  • k8s 证书过期时间调整

    检查证书有效期:kubeadm 部署的集群,默认证书有效期为一年。
    
    cd /etc/kubernetes/pki 
    openssl x509 -in apiserver.crt -text -noout
    
      Validity
            Not Before: Jun 12 04:41:18 2019 GMT
            Not After : Jun 12 04:41:18 2020 GMT
    
    
    go 环境部署
    wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz 
    sha256sum go1.12.7.linux-amd64.tar.gz    # 解压前与 Go 官方下载页公布的 SHA256 校验值核对
    tar -xf go1.12.7.linux-amd64.tar.gz -C /usr/local 
    vi /etc/profile    # 在文件末尾添加:export PATH=$PATH:/usr/local/go/bin
    source /etc/profile
    
    下载源码
    git clone https://github.com/kubernetes/kubernetes.git
    查看当前版本 
    kubeadm version 
    [root@k8s-master kubernetes]# pwd
    /root/kubernetes
    git checkout -b remotes/origin/release-1.14.0 v1.14.0 #修改至当前版本
    
    
    修改 Kubeadm 源码包更新证书策略
    vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
    
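    增加常量:
    const duration36500d = time.Hour * 24 * 365 * 100   // time.Hour * 24 * 365 为一年,再乘以 100 即 100 年
    然后把签发证书处的 NotAfter 改为使用该常量(只需修改 Add 的参数),如下:
    NotAfter: time.Now().Add(duration36500d).UTC(),

    注意:证书有效期拉长到 100 年后,私钥或 admin.conf 一旦泄露,凭据在整个有效期内都有效;Kubernetes 不支持吊销已签发的客户端证书,只能通过更换 CA 使其失效。条件允许时,更稳妥的做法是保留默认有效期并定期执行 kubeadm alpha certs renew all 续期。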
    
    
    make WHAT=cmd/kubeadm GOFLAGS=-v #只编译kubeadm
    cp _output/bin/kubeadm /root/kubeadm-new
    

    更新 kubeadm
    将 kubeadm 进行替换 
    cp /usr/bin/kubeadm /usr/bin/kubeadm.old
    cp /root/kubeadm-new /usr/bin/kubeadm
    chmod a+x /usr/bin/kubeadm
    
    证书更新
    cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old
    cd /etc/kubernetes/pki
    kubeadm alpha certs renew all    # 有提示可忽略
    查看证书有效期(100年)
    cd /etc/kubernetes/pki 
    openssl x509 -in apiserver.crt -text -noout
    
    
            Validity
                Not Before: Jun 12 04:41:18 2019 GMT
                Not After : Nov 18 11:22:53 2119 GMT
    
    生成一个集群配置的 yaml 文件
    kubeadm config view > /root/cluster.yaml 
    cd /etc/kubernetes 
    mkdir conf.old 
    mv *.conf conf.old
    
    重新生成 /etc/kubernetes 下的 *.conf
    kubeadm init phase kubeconfig all --config /root/cluster.yaml 
    
    
    $ ll
    total 40
    -rw------- 1 root root 5455 Dec 12 19:30 admin.conf
    drwxr-xr-x 2 root root   93 Dec 12 19:25 conf.old
    -rw------- 1 root root 5491 Dec 12 19:30 controller-manager.conf
    -rw------- 1 root root 5471 Dec 12 19:30 kubelet.conf
    drwxr-xr-x 2 root root  109 Jun 20 14:16 manifests
    drwxr-xr-x 3 root root 4096 Jun 12  2019 pki
    drwxr-xr-x 3 root root 4096 Dec 12 17:40 pki.old
    -rw------- 1 root root 5439 Dec 12 19:30 scheduler.conf
    
    已经生成最新配置文件。conf.old 与 pki.old 中仍保存着旧的 kubeconfig 凭据和 CA 私钥,确认集群正常后应删除或移到访问受限的位置。
    
    其他master 节点
    scp -qpr master01:/usr/bin/kubeadm master02:/usr/bin/kubeadm
    然后在该节点上进行证书更新操作和集群配置文件生成操作
    
    完成后依次重启 etcd、kube-apiserver、kube-controller-manager、kube-proxy、kube-scheduler,并查看各组件日志,没有报错即表示更新成功。(下面的示例输出中 kube-scheduler-master03 处于 Error 状态,这类 Pod 需要单独查看日志确认原因。)
    
    
    systemctl restart kubelet
    
    $ kubectl get pod   -n kube-system 
    NAME                                    READY   STATUS             RESTARTS   AGE
    coredns-c7b458cf-fxjpp                  1/1     Running            0          6h26m
    coredns-c7b458cf-gfsqt                  0/1     Terminating        0          31d
    coredns-c7b458cf-sxlps                  1/1     Running            8          7h18m
    etcd-master01                           1/1     Running            214        183d
    etcd-master02                           1/1     Running            229        183d
    etcd-master03                           1/1     Running            210        183d
    kube-apiserver-master01                 1/1     Running            2216       72m
    kube-apiserver-master02                 1/1     Running            1823       73m
    kube-apiserver-master03                 1/1     Running            2155       74m
    kube-controller-manager-master01        1/1     Running            9441       71m
    kube-controller-manager-master02        1/1     Running            9780       70m
    kube-controller-manager-master03        1/1     Running            9431       71m
    kube-proxy-glqvn                        1/1     Running            0          63m
    kube-proxy-m4fhg                        1/1     Running            0          65m
    kube-proxy-rjrlp                        1/1     Running            0          62m
    kube-proxy-s4pfg                        1/1     Running            0          66m
    kube-proxy-snl7s                        1/1     Running            0          62m
    kube-proxy-v5dfz                        0/1     Terminating        0          128d
    kube-scheduler-master01                 1/1     Running            9341       69m
    kube-scheduler-master02                 1/1     Running            9687       69m
    kube-scheduler-master03                 0/1     Error              9374       68m
    

      

  • 原文地址:https://www.cnblogs.com/lixinliang/p/12217328.html