    k8s certificate expiry problem

    I. Background

    The default validity of k8s certificates is 1 year. Once they expire, the management commands can no longer be run, as shown in the figure below:

    II. Checking certificate validity

    The RESIDUAL TIME column shows <invalid>, which means the certificate has expired.

    [root@master pki]# kubeadm certs check-expiration
    [check-expiration] Reading configuration from the cluster...
    [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
    [check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
    
    CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
    admin.conf                 Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
    apiserver                  Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
    apiserver-etcd-client      Dec 28, 2021 08:24 UTC   <invalid>       etcd-ca                 no      
    apiserver-kubelet-client   Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
    controller-manager.conf    Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
    etcd-healthcheck-client    Dec 28, 2021 08:24 UTC   <invalid>       etcd-ca                 no      
    etcd-peer                  Dec 28, 2021 08:24 UTC   <invalid>       etcd-ca                 no      
    etcd-server                Dec 28, 2021 08:24 UTC   <invalid>       etcd-ca                 no      
    front-proxy-client         Dec 28, 2021 08:24 UTC   <invalid>       front-proxy-ca          no      
    scheduler.conf             Dec 28, 2021 08:24 UTC   <invalid>       ca                      no      
    
    CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
    ca                      Dec 20, 2031 07:18 UTC   9y              no      
    etcd-ca                 Dec 20, 2031 07:18 UTC   9y              no      
    front-proxy-ca          Dec 20, 2031 07:18 UTC   9y              no  
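    As an added example (not code from the original post), the following Go program parses the check-expiration output shown above and lists the certificates that are already expired or will expire within a warning window, which is the check a monitoring job should run before the cluster locks you out. The sample table is constructed from this page's output and the "now" date of 2021-12-29 is an assumption.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleOutput is a constructed excerpt of `kubeadm certs check-expiration`
// in the format shown on this page.
const sampleOutput = `[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 28, 2021 08:24 UTC   <invalid>       ca                      no
apiserver                  Dec 28, 2021 08:24 UTC   <invalid>       ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 20, 2031 07:18 UTC   9y              no
`

// parseCheckExpiration maps certificate name -> EXPIRES; non-table lines are skipped.
func parseCheckExpiration(out string) map[string]time.Time {
	rows := map[string]time.Time{}
	for _, line := range strings.Split(out, "\n") {
		if f := strings.Fields(line); len(f) >= 7 {
			// EXPIRES spans fields 1..5, e.g. "Dec 28, 2021 08:24 UTC".
			if t, err := time.Parse("Jan 2, 2006 15:04 MST", strings.Join(f[1:6], " ")); err == nil {
				rows[f[0]] = t
			}
		}
	}
	return rows
}

// needsRenewal returns, sorted, the certificates already expired or expiring
// within warnDays: the check to run from cron before the cluster locks you out.
func needsRenewal(rows map[string]time.Time, now time.Time, warnDays int) []string {
	var names []string
	for name, exp := range rows {
		if exp.Before(now.Add(time.Duration(warnDays) * 24 * time.Hour)) {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	// Assumed "now" of 2021-12-29 with a 30-day window: both leaf certs are flagged.
	now := time.Date(2021, 12, 29, 0, 0, 0, 0, time.UTC)
	fmt.Println(needsRenewal(parseCheckExpiration(sampleOutput), now, 30))
}
```

    Pipe the real command output into parseCheckExpiration instead of the sample to use it on a live control-plane node.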

    III. Solution

    Modify the source and rebuild

    The official default validity is one year for every certificate; I will use a 10-year validity as the example.

    First install a Go environment on the machine; I will skip that process, a quick search on Baidu makes it easy.

    1. Check the k8s version installed in the current environment

    kubeadm version
    

    2. Download the source code

    Download the k8s source from GitHub at the version found in step 1; process omitted.

    3. Modify the code

    My version is 1.23.1. Edit the file /opt/kubernetes/cmd/kubeadm/app/util/pkiutil/pki_helpers.go; in my copy the spot is around line 653, but it may differ between versions, so search for the keyword kubeadmconstants.CertificateValidity to locate it.

    Comment out notAfter := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()

    Add above it:

    const year10 = time.Hour * 24 * 365 * 10

    notAfter := time.Now().Add(year10).UTC()

    4. Rebuild

    make WHAT=cmd/kubeadm GOFLAGS=-v
    

    The kubeadm binary is generated under /opt/kubernetes/_output/bin

    5. Back up the original kubeadm and the certificate files so they can be restored if something goes wrong

    cp  /usr/bin/kubeadm /usr/bin/kubeadm_bak
    cp -r  /etc/kubernetes/pki /etc/kubernetes/pki_bak
    

    6. Copy kubeadm to /usr/bin/

    [root@master bin]# pwd
    /opt/kubernetes-master/_output/bin
    [root@master bin]# 
    [root@master bin]# 
    [root@master bin]# ll
    total 79136
    -rwxr-xr-x 1 root root  6295552 Dec 28 16:58 conversion-gen
    -rwxr-xr-x 1 root root  6021120 Dec 28 16:58 deepcopy-gen
    -rwxr-xr-x 1 root root  6029312 Dec 28 16:58 defaulter-gen
    -rwxr-xr-x 1 root root  3376703 Dec 28 16:58 go2make
    -rwxr-xr-x 1 root root 45187072 Dec 28 17:00 kubeadm
    -rwxr-xr-x 1 root root  8126464 Dec 28 16:58 openapi-gen
    -rwxr-xr-x 1 root root  5996544 Dec 28 16:58 prerelease-lifecycle-gen
    [root@master bin]# 
    [root@master bin]# cp kubeadm /usr/bin/
    cp: overwrite ‘/usr/bin/kubeadm’? y
    

    7. Regenerate the certificates

    [root@master bin]# kubeadm certs renew all
    [renew] Reading configuration from the cluster...
    [renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
    [renew] Error reading configuration from the Cluster. Falling back to default configuration
    
    certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
    certificate for serving the Kubernetes API renewed
    certificate the apiserver uses to access etcd renewed
    certificate for the API server to connect to kubelet renewed
    certificate embedded in the kubeconfig file for the controller manager to use renewed
    certificate for liveness probes to healthcheck etcd renewed
    certificate for etcd nodes to communicate with each other renewed
    certificate for serving etcd renewed
    certificate for the front proxy client renewed
    certificate embedded in the kubeconfig file for the scheduler manager to use renewed
    
    Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
    

    8. Restart the relevant services

    [root@master bin]# docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
    3af36fb43da0
    6ff7681f2556
    91eaaacf2664
    b886b4e5f623
    

    9. Confirm the certificate validity

    The output here shows 9y; this is most likely because the remaining time is truncated to whole years.

    The basic management commands can be used again. If your $HOME/.kube/config is a copy of /etc/kubernetes/admin.conf, copy the renewed admin.conf over it first, since the old copy still embeds the expired client certificate.

    Author: 凉生墨客. The copyright of this article belongs to the author. Reposting is welcome, but without the author's consent this notice must be retained and a link to the original given in a prominent position on the article page; otherwise the author reserves the right to pursue legal liability.
    Original URL: https://www.cnblogs.com/heruiguo/p/15741473.html