kubeadm 默认签发的证书有效期为一年,一年后过期,会导致 API Server 不可用,使用过程中会出现:
- x509: certificate has expired or is not yet valid.
Google 建议通过不停升级版本来自动续期证书,太坑。
可以在初始化群集之前重新编译kubeadm,证书有效期自动为100年
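# Fetch the v1.18.0 source tree as a tarball (the git route below is the alternative).
wget https://github.com/kubernetes/kubernetes/archive/v1.18.0.tar.gz
# NOTE(review): nothing here checks the tarball's integrity. If a checksum is
# published for this release, compare it (sha256sum/sha512sum) before building,
# since the kubeadm built from this tree will issue your cluster's certificates.
tar -zxvf v1.18.0.tar.gz
mv kubernetes-1.18.0 kubernetes
# Stop here rather than applying the later edits in the wrong directory.
cd kubernetes || exit 1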
或者使用git获取
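# yum install git
git clone https://github.com/kubernetes/kubernetes.git
# Stop here rather than running git checkout in the wrong directory.
cd kubernetes || exit 1
# Creates a local branch at tag v1.18.0. The branch name is taken literally
# ("remotes/origin/release-1.18" is just a local branch name here, not a remote ref).
git checkout -b remotes/origin/release-1.18 v1.18.0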
如果拉不下来考虑下 整个蓝灯
修改证书有效期
查看网上的资料主要有两个地方需要修改
修改 CA 有效期为 100 年(默认为 10 年)
# Edit the CA validity in client-go's cert helper (the function is excerpted below).
vim ./staging/src/k8s.io/client-go/util/cert/cert.go
// 这个方法里面NotAfter: now.Add(duration365d * 10).UTC()
// 默认有效期就是10年,改成100年
// 按/NotAfter查找
// NewSelfSignedCACert builds a self-signed CA certificate for cfg, signed with key.
// Only the NotAfter line differs from upstream: the original 10-year validity is
// kept as a commented-out line directly above the replacement.
// In the editor, search for /NotAfter to find the spot.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		// serial number is fixed at 0 for this self-signed root
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore: now.UTC(),
		// upstream default (10 years): NotAfter: now.Add(duration365d * 10).UTC(),
		// NOTE(review): the value below is 90 years, not the 100 mentioned in the text.
		// A longer-lived CA also keeps a leaked CA key trusted for that whole span;
		// CA rotation has to be planned separately.
		NotAfter: now.Add(duration365d * 90).UTC(),
		KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA: true,
	}
	// self-signed: the template serves as both subject and issuer
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
修改证书有效期为 100 年(默认为 1 年)
# Edit the validity of the leaf certificates kubeadm signs (CertificateValidity, excerpted below).
vim ./cmd/kubeadm/app/constants/constants.go
// 就是这个常量定义CertificateValidity,改成*100年
const (
// KubernetesDir is the directory Kubernetes owns for storing various configuration files
KubernetesDir = "/etc/kubernetes"
// ManifestsSubDirName defines directory name to store manifests
ManifestsSubDirName = "manifests"
// TempDirForKubeadm defines temporary directory for kubeadm
// should be joined with KubernetesDir.
TempDirForKubeadm = "tmp"
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
// CertificateValidity = time.Hour * 24 * 365
CertificateValidity = time.Hour * 24 * 365 * 90
// CACertAndKeyBaseName defines certificate authority base name
CACertAndKeyBaseName = "ca"
// CACertName defines certificate name
CACertName = "ca.crt"
// CAKeyName defines certificate name
CAKeyName = "ca.key"
源代码改好了,接下来就是编译kubeadm了
3. 编译(两种方法看好了,别都搞一遍建议plan b)
PLAN A
Docker镜像编译(推荐)
查看 kube-cross 的 TAG 版本号:`cat ./build/build-image/cross/VERSION`,得到 v1.13.8-1
这里我们可以使用官方容器对代码进行编译:k8s.gcr.io/kube-cross:v1.13.6-1(当前只有1.13.6而不是1.13.8,未知)
拉取镜像
无法翻墙可以用下面的替代镜像:
# Pull the mirror of the kube-cross build image (same tag as the official image).
docker image pull gcrcontainer/kube-cross:v1.13.6-1
或者:`docker pull registry.aliyuncs.com/google_containers/kube-cross:v1.13.6-1`
- 编译
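# Template: docker run --rm -v <your modified source dir>:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross bash
# NOTE(review): gcrcontainer/kube-cross is a third-party mirror (see above). The kubeadm
# built inside it will issue your cluster's certificates, so prefer pinning an image you
# trust by digest (e.g. gcrcontainer/kube-cross@sha256:<DIGEST-PLACEHOLDER>) over a mutable tag.
docker run --rm -v /root/kubernetes:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross:v1.13.6-1 bash

# ---- the following lines are typed inside the container ----
cd /go/src/k8s.io/kubernetes || exit 1
# Build kubeadm only; kubelet/kubectl stay commented out because only kubeadm is needed here.
make all WHAT=cmd/kubeadm GOFLAGS=-v
# make all WHAT=cmd/kubelet GOFLAGS=-v
# make all WHAT=cmd/kubectl GOFLAGS=-v
# leave the container
exit

# ---- back on the host, inside /root/kubernetes ----
# The build output is at _output/bin/kubeadm; bin is a symlink and the real
# path is _output/local/bin/linux/amd64/kubeadm.
# Keep the packaged binary so the change can be reverted. A later package upgrade
# of kubeadm may overwrite /usr/bin/kubeadm again, so this step has to be repeated then.
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup || exit 1
# install(1) copies and sets the mode in one step (replaces cp + chmod +x).
install -m 0755 _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm || exit 1
# Confirm the rebuilt binary is the one found on PATH.
kubeadm version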
PLAN B
- 本机编译
环境需求参看官方文档。
软件包准备
CentOS:
# CentOS build prerequisites, installed in a single transaction.
yum install -y gcc make rsync jq
Ubuntu:
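# Ubuntu: build-essential pulls in gcc, make, etc. The original first apt call had
# no -y and would stop at a confirmation prompt; -y is added to match the next line.
sudo apt install -y build-essential
sudo apt install -y rsync jq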
GoLang 环境
查看 kube-cross 的 TAG 版本号
# cat ./build/build-image/cross/VERSION
v1.13.8-1
- 安装Go环境:
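# Install the Go toolchain matching the kube-cross version (1.13.8).
wget https://dl.google.com/go/go1.13.8.linux-amd64.tar.gz
# NOTE(review): the Go download page publishes a SHA256 for each archive; compare it
# before unpacking (placeholder below, substitute the published value):
# echo '<PUBLISHED-SHA256>  go1.13.8.linux-amd64.tar.gz' | sha256sum -c -
tar zxvf go1.13.8.linux-amd64.tar.gz -C /usr/local
# Add the following lines to /etc/profile:
#go setting
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH="$PATH:$GOROOT/bin"
# Reload the profile in the current shell so GOROOT/PATH take effect.
source /etc/profile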
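# Build kubeadm only; kubelet/kubectl stay commented out because only kubeadm is needed here.
make all WHAT=cmd/kubeadm GOFLAGS=-v
# make all WHAT=cmd/kubelet GOFLAGS=-v
# make all WHAT=cmd/kubectl GOFLAGS=-v
# The build output is at _output/bin/kubeadm; bin is a symlink and the real
# path is _output/local/bin/linux/amd64/kubeadm.
# Keep the packaged binary so the change can be reverted.
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup || exit 1
# install(1) copies and sets the mode in one step (replaces cp + chmod +x).
install -m 0755 _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm || exit 1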
4、执行命令更新证书
建议先备份证书,证书在 /etc/kubernetes/pki(其中包含私钥,备份要妥善保管)
- 检查证书到期时间
# Lists every kubeadm-managed certificate with its expiry and issuing CA (sample output below).
kubeadm alpha certs check-expiration
- 续订证书,查看可以使用的参数
[root@master100 kubernetes]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jan 14, 2022 07:19 UTC 280d no
apiserver Jan 14, 2022 07:19 UTC 280d ca no
apiserver-etcd-client Jan 14, 2022 07:19 UTC 280d etcd-ca no
apiserver-kubelet-client Jan 14, 2022 07:19 UTC 280d ca no
controller-manager.conf Jan 14, 2022 07:20 UTC 280d no
etcd-healthcheck-client Jan 14, 2022 07:19 UTC 280d etcd-ca no
etcd-peer Jan 14, 2022 07:19 UTC 280d etcd-ca no
etcd-server Jan 14, 2022 07:19 UTC 280d etcd-ca no
front-proxy-client Jan 14, 2022 07:19 UTC 280d front-proxy-ca no
scheduler.conf Jan 14, 2022 07:20 UTC 280d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 12, 2031 07:19 UTC 9y no
etcd-ca Jan 12, 2031 07:19 UTC 9y no
front-proxy-ca Jan 12, 2031 07:19 UTC 9y no
- 续订全部证书
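# Renew all kubeadm-managed leaf certificates. (The stray trailing backquote on the
# original line would have opened an unterminated command substitution.)
# The CA certificates are not re-issued by this command: the check-expiration output
# below still shows ca/etcd-ca/front-proxy-ca expiring in 2031.
# Restart the control-plane components afterwards so they load the renewed certs
# (see the kubeadm certificate-management docs). On newer kubeadm releases the
# subcommand lives under `kubeadm certs` instead of `kubeadm alpha certs`.
kubeadm alpha certs renew all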
- 再次查看证书有效期,全部都100年了(实际代码改的是 ×90,所以显示 89y)。注意 CA 本身不会被 renew 重新签发,仍是 2031 到期;另外 admin.conf 等客户端凭据也同样变成长期有效,一旦泄露无法靠过期失效,要妥善保管。
[root@master100 kubernetes]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Mar 19, 2111 06:21 UTC 89y no
apiserver Mar 19, 2111 06:21 UTC 89y ca no
apiserver-etcd-client Mar 19, 2111 06:21 UTC 89y etcd-ca no
apiserver-kubelet-client Mar 19, 2111 06:21 UTC 89y ca no
controller-manager.conf Mar 19, 2111 06:21 UTC 89y no
etcd-healthcheck-client Mar 19, 2111 06:21 UTC 89y etcd-ca no
etcd-peer Mar 19, 2111 06:21 UTC 89y etcd-ca no
etcd-server Mar 19, 2111 06:21 UTC 89y etcd-ca no
front-proxy-client Mar 19, 2111 06:21 UTC 89y front-proxy-ca no
scheduler.conf Mar 19, 2111 06:21 UTC 89y no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 12, 2031 07:19 UTC 9y no
etcd-ca Jan 12, 2031 07:19 UTC 9y no
front-proxy-ca Jan 12, 2031 07:19 UTC 9y no
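cd /etc/kubernetes/pki || exit 1
# Print the validity window of every certificate. The original parsed `ls` output and
# left $i unquoted; a glob plus quoting handles any filename, and the -e check skips
# the literal pattern when there are no matches.
for i in *.crt; do
  [[ -e "$i" ]] || continue
  printf '===== %s =====\n' "$i"
  openssl x509 -in "$i" -text -noout | grep -A 3 'Validity'
done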
===== apiserver.crt =====
Validity
Not Before: Jan 14 07:19:55 2021 GMT
Not After : Mar 19 06:21:27 2111 GMT
Subject: CN=kube-apiserver
===== apiserver-etcd-client.crt =====
Validity
Not Before: Jan 14 07:19:56 2021 GMT
Not After : Mar 19 06:21:27 2111 GMT
Subject: O=system:masters, CN=kube-apiserver-etcd-client
===== apiserver-kubelet-client.crt =====
Validity
Not Before: Jan 14 07:19:55 2021 GMT
Not After : Mar 19 06:21:27 2111 GMT
Subject: O=system:masters, CN=kube-apiserver-kubelet-client
===== ca.crt =====
Validity
Not Before: Jan 14 07:19:55 2021 GMT
Not After : Jan 12 07:19:55 2031 GMT
Subject: CN=kubernetes
===== front-proxy-ca.crt =====
Validity
Not Before: Jan 14 07:19:56 2021 GMT
Not After : Jan 12 07:19:56 2031 GMT
Subject: CN=front-proxy-ca
===== front-proxy-client.crt =====
Validity
Not Before: Jan 14 07:19:56 2021 GMT
Not After : Mar 19 06:21:29 2111 GMT
Subject: CN=front-proxy-client