Kubernetes SSL

Kubernetes v1.18 编译 kubeadmin 修改证书有效期到 100 年

Posted by sysin on 2019-08-15
Estimated Reading Time 7 Minutes
Words 1.5k In Total

点击访问腾讯云官方网站

请访问原文链接:Kubernetes v1.23 编译 kubeadmin 修改证书有效期到 100 年,查看最新版。原创作品,转载请保留出处。

作者主页:www.sysin.org

抄袭者 maczqq_23930765hanzheng260561728 请远离本站!!!

kubeadm 默认证书为一年,一年过期后,会导致api service不可用,使用过程中会出现:x509: certificate has expired or is not yet valid.

Google 建议通过不停更新版本来自动更新证书,太坑^_^

可以在初始化群集之前重新编译kubeadm,证书有效期自动为100年。

1. 获取源码

访问:https://github.com/kubernetes/kubernetes/releases,下载特定版本源码

1
2
3
4
wget https://github.com/kubernetes/kubernetes/archive/v1.18.0.tar.gz
tar -zxvf v1.18.0.tar.gz
mv kubernetes-1.18.0 kubernetes
cd kubernetes

或者使用 git 获取

1
2
3
4
# yum install git
git clone https://github.com/kubernetes/kubernetes.git
cd kubernetes
git checkout -b remotes/origin/release-1.18 v1.18.0

2. 修改证书有效期

查看网上的资料主要有两个地方需要修改

修改 CA 有效期为 100 年(默认为 10 年)

vim ./staging/src/k8s.io/client-go/util/cert/cert.go

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
// 这个方法里面NotAfter:              now.Add(duration365d * 10).UTC()
// 默认有效期就是10年,改成100年 (sysin)
// 按/NotAfter查找
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
        now := time.Now()
        tmpl := x509.Certificate{
                SerialNumber: new(big.Int).SetInt64(0),
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                NotBefore:             now.UTC(),
                // NotAfter:              now.Add(duration365d * 10).UTC(),
                NotAfter:              now.Add(duration365d * 100).UTC(),
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                BasicConstraintsValid: true,
                IsCA:                  true,
        }

        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
        if err != nil {
                return nil, err
        }
        return x509.ParseCertificate(certDERBytes)
}

修改证书有效期为 100 年(默认为 1 年)

vim ./cmd/kubeadm/app/constants/constants.go

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
// 就是这个常量定义CertificateValidity,改成*100年 (sysin)
const (
        // KubernetesDir is the directory Kubernetes owns for storing various configuration files
        KubernetesDir = "/etc/kubernetes"
        // ManifestsSubDirName defines directory name to store manifests
        ManifestsSubDirName = "manifests"
        // TempDirForKubeadm defines temporary directory for kubeadm
        // should be joined with KubernetesDir.
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        // CertificateValidity = time.Hour * 24 * 365
        CertificateValidity = time.Hour * 24 * 365 * 100

        // CACertAndKeyBaseName defines certificate authority base name
        CACertAndKeyBaseName = "ca"
        // CACertName defines certificate name
        CACertName = "ca.crt"
        // CAKeyName defines certificate name
        CAKeyName = "ca.key"

git验证,修改的内容如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
git diff

diff --git a/cmd/kubeadm/app/constants/constants.go b/cmd/kubeadm/app/constants/constants.go
index 75adf43..54f25fa 100644
--- a/cmd/kubeadm/app/constants/constants.go
+++ b/cmd/kubeadm/app/constants/constants.go
@@ -44,7 +44,7 @@ const (
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
-       CertificateValidity = time.Hour * 24 * 365
+       CertificateValidity = time.Hour * 24 * 365 * 100

        // CACertAndKeyBaseName defines certificate authority base name
        CACertAndKeyBaseName = "ca"
diff --git a/staging/src/k8s.io/client-go/util/cert/cert.go b/staging/src/k8s.io/client-go/util/cert/cert.go
index 9fd097a..865d6bb 100644
--- a/staging/src/k8s.io/client-go/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/util/cert/cert.go
@@ -63,7 +63,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
                        Organization: cfg.Organization,
                },
                NotBefore:             now.UTC(),
-               NotAfter:              now.Add(duration365d * 10).UTC(),
+               NotAfter:              now.Add(duration365d * 100).UTC(),
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                BasicConstraintsValid: true,
                IsCA:                  true,

