1. 百年的kubeadm
1.1 源码修改
- 源码下载
cd /usr/local/src/
git clone -b release-1.15 https://github.com/kubernetes/kubernetes.git
- 再次确认分支
cd kubernetes
git branch -a
- 修改cert.go
vim ./staging/src/k8s.io/client-go/util/cert/cert.go
NotBefore: now.UTC(),
#修改下边的10为100
NotAfter: now.Add(duration365d * 10).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA:
- 修改constants.go
vim ./cmd/kubeadm/app/constants/constants.go
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
#将下边time.Hour * 100
CertificateValidity = time.Hour * 24 * 365
修改后如下:
vim ./cmd/kubeadm/app/constants/constants.go
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
CertificateValidity = time.Hour * 24 * 365 * 100
1.2 准备镜像
docker pull mirrorgooglecontainers/kube-cross:v1.12.10-1
官方提供的编译镜像,无论如何弄到服务器上就行了
1.3 编译
docker run --rm -it -v /usr/local/src/k8s.io/kubernetes:/go/src/k8s.io/kubernetes \
mirrorgooglecontainers/kube-cross:v1.12.10-1 bash
cd /go/src/k8s.io/kubernetes
make all WHAT=cmd/kubeadm GOFLAGS=-v
exit
1.4 成品备份
-
成品位置
编译好的成品在: _output/local/bin/linux/amd64/kubeadm -
成品测试
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/
chmod a+x /usr/bin/kubeadm
kubeadm version
- 成本保存
已上传至ftp服务器,ftp://10.252.97.213/soft/kubeadm
2. 生成证书
2.1 master主节点
- 将前边准备的kubeadm 拷贝到服务器
cd /usr/local/src
wget ftp://10.252.97.213/soft/kubeadm
- 替换原来kubeadm文件
cp /usr/bin/kubeadm /usr/bin/kubeadm_back
cp /usr/local/src/kubeadm /usr/bin/kubeadm
chmod 755 /usr/bin/kubeadm
- 备份配置文件和证书
cp -ra /etc/kubernetes /etc/kubernetes_back
- 查看证书到期时间
kubeadm alpha certs check-expiration
- 更新证书和配置文件
kubeadm alpha certs renew all
- 确认证书到期时间
[root@AiK8sM2 ~]# kubeadm alpha certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Apr 03, 2120 06:46 UTC 99y no
apiserver Apr 03, 2120 09:36 UTC 99y no
apiserver-etcd-client Apr 03, 2120 09:36 UTC 99y no
apiserver-kubelet-client Apr 03, 2120 09:36 UTC 99y no
controller-manager.conf Apr 03, 2120 09:36 UTC 99y no
etcd-healthcheck-client Apr 03, 2120 09:36 UTC 99y no
etcd-peer Apr 03, 2120 09:36 UTC 99y no
etcd-server Apr 03, 2120 09:36 UTC 99y no
front-proxy-client Apr 03, 2120 06:47 UTC 99y no
scheduler.conf Apr 03, 2120 09:36 UTC 99y no
- 重启docker
说明:主要为了重启proxy和etcd文章来源:https://www.toymoban.com/news/detail-582189.html
service docker restart
- 重启kubelet
service kubelet restart
2.2 其他master节点
- 拷贝100年的kubeadmin 文件
- 将前边准备的kubeadm 拷贝到服务器
cd /usr/local/src
wget ftp://10.252.97.213/soft/kubeadm
- 替换原来kubeadm文件
cp /usr/bin/kubeadm /usr/bin/kubeadm_back
cp /usr/local/src/kubeadm /usr/bin/kubeadm
chmod 755 /usr/bin/kubeadm
- 备份配置文件和证书
cp -ra /etc/kubernetes /etc/kubernetes_back
- 查看证书到期时间
kubeadm alpha certs check-expiration
- 更新证书和配置文件
kubeadm alpha certs renew all
- 确认证书到期时间
[root@AiK8sM2 ~]# kubeadm alpha certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Apr 03, 2120 06:46 UTC 99y no
apiserver Apr 03, 2120 09:36 UTC 99y no
apiserver-etcd-client Apr 03, 2120 09:36 UTC 99y no
apiserver-kubelet-client Apr 03, 2120 09:36 UTC 99y no
controller-manager.conf Apr 03, 2120 09:36 UTC 99y no
etcd-healthcheck-client Apr 03, 2120 09:36 UTC 99y no
etcd-peer Apr 03, 2120 09:36 UTC 99y no
etcd-server Apr 03, 2120 09:36 UTC 99y no
front-proxy-client Apr 03, 2120 06:47 UTC 99y no
scheduler.conf Apr 03, 2120 09:36 UTC 99y no
- 从master-01 上拷贝证书文件
从master01 上拷贝证书
ssh 10.251.137.187 "mkdir -p /etc/kubernetes/pki/etcd"
ssh 10.251.137.188 "mkdir -p /etc/kubernetes/pki/etcd"
scp -r /etc/kubernetes/admin.conf 10.251.137.187:/etc/kubernetes/admin.conf
scp -r /etc/kubernetes/admin.conf 10.251.137.188:/etc/kubernetes/admin.conf
scp -r /etc/kubernetes/pki/{ca.*,sa.*,front*} 10.251.137.187:/etc/kubernetes/pki/
scp -r /etc/kubernetes/pki/{ca.*,sa.*,front*} 10.251.137.188:/etc/kubernetes/pki/
scp -r /etc/kubernetes/pki/etcd/ca.* 10.251.137.187:/etc/kubernetes/pki/etcd/
scp -r /etc/kubernetes/pki/etcd/ca.* 10.251.137.188:/etc/kubernetes/pki/etcd/
- 重启docker
说明:主要为了重启proxy和etcd文章来源地址https://www.toymoban.com/news/detail-582189.html
service docker restart
- 重启kubelet
service kubelet restart
到了这里,关于k8s证书到期实际操作的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!