zoukankan      html  css  js  c++  java
  • k8s证书过期问题

    一、背景

    k8s默认证书有效时间是1年,证书过期后就不能执行相关命令进行管理,如下图:

     二、查看证书有效时间

    可以看出RESIDUAL的显示结果是invalid,表示过期

    [root@master pki]# kubeadm certs check-expiration
    [check-expiration] Reading configuration from the cluster...
    [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
    [check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
    
    CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
    admin.conf                 Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
    apiserver                  Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
    apiserver-etcd-client      Dec 28, 2021 08:24 UTC   <invalid>       etcd-ca                 no      
    apiserver-kubelet-client   Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
    controller-manager.conf    Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
    etcd-healthcheck-client    Dec 28, 2021 08:24 UTC   <invalid>       etcd-ca                 no      
    etcd-peer                  Dec 28, 2021 08:24 UTC   <invalid>       etcd-ca                 no      
    etcd-server                Dec 28, 2021 08:24 UTC   <invalid>       etcd-ca                 no      
    front-proxy-client         Dec 28, 2021 08:24 UTC   <invalid>       front-proxy-ca          no      
    scheduler.conf             Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
    
    CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
    ca                      Dec 20, 2031 07:18 UTC   9y              no      
    etcd-ca                 Dec 20, 2031 07:18 UTC   9y              no      
    front-proxy-ca          Dec 20, 2031 07:18 UTC   9y              no  

    三、解决方案

    修改源码重新生成

    官方默认证书都是一年,我就以生成证书有效期为10年为例

    现在机器上安装go环境,这个过程就省略了,度娘下很简单

    1、查看当前环境安装的看k8s版本

    kubeamd  version
    

    2、下载源码

    github上下载看k8s的源码,版本是第一步查询的版本,过程略

    3、修改代码

    我的版本是1.23.1版本,修改/opt/kubernetes/cmd/kubeadm/app/util/pkiutil/pki_helpers.go文件,我的大概在653行,有可能不同版本地方不一样,可以通过kubeadmconstants.CertificateValidity关键词搜索定位

    注释掉notAfter := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()

    在上面添加:

    const year10 = time.Hour * 24 * 365 * 10

    notAfter := time.Now().Add(year10).UTC()

    4、重新编译

    make WHAT=cmd/kubeadm GOFLAGS=-v
    

    会在/opt/kubernetes/_output/bin 下生成kubeadm命令

    5、备份原来的kubeadm和证书文件,避免出错还原

    cp  /usr/bin/kubeadm /usr/bin/kubeadm_bak
    cp -r  /etc/kubernetes/pki /etc/kubernetes/pki_bak
    

    6、拷贝kubeadm到/usr/bin/下

    [root@master bin]# pwd
    /opt/kubernetes-master/_output/bin
    [root@master bin]# 
    [root@master bin]# 
    [root@master bin]# ll
    total 79136
    -rwxr-xr-x 1 root root  6295552 Dec 28 16:58 conversion-gen
    -rwxr-xr-x 1 root root  6021120 Dec 28 16:58 deepcopy-gen
    -rwxr-xr-x 1 root root  6029312 Dec 28 16:58 defaulter-gen
    -rwxr-xr-x 1 root root  3376703 Dec 28 16:58 go2make
    -rwxr-xr-x 1 root root 45187072 Dec 28 17:00 kubeadm
    -rwxr-xr-x 1 root root  8126464 Dec 28 16:58 openapi-gen
    -rwxr-xr-x 1 root root  5996544 Dec 28 16:58 prerelease-lifecycle-gen
    [root@master bin]# 
    [root@master bin]# cp kubeadm /usr/bin/
    cp: overwrite ‘/usr/bin/kubeadm’? y
    

    7、重新生成证书

    [root@master bin]# kubeadm certs renew all
    [renew] Reading configuration from the cluster...
    [renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
    [renew] Error reading configuration from the Cluster. Falling back to default configuration
    
    certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
    certificate for serving the Kubernetes API renewed
    certificate the apiserver uses to access etcd renewed
    certificate for the API server to connect to kubelet renewed
    certificate embedded in the kubeconfig file for the controller manager to use renewed
    certificate for liveness probes to healthcheck etcd renewed
    certificate for etcd nodes to communicate with each other renewed
    certificate for serving etcd renewed
    certificate for the front proxy client renewed
    certificate embedded in the kubeconfig file for the scheduler manager to use renewed
    
    Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
    

    8、重启相关服务

    [root@master bin]# docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
    3af36fb43da0
    6ff7681f2556
    91eaaacf2664
    b886b4e5f623
    

    9、确认证书时间

    这里图上看是9年有肯能是时间取整了的原因

     可以使用基本管理命令了

    作者:凉生墨客 本文版权归作者所有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接,否则保留追究法律责任的权利。
  • 相关阅读:
    面向对象之绑定方法与非绑定方法
    Django-admin源码解析
    单例模式
    Django-admin管理工具
    Django-CBV
    叠加装饰器,三元表达,生成,调用,递归
    迭代器与生成器
    有参装饰器
    储备知识与装饰器
    文件修改
  • 原文地址:https://www.cnblogs.com/heruiguo/p/15741473.html
Copyright © 2011-2022 走看看