
Changing the k8s certificate validity to 99 years on a kubeadm cluster

Published: 2025/1/21

Changing the certificate validity with kubeadm

(1) Check the current certificate expiry

# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 20, 2021 11:21 UTC   364d                                    no
apiserver                  Jun 20, 2021 11:21 UTC   364d            ca                      no
apiserver-etcd-client      Jun 20, 2021 11:21 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jun 20, 2021 11:21 UTC   364d            ca                      no
controller-manager.conf    Jun 20, 2021 11:21 UTC   364d                                    no
etcd-healthcheck-client    Jun 20, 2021 11:21 UTC   364d            etcd-ca                 no
etcd-peer                  Jun 20, 2021 11:21 UTC   364d            etcd-ca                 no
etcd-server                Jun 20, 2021 11:21 UTC   364d            etcd-ca                 no
front-proxy-client         Jun 20, 2021 11:21 UTC   364d            front-proxy-ca          no
scheduler.conf             Jun 20, 2021 11:21 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 18, 2030 11:21 UTC   9y              no
etcd-ca                 Jun 18, 2030 11:21 UTC   9y              no
front-proxy-ca          Jun 18, 2030 11:21 UTC   9y              no

(2) Download the source code

git clone https://github.com/kubernetes/kubernetes.git

(3) Switch to the version your cluster runs and modify the source; mine, for example, is v1.17.2

cd kubernetes
git checkout v1.17.2

vim cmd/kubeadm/app/constants/constants.go, find CertificateValidity and change it as follows

....
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"

	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	CertificateValidity = time.Hour * 24 * 365 * 100
....

(4) Build kubeadm

make WHAT=cmd/kubeadm

The build produces the following directory and binaries

# ll _output/bin/
total 76172
-rwxr-xr-x 1 root root  6799360 Jun 20 21:08 conversion-gen
-rwxr-xr-x 1 root root  6778880 Jun 20 21:08 deepcopy-gen
-rwxr-xr-x 1 root root  6750208 Jun 20 21:08 defaulter-gen
-rwxr-xr-x 1 root root  4883629 Jun 20 21:08 go2make
-rwxr-xr-x 1 root root  2109440 Jun 20 21:09 go-bindata
-rwxr-xr-x 1 root root 39256064 Jun 20 21:11 kubeadm
-rwxr-xr-x 1 root root 11419648 Jun 20 21:09 openapi-gen

(5) Back up the original kubeadm binary and the certificate files

cp /usr/bin/kubeadm{,.bak20200620}
cp -r /etc/kubernetes/pki{,.bak20200620}

(7) Replace kubeadm with the newly built binary

cp _output/bin/kubeadm /usr/bin/kubeadm

(8) Generate the new certificates

cd /etc/kubernetes/pki
kubeadm alpha certs renew all

Output:

[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

(9) Verify the result

kubeadm alpha certs check-expiration

Output:

[root@k8s-master pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 27, 2120 13:25 UTC   99y                                     no
apiserver                  May 27, 2120 13:25 UTC   99y             ca                      no
apiserver-etcd-client      May 27, 2120 13:25 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   May 27, 2120 13:25 UTC   99y             ca                      no
controller-manager.conf    May 27, 2120 13:25 UTC   99y                                     no
etcd-healthcheck-client    May 27, 2120 13:25 UTC   99y             etcd-ca                 no
etcd-peer                  May 27, 2120 13:25 UTC   99y             etcd-ca                 no
etcd-server                May 27, 2120 13:25 UTC   99y             etcd-ca                 no
front-proxy-client         May 27, 2120 13:25 UTC   99y             front-proxy-ca          no
scheduler.conf             May 27, 2120 13:25 UTC   99y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 18, 2030 11:21 UTC   9y              no
etcd-ca                 Jun 18, 2030 11:21 UTC   9y              no
front-proxy-ca          Jun 18, 2030 11:21 UTC   9y              no

Check that the cluster status is OK.

[root@k8s-master pki]# kubectl get node
NAME         STATUS   ROLES    AGE    VERSION
k8s-master   Ready    master   127m   v1.17.2
k8s-node01   Ready    <none>   94m    v1.17.2
k8s-node02   Ready    <none>   95m    v1.17.2
[root@k8s-master pki]# kubectl get pod -n kube-system
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-589b5f594b-76vwr   1/1     Running   0          93m
calico-node-4qvfj                          1/1     Running   0          93m
calico-node-cn79s                          1/1     Running   0          93m
calico-node-sppn9                          1/1     Running   0          93m
coredns-7f9c544f75-hc5q5                   1/1     Running   0          127m
coredns-7f9c544f75-z77s8                   1/1     Running   0          127m
etcd-k8s-master                            1/1     Running   0          114m
kube-apiserver-k8s-master                  1/1     Running   0          115m
kube-controller-manager-k8s-master         1/1     Running   0          114m
kube-proxy-6kckk                           1/1     Running   0          94m
kube-proxy-r7mn2                           1/1     Running   0          127m
kube-proxy-zf48c                           1/1     Running   0          95m
kube-scheduler-k8s-master                  1/1     Running   0          114m

The certificate change is now complete.
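Added example (not from the original article or the Kubernetes project): the check-expiration output above still lists ca, etcd-ca and front-proxy-ca as expiring on Jun 18, 2030, because the renewal re-signs only the leaf certificates. The Go program below issues a throwaway 10-year CA and a 100-year leaf and shows that chain verification of the leaf fails once the CA has expired; the names, dates and the helpers newCert and verifyAt are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert (hypothetical helper) issues a throwaway cert; parent == nil yields a self-signed CA.
func newCert(cn string, years int, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	nb := time.Date(2020, 6, 20, 11, 21, 0, 0, time.UTC) // constructed issue date
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(int64(years)), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: nb.AddDate(years, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// verifyAt validates leaf with ca as the only trust root and the clock set to at.
func verifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}

func main() {
	ca, caKey := newCert("kubernetes", 10, nil, nil)     // CA valid 2020 to 2030
	leaf, _ := newCert("kube-apiserver", 100, ca, caKey) // leaf valid 2020 to 2120
	fmt.Println("2025:", verifyAt(leaf, ca, time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)))
	fmt.Println("2031:", verifyAt(leaf, ca, time.Date(2031, 1, 1, 0, 0, 0, 0, time.UTC)))
}
```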

If downloading from GitHub is slow, you can download from gitee instead: https://gitee.com/mirrors/Kubernetes/tree/master/

Reference:

https://cloud.tencent.com/developer/article/1650657
