2024年11月

当爬取微信里的图片使用的时候会发现,当我们浏览器地址栏
访问微信中的图片URL
是没有问题。但当我们在自己项目中使用
img
标签
src
引入的时候,就会出现,
“此图片来自微信公众平台未经允许不可引用”
的问题。这是因为微信为了防止其他平台引入,特意做了类似防盗链的功能。

前往原文地址查看效果:
张苹果博客

网上找了几个解决方法。

一,在页面header中添加meta标签,设置referrer。

<meta name="referrer" content="never">

该属性禁止了header发送页面相关信息,虽然可以阻止一些攻击以及绕过图片防盗链的效果。确实解决了这个问题。但是会出现其他问题如:影响页面跳转和回溯,第三方统计代码失效(如CNZZ、百度统计),SEO和社交媒体分享影响等。

二,img标签上添加 referrerpolicy="no-referrer"

<img src="微信图片url" referrerPolicy="no-referrer"  />

正常应该能解决,但我的项目第一次打开图片的时候没问题,但当我第二次访问的时候,不知道为什么又出现了“此图片来自xxxxx”的问题。

三,第三方代理

 <img src="https://xxx代理地址/?url=微信图片url"/>

需要自己去找一些第三方的代理,但是如果第三方地址挂了,那么就出问题了。所以这个方法可能不太稳定。

想了想,既然别人的可能不稳定,能不能自己写一个呢?后面自己用python简单实现了一下。

四,Python Flask代理服务器

通过Flask框架和requests库实现图片资源的获取和转发。该方法相对稳定(毕竟是自己弄的),但可能受到服务器性能和网络环境的影响。

1,完整代码
from flask import Flask, Response, request
import requests

app = Flask(__name__)

def fetch_image(image_url):
    try:
        response = requests.get(image_url)
        if response.status_code == 200:
            return response.content
        else:
            return None
    except requests.RequestException as e:
        print(f"Error fetching image: {e}")
        return None

@app.route('/fetchImage', methods = ['GET'])
def fetchImage():
    # 获取图片地址
    image_url = request.args.get('url')
    image_data = fetch_image(image_url)
    if image_data:
        mime_type = 'image/jpeg'  # 这里需要替换为实际的MIME类型
        return Response(image_data, mimetype=mime_type)
    else:
        return "Failed to fetch image", 404



if __name__ == '__main__':
    # 使用WSGI服务器运行应用程序
    from gevent.pywsgi import WSGIServer
    http_server = WSGIServer(('127.0.0.1', 5000), app)
    http_server.serve_forever()
2,测试接口没问题

3,部署到服务器上使用。
   <img src="https://zhangpingguo.com/spider/fetchImage?url=https://mmbiz.qpic.cn/sz_mmbiz_png/3Vm2lcZKj6kibOJxU942w70J8zb6ianMzwPvEwSI5SNOzicM47GN9Bo3MvPAeHJr7pjPRVsjxDLgOYKQ3pR8jcHHA/640?wx_fmt=png&from=appmsg"/>

最后结果正常访问。但是估计是我服务器太廉价了,访问速度忒慢了。不管了,反正能用就行...
如你是PC端访问本文,进入
原文张苹果博客
,鼠标移入上方线条,点击“摸鱼日历”可查看效果。

目录

一.系统环境

本文主要基于Kubernetes1.22.2和Linux操作系统Ubuntu 18.04。

服务器版本 docker软件版本 Kubernetes(k8s)集群版本 CPU架构
Ubuntu 18.04.5 LTS Docker version 20.10.14 v1.22.2 x86_64

