  • k8s 证书过期解决

    下载 kubernetes 源码

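    # "apt -get" is a typo (the space breaks the command name); the tool is apt-get.
    apt-get install git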
    
    # Clone the Kubernetes source tree into ./kubernetes; the release tag is
    # checked out in the next step.
    git clone https://github.com/kubernetes/kubernetes.git

    切换分支

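    # Create a local branch at the v1.13.0 tag. The original named the branch
    # "remotes/origin/release-1.13", which creates refs/heads/remotes/origin/...
    # and can then be reported by git as ambiguous with the remote-tracking
    # branch of the same name; a plain local name avoids that.
    cd kubernetes && git checkout -b release-1.13 v1.13.0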

    下载docker编译环境

    https://hub.docker.com/r/gcrcontainer/kube-cross/tags?page=2  在dockerhub 下载相应的版本

    # Pull the cross-compile image picked from the tags page above and start a
    # shell in it, with the checkout in /root/kubernetes mounted at the GOPATH
    # location the build expects (/go/src/k8s.io/kubernetes).
    # NOTE(review): gcrcontainer/* is a third-party mirror and the tag is
    # mutable; verify the image's provenance or pin it by digest
    # (image@sha256:<digest-placeholder>) before building a binary that will be
    # installed on the control plane.
    docker pull gcrcontainer/kube-cross:v1.13.1-1 
    docker run --rm -v /root/kubernetes/:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross:v1.13.1-1 bash

    修改源码

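    # Edit the certificate helper inside the build container. The source tree is
    # mounted at /go/src/k8s.io/kubernetes (see the docker run -v above), so the
    # path has to start there; the original "/kubernetes/..." path does not
    # exist either in the container or on the host (/root/kubernetes).
    vim /go/src/k8s.io/kubernetes/staging/src/k8s.io/client-go/util/cert/cert.go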
    
    maxAge := time.Hour * 24 * 365   #修改前       
    
    NotAfter:     time.Now().Add(duration365d).UTC()
    
     maxAge := time.Hour * 24 * 365 * 50  #修改后   给证书期限为50年
    
    NotAfter:     time.Now().Add(duration365d * 50).UTC()

    编译

    # Inside the build container: enter the mounted source tree (docker run -v above).
    cd /go/src/k8s.io/kubernetes
    
    # Build only kubeadm (WHAT=cmd/kubeadm); it is the only binary this
    # procedure replaces. GOFLAGS=-v makes the go build verbose.
    make all WHAT=cmd/kubeadm GOFLAGS=-v
    拷贝编译的文件
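    # Copy the kubeadm just built out of the tree. The original line had no
    # destination operand, so cp fails with "missing destination file operand".
    # DEST_DIR is a placeholder for the directory that should receive the binary
    # (the master steps later install it from the current directory).
    cp -- ./_output/local/bin/linux/amd64/kubeadm "${DEST_DIR:?set DEST_DIR to the directory that should receive kubeadm}"/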
    

    master  

    备份证书和配置文件

    # Back up the whole /etc/kubernetes tree (certificates, private keys and
    # kubeconfigs) into the current directory before anything is replaced.
    # The copy contains private keys: keep it root-only and remove it once the
    # rotation has been verified.
    cp -r  /etc/kubernetes/ ./
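    #!/usr/bin/env bash
    # Retire the current API-server, front-proxy and kubeconfig credentials by
    # renaming them to *.old, so that the kubeadm "certs" / "kubeconfig" phases
    # run afterwards regenerate them. ca.crt/ca.key are not touched; the
    # front-proxy CA is the only CA rotated here.
    # The *.old files still contain private keys: keep them root-only and delete
    # them once the new certificates are verified.
    set -euo pipefail

    pki=/etc/kubernetes/pki
    conf=/etc/kubernetes

    # Files to retire, in the order the original script moved them. Under set -e
    # a missing file stops the script, exactly as the original sequence did.
    retire=(
      "$pki/apiserver.key"
      "$pki/apiserver.crt"
      "$pki/apiserver-kubelet-client.crt"
      "$pki/apiserver-kubelet-client.key"
      "$pki/front-proxy-client.crt"
      "$pki/front-proxy-client.key"
      "$pki/front-proxy-ca.crt"
      "$pki/front-proxy-ca.key"
      "$conf/admin.conf"
      "$conf/kubelet.conf"
      "$conf/controller-manager.conf"
      "$conf/scheduler.conf"
    )

    for f in "${retire[@]}"; do
      sudo mv -- "$f" "$f.old"
    done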

    拷贝编译后的kubeadm

    # Install the rebuilt kubeadm over the existing one so the cert phases below
    # use the extended validity from the patched cert.go.
    # NOTE(review): a later package upgrade would overwrite /usr/bin/kubeadm and
    # silently revert to the stock validity — TODO confirm how kubeadm was installed.
    cp kubeadm /usr/bin/

    创建kubeadm-conf.yaml 文件

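    # Write the kubeadm configuration consumed by the "certs" and "kubeconfig"
    # phases. The delimiter is quoted so nothing in the YAML is expanded, and the
    # terminator is at column 0 (an indented EOF never ends a here-document).
    # NOTE(review): this is a v1alpha1 MasterConfiguration for v1.11.5, while the
    # kubeadm built above came from the v1.13.0 tag — confirm that binary still
    # accepts v1alpha1, or convert the file first with "kubeadm config migrate".
    # The commented-out token/etcd lines show this file can carry credentials;
    # umask 077 keeps it private even though it lives in the shared /tmp.
    ( umask 077; cat > /tmp/kubeadm-conf.yaml <<'EOF'
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
networking:
  podSubnet: 192.169.0.0/16
  serviceSubnet: 10.96.0.0/12
#apiServerCertSANs:
#- master01
#- master02
#- master03
#- 172.16.2.1
#- 172.16.2.2
#- 172.16.2.3
#- 172.16.2.100
#etcd:
#  endpoints:
#     - http://192.168.188.160:2379
#     - http://192.168.188.161:2379
#     - http://192.168.188.162:2379
#token: 2wt8ap.ev8cvrpuzt81zwm7
#tokenTTL: "0"
kubernetesVersion: v1.11.5
#imageRepository:
api:
  advertiseAddress: 192.168.188.160
kubeletConfiguration:
  baseConfig:
    evictionHard:
      imagefs.available: 6Gi
      memory.available: 512Mi
      nodefs.available: 3Gi
EOF
    )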
    # Regenerate, from the config written above, the certificates that were moved
    # aside earlier, then every kubeconfig file. Order matches the original:
    # front-proxy-ca is regenerated before front-proxy-client, which is signed by it.
    # NOTE(review): the config is read from a fixed name in the shared /tmp;
    # a private directory would be the safer home for it.
    cfg=/tmp/kubeadm-conf.yaml
    for cert in apiserver front-proxy-ca apiserver-kubelet-client front-proxy-client; do
      sudo kubeadm alpha phase certs "$cert" --config "$cfg"
    done
    sudo kubeadm alpha phase kubeconfig all --config "$cfg"
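    # Install the regenerated admin.conf as the current user's kubeconfig.
    # admin.conf is a cluster-admin credential, so it is chowned to the user and
    # should stay readable only by that user (check the mode after the copy).
    # ${HOME:?} aborts instead of running "rm -rf /.kube" if HOME is unset.
    sudo rm -rf -- "${HOME:?HOME must be set}/.kube"
    # The original line read "mkdir -p mkdir -p $HOME/.kube", which also created a
    # stray directory literally named "mkdir" in the working directory.
    mkdir -p -- "$HOME/.kube"
    sudo cp -i -- /etc/kubernetes/admin.conf "$HOME/.kube/config"
    sudo chown -- "$(id -u):$(id -g)" "$HOME/.kube/config"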

    查看证书时间

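    # Print the validity window of every certificate in the kubeadm pki directory,
    # not only front-proxy-client: apiserver, apiserver-kubelet-client and
    # front-proxy-ca were regenerated too and deserve the same check.
    for crt in /etc/kubernetes/pki/*.crt; do
      [[ -e "$crt" ]] || continue   # unmatched glob stays literal; skip it
      printf '%s\n' "$crt"
      openssl x509 -in "$crt" -noout -dates
    done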
    

    追加部分:

    为了不用每年都更新客户端证书，可以在 /etc/kubernetes/manifests/kube-controller-manager.yaml 的第 26 行左右添加下面内容(注意空格对齐):

         - --experimental-cluster-signing-duration=876000h0m0s

    修改完成后,需要删除/var/lib/kubelet/pki/下的文件,重新启动kubelet服务就可以了

    注意:如果未生成证书,请检查各节点时间是否同步

    创建永久token

    # Create a bootstrap token that never expires (--ttl 0) so nodes can re-join
    # after their kubelet certificates are removed (node steps below).
    # NOTE(review): a non-expiring bootstrap token is a standing node-join
    # credential; delete it with "kubeadm token delete <token>" once every node
    # has re-bootstrapped, or prefer a short TTL.
    kubeadm token create --ttl 0
    
    # Show the token value that goes into bootstrap-kubelet.conf on the nodes.
    kubeadm token list
    
    # Presumably the restart that makes the kubelet pick up the manifest edit and
    # the emptied /var/lib/kubelet/pki described above — confirm against the steps.
    systemctl restart kubelet

    node

    删除/var/lib/kubelet/pki/下的所有文件

    # Remove the kubelet's certificates; after the restart below the kubelet
    # bootstraps again with the token in bootstrap-kubelet.conf and repopulates
    # this directory (verified afterwards with "ls /var/lib/kubelet/pki/").
    rm -rf /var/lib/kubelet/pki/*

    替换 /etc/kubernetes/bootstrap-kubelet.conf 中的 token(原文截图中红色框的部分)为上面创建的 token 值

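    # Swap the bootstrap token in the kubelet's bootstrap kubeconfig for the one
    # created with "kubeadm token create" on the master. Both values below are the
    # page's example tokens; replace them with your cluster's old and new token.
    old_token='56d5fi.18j8g4fgca4lf1a1'
    new_token='06cymx.d1vcolksn9uwthqz'
    # Tokens are alphanumerics plus a single dot, so interpolating them into the
    # sed expression introduces no regex metacharacters. Note the new token is a
    # credential and is visible in shell history / process listings this way.
    sudo sed -i -e "s/${old_token}/${new_token}/g" /etc/kubernetes/bootstrap-kubelet.conf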

    重启kubelet 服务,systemctl restart kubelet

    检测是否成功,ls /var/lib/kubelet/pki/

    kubelet 自动续期

    https://www.cnblogs.com/lvcisco/p/11912637.html 

     docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-cross:v1.7.5-2

    https://www.cnblogs.com/skymyyang/p/11093686.html
    https://www.cnblogs.com/kuku0223/p/10509637.html
    https://hub.docker.com/r/gcrcontainer/kube-cross/tags?page=2
  • 原文地址:https://www.cnblogs.com/hanwei666/p/12058978.html