
controller-manager.conf Mar 23, 2023 09:00 UTC 364d no
etcd-healthcheck-client Mar 23, 2023 09:00 UTC 364d etcd-ca no
etcd-peer Mar 23, 2023 09:00 UTC 364d etcd-ca no
etcd-server Mar 23, 2023 09:00 UTC 364d etcd-ca no
front-proxy-client Mar 23, 2023 09:00 UTC 364d front-proxy-ca no
scheduler.conf Mar 23, 2023 09:00 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Mar 18, 2032 08:42 UTC 9y no
etcd-ca Mar 18, 2032 08:42 UTC 9y no
front-proxy-ca Mar 18, 2032 08:42 UTC 9y no
Download the source and patch it
git clone https://github.com/kubernetes/kubernetes.git
cd kubernetes
git checkout release-1.18
vim cmd/kubeadm/app/constants/constants.go   # append "* 10" to the duration assigned to CertificateValidity
...
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"
	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	CertificateValidity = time.Hour * 24 * 365 * 10
	// CACertAndKeyBaseName defines certificate authority base name
...
Go environment
# download, pick the version you need
wget https://studygolang.com/dl/golang/go1.18.linux-amd64.tar.gz
# untar
tar -zxvf go1.18.linux-amd64.tar.gz -C /usr/local
# edit /etc/profile, append the following at the end of the file
vim /etc/profile
# go setting
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin
# enable /etc/profile
source /etc/profile
~]# go version
go version go1.18 linux/amd64
Build kubeadm; on success the _output directory is generated
make WHAT=cmd/kubeadm
Replace kubeadm and generate new certificates
mv /usr/bin/kubeadm{,.bak}
cp -r /etc/kubernetes/pki{,.bak}
cp _output/bin/kubeadm /usr/bin/kubeadm
cd /etc/kubernetes/pki
kubeadm alpha certs renew all
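The procedure above works because kubeadm computes every leaf certificate's NotAfter as "now + CertificateValidity". The following Go program is an added example, not code from the kubeadm project: it issues a self-signed test certificate from a validity constant the same way (the 10-year value patched in above beside the stock 1-year value), then parses the PEM back and reports the residual lifetime, which is the check that kubeadm alpha certs check-expiration performs per certificate. The function names (NewSelfSignedCert, CheckExpiration, NeedsRenewal) and the renewal threshold are assumptions of this example; it can be pointed at any file under /etc/kubernetes/pki to audit expiry independently of kubeadm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertificateValidity mirrors the patched kubeadm constant: 10 years instead of the stock 1 year.
const CertificateValidity = time.Hour * 24 * 365 * 10

// NewSelfSignedCert issues a self-signed CA-style certificate whose NotAfter is derived
// from validity, the way kubeadm derives leaf certificate lifetimes from CertificateValidity.
// It returns the PEM-encoded certificate. (Assumed helper, not kubeadm's own API.)
func NewSelfSignedCert(commonName string, now time.Time, validity time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             now.Add(-time.Hour), // small backdate tolerates clock skew
		NotAfter:              now.Add(validity),   // this is the field the patch changes
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ExpiryInfo holds what an expiry check reports for one certificate.
type ExpiryInfo struct {
	Subject  string
	Expires  time.Time
	Residual time.Duration
	Expired  bool
}

// CheckExpiration parses a PEM certificate and reports its residual lifetime relative to now.
func CheckExpiration(pemBytes []byte, now time.Time) (ExpiryInfo, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return ExpiryInfo{}, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return ExpiryInfo{}, err
	}
	return ExpiryInfo{
		Subject:  cert.Subject.CommonName,
		Expires:  cert.NotAfter,
		Residual: cert.NotAfter.Sub(now),
		Expired:  !now.Before(cert.NotAfter),
	}, nil
}

// NeedsRenewal is true when the certificate is expired or less than threshold remains.
func NeedsRenewal(info ExpiryInfo, threshold time.Duration) bool {
	return info.Expired || info.Residual < threshold
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	oneYear := time.Hour * 24 * 365
	for _, v := range []time.Duration{oneYear, CertificateValidity} {
		pemBytes, err := NewSelfSignedCert("apiserver", now, v)
		if err != nil {
			panic(err)
		}
		info, err := CheckExpiration(pemBytes, now)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s expires %s residual %4.0fd renew-soon=%v\n",
			info.Subject, info.Expires.Format("Jan 02, 2006 15:04 UTC"),
			info.Residual.Hours()/24, NeedsRenewal(info, 90*24*time.Hour))
	}
}
```

Two things the output above also shows: the CA certificates (ca, etcd-ca, front-proxy-ca) keep their original expiry both before and after the renewal, because the patched constant only governs the certificates kubeadm signs, not the CAs themselves; and kubeadm alpha certs renew all rewrites files on disk without restarting the control-plane components, so the static pods under /etc/kubernetes/manifests still hold the old certificates in memory until they are restarted.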
Verification
Check the certificate validity
[root@m pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Mar 21, 2032 07:12 UTC 9y no
apiserver Mar 21, 2032 07:12 UTC 9y ca no
apiserver-etcd-client Mar 21, 2032 07:12 UTC 9y etcd-ca no
apiserver-kubelet-client Mar 21, 2032 07:12 UTC 9y ca no
controller-manager.conf Mar 21, 2032 07:12 UTC 9y no
etcd-healthcheck-client Mar 21, 2032 07:12 UTC 9y etcd-ca no
etcd-peer Mar 21, 2032 07:12 UTC 9y etcd-ca no
etcd-server Mar 21, 2032 07:12 UTC 9y etcd-ca no
front-proxy-client Mar 21, 2032 07:12 UTC 9y front-proxy-ca no
scheduler.conf Mar 21, 2032 07:12 UTC 9y no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Mar 18, 2032 08:42 UTC 9y no
etcd-ca Mar 18, 2032 08:42 UTC 9y no
front-proxy-ca Mar 18, 2032 08:42 UTC 9y no
Check that the cluster is still healthy
[root@m ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
m Ready master 2d22h v1.18.20
s1 Ready <none> 2d22h v1.18.20
s2 Ready <none> 2d22h v1.18.20
[root@m ~]# kubectl get po
NAME READY STATUS RESTARTS AGE
nginx-deploy-d46f5678b-524q5 1/1 Running 0 23m
nginx-deploy-d46f5678b-n69mq 1/1 Running 0 2d22h
nginx-deploy-d46f5678b-qkmcs 1/1 Running 0 2d22h