Kubernetes集群架构:k8scludes1作为master节点,k8scludes2,k8scludes3作为worker节点。

服务器 操作系统版本 CPU架构 进程 功能描述
k8scludes1/192.168.110.128 Ubuntu 18.04.5 LTS x86_64 docker,kube-apiserver,etcd,kube-scheduler,kube-controller-manager,kubelet,kube-proxy,coredns,calico k8s master节点
k8scludes2/192.168.110.129 Ubuntu 18.04.5 LTS x86_64 docker,kubelet,kube-proxy,calico k8s worker节点
k8scludes3/192.168.110.130 Ubuntu 18.04.5 LTS x86_64 docker,kubelet,kube-proxy,calico k8s worker节点

二.前言

Kubernetes集群的证书对于集群的安全性和稳定性至关重要。然而,随着时间的推移,这些证书会过期,导致集群服务不可用。本文将详细介绍如何使用kubeadm工具为Kubernetes集群续期证书。

给Kubernetes集群证书续期的
前提
是已经有一套可以正常运行的Kubernetes集群,关于Kubernetes(k8s)集群的安装部署,可以查看博客《Ubuntu 安装部署Kubernetes(k8s)集群》
https://www.cnblogs.com/renshengdezheli/p/17632858.html,如果你的操作系统是RHEL的,可以查看博客《Centos7
安装部署Kubernetes(k8s)集群》
https://www.cnblogs.com/renshengdezheli/p/16686769.html。

三.Kubernetes证书过期及续期简介

Kubernetes集群在初始化时,会自动生成一系列证书,包括API服务器证书、CA证书、Kubelet证书等。这些证书通常有1年的有效期。当证书过期后,Kubernetes集群的某些服务可能会受到影响,例如API服务器无法访问。为了解决证书过期的问题,我们可以使用kubeadm工具进行证书续期。

四.使用kubeadm为Kubernetes集群证书续期

4.1 查看k8s集群证书过期时间

现在k8s集群已经不能正常运行了,查询pod报错,可以看到报错信息为:“连接API服务器拒绝”。

root@k8scludes1:~# kubectl get pod -o wie
The connection to the server 192.168.110.128:6443 was refused - did you specify the right host or port?

master节点的/etc/kubernetes/pki/目录下存的是各个组件的证书。

root@k8scludes1:~# ls /etc/kubernetes/pki/
apiserver.crt              apiserver-etcd-client.key  apiserver-kubelet-client.crt  ca.crt  ca.srl  front-proxy-ca.crt  front-proxy-ca.srl      front-proxy-client.key  sa.key
apiserver-etcd-client.crt  apiserver.key              apiserver-kubelet-client.key  ca.key  etcd    front-proxy-ca.key  front-proxy-client.crt  mytok.csv               sa.pub

查看master节点的apiserver证书有效期,可以看到证书在2023年4月16号就过期了,证书已经过期一年多了。

root@k8scludes1:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Not
            Not Before: Apr 16 14:57:44 2022 GMT
            Not After : Apr 16 14:57:44 2023 GMT

在master节点查看各个组件的证书过期时间。

root@k8scludes1:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 21, 2023 14:25 UTC   9y                                      no      
apiserver                  Oct 21, 2023 14:25 UTC   9y              ca                      no      
apiserver-etcd-client      Oct 21, 2023 14:25 UTC   9y              etcd-ca                 no      
apiserver-kubelet-client   Oct 21, 2023 14:25 UTC   9y              ca                      no      
controller-manager.conf    Oct 21, 2023 14:25 UTC   9y                                      no      
etcd-healthcheck-client    Oct 21, 2023 14:25 UTC   9y              etcd-ca                 no      
etcd-peer                  Oct 21, 2023 14:25 UTC   9y              etcd-ca                 no      
etcd-server                Oct 21, 2023 14:25 UTC   9y              etcd-ca                 no      
front-proxy-client         Oct 21, 2023 14:25 UTC   9y              front-proxy-ca          no      
scheduler.conf             Oct 21, 2023 14:25 UTC   9y                                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 13, 2023 14:57 UTC   7y              no      
etcd-ca                 Apr 13, 2023 14:57 UTC   7y              no      
front-proxy-ca          Apr 13, 2023 14:57 UTC   7y              no

