(1) Check the current certificate expiration times
# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 22, 2021 14:59 UTC   360d                                    no
apiserver                  Jul 22, 2021 14:59 UTC   360d            ca                      no
apiserver-etcd-client      Jul 22, 2021 14:59 UTC   360d            etcd-ca                 no
apiserver-kubelet-client   Jul 22, 2021 14:59 UTC   360d            ca                      no
controller-manager.conf    Jul 22, 2021 14:59 UTC   360d                                    no
etcd-healthcheck-client    Jul 22, 2021 14:59 UTC   360d            etcd-ca                 no
etcd-peer                  Jul 22, 2021 14:59 UTC   360d            etcd-ca                 no
etcd-server                Jul 22, 2021 14:59 UTC   360d            etcd-ca                 no
front-proxy-client         Jul 22, 2021 14:59 UTC   360d            front-proxy-ca          no
scheduler.conf             Jul 22, 2021 14:59 UTC   360d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 20, 2030 14:59 UTC   9y              no
etcd-ca                 Jul 20, 2030 14:59 UTC   9y              no
front-proxy-ca          Jul 20, 2030 14:59 UTC   9y              no
(2) Download the source code
git clone https://github.com/kubernetes/kubernetes.git
(3) Switch to your own version and modify the source; for example, mine is v1.17.2
cd kubernetes
git checkout v1.17.2
vim cmd/kubeadm/app/constants/constants.go, find CertificateValidity, and change it as follows
....
const (
    // KubernetesDir is the directory Kubernetes owns for storing various configuration files
    KubernetesDir = "/etc/kubernetes"
    // ManifestsSubDirName defines directory name to store manifests
    ManifestsSubDirName = "manifests"
    // TempDirForKubeadm defines temporary directory for kubeadm
    // should be joined with KubernetesDir.
    TempDirForKubeadm = "tmp"

    // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
    CertificateValidity = time.Hour * 24 * 365 * 100
....
(4) Build kubeadm
make WHAT=cmd/kubeadm
After the build completes, the following directory and binaries are generated
# ll _output/bin/
total 76172
-rwxr-xr-x 1 root root  6799360 Jun 20 21:08 conversion-gen
-rwxr-xr-x 1 root root  6778880 Jun 20 21:08 deepcopy-gen
-rwxr-xr-x 1 root root  6750208 Jun 20 21:08 defaulter-gen
-rwxr-xr-x 1 root root  4883629 Jun 20 21:08 go2make
-rwxr-xr-x 1 root root  2109440 Jun 20 21:09 go-bindata
-rwxr-xr-x 1 root root 39256064 Jun 20 21:11 kubeadm
-rwxr-xr-x 1 root root 11419648 Jun 20 21:09 openapi-gen
(5) Back up the original kubeadm and certificate files
cp /usr/bin/kubeadm{,.bak20200620}
cp -r /etc/kubernetes/pki{,.bak20200620}
(6) Replace kubeadm with the newly built binary
cp _output/bin/kubeadm /usr/bin/kubeadm
(7) Generate new certificates
cd /etc/kubernetes/pki
kubeadm alpha certs renew all
The output is as follows
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
(8) Verify the result
kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 27, 2120 13:25 UTC   99y                                     no
apiserver                  May 27, 2120 13:25 UTC   99y             ca                      no
apiserver-etcd-client      May 27, 2120 13:25 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   May 27, 2120 13:25 UTC   99y             ca                      no
controller-manager.conf    May 27, 2120 13:25 UTC   99y                                     no
etcd-healthcheck-client    May 27, 2120 13:25 UTC   99y             etcd-ca                 no
etcd-peer                  May 27, 2120 13:25 UTC   99y             etcd-ca                 no
etcd-server                May 27, 2120 13:25 UTC   99y             etcd-ca                 no
front-proxy-client         May 27, 2120 13:25 UTC   99y             front-proxy-ca          no
scheduler.conf             May 27, 2120 13:25 UTC   99y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 18, 2030 11:21 UTC   9y              no
etcd-ca                 Jun 18, 2030 11:21 UTC   9y              no
front-proxy-ca          Jun 18, 2030 11:21 UTC   9y              no
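
The verification output above shows leaf certificates expiring in 2120 while the three CAs still expire in 2030, and a chain stops validating once its CA certificate expires. As an added example (not part of the original post or of kubeadm), this Python script parses check-expiration output and lists the leaf certificates that outlive their issuing CA. The sample text is constructed from rows shown above, and the names SAMPLE, ROW, parse and outliving_ca are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the rows from the verification output above.
SAMPLE = """\
CERTIFICATE          EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf           May 27, 2120 13:25 UTC   99y                                     no
apiserver            May 27, 2120 13:25 UTC   99y             ca                      no
etcd-server          May 27, 2120 13:25 UTC   99y             etcd-ca                 no
front-proxy-client   May 27, 2120 13:25 UTC   99y             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 18, 2030 11:21 UTC   9y              no
etcd-ca                 Jun 18, 2030 11:21 UTC   9y              no
front-proxy-ca          Jun 18, 2030 11:21 UTC   9y              no
"""

# Columns: name, expiry, residual time, optional CA name, externally-managed flag.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<exp>[A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2}) UTC\s+"
    r"\S+\s+(?:(?P<ca>\S+)\s+)?(?:yes|no)$")

def parse(text):
    """Return (leaves, cas): leaves = {name: (expiry, ca_or_None)}, cas = {name: expiry}."""
    leaves, cas, in_ca_table = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CERTIFICATE AUTHORITY"):
            in_ca_table = True  # the second table lists the CAs themselves
            continue
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, [check-expiration] log lines
        expiry = datetime.strptime(m["exp"], "%b %d, %Y %H:%M")
        if in_ca_table:
            cas[m["name"]] = expiry
        else:
            leaves[m["name"]] = (expiry, m["ca"])
    return leaves, cas

def outliving_ca(text):
    """Map each leaf that expires after its issuing CA to the CA's expiry,
    which is when chain validation for that leaf starts failing."""
    leaves, cas = parse(text)
    return {name: cas[ca] for name, (expiry, ca) in leaves.items()
            if ca in cas and expiry > cas[ca]}

if __name__ == "__main__":
    for name, ca_expiry in outliving_ca(SAMPLE).items():
        print(f"{name}: trusted only until {ca_expiry:%b %d, %Y} (CA expiry)")
```

Rows with an empty CERTIFICATE AUTHORITY column, such as admin.conf in this kubeadm version's output, are parsed but not compared, because the table does not name their issuer.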
If downloading from GitHub is slow, you can download from Gitee instead: https://gitee.com/mirrors/Kubernetes/tree/master/