一、为什么要修改 kubeadm 证书时间

Kubernetes 官方提供了 kubeadm 工具安装 kubernetes 集群,使用这个工具安装集群非常便捷,使部署和升级 Kubernetes 变得简单起来。

不过该工具有点坑的就是,使用其安装的 kubernetes 集群的大部分证书有效期只有一年,需要在证书过期前,使用更新操作更新集群,使证书的有效期再续一年。如果忘记这个操作,那么在使用过程中证书到期将导致集群不可用,应用无法访问,急急忙忙解决也需要半天时间,这个问题是致命的。

不过实际情况下,在现网环境中大部分人追求稳定,一般不会大改 Kubernetes 版本,所以解决 kubeadm 集群证书有效期只有一年的最好办法就是重新编译 kubeadm 源码,将里面的 1 年有效期修改为 10 年或者 100 年,也不会影响使用 kubeadm 后续的升级,所以修改源码能很好的规避这个证书过期风险。

二、如何查看 kubernetes 证书过期时间

在执行修改 Kubeadm 源码且重新编译之前,我们先通观察下使用的官方的 Kubeadm 工具初始化的 Kubernetes 集群,观察在默认情况下证书过期时间,执行的命令如下:

$ kubeadm alpha certs check-expiration
然后可以看到输出的过期时间如下:


CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 14, 2022 03:15 UTC   364d                                     no
apiserver                  Aug 14, 2022 03:15 UTC   364d             ca                      no
apiserver-etcd-client      Aug 14, 2022 03:15 UTC   364d             etcd-ca                 no
apiserver-kubelet-client   Aug 14, 2022 03:15 UTC   364d             ca                      no
controller-manager.conf    Aug 14, 2022 03:15 UTC   364d                                     no
etcd-healthcheck-client    Aug 14, 2022 03:15 UTC   364d             etcd-ca                 no
etcd-peer                  Aug 14, 2022 03:15 UTC   364d             etcd-ca                 no
etcd-server                Aug 14, 2022 03:15 UTC   364d             etcd-ca                 no
front-proxy-client         Aug 14, 2022 03:15 UTC   364d             front-proxy-ca          no
scheduler.conf             Aug 14, 2022 03:15 UTC   364d                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 14, 2031 03:15 UTC   9y             no
etcd-ca                 Aug 14, 2031 03:15 UTC   9y             no
front-proxy-ca          Aug 14, 2031 03:15 UTC   9y             no

从上面可以了解到,默认情况下 ETCD 证书有效期是 10 年时间,其它证书有效期为 1 年时间,所以如果我们安装集群时没有修改证书过期时间,那么默认 1 年后可能会出现证书过期集群不可用的问题,所以接下来我们进入修改 kubeadm 源码过程。

三、修改 kubeadm 源码并重新编译

3.1 安装 Golang 等编译源码的环境包
由于 Kubeadm 是 Go 语言编写的,所以我们提前安装好编译 Kubeadm 源码的工具,操作过程按下面执行即可:

(1) 安装编译工具

$ yum install -y gcc make rsync jq

(2) 下载并配置 Golang 环境

## 下载 golang 1.15.15
$ wget https://dl.google.com/go/go1.15.15.linux-amd64.tar.gz

## 解压并放置在一个目录中
$ tar zxvf go1.15.15.linux-amd64.tar.gz  -C /usr/local

## 编辑 /etc/profile 文件,添加 Go 环境配置内容
$ vi /etc/profile

export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin

## 使配置生效
$ source /etc/profile

## 测试 Go 命令是否配置成功,成功则显示如下
$ go version

go version go1.15.15 linux/amd64

3.2 下载 kubernetes 源码
下载 Kubernetes 源码,然后切换到指定版本,操作的命令如下:

## 下的 kubernetes 源码
$ git clone https://github.com/kubernetes/kubernetes.git

## 进入 Kubernetes 目录
$ cd kubernetes

## 切换 Kubernetes 版本
$ git checkout v1.20.9

3.3 修改 kubeadm 源码中证书过期时间
接下来我们修改 Kubernetes 代码中与 kubeadm 证书有效期相关的源码,操作的命令如下:

