  • k8s 证书过期解决

    下载kubernetest 源码

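    # git is only needed to fetch the kubernetes source for the patched build.
    # The original line read "apt -get" (with a space), which is not a command;
    # the tool is apt-get. -y keeps the step non-interactive.
    apt-get install -y git

    git clone https://github.com/kubernetes/kubernetes.git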

    切换分支

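    # Check out the tag this guide patches (v1.13.0) onto a local branch. The
    # original named the branch "remotes/origin/release-1.13", which lives in the
    # same namespace git uses for remote-tracking refs and makes later ref names
    # ambiguous; any plain local name works (the one below is just an example).
    cd kubernetes && git checkout -b cert-lifetime-v1.13.0 v1.13.0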

    下载docker编译环境

    https://hub.docker.com/r/gcrcontainer/kube-cross/tags?page=2  在dockerhub 下载相应的版本

    # Build toolchain image. gcrcontainer/kube-cross is a third-party copy of the
    # upstream kube-cross image, not one published by the Kubernetes project, so
    # the toolchain that produces kubeadm comes from an unverified source; at
    # least record the digest that was pulled (docker images --digests).
    image=gcrcontainer/kube-cross:v1.13.1-1
    docker pull "$image"
    # Bind-mount the host checkout at the GOPATH location the build expects.
    docker run --rm -it -v /root/kubernetes/:/go/src/k8s.io/kubernetes "$image" bash

    修改源码

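    # Inside the build container the tree is mounted at /go/src/k8s.io/kubernetes
    # (the -v of the docker run above); the original path /kubernetes/... exists
    # neither in the container nor on the host (/root/kubernetes).
    vim /go/src/k8s.io/kubernetes/staging/src/k8s.io/client-go/util/cert/cert.go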
    
    maxAge := time.Hour * 24 * 365   #修改前       
    
    NotAfter:     time.Now().Add(duration365d).UTC()
    
     maxAge := time.Hour * 24 * 365 * 50  #修改后   给证书期限为50年
    
    NotAfter:     time.Now().Add(duration365d * 50).UTC()

    编译

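    # Abort instead of running make in the wrong directory if the mount is missing.
    cd /go/src/k8s.io/kubernetes || exit 1

    # Build only kubeadm; it is the sole component that carries the patched
    # certificate lifetime, every other cluster binary stays as installed.
    make all WHAT=cmd/kubeadm GOFLAGS=-v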
    拷贝编译的文件
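    # The original line had no destination. The repo root is the host's
    # /root/kubernetes bind mount, so copying there makes the binary visible
    # outside the container; override with KUBEADM_DEST to copy elsewhere.
    cp -- ./_output/local/bin/linux/amd64/kubeadm "${KUBEADM_DEST:-.}"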
    

    master  

    备份证书和配置文件

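    # Back up the live certificates and kubeconfigs before anything is replaced.
    # -a (-dR --preserve=all) keeps ownership, modes and timestamps of the key
    # files; -- stops option parsing. The resulting ./kubernetes/ directory
    # contains the cluster CA and every private key: keep it out of shared or
    # world-readable locations and remove it once the rotation is verified.
    cp -a -- /etc/kubernetes/ ./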
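    #!/usr/bin/env bash
    # Move aside the certificates and kubeconfigs that will be regenerated by the
    # "kubeadm alpha phase" steps below. Not in this list, and therefore untouched:
    # pki/ca.crt, pki/ca.key, pki/sa.*, pki/etcd/ - the cluster CA itself is not
    # rotated here, only the leaf certs and the front-proxy CA/client pair.
    set -euo pipefail

    pki=/etc/kubernetes/pki
    conf=/etc/kubernetes

    # Files are renamed to <name>.old, not deleted. Under set -e a missing file
    # aborts the script part-way, so check the list against the host first.
    # The .old key files remain valid private keys until they are deleted.
    for f in \
      apiserver.key apiserver.crt \
      apiserver-kubelet-client.crt apiserver-kubelet-client.key \
      front-proxy-client.crt front-proxy-client.key \
      front-proxy-ca.crt front-proxy-ca.key; do
      sudo mv -- "$pki/$f" "$pki/$f.old"
    done

    for f in admin.conf kubelet.conf controller-manager.conf scheduler.conf; do
      sudo mv -- "$conf/$f" "$conf/$f.old"
    done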

    拷贝编译后的kubeadm

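    # Install the patched kubeadm over the existing one. install(1) sets an
    # explicit mode instead of inheriting whatever the build/copy left behind.
    # If kubeadm came from a distro package, a later package upgrade will
    # presumably replace this binary with an unpatched one - confirm with the
    # package manager and hold the package if that matters.
    install -m 0755 -- kubeadm /usr/bin/kubeadm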

    创建kubeadm-conf.yaml 文件

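    # Write the kubeadm config consumed by the "alpha phase certs/kubeconfig"
    # commands below. The delimiter is quoted so no line of the YAML is subject
    # to shell expansion.
    # NOTE(review): kubeadm.k8s.io/v1alpha1 + MasterConfiguration is the v1.11
    # schema and kubernetesVersion says v1.11.5, while the kubeadm built above is
    # from v1.13.0; if that kubeadm rejects the file, convert it first with
    # "kubeadm config migrate". podSubnet 192.169.0.0/16 is publicly routable
    # space, not RFC 1918 - confirm it is intentional. The file lands at a fixed,
    # predictable path in /tmp and the commented "token:" line is a bootstrap
    # token; do not leave credentials in this file once the run is done.
    cat > /tmp/kubeadm-conf.yaml <<'EOF'
    apiVersion: kubeadm.k8s.io/v1alpha1
    kind: MasterConfiguration
    networking:
      podSubnet: 192.169.0.0/16
      serviceSubnet: 10.96.0.0/12
    #apiServerCertSANs:
    #- master01
    #- master02
    #- master03
    #- 172.16.2.1
    #- 172.16.2.2
    #- 172.16.2.3
    #- 172.16.2.100
    #etcd:
    #  endpoints:
    #     - http://192.168.188.160:2379
    #     - http://192.168.188.161:2379
    #     - http://192.168.188.162:2379
    #token: 2wt8ap.ev8cvrpuzt81zwm7
    #tokenTTL: "0"
    kubernetesVersion: v1.11.5
    #imageRepository:
    api:
      advertiseAddress: 192.168.188.160
    kubeletConfiguration:
      baseConfig:
        evictionHard:
          imagefs.available: 6Gi
          memory.available: 512Mi
          nodefs.available: 3Gi
    EOF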
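    # Regenerate only the certs that were moved aside, from the config written
    # to /tmp/kubeadm-conf.yaml. The order of the front-proxy pair matters:
    # front-proxy-ca has to exist before front-proxy-client can be signed by it.
    # "kubeconfig all" then rewrites admin/kubelet/controller-manager/scheduler
    # .conf against the cluster CA, which this procedure does not rotate.
    # set -e stops at the first failing phase instead of running on with a
    # half-regenerated pki directory.
    set -e
    conf=/tmp/kubeadm-conf.yaml
    for phase in apiserver front-proxy-ca apiserver-kubelet-client front-proxy-client; do
      sudo kubeadm alpha phase certs "$phase" --config "$conf"
    done
    sudo kubeadm alpha phase kubeconfig all --config "$conf"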
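    # Replace the local kubectl config with the freshly generated admin.conf.
    # The original "mkdir -p mkdir -p $HOME/.kube" also created a stray ./mkdir
    # directory; ${HOME:?} makes the rm refuse to run if HOME is unset or empty.
    # This removes the whole ~/.kube (other contexts, cache too), not only config.
    # admin.conf is a cluster-admin credential; it ends up owned by this user.
    sudo rm -rf -- "${HOME:?}/.kube"
    mkdir -p -- "$HOME/.kube"
    sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
    sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"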

    查看证书时间

    # Confirm the new validity window of one regenerated cert. apiserver.crt and
    # the other files replaced above can be checked the same way; -enddate alone
    # prints only the expiry.
    openssl x509 -noout -dates -in /etc/kubernetes/pki/front-proxy-client.crt
    

    追加部分:

    为了不用每年都更新客户端证书，可以在 /etc/kubernetes/manifests/kube-controller-manager.yaml 的第26行左右添加下面内容(注意空格对齐):

         - --experimental-cluster-signing-duration=876000h0m0s

    修改完成后,需要删除/var/lib/kubelet/pki/下的文件,重新启动kubelet服务就可以了

    注意:如果未生成证书,请检查时间是否同步

    创建永久token

    # A bootstrap token created with --ttl 0 never expires. It is later written
    # into /etc/kubernetes/bootstrap-kubelet.conf on every node (see the node
    # section), so anyone who reads it can join nodes to the cluster indefinitely.
    # Prefer a short TTL per join and remove it afterwards with
    # "kubeadm token delete <token>".
    ttl=0
    kubeadm token create --ttl "$ttl"

    # Lists the token value that the node-side sed below needs.
    kubeadm token list

    systemctl restart kubelet

    node

    删除/var/lib/kubelet/pki/下的所有文件

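    # Drop the kubelet's existing client certificate material; the following
    # steps restart kubelet and expect new files to appear in this directory.
    # ${...:?} aborts instead of expanding to "rm -rf /*" if the variable is
    # ever empty; -- ends option parsing before the glob results.
    kubelet_pki=/var/lib/kubelet/pki
    rm -rf -- "${kubelet_pki:?}"/*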

    替换/etc/kubernetes/bootstrap-kubelet.conf中的token(红色框的部分)为上面创建的token值

    # Swap the bootstrap token in the node's bootstrap kubeconfig. Both values are
    # the example tokens from this page (old on the left, new on the right); set
    # new_token to the value printed by "kubeadm token create" on the master.
    # The file holds a credential: keep it root-owned and 0600, and avoid
    # echoing the token into shell history or logs.
    old_token=56d5fi.18j8g4fgca4lf1a1
    new_token=06cymx.d1vcolksn9uwthqz
    sudo sed -i "s/$old_token/$new_token/g" /etc/kubernetes/bootstrap-kubelet.conf

    重启kubelet 服务,systemctl restart kubelet

    检测是否成功,ls /var/lib/kubelet/pki/

    kubelet 自动续期

    https://www.cnblogs.com/lvcisco/p/11912637.html 

    # Alternative kube-cross image from a mirror registry. Same caveat as the
    # gcrcontainer image above: a third-party copy of the build toolchain, not an
    # image published by the Kubernetes project. Note the tag (v1.7.5-2) is a
    # different toolchain version than the v1.13.1-1 used earlier on this page.
    image=registry.cn-hangzhou.aliyuncs.com/google_containers/kube-cross:v1.7.5-2
    docker pull "$image"

    https://www.cnblogs.com/skymyyang/p/11093686.html
    https://www.cnblogs.com/kuku0223/p/10509637.html
    https://hub.docker.com/r/gcrcontainer/kube-cross/tags?page=2