查看master节点的kubelet证书过期时间。

root@k8scludes1:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-16-22-57-47.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key

root@k8scludes1:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text  |grep Not
            Not Before: Apr 16 14:57:44 2022 GMT
            Not After : Apr 16 14:57:46 2023 GMT

4.2 为master节点续期证书

在master节点给各个组件续签证书。

root@k8scludes1:~# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

在master节点再次查看各个组件的证书过期时间,可以看到证书续签了一年。

root@k8scludes1:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 24, 2025 02:53 UTC   364d                                    no      
apiserver                  Oct 24, 2025 02:53 UTC   364d            ca                      no      
apiserver-etcd-client      Oct 24, 2025 02:53 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Oct 24, 2025 02:53 UTC   364d            ca                      no      
controller-manager.conf    Oct 24, 2025 02:53 UTC   364d                                    no      
etcd-healthcheck-client    Oct 24, 2025 02:53 UTC   364d            etcd-ca                 no      
etcd-peer                  Oct 24, 2025 02:53 UTC   364d            etcd-ca                 no      
etcd-server                Oct 24, 2025 02:53 UTC   364d            etcd-ca                 no      
front-proxy-client         Oct 24, 2025 02:53 UTC   364d            front-proxy-ca          no      
scheduler.conf             Oct 24, 2025 02:53 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 13, 2025 14:57 UTC   7y              no      
etcd-ca                 Apr 13, 2025 14:57 UTC   7y              no      
front-proxy-ca          Apr 13, 2025 14:57 UTC   7y              no

当前kubernetes各个组件所使用的kubecong文件都在/etc/kubernetes/里。

root@k8scludes1:~# ls /etc/kubernetes/
admin.conf  admission-control-config-file  audit  controller-manager.conf  kubelet.conf  manifests  pki  scheduler.conf

文件后缀为conf的都是各个组件所需的kubeconfig文件,但是这些文件里使用的证书都是之前过期的证书,需要把conf文件删除并重新生成。

root@k8scludes1:~# ls /etc/kubernetes/*.conf
/etc/kubernetes/admin.conf  /etc/kubernetes/controller-manager.conf  /etc/kubernetes/kubelet.conf  /etc/kubernetes/scheduler.conf

root@k8scludes1:~# mkdir k8sconf_bak

root@k8scludes1:~# cp /etc/kubernetes/*.conf k8sconf_bak/

root@k8scludes1:~# ls k8sconf_bak/
admin.conf  controller-manager.conf  kubelet.conf  scheduler.conf

root@k8scludes1:~# rm -rf /etc/kubernetes/*.conf

root@k8scludes1:~# ls /etc/kubernetes/
admission-control-config-file  audit  manifests  pki

为k8s的各个组件重新生成kubeconfig文件。

root@k8scludes1:~# kubeadm init --kubernetes-version=v1.22.2  phase kubeconfig all
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file

root@k8scludes1:~# ls /etc/kubernetes/
admin.conf  admission-control-config-file  audit  controller-manager.conf  kubelet.conf  manifests  pki  scheduler.conf

替换管理员所用的kubeconfig文件。

root@k8scludes1:~# ls ~/.kube/config
/root/.kube/config

root@k8scludes1:~# rm -rf ~/.kube/config

root@k8scludes1:~# ls ~/.kube/
cache  config.old-20241023  kubens

root@k8scludes1:~# cp /etc/kubernetes/admin.conf ~/.kube/config

root@k8scludes1:~# ls ~/.kube/config
/root/.kube/config

重启kube-scheduler。

root@k8scludes1:~# docker ps | grep kube-scheduler
47ac8592cf5c   b51ddc1014b0                                        "kube-scheduler --au…"   6 minutes ago   Up 6 minutes             k8s_kube-scheduler_kube-scheduler-k8scludes1_kube-system_f637e8449089a70204a39d176f936bc7_289
6e65a5b16329   registry.aliyuncs.com/google_containers/pause:3.5   "/pause"                 6 minutes ago   Up 6 minutes             k8s_POD_kube-scheduler-k8scludes1_kube-system_f637e8449089a70204a39d176f936bc7_75