源代码改好了,接下来就是编译kubeadm了

3. 编译

3.1 Docker镜像编译(推荐)

  • 查看 kube-cross 的 TAG 版本号
1
2
3
cat ./build/build-image/cross/VERSION

v1.13.8-1

这里我们可以使用官方容器对代码进行编译:k8s.gcr.io/kube-cross:v1.13.6-1(当前只有1.13.6而不是1.13.8,未知)

  • 拉取镜像

无法翻墙可以用下面的替代镜像:

1
docker pull gcrcontainer/kube-cross:v1.13.6-1

或者:’docker pull registry.aliyuncs.com/google_containers/kube-cross:v1.13.6-1’

  • 编译
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# docker run --rm -v <你修改后的代码目录>:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross bash
docker run --rm -v /root/kubernetes:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross:v1.13.6-1 bash

cd /go/src/k8s.io/kubernetes

# 编译kubeadm, 这里主要编译kubeadm 即可
make all WHAT=cmd/kubeadm GOFLAGS=-v

# 编译kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v

# 编译kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v

# 退出容器
exit

#编译完产物在 _output/bin/kubeadm 目录下,
#其中bin是使用了软连接
#真实路径是_output/local/bin/linux/amd64/kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
#chmod +x /usr/bin/kubeadm

# 验证版本
kubeadm version

3.2 本机编

环境需求参看官方文档

3.2.1 软件包准备

CentOS:

1
2
yum install gcc make -y
yum install rsync jq -y

Ubuntu:

1
2
sudo apt install build-essential #(Following command will install essential commands like gcc, make etc.)
sudo apt install rsync jq -y

3.2.2 GoLang 环境

查看 kube-cross 的 TAG 版本号

1
2
3
# cat ./build/build-image/cross/VERSION

v1.13.8-1
  • 安装Go环境:
1
2
3
4
5
6
7
8
9
10
11
wget https://dl.google.com/go/go1.13.8.linux-amd64.tar.gz
tar zxvf go1.13.8.linux-amd64.tar.gz  -C /usr/local

# 编辑/etc/profile文件添加如下:
#go setting
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin

#生效
source /etc/profile
  • 验证:
1
2
go version
go version go1.13.8 linux/amd64
  • 编译:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# 编译kubeadm, 这里主要编译kubeadm 即可
make all WHAT=cmd/kubeadm GOFLAGS=-v

# 编译kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v

# 编译kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v

#编译完产物在 _output/bin/kubeadm 目录下,
#其中bin是使用了软连接
#真实路径是_output/local/bin/linux/amd64/kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm

4. 执行命令更新证书

可以先备份证书,证书在/etc/kubernetes/pki

  • 检查证书到期时间
1
kubeadm alpha certs check-expiration
  • 续订证书,查看可以使用的参数
1
2
3
4
5
6
7
8
9
10
11
12
13
kubeadm alpha certs renew --help
Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
  • 续订全部证书
1
kubeadm alpha certs renew all
  • 再次查看证书有效期,全部都100年了
1
kubeadm alpha certs check-expiration

5. 下载

已经修改好的 kubeadm 下载(1.17.0、1.18.0、1.19.0,1.20.0, 持续更新中):

百度网盘链接:https://sysin.org/blog/kubernetes-kubeadmin-cert-100y/

捐助本站 ❤️ Donate

促销信息:

>> 阿里云:新用户2核2G仅需9元/月,1核2G云服务器仅需87元/年(限时优惠,不定期更新)

>> 腾讯云:1核2G云服务器首年50元,爆款2核4G带宽8M只要74元/年(限时优惠,不定期更新)

如果文章中使用的内容或图片侵犯了您的版权,请联系作者删除。如果您喜欢这篇文章或者觉得它对您有所帮助,欢迎您发表评论,也欢迎您分享这个网站,或者赞赏一下作者,谢谢!

支付宝赞赏 微信赞赏

赞赏一下

特色标签
Kubernetes SSL
网站链接
ESC