参考
kubeadm 部署的 kubernetes 集群,默认的证书有效时间是1年,需要每年手工更新。
1. 重新编译kubeadm
1.1 准备
# 下载对应的kubernetes源代码,这里采用 "v1.14.1" 版本
wget https://codeload.github.com/kubernetes/kubernetes/tar.gz/v1.14.1
# untar
tar -zxvf kubernetes-1.14.1.tar.gz
cd kubernetes-1.14.1
# 进入源代码目录
cd kubernetes-1.14.1
1.2 修改源代码-cert.go
- 文件:
staging/src/k8s.io/client-go/util/cert/cert.go NewSelfSignedCACert方法,签发以下证书,且默认为10年有效期:- front-proxy-ca.crt
- front-proxy-client.crt
- ca.crt
- etcd/ca.crt
- etcd/peer.crt
# 1.14.0版本开始,此文件不需要修改
vim staging/src/k8s.io/client-go/util/cert/cert.go
const duration365d = time.Hour * 24 * 365
// Config contains the basic fields required for creating a certificate
type Config struct {
CommonName string
Organization []string
AltNames AltNames
Usages []x509.ExtKeyUsage
}
// AltNames contains the domain names and IP addresses that will be added
// to the API Server's x509 certificate SubAltNames field. The values will
// be passed directly to the x509.Certificate object.
type AltNames struct {
DNSNames []string
IPs []net.IP
}
// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
now := time.Now()
tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0),
Subject: pkix.Name{
CommonName: cfg.CommonName,
Organization: cfg.Organization,
},
NotBefore: now.UTC(),
# 默认已调整有效期为10年;
# 但只影响部分证书:
NotAfter: now.Add(duration365d * 10).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,
}
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
if err != nil {
return nil, err
}
return x509.ParseCertificate(certDERBytes)
}
1.3 修改源代码-pki_helpers.go
- ,以下证书由
NewSignedCert方法签发,但签发的证书默认只有一年有效期:- apiserver.crt
- apiserver-etcd-client.crt
- etcd/server.crt
- etcd/healthcheck-client.crt
- apiserver-kubelet-client.crt
# `NewSignedCert` 方法:
# 部分证书是通过NewSignedCert这个方法签发,而这个方法签发的证书默认只有一年有效期,查看代码逻辑
vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
// NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
if err != nil {
return nil, err
}
if len(cfg.CommonName) == 0 {
return nil, errors.New("must specify a CommonName")
}
if len(cfg.Usages) == 0 {
return nil, errors.New("must specify at least one ExtKeyUsage")
}
certTmpl := x509.Certificate{
Subject: pkix.Name{
CommonName: cfg.CommonName,
Organization: cfg.Organization,
},
DNSNames: cfg.AltNames.DNSNames,
IPAddresses: cfg.AltNames.IPs,
SerialNumber: serial,
NotBefore: caCert.NotBefore,
# 修改签发相关证书的默认有效期为10年
// NotAfter: time.Now().Add(duration365d).UTC(),
NotAfter: time.Now().Add(duration365d * 10).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: cfg.Usages,
}
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
if err != nil {
return nil, err
}
return x509.ParseCertificate(certDERBytes)
}
1.4 编译
# go环境已经准备好
# kubeadm
make WHAT=cmd/kubeadm GOFLAGS=-v
# 补充:编译kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v
# 补充:编译kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v
# 编译生成的二进制文件在 _output/bin/ 目录下
1.5 更新kubeadm
# 将kubeadm 文件拷贝替换系统中原有kubeadm
cp /usr/bin/kubeadm /usr/bin/kubeadm.origin
cp _output/bin/kubeadm /usr/bin/kubeadm
2. 更新证书
2.1 更新 kube-master (任一)节点证书
1.13.x版本(含)之后的处理方式;- 不更新
kubeadm的情况下,也可手动更新证书,但更新的证书有效期默认仍是一年。
# 备份
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.origin
# 更新证书;
# "--config" 指定 "kubeadm" 的配置文件,建议使用部署集群时使用的配置文件;
# 其他参数可参考官方文档
cd /etc/kubernetes/pki
kubeadm alpha certs renew all --config=/root/kubeadm/kubeadm-config.yaml
# 验证新的证书有效期,以 "apiserver.crt" 为例
openssl x509 -in apiserver.crt -text -noout | grep Not
# 备份 /etc/kubernetes/*.conf 文件;
# 必须备份(mv),否则无法更新 "*.conf" 文件
ll /etc/kubernetes/*.conf | awk '{print $9}' | xargs -i mv {} {}.`date "+%Y%m%d"`
# 更新/etc/kubernetes/*.conf文件;
# 如果没有 "mv" , 输出为 "[kubeconfig] Using existing kubeconfig file",
kubeadm init phase kubeconfig all --config=/root/kubeadm/kubeadm-config.yaml
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
# 在(所有) kube-master 节点重启 "kube-apiserver", "kube-controller-manager", "kube-scheduler", "etcd" 4个容器
docker ps | egrep "etcd|kube-apiserver|kube-controller-manager|kube-scheduler" | grep -v pause | awk '{print $1}' | xargs -i docker restart {}
# 覆盖 "$HOME/.kube/config" 文件
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
2.2 (optional) HA集群其余mater节点证书更新
- 在已更新证书的master节点运行脚本,将更新的证书同步到其余master节点
# 如果可以,请提前在被同步master节点做备份
cat certificate.sh
#!/bin/bash
# 2019-05-27 v0.1
# scp certificate files from the first control plane node to the rest.
USER=root # customizable
CONTROL_PLANE_IPS="100.64.198.137 100.64.198.138"
for host in ${CONTROL_PLANE_IPS}; do
scp /etc/kubernetes/pki/ca.crt "${USER}"@$host:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/ca.key "${USER}"@$host:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/sa.key "${USER}"@$host:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/sa.pub "${USER}"@$host:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/front-proxy-ca.crt "${USER}"@$host:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/front-proxy-ca.key "${USER}"@$host:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/etcd/ca.crt "${USER}"@$host:/etc/kubernetes/pki/etcd/ca.crt
scp /etc/kubernetes/pki/etcd/ca.key "${USER}"@$host:/etc/kubernetes/pki/etcd/ca.key
scp /etc/kubernetes/admin.conf "${USER}"@$host:/etc/kubernetes/
done
3. 补充:go 环境
# download,根据需要选择版本
wget https://studygolang.com/dl/golang/go1.12.1.linux-amd64.tar.gz
# untar
tar -zxvf go1.12.1.linux-amd64.tar.gz -C /usr/local
# edit /etc/profile,在文件末尾添加如下内容
vim /etc/profile
# go setting
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin
# enable /etc/profile
source /etc/profile