root@k8scludes1:~# docker ps | awk '/kube-scheduler /{print $1}'
47ac8592cf5c

root@k8scludes1:~# docker rm -f $(docker ps | awk '/kube-scheduler /{print $1}')
47ac8592cf5c

root@k8scludes1:~# kubectl get pods -n kube-system | grep scheduler
kube-scheduler-k8scludes1                  1/1     Running   289 (2y120d ago)   2y191d

查看master节点的kubelet当前使用的证书,kubelet-client-current.pem软链接到了kubelet-client-2024-10-24-11-08-14.pem,说明现在kubelet使用的是最新的证书。

root@k8scludes1:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-16-22-57-47.pem  kubelet-client-2024-10-24-11-05-29.pem  kubelet-client-2024-10-24-11-08-14.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key

root@k8scludes1:~# ls /var/lib/kubelet/pki/kubelet-client-current.pem -l
lrwxrwxrwx 1 root root 59 Oct 24 11:08 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-08-14.pem

如果kubelet-client-current.pem软链接到kubelet-client-2022-04-16-22-57-47.pem,说明kubelet使用的是旧的证书,重启kebelet即可。

root@k8scludes1:~# systemctl restart kubelet

root@k8scludes1:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-16-22-57-47.pem  kubelet-client-2024-10-24-11-05-29.pem  kubelet-client-2024-10-24-11-08-14.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key

root@k8scludes1:~# ls -l /var/lib/kubelet/pki/kubelet-client-current.pem 
lrwxrwxrwx 1 root root 59 Oct 24 11:08 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-08-14.pem

在master节点上查看证书签名请求(简称为CSR),如果CONDITION显示的是Approved,Issued,说明证书签名请求CSR已经被批准,则不需要执行
kubectl certificate approve csr-htp29
,如果CONDITION显示的是Pending,则需要手动批准证书签名请求CSR,语法为:
kubectl certificate approve CSR名 

root@k8scludes1:~# kubectl get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                REQUESTEDDURATION   CONDITION
csr-htp29   12m   kubernetes.io/kube-apiserver-client-kubelet   system:node:k8scludes1   <none>              Approved,Issued

#批准证书签名请求CSR
root@k8scludes1:~# kubectl certificate approve csr-htp29
certificatesigningrequest.certificates.k8s.io/csr-rn8xc approved

在master节点查看kubelet的证书过期时间,到2025年才过期了。

root@k8scludes1:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text  |grep Not
            Not Before: Oct 24 03:03:14 2024 GMT
            Not After : Oct 24 03:03:14 2025 GMT

查看k8s集群状态,可以发现k8scludes1节点已经正常了,但是两个worker节点还是不正常,原因是两个worker节点的证书还是旧的,需要替换为最新的证书。

root@k8scludes1:~# kubectl get node
NAME         STATUS     ROLES                  AGE      VERSION
k8scludes1   Ready      control-plane,master   2y191d   v1.22.2
k8scludes2   NotReady   <none>                 2y191d   v1.22.2
k8scludes3   NotReady   <none>                 2y191d   v1.22.2

4.3 为worker节点替换最新的证书

k8scludes2节点的kubelet使用的还是旧的证书。

root@k8scludes2:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-17-01-59-26.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key

root@k8scludes2:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text  |grep Not
            Not Before: Apr 16 17:54:26 2022 GMT
            Not After : Apr 16 17:54:26 2023 GMT

