  • Kubernetes initialized with kubeadm: extending certificate expiry


    I. Check the certificate expiry dates

    # The CA certificate is valid for 10 years, from 2021 to 2031
    [root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text  |grep Not
                Not Before: Jul  8 02:55:00 2021 GMT
                Not After : Jul  6 02:55:00 2031 GMT
    
    # The apiserver certificate is valid for 1 year, from 2021 to 2022
    [root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text  |grep Not
                Not Before: Jul  8 02:55:00 2021 GMT
                Not After : Jul  8 02:55:00 2022 GMT
    

    II. Extend the certificate expiry

    1) Upload the update-kubeadm-cert.sh file to the k8s-master1 and k8s-master2 nodes

    Script download: https://github.com/yuyicai/update-kube-cert

    2) Run the following commands on every node

    # 1) Make update-kubeadm-cert.sh executable
    [root@k8s-master1 ~]# chmod +x update-kubeadm-cert.sh
    [root@k8s-master2 ~]# chmod +x update-kubeadm-cert.sh
    
    # 2) Run the command below to change the certificate expiry, extending it to 10 years
    [root@k8s-master1 ~]# ./update-kubeadm-cert.sh all
    [root@k8s-master2 ~]# ./update-kubeadm-cert.sh all
    [2021-07-08T11:45:19.707677552+0800]: INFO: backup /etc/kubernetes to /etc/kubernetes.old-20210708
    Signature ok
    subject=/CN=etcd-server
    Getting CA Private Key
    [2021-07-08T11:45:19.772840987+0800]: INFO: generated /etc/kubernetes/pki/etcd/server.crt
    Signature ok
    subject=/CN=etcd-peer
    Getting CA Private Key
    [2021-07-08T11:45:19.809399855+0800]: INFO: generated /etc/kubernetes/pki/etcd/peer.crt
    Signature ok
    subject=/O=system:masters/CN=kube-etcd-healthcheck-client
    Getting CA Private Key
    [2021-07-08T11:45:19.831445526+0800]: INFO: generated /etc/kubernetes/pki/etcd/healthcheck-client.crt
    Signature ok
    subject=/O=system:masters/CN=kube-apiserver-etcd-client
    Getting CA Private Key
    [2021-07-08T11:45:19.853244272+0800]: INFO: generated /etc/kubernetes/pki/apiserver-etcd-client.crt
    2e55581300ad
    [2021-07-08T11:45:20.247350515+0800]: INFO: restarted etcd
    Signature ok
    subject=/CN=kube-apiserver
    Getting CA Private Key
    [2021-07-08T11:45:20.282054309+0800]: INFO: generated /etc/kubernetes/pki/apiserver.crt
    Signature ok
    subject=/O=system:masters/CN=kube-apiserver-kubelet-client
    Getting CA Private Key
    [2021-07-08T11:45:20.307074813+0800]: INFO: generated /etc/kubernetes/pki/apiserver-kubelet-client.crt
    Signature ok
    subject=/CN=system:kube-controller-manager
    Getting CA Private Key
    [2021-07-08T11:45:20.349848678+0800]: INFO: generated /etc/kubernetes/controller-manager.crt
    [2021-07-08T11:45:20.355202936+0800]: INFO: generated new /etc/kubernetes/controller-manager.conf
    Signature ok
    subject=/CN=system:kube-scheduler
    Getting CA Private Key
    [2021-07-08T11:45:20.401409577+0800]: INFO: generated /etc/kubernetes/scheduler.crt
    [2021-07-08T11:45:20.407255673+0800]: INFO: generated new /etc/kubernetes/scheduler.conf
    Signature ok
    subject=/O=system:masters/CN=kubernetes-admin
    Getting CA Private Key
    [2021-07-08T11:45:20.453035542+0800]: INFO: generated /etc/kubernetes/admin.crt
    [2021-07-08T11:45:20.463892109+0800]: INFO: generated new /etc/kubernetes/admin.conf
    [2021-07-08T11:45:20.470917866+0800]: INFO: copy the admin.conf to ~/.kube/config for kubectl
    [2021-07-08T11:45:20.473552470+0800]: WARNING: does not need to update kubelet.conf
    Signature ok
    subject=/CN=front-proxy-client
    Getting CA Private Key
    [2021-07-08T11:45:20.494001710+0800]: INFO: generated /etc/kubernetes/pki/front-proxy-client.crt
    86a98ff73131
    [2021-07-08T11:45:24.268973792+0800]: INFO: restarted kube-apiserver
    7c01cab842fa
    [2021-07-08T11:45:24.812039934+0800]: INFO: restarted kube-controller-manager
    59ed847ae4eb
    [2021-07-08T11:45:25.765110177+0800]: INFO: restarted kube-scheduler
    [2021-07-08T11:45:25.875676379+0800]: INFO: restarted kubelet
    
    # 3) On k8s-master1, check that Pods can be queried; if data is returned, the certificates were issued successfully
    [root@k8s-master1 ~]# kubectl  get pods 
    NAME       READY   STATUS    RESTARTS   AGE
    demo-pod   1/1     Running   0          15m
    

    3) Check the certificate validity period

    # Check the apiserver certificate
    [root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text  |grep Not
                Not Before: Jul  8 03:45:17 2021 GMT
                Not After : Jul  6 03:45:17 2031 GMT
    
    # Check the etcd client certificate used by the apiserver
    [root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt  -noout -text  |grep Not
                Not Before: Jul  8 03:45:16 2021 GMT
                Not After : Jul  6 03:45:16 2031 GMT
                
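    # Check the front-proxy CA certificate (a CA, so its dates are unchanged; the script reissued front-proxy-client.crt)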
    [root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt  -noout -text  |grep Not
                Not Before: Jul  8 02:55:00 2021 GMT
                Not After : Jul  6 02:55:00 2031 GMT
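
The checks above inspect three files by hand. As an added example (not part of the original post or of the update-kube-cert project), the following POSIX sh script reports the expiry status of every certificate under a kubeadm directory, including the client certificates embedded in the kubeconfig files that the log above shows being regenerated. The function names and the 30-day default warning window are assumptions of this example.

```shell
#!/bin/sh
# Added example: expiry audit for a kubeadm control-plane node (sh + openssl).

# cert_status PEM WARN_DAYS -> prints UNREADABLE, EXPIRED, EXPIRING or OK
cert_status() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then echo UNREADABLE
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then echo EXPIRED
    elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
    then echo EXPIRING
    else echo OK
    fi
}

# kubeconfig_cert CONF OUT -> decode the embedded client certificate into OUT.
# Fails when the kubeconfig references a certificate file instead of embedding it.
kubeconfig_cert() (
    b64=$(awk '$1 == "client-certificate-data:" { print $2; exit }' "$1")
    [ -n "$b64" ] && printf '%s' "$b64" | base64 -d > "$2"
)

# report PEM LABEL WARN_DAYS -> prints one status line; succeeds only when OK
report() (
    st=$(cert_status "$1" "$3")
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || end="notAfter=?"
    printf '%-10s %-36s %s\n' "$st" "$end" "$2"
    [ "$st" = OK ]
)

# audit_certs KUBE_DIR [WARN_DAYS] -> report every *.crt under KUBE_DIR/pki and
# every certificate embedded in KUBE_DIR/*.conf; non-zero if any is not OK.
audit_certs() (
    dir=$1; warn=${2:-30}; rc=0
    tmp=$(mktemp); list=$(mktemp)
    find "$dir/pki" -name '*.crt' | sort > "$list"
    while IFS= read -r f; do
        report "$f" "$f" "$warn" || rc=1
    done < "$list"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] && kubeconfig_cert "$f" "$tmp" || continue
        report "$tmp" "$f (embedded client certificate)" "$warn" || rc=1
    done
    rm -f "$tmp" "$list"
    return "$rc"
)

# Runs only when given arguments, e.g.: sh audit-certs.sh /etc/kubernetes 30
# (audit-certs.sh is a hypothetical file name for this example)
if [ $# -gt 0 ]; then audit_certs "$@"; fi
```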
    
    Author: Lawrence

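    Copyright of this article belongs to the author. Reprinting is welcome, but unless the author agrees otherwise this notice must be retained and a link to the original article must be given in a prominent position on the page.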
  • Original article: https://www.cnblogs.com/hujinzhong/p/14985449.html