(1) 修改 constants.go 文件,操作如下:

$ vim cmd/kubeadm/app/constants/constants.go
########### 后面追加个 * 100 (注掉部分为源代码,后面跟着的是修改后的代码)
#const duration365d = time.Hour * 24 * 365
const duration365d = time.Hour * 24 * 365 * 100

// Config contains the basic fields required for creating a certificate
type Config struct {
        CommonName   string
        Organization []string
        AltNames     AltNames
        Usages       []x509.ExtKeyUsage
}

(2) 修改 cert.go 文件,操作如下:

$ vim staging/src/k8s.io/client-go/util/cert/cert.go
########### 修改10年为100年(注掉部分为源代码,后面跟着的是修改后的代码)
#NotAfter:             now.Add(duration365d * 10).UTC(),
NotAfter:              now.Add(duration365d * 100).UTC(),
KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA:                  true,
......

3.4 执行 kubeadm 编译
使用 make 命令编译 kubeadm, 执行的命令如下:

$ make all WHAT=cmd/kubeadm GOFLAGS=-v

编译成功后的 kubeadm 会放到当前目录中的 ./_output/local/bin/linux/amd64/ 目录中,我们进入到该文件下,查看是否有对应的文件。

## 进入
$ cd ./_output/local/bin/linux/amd64/

## 查看文件列表
$ ls -l

-rwxr-xr-x 10:03 conversion-gen
-rwxr-xr-x 10:03 deepcopy-gen
-rwxr-xr-x 10:03 defaulter-gen
-rwxr-xr-x 10:03 go2make
-rwxr-xr-x 10:04 go-bindata
-rwxr-xr-x 10:04 kubeadm
-rwxr-xr-x 10:47 kubectl
-rwxr-xr-x 10:34 kubelet
-rwxr-xr-x 10:04 openapi-gen
-rwxr-xr-x 10:03 prerelease-lifecycle-gen

四、续签证书

4.1 备份数据

kubectl -n kube-system get cm kubeadm-config -o yaml > kubeadm-config.yaml
$ cp -rp /etc/kubernetes /root/kubernetes_$(date +%F)
$ ls /etc/kubernetes_2024-08-25/
admin.conf  controller-manager.conf  kubelet.conf  manifests  pki  scheduler.conf

4.2 续签证书

  • 查看证书到期时间
$ kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 17, 2025 02:26 UTC   175d                                    no      
apiserver                  Feb 17, 2025 02:26 UTC   175d            ca                      no      
apiserver-etcd-client      Feb 17, 2025 02:26 UTC   175d            etcd-ca                 no      
apiserver-kubelet-client   Feb 17, 2025 02:26 UTC   175d            ca                      no      
controller-manager.conf    Feb 17, 2025 02:26 UTC   175d                                    no      
etcd-healthcheck-client    Feb 17, 2025 02:26 UTC   175d            etcd-ca                 no      
etcd-peer                  Feb 17, 2025 02:26 UTC   175d            etcd-ca                 no      
etcd-server                Feb 17, 2025 02:26 UTC   175d            etcd-ca                 no      
front-proxy-client         Feb 17, 2025 02:26 UTC   175d            front-proxy-ca          no      
scheduler.conf             Feb 17, 2025 02:26 UTC   175d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 06, 2033 02:38 UTC   8y              no      
etcd-ca                 Feb 06, 2033 02:38 UTC   8y              no      
front-proxy-ca          Feb 06, 2033 02:38 UTC   8y              no 
  • 续签所有证书
./kubeadm alpha  certs renew all
  • 更新kubeconfig证书
$ mv $HOME/.kube/config $HOME/.kube/config.old
$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ chown $(id -u):$(id -g) $HOME/.kube/config
  • 再次查看证书到期时间
$ kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 01, 2124 02:58 UTC   99y                                     no      
apiserver                  Aug 01, 2124 02:58 UTC   99y             ca                      no      
apiserver-etcd-client      Aug 01, 2124 02:58 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   Aug 01, 2124 02:58 UTC   99y             ca                      no      
controller-manager.conf    Aug 01, 2124 02:58 UTC   99y                                     no      
etcd-healthcheck-client    Aug 01, 2124 02:58 UTC   99y             etcd-ca                 no      
etcd-peer                  Aug 01, 2124 02:58 UTC   99y             etcd-ca                 no      
etcd-server                Aug 01, 2124 02:58 UTC   99y             etcd-ca                 no      
front-proxy-client         Aug 01, 2124 02:58 UTC   99y             front-proxy-ca          no      
scheduler.conf             Aug 01, 2124 02:58 UTC   99y                                     no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 06, 2033 02:38 UTC   8y              no      
etcd-ca                 Feb 06, 2033 02:38 UTC   8y              no      
front-proxy-ca          Feb 06, 2033 02:38 UTC   8y              no  

