上海人 posted on 2020-7-24 09:34:00

Appendix 025: Renewing certificates on a kubeadm-deployed Kubernetes cluster

<h2 align="left">1 Viewing certificates</h2>
<h3 align="left">1.1 Checking expiry dates, method one</h3>
<div class="cnblogs_code">
<pre># tree /etc/kubernetes/pki/
# for tls in `find /etc/kubernetes/pki -maxdepth 2 -name "*.crt"`; \
do echo ===============$tls===============; \
openssl x509 -in $tls -text | grep Not; \
done</pre>
</div>
<div style="line-height: normal; float: none; -ms-word-break: normal" align="center"><span style="font-family: 微软雅黑; font-size: small"><img src="https://img2020.cnblogs.com/blog/680719/202007/680719-20200724093337754-2050708014.png" alt="clipboard" width="785" height="601" title="clipboard" border="0" style="border: 0 currentColor; border-image: none; margin-right: auto; margin-left: auto; float: none; display: block; max-width: none; background-image: none" data-attr-org-src-id="8B6847A25104416BA2507AC20F51AB19" data-media-type="image"></span></div>
<h3 align="left">1.2 Checking expiry dates, method two</h3>
<div class="cnblogs_code">
<pre># tree /etc/kubernetes/pki/</pre>
</div>
<div style="line-height: normal; float: none; -ms-word-break: normal" align="center"><span style="font-family: 微软雅黑; font-size: small"><img src="https://img2020.cnblogs.com/blog/680719/202007/680719-20200724093338183-1087513031.png" alt="clipboard" width="445" height="503" title="clipboard" border="0" style="border: 0 currentColor; border-image: none; margin-right: auto; margin-left: auto; float: none; display: block; max-width: none; background-image: none" data-attr-org-src-id="32C6F8D3D5F547D087DC406777D15A7C" data-media-type="image"></span></div>
<div class="cnblogs_code">
<pre># kubeadm alpha certs check-expiration</pre>
</div>
<div style="line-height: normal; float: none; -ms-word-break: normal" align="center"><span style="font-family: 微软雅黑; font-size: small"><img src="https://img2020.cnblogs.com/blog/680719/202007/680719-20200724093339102-362115899.png" alt="clipboard" width="840" height="293" title="clipboard" border="0" style="border: 0 currentColor; border-image: none; margin-right: auto; margin-left: auto; float: none; display: block; max-width: none; background-image: none" data-attr-org-src-id="698F85E7DFF6446092E9F22557CF6D87" data-media-type="image"></span></div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong>Note: as the output above shows, the root certificates are valid for 10 years and every other certificate for 1 year.</strong></span></div>
<h2 align="left">2 Certificate categories</h2>
<h3 align="left">2.1 Cluster root certificate</h3>
<div class="cnblogs_code">
<pre># ll /etc/kubernetes/pki/ca*
-rw-r--r-- 1 root root 1.1K Jun 15 21:08 /etc/kubernetes/pki/ca.crt
-rw------- 1 root root 1.7K Jun 15 21:08 /etc/kubernetes/pki/ca.key</pre>
</div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">Certificates signed by this cluster root CA:</span></div>
<div style="line-height: normal; -ms-word-break: normal"><ol style="margin: 0; padding-left: 30pt">
<li style="text-align: left; line-height: 1.75; list-style-type: decimal; list-style-position: inside; white-space: pre-wrap; background-color: rgba(0, 0, 0, 0)"><span style="font-family: 微软雅黑; font-size: small">Server certificate held by the kube-apiserver component</span></li>
</ol></div>
<div class="cnblogs_code">
<pre># ll /etc/kubernetes/pki/apiserver.*
-rw-r--r-- 1 root root 1.3K Jun 15 21:08 /etc/kubernetes/pki/apiserver.crt
-rw------- 1 root root 1.7K Jun 15 21:08 /etc/kubernetes/pki/apiserver.key</pre>
</div>
<div style="line-height: normal; -ms-word-break: normal"><ol style="margin: 0; padding-left: 30pt" start="2">
<li style="text-align: left; line-height: 1.75; list-style-type: decimal; list-style-position: inside; white-space: pre-wrap; background-color: rgba(0, 0, 0, 0)"><span style="font-family: 微软雅黑; font-size: small">Client certificate held by the kubelet component</span></li>
</ol></div>
<div class="cnblogs_code">
<pre># ll /etc/kubernetes/pki/apiserver-kubelet-client.*
-rw-r--r-- 1 root root 1.1K Jun 15 21:08 /etc/kubernetes/pki/apiserver-kubelet-client.crt
-rw------- 1 root root 1.7K Jun 15 21:08 /etc/kubernetes/pki/apiserver-kubelet-client.key</pre>
</div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong>Note: the kubelet's /var/lib/kubelet/config.yaml normally does not name a server certificate explicitly; it only points at the CA root certificate and lets the kubelet generate its own server certificate from local host information and store it in the configured cert-dir.</strong></span></div>
<h3 align="left">2.2 Aggregation layer (front-proxy) certificates</h3>
<div class="cnblogs_code">
<pre># ll /etc/kubernetes/pki/front-proxy-ca.*
-rw-r--r-- 1 root root 1.1K Jun 15 21:08 /etc/kubernetes/pki/front-proxy-ca.crt
-rw------- 1 root root 1.7K Jun 15 21:08 /etc/kubernetes/pki/front-proxy-ca.key</pre>
</div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">Certificates signed by this aggregation-layer root CA:</span></div>
<div class="cnblogs_code">
<pre># ll /etc/kubernetes/pki/front-proxy-client.*
-rw-r--r-- 1 root root 1.1K Jun 15 21:08 /etc/kubernetes/pki/front-proxy-client.crt
-rw------- 1 root root 1.7K Jun 15 21:08 /etc/kubernetes/pki/front-proxy-client.key</pre>
</div>
<h3 align="left">2.3 etcd cluster root certificate</h3>
<div class="cnblogs_code">
<pre># ll /etc/kubernetes/pki/etcd/ca.*
-rw-r--r-- 1 root root 1017 Jun 15 21:08 /etc/kubernetes/pki/etcd/ca.crt
-rw------- 1 root root 1.7K Jun 15 21:08 /etc/kubernetes/pki/etcd/ca.key</pre>
</div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">Certificates signed by this etcd root CA:</span></div>
<div style="line-height: normal; -ms-word-break: normal"><ol style="margin: 0; padding-left: 30pt">
<li style="text-align: left; line-height: 1.75; list-style-type: decimal; list-style-position: inside; white-space: pre-wrap; background-color: rgba(0, 0, 0, 0)"><span style="font-family: 微软雅黑; font-size: small">etcd server certificate</span></li>
</ol></div>
<div class="cnblogs_code">
<pre># ll /etc/kubernetes/pki/etcd/server.*
-rw-r--r-- 1 root root 1.2K Jun 15 21:08 /etc/kubernetes/pki/etcd/server.crt
-rw------- 1 root root 1.7K Jun 15 21:08 /etc/kubernetes/pki/etcd/server.key</pre>
</div>
<div style="line-height: normal; -ms-word-break: normal"><ol style="margin: 0; padding-left: 30pt" start="2">
<li style="text-align: left; line-height: 1.75; list-style-type: decimal; list-style-position: inside; white-space: pre-wrap; background-color: rgba(0, 0, 0, 0)"><span style="font-family: 微软雅黑; font-size: small">Client certificate used by etcd peers to talk to each other</span></li>
</ol></div>
<div class="cnblogs_code">
<pre># ll /etc/kubernetes/pki/etcd/peer.*
-rw-r--r-- 1 root root 1.2K Jun 15 21:08 /etc/kubernetes/pki/etcd/peer.crt
-rw------- 1 root root 1.7K Jun 15 21:08 /etc/kubernetes/pki/etcd/peer.key</pre>
</div>
<div style="line-height: normal; -ms-word-break: normal"><ol style="margin: 0; padding-left: 30pt" start="3">
<li style="text-align: left; line-height: 1.75; list-style-type: decimal; list-style-position: inside; white-space: pre-wrap; background-color: rgba(0, 0, 0, 0)"><span style="font-family: 微软雅黑; font-size: small">Client certificate used by the liveness probe defined in the etcd pod</span></li>
</ol></div>
<div class="cnblogs_code">
<pre># ll /etc/kubernetes/pki/etcd/healthcheck-client.*
-rw-r--r-- 1 root root 1.1K Jun 15 21:08 /etc/kubernetes/pki/etcd/healthcheck-client.crt
-rw------- 1 root root 1.7K Jun 15 21:08 /etc/kubernetes/pki/etcd/healthcheck-client.key</pre>
</div>
<div style="line-height: normal; -ms-word-break: normal"><ol style="margin: 0; padding-left: 30pt" start="4">
<li style="text-align: left; line-height: 1.75; list-style-type: decimal; list-style-position: inside; white-space: pre-wrap; background-color: rgba(0, 0, 0, 0)"><span style="font-family: 微软雅黑; font-size: small">Client certificate configured in kube-apiserver for mutual authentication with the etcd server</span></li>
</ol></div>
<div class="cnblogs_code">
<pre># ll /etc/kubernetes/pki/apiserver-etcd-client.*
-rw-r--r-- 1 root root 1.1K Jun 15 21:08 /etc/kubernetes/pki/apiserver-etcd-client.crt
-rw------- 1 root root 1.7K Jun 15 21:08 /etc/kubernetes/pki/apiserver-etcd-client.key</pre>
</div>
<h3 align="left">2.4 Service account keys</h3>
<div class="cnblogs_code">
<pre># ll /etc/kubernetes/pki/sa.*
-rw------- 1 root root 1.7K Jun 15 21:08 /etc/kubernetes/pki/sa.key
-rw------- 1 root root  451 Jun 15 21:08 /etc/kubernetes/pki/sa.pub</pre>
</div>
<div style="line-height: 1.75; text-indent: 28px; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">The service account key pair is used only by kube-controller-manager: kube-controller-manager signs tokens with sa.key, and the master nodes verify those signatures with the public key sa.pub.</span></div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">Background: how the API Server authenticates a request:</span></div>
<div style="line-height: 1.75; text-indent: 28px; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">The API Server's authentication step supports several credential types: client certificates, bearer tokens, static password auth and others. The API Server tries them one after another, and the request is authenticated as soon as any one of them succeeds.</span></div>
<div style="line-height: 1.75; text-indent: 28px; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">Once the API Server sees that a client request carries a service account token, it authenticates it as a signed bearer token, using the service account token the request carries. That token was signed when the service account was created, with the key given by the API server start-up flag --service-account-key-file. If --service-account-key-file is not set, the value of --tls-private-key-file, i.e. the API Server's private key (server.key), is used by default.</span></div>
<div style="line-height: 1.75; text-indent: 28px; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">After authentication, the API Server runs the request through authorization and admission control based on the groups the pod's username belongs to, system:serviceaccounts and system:serviceaccounts:(NAMESPACE). In these two stages a cluster administrator can fine-tune what a service account is allowed to do.</span></div>
<div style="line-height: 1.75; text-indent: 28px; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">In a kubeadm-created cluster, kube-proxy, flannel and CoreDNS run as pods and authenticate to kube-apiserver directly with a service account from inside the pod, so no separate certificate needs to be created for kube-proxy.</span></div>
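<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">The sa.key / sa.pub relationship described above, as an added example that is not part of the original post: a minimal RS256 JWT signer and verifier in Go, standing in for what kube-controller-manager (signing side) and the API server with --service-account-key-file (verifying side) do. The claim names follow the legacy service account token format; the SignToken, VerifyToken and Demo functions and the kube-proxy sample values are constructed for this illustration. The verifier pins the algorithm and checks the signature before reading any claim, and the demo shows why a stale sa.pub on one master (the unrelated-key case) or any change to the payload after signing makes authentication fail.</span></div>

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is the subset of a legacy (non-expiring) service account token used here.
type Claims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
	Name      string `json:"kubernetes.io/serviceaccount/service-account.name"`
}

// SignToken plays the sa.key role: RS256 (RSASSA-PKCS1-v1_5 over SHA-256) of header.payload.
func SignToken(key *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) +
		"." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyToken plays the sa.pub role: pin the algorithm, recompute the digest over
// header.payload and check the signature; claims are returned only after it verifies.
func VerifyToken(pub *rsa.PublicKey, token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token must have three segments, got %d", len(parts))
	}
	var seg [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		seg[i] = b
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(seg[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: alg must be RS256") // the verifier chooses the algorithm, never the token
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// Demo signs a constructed kube-proxy token and verifies it with the matching public key,
// with an unrelated key (a stale sa.pub), and after the payload was changed behind the signature.
func Demo() (matchingKeyOK, otherKeyOK, alteredPayloadOK bool, err error) {
	var keys [2]*rsa.PrivateKey // keys[0] signs; keys[1] stands for an unrelated key pair
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	claims := Claims{"kubernetes/serviceaccount", "system:serviceaccount:kube-system:kube-proxy", "kube-system", "kube-proxy"}
	token, err := SignToken(keys[0], claims)
	if err != nil {
		return
	}
	_, e1 := VerifyToken(&keys[0].PublicKey, token)
	_, e2 := VerifyToken(&keys[1].PublicKey, token)
	claims.Namespace = "default" // same signature, different payload
	altered, _ := json.Marshal(claims)
	parts := strings.Split(token, ".")
	_, e3 := VerifyToken(&keys[0].PublicKey, parts[0]+"."+base64.RawURLEncoding.EncodeToString(altered)+"."+parts[2])
	return e1 == nil, e2 == nil, e3 == nil, nil
}

func main() {
	ok, other, altered, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("matching sa.pub: %v   unrelated key: %v   altered payload: %v\n", ok, other, altered)
}
```

<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">The practical consequence for this post: sa.key and sa.pub are not renewed by the certificate procedures below and must stay identical on every master, otherwise tokens minted by one controller-manager are rejected by another API server exactly as in the unrelated-key case.</span></div>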
<h2 align="left">3 Renewing certificates, method one</h2>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong>Note: this method uses kubeadm's default policy of extending validity by 1 year; to set a longer custom period, such as 100 years, see section four.</strong></span></div>
<h3 align="left">3.1 Back up the cluster configuration</h3>
<div class="cnblogs_code">
<pre># kubeadm config view &gt; kubeadm-cluster.yaml</pre>
</div>
<div style="line-height: normal; float: none; -ms-word-break: normal" align="center"><span style="font-family: 微软雅黑; font-size: small"><img src="https://img2020.cnblogs.com/blog/680719/202007/680719-20200724093339654-1420285562.png" alt="clipboard" width="436" height="643" title="clipboard" border="0" style="border: 0 currentColor; border-image: none; margin-right: auto; margin-left: auto; float: none; display: block; max-width: none; background-image: none" data-attr-org-src-id="BB6A2C25312F492E9F040B55FB21D302" data-media-type="image"></span></div>
<h3 align="left">3.2 Renew the certificates</h3>
<div class="cnblogs_code">
<pre># kubeadm alpha certs renew --help                # show help</pre>
</div>
<div style="line-height: normal; float: none; -ms-word-break: normal" align="center"><span style="font-family: 微软雅黑; font-size: small"><img src="https://img2020.cnblogs.com/blog/680719/202007/680719-20200724093340313-1680803547.png" alt="clipboard" width="845" height="647" title="clipboard" border="0" style="border: 0 currentColor; border-image: none; margin-right: auto; margin-left: auto; float: none; display: block; max-width: none; background-image: none" data-attr-org-src-id="67A0DF3DA4104CD2A291AD334BC52A5D" data-media-type="image"></span></div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong>Note: as the help output shows, certificates can also be renewed one at a time.</strong></span></div>
<div class="cnblogs_code">
<pre># kubeadm alpha certs renew all --config=kubeadm-cluster.yaml        # renew all certificates</pre>
</div>
<div style="line-height: normal; float: none; -ms-word-break: normal" align="center"><span style="font-family: 微软雅黑; font-size: small"><img src="https://img2020.cnblogs.com/blog/680719/202007/680719-20200724093340831-521879374.png" alt="clipboard" width="854" height="241" title="clipboard" border="0" style="border: 0 currentColor; border-image: none; margin-right: auto; margin-left: auto; float: none; display: block; max-width: none; background-image: none" data-attr-org-src-id="3704E4F361B747988A0363B6ED65B46E" data-media-type="image"></span></div>
<div class="cnblogs_code">
<pre># kubeadm alpha certs check-expiration                # verify the result</pre>
</div>
<div style="line-height: normal; float: none; -ms-word-break: normal" align="center"><span style="font-family: 微软雅黑; font-size: small"><img src="https://img2020.cnblogs.com/blog/680719/202007/680719-20200724093341771-287723264.png" alt="clipboard" width="849" height="294" title="clipboard" border="0" style="border: 0 currentColor; border-image: none; margin-right: auto; margin-left: auto; float: none; display: block; max-width: none; background-image: none" data-attr-org-src-id="777D81390FA34F3BAFB54BC246D1D718" data-media-type="image"></span></div>
<div class="cnblogs_code">
<pre># scp -rp kubeadm-cluster.yaml root@master02:/root/
# scp -rp kubeadm-cluster.yaml root@master03:/root/
# kubeadm alpha certs renew all --config=kubeadm-cluster.yaml
# kubeadm alpha certs renew all --config=kubeadm-cluster.yaml</pre>
</div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong>Note: the renewal must be run on every master node.</strong></span></div>
<h3 align="left">3.3 Activate the certificates</h3>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">On all three masters, restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd so the renewed certificates take effect.</span></div>
<div class="cnblogs_code">
<pre># docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' | xargs docker restart
# docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' | xargs docker restart
# docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' | xargs docker restart</pre>
</div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong>Note: the activation step must be run on every master node.</strong></span></div>
<h2 align="left">4 Renewing certificates, method two</h2>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong>Note: this method builds kubeadm from source with a custom certificate lifetime set in the source, e.g. 100 years.</strong></span></div>
<h3 align="left">4.1 Back up the cluster configuration</h3>
<div class="cnblogs_code">
<pre># kubeadm config view &gt; kubeadm-cluster.yaml</pre>
</div>
<h3 align="left">4.2 Check the current version</h3>
<div class="cnblogs_code">
<pre># kubectl version</pre>
</div>
<div style="line-height: normal; float: none; -ms-word-break: normal" align="center"><span style="font-family: 微软雅黑; font-size: small"><img src="https://img2020.cnblogs.com/blog/680719/202007/680719-20200724093342237-329375235.png" alt="clipboard" width="735" height="100" title="clipboard" border="0" style="border: 0 currentColor; border-image: none; margin-right: auto; margin-left: auto; float: none; display: block; max-width: none; background-image: none" data-attr-org-src-id="C6B7F187922A4FFF8F40E6377969DC20" data-media-type="image"></span></div>
<h3 align="left">4.3 Get the source</h3>
<div class="cnblogs_code">
<pre># wget https://github.com/kubernetes/kubernetes/archive/v1.18.3.tar.gz
# tar -zxvf v1.18.3.tar.gz</pre>
</div>
<h3 align="left">4.4 Change the CA certificate lifetime</h3>
<div class="cnblogs_code">
<pre># vi kubernetes-1.18.3/staging/src/k8s.io/client-go/util/cert/cert.go
...
57 func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
...
65         NotBefore:             now.UTC(),
66         NotAfter:              now.Add(duration365d * 100).UTC(),
...</pre>
</div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong>Note: the CA certificate lifetime is capped at 100 years; to raise that cap as well, change the following maxAge value in cert.go:</strong></span></div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong>maxAge := time.Hour * 24 * 365 * 10</strong></span></div>
<h3 align="left">4.5 Change the lifetime of the other certificates</h3>
<div class="cnblogs_code">
<pre># vi kubernetes-1.18.3/cmd/kubeadm/app/constants/constants.go
...
39 const (
48   // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
49   CertificateValidity = time.Hour * 24 * 365 * 100
...
# cat build/build-image/cross/VERSION
v1.13.9-5                                        # use the official cross-build image of this version</pre>
</div>
<h3 align="left">4.6 Build kubeadm, method one</h3>
<div class="cnblogs_code">
<pre># docker pull us.gcr.io/k8s-artifacts-prod/build-image/kube-cross:v1.13.9-5
# docker run --rm -v /root/kubernetes-1.18.3/:/go/src/k8s.io/kubernetes -it us.gcr.io/k8s-artifacts-prod/build-image/kube-cross:v1.13.9-5 bash
root@51e96585ea73:/go# cd /go/src/k8s.io/kubernetes
root@51e96585ea73:/go/src/k8s.io/kubernetes# make all WHAT=cmd/kubeadm GOFLAGS=-v</pre>
</div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong>Note: to build other commands, use the following:</strong></span></div>
<div class="cnblogs_code">
<pre># build kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v
# build kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v</pre>
</div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong># The compiled binary is at _output/bin/kubeadm,</strong></span></div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong># where bin is a symlink;</strong></span></div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong># the real path is _output/local/bin/linux/amd64/kubeadm</strong></span></div>
<div class="cnblogs_code">
<pre>root@51e96585ea73:/go/src/k8s.io/kubernetes# exit                        # leave the container
# mv /usr/bin/kubeadm /usr/bin/kubeadm_backup        # back up the original kubeadm
# cp kubernetes-1.18.3/_output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
# kubeadm version                                        # check the version</pre>
</div>
<h3 align="left">4.7 Build kubeadm, method two</h3>
<div class="cnblogs_code">
<pre># yum -y install gcc make rsync jq
# wget https://dl.google.com/go/go1.13.9.linux-amd64.tar.gz
# tar zxvf go1.13.9.linux-amd64.tar.gz -C /usr/local/
# vi /etc/profile.d/goenv.sh
# Go environment
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin
# source /etc/profile
# go version
go version go1.13.9 linux/amd64
# cd kubernetes-1.18.3/
# make all WHAT=cmd/kubeadm GOFLAGS=-v
# mv /usr/bin/kubeadm /usr/bin/kubeadm_backup        # back up the original kubeadm
# cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm</pre>
</div>
<h3 align="left">4.8 Back up the cluster configuration</h3>
<div class="cnblogs_code">
<pre># kubeadm config view &gt; kubeadm-cluster.yaml</pre>
</div>
<h3 align="left">4.9 Renew the certificates</h3>
<div class="cnblogs_code">
<pre># ssh root@master02 "mv /usr/bin/kubeadm /usr/bin/kubeadm_backup"
# ssh root@master03 "mv /usr/bin/kubeadm /usr/bin/kubeadm_backup"
# scp -rp kubeadm-cluster.yaml root@master02:/root/
# scp -rp kubeadm-cluster.yaml root@master03:/root/
# kubeadm alpha certs renew all --config=kubeadm-cluster.yaml
# kubeadm alpha certs renew all --config=kubeadm-cluster.yaml
# kubeadm alpha certs renew all --config=kubeadm-cluster.yaml
# kubeadm alpha certs check-expiration                # verify the result</pre>
</div>
<div style="line-height: normal; float: none; -ms-word-break: normal" align="center"><span style="font-family: 微软雅黑; font-size: small"><img src="https://img2020.cnblogs.com/blog/680719/202007/680719-20200724093342839-2070367004.png" alt="clipboard" width="844" height="212" title="clipboard" border="0" style="border: 0 currentColor; border-image: none; margin-right: auto; margin-left: auto; float: none; display: block; max-width: none; background-image: none" data-attr-org-src-id="7AB67AF5C24F4BB99E27787148894A3E" data-media-type="image"></span></div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong>Note: the renewal must be run on every master node.</strong></span></div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="color: rgba(255, 0, 0, 1); font-family: 微软雅黑; font-size: small"><strong>The root certificates ca, etcd-ca and front-proxy-ca only get their lifetime set during init, so for a kubeadm-deployed Kubernetes cluster it is advisable to use the source-build approach to set a longer certificate lifetime, such as 100 years, before initializing.</strong></span></div>
<div style="line-height: normal; float: none; -ms-word-break: normal" align="center"><span style="font-family: 微软雅黑; font-size: small"><img src="https://img2020.cnblogs.com/blog/680719/202007/680719-20200724093343772-557392093.png" alt="clipboard" width="846" height="293" title="clipboard" border="0" style="border: 0 currentColor; border-image: none; margin-right: auto; margin-left: auto; float: none; display: block; max-width: none; background-image: none" data-attr-org-src-id="FE8B9E2C9F82419AB687A4F258B51A0C" data-media-type="image"></span></div>
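<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">Why the note above ties sections 4.4 and 4.5 together: a certificate is only usable while every certificate in its chain is inside its validity window. If CertificateValidity in constants.go is raised to 100 years but the CA keeps its 10-year default (or the cluster was initialized before the rebuilt kubeadm was installed), the signed certificates outlive their CA and stop verifying the day the CA expires, even though their own NotAfter is decades away. The following Go program is an added example, not kubeadm's code: it builds a CA and a leaf with configurable lifetimes through a hypothetical issue helper (its NotBefore/NotAfter fields mirror the two cert.go lines in 4.4) and probes the chain with Go's standard x509 verifier at several future instants.</span></div>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const year = 365 * 24 * time.Hour // the duration365d unit used in cert.go

var serial int64 // constructed serial counter, enough for this demo

// issue is a hypothetical helper (not kubeadm code) that mints a certificate valid for
// `validity` from notBefore: self-signed when parent is nil, otherwise signed by parent.
// The NotBefore/NotAfter assignments mirror the two fields edited in cert.go in section 4.4.
func issue(cn string, isCA bool, notBefore time.Time, validity time.Duration,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore.UTC(),
		NotAfter:              notBefore.Add(validity).UTC(),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ChainValidAt reports whether leaf verifies against ca at the instant `at`. Go's verifier checks
// the validity window of every certificate in the chain, so a leaf that outlives its CA is rejected
// the moment the CA expires, however far away the leaf's own NotAfter is.
func ChainValidAt(leaf, ca *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err == nil
}

// Outcome captures the chain's fate at four probe instants (now, year 9, year 11, year 99).
type Outcome struct {
	LeafNotAfter, CANotAfter                       time.Time
	ValidNow, ValidYear9, ValidYear11, ValidYear99 bool
}

// Demo builds a CA and a CA-signed leaf with the given lifetimes in years (10 is kubeadm's CA
// default, 100 the edited CertificateValidity) and probes the chain at several future instants.
func Demo(caYears, leafYears int) (Outcome, error) {
	now := time.Now()
	ca, caKey, err := issue("kubernetes", true, now, time.Duration(caYears)*year, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	leaf, _, err := issue("kube-apiserver", false, now, time.Duration(leafYears)*year, ca, caKey)
	if err != nil {
		return Outcome{}, err
	}
	probe := func(years int) bool { return ChainValidAt(leaf, ca, now.Add(time.Duration(years)*year+time.Hour)) }
	return Outcome{leaf.NotAfter, ca.NotAfter, probe(0), probe(9), probe(11), probe(99)}, nil
}

func main() {
	for _, c := range [][2]int{{10, 100}, {100, 100}} {
		o, err := Demo(c[0], c[1])
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("CA %3d y / leaf %3d y: valid now=%v, year 9=%v, year 11=%v, year 99=%v\n",
			c[0], c[1], o.ValidNow, o.ValidYear9, o.ValidYear11, o.ValidYear99)
	}
}
```

<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">Running it prints two rows: with a 10-year CA and a 100-year leaf the chain fails from year 11 on, while with both at 100 years it still verifies at year 99. After a rebuild, compare the CERTIFICATE AUTHORITY expiry column of kubeadm alpha certs check-expiration against the individual certificates for exactly this mismatch.</span></div>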
<h3 align="left">4.10 Activate the certificates</h3>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">On all three masters, restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd so the renewed certificates take effect.</span></div>
<div style="line-height: 1.75; white-space: pre-wrap; -ms-word-break: normal" align="left"><span style="font-family: 微软雅黑; font-size: small">See 3.3 for the commands.</span></div>

</div>
<div id="MySignature" role="contentinfo">
    <div style="background: #f7acbc; color: #0; font-size: small">
<p>
Author: 木二
</p>
<p>
Source: http://www.cnblogs.com/itzgr/
</p>
<p>
About the author: cloud computing, virtualization, Linux; always happy to exchange ideas!
</p>
<p>
Copyright of this article belongs to the author. Reposting is welcome, but without the author's consent this notice must be kept and a link to the original placed prominently on the article page. For other questions, e-mail xhy@itzgr.com.
</p>
</div><br><br>
Source: https://www.cnblogs.com/itzgr/p/13370185.html