title: 更新k8s集群证书有效期 #标题tags: k8s #标签
categories: k8s # 分类
date: 2021-04-22
大多数文档,都推荐使用kubeadm来部署k8s集群,但是这种方式与二进制相比而言,有个弊端,就是大多数默认的证书有效期时间只有1年,最好是在初始化集群时,调整下证书有效期(可参考博文部署k8s集群)所以需要考虑证书升级的问题,此文档采用K8s 1.18.3版本,不保证其他版本也适用,建议自行测试。
在操作之前一定要先对证书目录进行备份,防止操作错误进行回滚。此文档记录下两种更新集群证书的方式。
手动更新证书
由 kubeadm 生成的客户端证书默认只有一年有效期,我们可以通过 check-expiration 命令来检查证书是否过期:
$ kubeadm alpha certs check-expiration[check-expiration] Reading configuration from the cluster...[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGEDadmin.conf Jul 19, 2021 09:11 UTC 319d noapiserver Jul 19, 2021 09:11 UTC 319d ca noapiserver-etcd-client Jul 19, 2021 09:11 UTC 319d etcd-ca noapiserver-kubelet-client Jul 19, 2021 09:11 UTC 319d ca nocontroller-manager.conf Jul 19, 2021 09:11 UTC 319d noetcd-healthcheck-client Jul 19, 2021 09:11 UTC 319d etcd-ca noetcd-peer Jul 19, 2021 09:11 UTC 319d etcd-ca noetcd-server Jul 19, 2021 09:11 UTC 319d etcd-ca nofront-proxy-client Jul 19, 2021 09:11 UTC 319d front-proxy-ca noscheduler.conf Jul 19, 2021 09:11 UTC 319d noCERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGEDca Jul 17, 2030 09:11 UTC 9y noetcd-ca Jul 17, 2030 09:11 UTC 9y nofront-proxy-ca Jul 17, 2030 09:11 UTC 9y no# 由上述输出,可以看到,多数证书的到期时间为 Jul 19, 2021 09:11,有效期还有319天# 还有三个证书的到期时间是 Jul 17, 2030 09:11,有效期还有9年
上述指令显示/etc/kubernetes/pki目录下的客户端证书及kubeadm 使用的 KUBECONFIG 文件中嵌入的客户端证书的到期时间/剩余时间。
———————————————————————我是分割线————————————————————————————-
补充问题:如果你的集群证书已过期,重启了kubelet又导致了你的apiserver挂了,6443端口已经不在监听,此时你基本无法对集群进行任何操作,包括查询,此时怎么办?
解决:
将你的master所在节点的宿主机时间修改为你证书有效期内的某一天,重启kubelet,搞定,6443成功监听,继续更换证书操作,更换成功后,将时间校准即可。
———————————————————————我是分割线————————————————————————————-
注意:kubeadm 不能管理由外部 CA 签名的证书,如果是外部的证书,需要自己手动去管理证书的更新。
另外需要说明的是上面的列表中没有包含 kubelet.conf,因为 kubeadm 将 kubelet 配置为自动更新证书。
另外 kubeadm 会在master节点升级的时候自动更新所有证书,所以使用 kubeadm 搭建的集群最佳的做法是经常升级集群,这样可以确保你的集群保持最新状态并保持合理的安全性。但是对于实际的生产环境我们可能并不会去频繁的升级集群,所以这个时候我们就需要去手动更新证书。
要手动更新证书也非常方便,我们只需要通过 kubeadm alpha certs renew 命令即可更新你的证书,这个命令用 CA(或者 front-proxy-CA )证书和存储在 /etc/kubernetes/pki 中的密钥执行更新。
注意:如果你运行了一个高可用的集群,你需要将第一台master更新的证书copy到其他master节点。
接下来更新集群证书,下面的操作都是在 master 节点上进行:
备份原有数据
$ kubeadm config view > /root/kubeadm.yaml # 生成集群配置的yaml文件$ cat kubeadm.yaml # 文件内容如下apiServer:extraArgs:authorization-mode: Node,RBACtimeoutForControlPlane: 4m0sapiVersion: kubeadm.k8s.io/v1beta2certificatesDir: /etc/kubernetes/pkiclusterName: kubernetescontrolPlaneEndpoint: apiserver.demo:6443controllerManager: {}dns:type: CoreDNSetcd:local:dataDir: /var/lib/etcdimageRepository: registry.cn-hangzhou.aliyuncs.com/google_containerskind: ClusterConfigurationkubernetesVersion: v1.18.3networking:dnsDomain: cluster.localpodSubnet: 10.100.0.1/16serviceSubnet: 10.96.0.0/16scheduler: {}# 备份原有证书$ mkdir /data/backup -p$ cp -rp /etc/kubernetes /data/backup/kubernetes_$(date +%F)$ ls /data/backup/kubernetes_$(date +%F) # 确认备份数据admin.conf controller-manager.conf kubelet.conf manifests pki scheduler.conf
更新证书
$ kubeadm alpha certs renew all --config=/root/kubeadm.yaml # 更新现有证书W0904 06:22:46.595339 27700 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewedcertificate for serving the Kubernetes API renewedcertificate the apiserver uses to access etcd renewedcertificate for the API server to connect to kubelet renewedcertificate embedded in the kubeconfig file for the controller manager to use renewedcertificate for liveness probes to healthcheck etcd renewedcertificate for etcd nodes to communicate with each other renewedcertificate for serving etcd renewedcertificate for the front proxy client renewedcertificate embedded in the kubeconfig file for the scheduler manager to use renewed
通过上面的命令证书就一键更新完成了,这个时候查看上面的证书可以看到过期时间已经是一年后的时间了:
$ kubeadm alpha certs check-expiration # 查看证书有效期
输出如下:
更新kubeconfig文件
