博客
关于我
Kubernetes 证书有效期更改
阅读量:634 次
发布时间:2019-03-14

本文共 4081 字,大约阅读时间需要 13 分钟。

Kubernetes相关证书详细介绍:

在更新证书之前先查看一下当前证书的过期时间

[root@k8s-master01 ~]# kubeadm alpha certs check-expirationCERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGEDadmin.conf                 Feb 20, 2022 05:57 UTC   363d            no      apiserver                  Feb 20, 2022 05:57 UTC   363d            no      apiserver-etcd-client      Feb 20, 2022 05:57 UTC   363d            no      apiserver-kubelet-client   Feb 20, 2022 05:57 UTC   363d            no      controller-manager.conf    Feb 20, 2022 05:57 UTC   363d            no      etcd-healthcheck-client    Feb 20, 2022 05:57 UTC   363d            no      etcd-peer                  Feb 20, 2022 05:57 UTC   363d            no      etcd-server                Feb 20, 2022 05:57 UTC   363d            no      front-proxy-client         Feb 20, 2022 05:57 UTC   363d            no      scheduler.conf             Feb 20, 2022 05:57 UTC   363d            no

Go环境部署:

[root@k8s-master01 ~]# wget https://dl.google.com/go/go1.15.6.linux-amd64.tar.gz[root@k8s-master01 ~]# tar -zxvf go1.15.6.linux-amd64.tar.gz -C /usr/local[root@k8s-master01 ~]# vim /etc/profile添加:    export PATH=$PATH:/usr/local/go/bin[root@k8s-master01 ~]# source /etc/profile

下载Kubernetes源码

[root@k8s-master01 ~]# cd /home && git clone https://github.com/kubernetes/kubernetes.git[root@k8s-master01 ~]# git clone -b 1.15.1 --depth=1 https://github.com/kubernetes/kubernetes.git	#  下载执行版本[root@k8s-master01 home]# git checkout -b remotes/origin/release-1.15.1 v1.15.1	# 切换当前Kubernetes 版本

修改 Kubeadm 源码包更新证书策略

[root@k8s-master01 home]# vim staging/src/k8s.io/client-go/util/cert/cert.go  # kubeadm 1.14 版本之前[root@k8s-master01 home]# vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go # kubeadm 1.14 至今	const duration365d = time.Hour * 24 * 365	NotAfter:     time.Now().Add(duration365d).UTC(),[root@k8s-master01 home]# makeWHAT=cmd/kubeadm GOFLAGS=-v[root@k8s-master01 home]# cp _output/bin/kubeadm /root/kubeadm-new

更新 kubeadm

# 将 kubeadm 进行替换[root@k8s-master01 home]# cp /usr/bin/kubeadm /usr/bin/kubeadm.old[root@k8s-master01 home]# cp /root/kubeadm-new /usr/bin/kubeadm[root@k8s-master01 home]# chmod a+x /usr/bin/kubeadm

更新各节点证书至 Master 节点

[root@k8s-master01 home]# cp-r /etc/kubernetes/pki /etc/kubernetes/pki.old[root@k8s-master01 home]# cd /etc/kubernetes/pki[root@k8s-master01 pki]# kubeadm alpha certs renew all --config=/root/kubeadm-config.yaml[root@k8s-master01 pki]# openssl x509 -in apiserver.crt -text-noout | grep Not

HA集群其余 mater 节点证书更新

#!/bin/bashmasterNode="192.168.66.20 192.168.66.21"# for host in ${masterNode}; do#    scp /etc/kubernetes/pki/{ca.crt,ca.key,sa.key,sa.pub,front-proxy-ca.crt,front-proxy-ca.key}"${USER}"@$host:/etc/kubernetes/pki/#    scp /etc/kubernetes/pki/etcd/{ca.crt,ca.key} "root"@$host:/etc/kubernetes/pki/etcd#    scp /etc/kubernetes/admin.conf "root"@$host:/etc/kubernetes/#donefor host in${CONTROL_PLANE_IPS}; do    scp /etc/kubernetes/pki/{ca.crt,ca.key,sa.key,sa.pub,front-proxy-ca.crt,front-proxy-ca.key}"${USER}"@$host:/root/pki/    scp /etc/kubernetes/pki/etcd/{ca.crt,ca.key} "root"@$host:/root/etcd    scp /etc/kubernetes/admin.conf "root"@$host:/root/kubernetes/done

再次再看证书过期时间

[root@k8s-master01 ~]# kubeadm alpha certs check-expirationCERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGEDadmin.conf                 Feb 20, 2032 05:57 UTC   363d            no      apiserver                  Feb 20, 2032 05:57 UTC   363d            no      apiserver-etcd-client      Feb 20, 2032 05:57 UTC   363d            no      apiserver-kubelet-client   Feb 20, 2032 05:57 UTC   363d            no      controller-manager.conf    Feb 20, 2032 05:57 UTC   363d            no      etcd-healthcheck-client    Feb 20, 2032 05:57 UTC   363d            no      etcd-peer                  Feb 20, 2022 05:57 UTC   363d            no      etcd-server                Feb 20, 2022 05:57 UTC   363d            no      front-proxy-client         Feb 20, 2022 05:57 UTC   363d            no      scheduler.conf             Feb 20, 2032 05:57 UTC   363d            no

转载地址:http://txqoz.baihongyu.com/

你可能感兴趣的文章
m个苹果放入n个盘子问题
查看>>
n = 3 , while n , continue
查看>>
n 叉树后序遍历转换为链表问题的深入探讨
查看>>
N!
查看>>
N-Gram的基本原理
查看>>
n1 c语言程序,全国青少年软件编程等级考试C语言经典程序题10道七
查看>>
Nacos Client常用配置
查看>>
nacos config
查看>>
Nacos Config--服务配置
查看>>
Nacos Derby 远程命令执行漏洞(QVD-2024-26473)
查看>>
Nacos 与 Eureka、Zookeeper 和 Consul 等其他注册中心的区别
查看>>
Nacos 单机集群搭建及常用生产环境配置 | Spring Cloud 3
查看>>
Nacos 启动报错[db-load-error]load jdbc.properties error
查看>>
Nacos 报Statement cancelled due to timeout or client request
查看>>
Nacos 注册服务源码分析
查看>>
Nacos 融合 Spring Cloud,成为注册配置中心
查看>>
Nacos-注册中心
查看>>
Nacos2.X 源码分析:为订阅方推送、服务健康检查、集群数据同步、grpc客户端服务端初始化
查看>>
Nacos2.X 配置中心源码分析:客户端如何拉取配置、服务端配置发布客户端监听机制
查看>>
Nacos2.X源码分析:服务注册、服务发现流程
查看>>
喝酒易醉,品茶养心,人生如梦,品茶悟道,何以解忧?唯有杜康!-- 愿君每日到此一游!
当前时间: 2025-11-13 21:58:27   当前IP: 10.8.45.227   联系邮箱:javaeecc@qq.com     Copyright © 2020 - 2025 baihongyu.com 京ICP备2021015314号-2