Kubernetes相关证书详细介绍:
在更新证书之前先查看一下当前证书的过期时间
[root@k8s-master01 ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Feb 20, 2022 05:57 UTC   363d            no
apiserver                  Feb 20, 2022 05:57 UTC   363d            no
apiserver-etcd-client      Feb 20, 2022 05:57 UTC   363d            no
apiserver-kubelet-client   Feb 20, 2022 05:57 UTC   363d            no
controller-manager.conf    Feb 20, 2022 05:57 UTC   363d            no
etcd-healthcheck-client    Feb 20, 2022 05:57 UTC   363d            no
etcd-peer                  Feb 20, 2022 05:57 UTC   363d            no
etcd-server                Feb 20, 2022 05:57 UTC   363d            no
front-proxy-client         Feb 20, 2022 05:57 UTC   363d            no
scheduler.conf             Feb 20, 2022 05:57 UTC   363d            no
Go环境部署:
[root@k8s-master01 ~]# wget https://dl.google.com/go/go1.15.6.linux-amd64.tar.gz
[root@k8s-master01 ~]# tar -zxvf go1.15.6.linux-amd64.tar.gz -C /usr/local
[root@k8s-master01 ~]# vim /etc/profile
添加: export PATH=$PATH:/usr/local/go/bin
[root@k8s-master01 ~]# source /etc/profile
下载Kubernetes源码
[root@k8s-master01 ~]# cd /home && git clone https://github.com/kubernetes/kubernetes.git
[root@k8s-master01 ~]# git clone -b 1.15.1 --depth=1 https://github.com/kubernetes/kubernetes.git   # 下载指定版本
[root@k8s-master01 home]# git checkout -b remotes/origin/release-1.15.1 v1.15.1   # 切换到当前使用的 Kubernetes 版本
修改 Kubeadm 源码包更新证书策略
[root@k8s-master01 home]# vim staging/src/k8s.io/client-go/util/cert/cert.go   # kubeadm 1.14 版本之前
[root@k8s-master01 home]# vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go      # kubeadm 1.14 至今
const duration365d = time.Hour * 24 * 365
NotAfter: time.Now().Add(duration365d).UTC(),
(需要把此处的证书有效期改为所需的时长后再编译)
[root@k8s-master01 home]# make WHAT=cmd/kubeadm GOFLAGS=-v
[root@k8s-master01 home]# cp _output/bin/kubeadm /root/kubeadm-new
更新 kubeadm
# 将 kubeadm 进行替换
[root@k8s-master01 home]# cp /usr/bin/kubeadm /usr/bin/kubeadm.old
[root@k8s-master01 home]# cp /root/kubeadm-new /usr/bin/kubeadm
[root@k8s-master01 home]# chmod a+x /usr/bin/kubeadm
更新各节点证书至 Master 节点
[root@k8s-master01 home]# cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old
[root@k8s-master01 home]# cd /etc/kubernetes/pki
[root@k8s-master01 pki]# kubeadm alpha certs renew all --config=/root/kubeadm-config.yaml
[root@k8s-master01 pki]# openssl x509 -in apiserver.crt -text -noout | grep Not
HA集群其余 master 节点证书更新
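#!/bin/bash
#######################################
# Copy the renewed cluster CA / service-account key material and admin.conf
# from this control-plane node to the other control-plane nodes.
# Globals:   CONTROL_PLANE_IPS - space-separated list of target IPs; when
#            unset, the masterNode list below is used instead
#            USER              - login used for the pki copy
# Outputs:   scp progress on stdout/stderr
# Returns:   non-zero as soon as any copy fails (set -e)
#######################################
set -euo pipefail

masterNode="192.168.66.20 192.168.66.21"

# Earlier variant that copied straight into /etc/kubernetes on the targets:
# for host in ${masterNode}; do
#   scp /etc/kubernetes/pki/{ca.crt,ca.key,sa.key,sa.pub,front-proxy-ca.crt,front-proxy-ca.key} "${USER}"@$host:/etc/kubernetes/pki/
#   scp /etc/kubernetes/pki/etcd/{ca.crt,ca.key} "root"@$host:/etc/kubernetes/pki/etcd
#   scp /etc/kubernetes/admin.conf "root"@$host:/etc/kubernetes/
# done

# The loop used to read only CONTROL_PLANE_IPS, so with that variable unset it
# silently copied nothing; fall back to the masterNode list defined above.
control_plane_ips=${CONTROL_PLANE_IPS:-$masterNode}

# Unquoted on purpose: the list is space-separated and must be word-split.
for host in ${control_plane_ips}; do
  # ca.key, sa.key and etcd/ca.key are private keys: the /root/... staging
  # directories on the target must already exist and should stay root-only.
  scp /etc/kubernetes/pki/{ca.crt,ca.key,sa.key,sa.pub,front-proxy-ca.crt,front-proxy-ca.key} "${USER}"@"${host}":/root/pki/
  scp /etc/kubernetes/pki/etcd/{ca.crt,ca.key} "root"@"${host}":/root/etcd
  scp /etc/kubernetes/admin.conf "root"@"${host}":/root/kubernetes/
done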
再次查看证书过期时间
[root@k8s-master01 ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Feb 20, 2032 05:57 UTC   363d            no
apiserver                  Feb 20, 2032 05:57 UTC   363d            no
apiserver-etcd-client      Feb 20, 2032 05:57 UTC   363d            no
apiserver-kubelet-client   Feb 20, 2032 05:57 UTC   363d            no
controller-manager.conf    Feb 20, 2032 05:57 UTC   363d            no
etcd-healthcheck-client    Feb 20, 2032 05:57 UTC   363d            no
etcd-peer                  Feb 20, 2022 05:57 UTC   363d            no
etcd-server                Feb 20, 2022 05:57 UTC   363d            no
front-proxy-client         Feb 20, 2022 05:57 UTC   363d            no
scheduler.conf             Feb 20, 2032 05:57 UTC   363d            no
转载地址:http://txqoz.baihongyu.com/