在master节点生成k8scludes2节点所需的kubelet.conf文件,把kubelet.conf文件放在/tmp/目录。

root@k8scludes1:~# kubeadm init --kubernetes-version=v1.22.2 phase kubeconfig kubelet --node-name k8scludes2 --kubeconfig-dir /tmp/
[kubeconfig] Writing "kubelet.conf" kubeconfig file
 
root@k8scludes1:~# ls /tmp/
kubelet.conf  systemd-private-3e6f81ffe01748ec8909700ec12195cb-systemd-resolved.service-kzxcft  systemd-private-3e6f81ffe01748ec8909700ec12195cb-systemd-timesyncd.service-Uop8xG  vmware-root_751-4290559920

复制文件到k8scludes2节点的/etc/kubernetes/目录下。

root@k8scludes1:~# scp /tmp/kubelet.conf 192.168.110.129:/etc/kubernetes/
root@192.168.110.129's password: 
kubelet.conf                                                                                                                                                                   100% 5671     1.4MB/s   00:00

k8scludes2节点重启kubelet。

root@k8scludes2:~# systemctl restart kubelet

再次查看k8scludes2节点的kubelet证书,现在已经是最新的证书了。

root@k8scludes2:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-17-01-59-26.pem  kubelet-client-2024-10-24-11-29-31.pem  kubelet-client-2024-10-24-11-29-40.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key

root@k8scludes2:~# ls -l /var/lib/kubelet/pki/kubelet-client-current.pem 
lrwxrwxrwx 1 root root 59 Oct 24 11:29 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-29-40.pem

root@k8scludes2:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text  |grep Not
            Not Before: Oct 24 03:24:40 2024 GMT
            Not After : Oct 24 03:24:40 2025 GMT

k8scludes3节点也是类似的操作。

在master节点生成k8scludes3节点所需的kubelet.conf文件,把kubelet.conf文件放在/tmp/目录。

root@k8scludes1:~# rm -rf /tmp/* ;  ls /tmp/

root@k8scludes1:~# kubeadm init --kubernetes-version=v1.22.2 phase kubeconfig kubelet --node-name k8scludes3 --kubeconfig-dir /tmp/
[kubeconfig] Writing "kubelet.conf" kubeconfig file

复制kubelet.conf到k8scludes3节点的/etc/kubernetes/目录下

root@k8scludes1:~# scp /tmp/kubelet.conf 192.168.110.130:/etc/kubernetes/
root@192.168.110.130's password: 
kubelet.conf                                                                                                                                                                   100% 5671     2.6MB/s   00:00

重启k8scludes3节点的kubelet,现在kubelet使用的是最新的证书了。

root@k8scludes3:~# systemctl restart kubelet

root@k8scludes3:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-17-01-59-29.pem  kubelet-client-2024-10-24-11-34-49.pem  kubelet-client-2024-10-24-11-34-57.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key

root@k8scludes3:~# ls -l /var/lib/kubelet/pki/kubelet-client-current.pem 
lrwxrwxrwx 1 root root 59 Oct 24 11:34 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-34-57.pem

root@k8scludes3:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text  |grep Not
            Not Before: Oct 24 03:29:57 2024 GMT
            Not After : Oct 24 03:29:57 2025 GMT

查看k8s集群状态,现在集群恢复正常了。

root@k8scludes1:~# kubectl get node
NAME         STATUS   ROLES                  AGE      VERSION
k8scludes1   Ready    control-plane,master   2y191d   v1.22.2
k8scludes2   Ready    <none>                 2y191d   v1.22.2
k8scludes3   Ready    <none>                 2y191d   v1.22.2

五.总结

本文介绍了如何使用kubeadm工具为Kubernetes集群续期证书。通过定期检查和续期证书,可以确保Kubernetes集群的安全性和稳定性。

  • 在进行证书续期时,请确保有足够的磁盘空间来存储新的证书文件;
  • 如果你的集群配置了自动化工具或脚本来管理Kubernetes集群,确保这些工具和脚本也更新为处理新的证书;
  • 在生产环境中,建议设置证书到期提醒,以便提前进行维护工作。
  1. 1
  2. ...
  3. 82
  4. 83
  5. 84
  6. 85