$ rm -f /etc/kubernetes/*.conf$ kubeadm init phase kubeconfig all --config /root/kubeadm.yaml # 重新生成kubeconfig文件W0904 06:24:59.387870 29610 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io][kubeconfig] Using kubeconfig folder "/etc/kubernetes"[kubeconfig] Writing "admin.conf" kubeconfig file[kubeconfig] Writing "kubelet.conf" kubeconfig file[kubeconfig] Writing "controller-manager.conf" kubeconfig file[kubeconfig] Writing "scheduler.conf" kubeconfig file
重启相关pod
在所有Master上执行重启kube-apiserver、kube-controller、kube-scheduler、etcd这4个容器,以便使证书生效。
$ docker ps |egrep "k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd" | awk '{print $1}' | xargs docker rm -f
替换admin文件
$ mv ~/.kube/config{,.old}$ cp -i /etc/kubernetes/admin.conf ~/.kube/config$ chown $(id -u):$(id -g) ~/.kube/config
确认指令正常
至此,证书更新就完成了,执行以下指令,可以确认指令是否可以正常执行
$ kubectl get pods -A -o wide
输出如下:
源码编译kubeadm修改证书时间
备份集群配置
$ kubeadm config view > kubeadm-cluster.yaml # 备份$ kubectl version # 确定其版本Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:52:00Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}# 我这里的版本是18.3
修改kubeadm源码并编译
$ wget https://github.com/kubernetes/kubernetes/archive/v1.18.3.tar.gz$ tar zxf v1.18.3.tar.gz
修改CA证书时间
$ vim kubernetes-1.18.3/staging/src/k8s.io/client-go/util/cert/cert.go# 跳转至66行,将10修改为100(是将十年的ca证书修改为100年)65 NotBefore: now.UTC(),66 NotAfter: now.Add(duration365d * 100).UTC(),
具体位置如下:
修改其他证书有效期
$ vim kubernetes-1.18.3/cmd/kubeadm/app/constants/constants.go# 跳转至49行,修改如下(追加 * 100):CertificateValidity = time.Hour * 24 * 365 * 100
具体位置如下:
编译kubeadm
可以采用容器运行一个go环境,如果你的宿主机有go环境,则用宿主机进行编译即可。
$ wget https://dl.google.com/go/go1.13.9.linux-amd64.tar.gz$ tar zxf go1.13.9.linux-amd64.tar.gz -C /opt/$ cat >> /etc/profile << EOFexport GOROOT=/opt/goexport PATH=\$PATH:\$GOROOT/binEOF$ source /etc/profile$ go version # 确认版本信息go version go1.13.9 linux/amd64$ cd kubernetes-1.18.3/ # 进入kubeadm源码目录$ make all WHAT=cmd/kubeadm GOFLAGS=-v
执行上述命令后,等待1~2分钟,输入如下:
替换kubeadm指令
$ mv /usr/bin/kubeadm{,.bak}$ cp _output/local/bin/linux/amd64/kubeadm /usr/bin/
更新集群证书
$ kubeadm config view > kubeadm-cluster.yaml# 如果有多个master节点,请将 kubeadm-cluster.yaml 文件和编译后的kubeadm指令发送至其他master节点# 更新证书(若有多个master,则需要在所有master上执行)$ kubeadm alpha certs renew all --config=kubeadm-cluster.yamlW0904 07:23:15.938694 59308 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewedcertificate for serving the Kubernetes API renewedcertificate the apiserver uses to access etcd renewedcertificate for the API server to connect to kubelet renewedcertificate embedded in the kubeconfig file for the controller manager to use renewedcertificate for liveness probes to healthcheck etcd renewedcertificate for etcd nodes to communicate with each other renewedcertificate for serving etcd renewedcertificate for the front proxy client renewedcertificate embedded in the kubeconfig file for the scheduler manager to use renewed
更新kubeconfig文件
$ rm -f /etc/kubernetes/*.conf$ kubeadm init phase kubeconfig all --config kubeadm-cluster.yamlW0904 07:25:41.882636 61426 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io][kubeconfig] Using kubeconfig folder "/etc/kubernetes"[kubeconfig] Writing "admin.conf" kubeconfig file[kubeconfig] Writing "kubelet.conf" kubeconfig file[kubeconfig] Writing "controller-manager.conf" kubeconfig file[kubeconfig] Writing "scheduler.conf" kubeconfig file
重启相关pod
在所有Master上执行重启kube-apiserver、kube-controller、kube-scheduler、etcd这4个容器,以便使证书生效。
$ docker ps |egrep "k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd" | awk '{print $1}' | xargs docker restart
替换admin文件
$ mv ~/.kube/config{,.old}$ cp -i /etc/kubernetes/admin.conf ~/.kube/config$ chown $(id -u):$(id -g) ~/.kube/config
确认指令正常
至此,证书更新就完成了,执行以下指令,可以确认指令是否可以正常执行
$ kubectl get pods -A -o wide
查看证书有效期
$ kubeadm alpha certs check-expiration
输出如下:
若有收获,就点个赞吧
0 人点赞