完成后重启 kube-api server、kube-controller、kube-scheduler、etcd 这 4 个容器即可,我们可以查看 apiserver 的证书的有效期来验证是否更新成功:

$ echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
notAfter=Aug  1 02:58:33 2124 GMT

可以看到现在的有效期是100年以后,证明已经更新成功。

  • 也可以直接获取所有证书的过期时间
$ for item in `find /etc/kubernetes/pki -maxdepth 2 -name "*.crt"`;do openssl x509 -in $item -text -noout| grep Not;echo ======================$item===============;done

            Not Before: Feb  9 02:38:42 2023 GMT
            Not After : Feb  6 02:38:42 2033 GMT
======================/etc/kubernetes/pki/front-proxy-ca.crt===============
            Not Before: Feb  9 02:38:43 2023 GMT
            Not After : Aug  1 02:58:33 2124 GMT
======================/etc/kubernetes/pki/apiserver-etcd-client.crt===============
            Not Before: Feb  9 02:38:41 2023 GMT
            Not After : Feb  6 02:38:41 2033 GMT
======================/etc/kubernetes/pki/ca.crt===============
            Not Before: Feb  9 02:38:41 2023 GMT
            Not After : Aug  1 02:58:34 2124 GMT
======================/etc/kubernetes/pki/apiserver-kubelet-client.crt===============
            Not Before: Feb  9 02:38:41 2023 GMT
            Not After : Aug  1 02:58:33 2124 GMT
======================/etc/kubernetes/pki/apiserver.crt===============
            Not Before: Feb  9 02:38:42 2023 GMT
            Not After : Aug  1 02:58:36 2124 GMT
======================/etc/kubernetes/pki/front-proxy-client.crt===============
            Not Before: Feb  9 02:38:43 2023 GMT
            Not After : Aug  1 02:58:36 2124 GMT
======================/etc/kubernetes/pki/etcd/server.crt===============
            Not Before: Feb  9 02:38:43 2023 GMT
            Not After : Aug  1 02:58:35 2124 GMT
======================/etc/kubernetes/pki/etcd/peer.crt===============
            Not Before: Feb  9 02:38:43 2023 GMT
            Not After : Feb  6 02:38:43 2033 GMT
======================/etc/kubernetes/pki/etcd/ca.crt===============
            Not Before: Feb  9 02:38:43 2023 GMT
            Not After : Aug  1 02:58:34 2124 GMT
======================/etc/kubernetes/pki/etcd/healthcheck-client.crt===============
  • 高可用k8s master节点需要将以下证书拷贝至其他master节点并重启 kube-api server、kube-controller、kube-scheduler、etcd 4 个容器。
cp  /root/etc/kubernetes/pki/ca.* /etc/kubernetes/pki/
cp  /root/etc/kubernetes/pki/sa.* /etc/kubernetes/pki/
cp  /root/etc/kubernetes/pki/front-proxy-ca.* /etc/kubernetes/pki/
cp  /root/etc/kubernetes/admin.conf /etc/kubernetes/admin.conf
cp  /etc/kubernetes/admin.conf /root/.kube/config

部分转载至
http://www.mydlq.club/article/118/

标签: none

添加新评论