Kubernetes SSL

Kubernetes v1.19 编译 kubeadmin 修改证书有效期到 100年

Posted by sysin on 2019-09-02
Estimated Reading Time 7 Minutes
Words 1.5k In Total
Viewed Times

点击访问腾讯云官方网站

请访问原文链接:Kubernetes v1.18 编译 kubeadmin 修改证书有效期到 100 年,查看最新版。原创作品,转载请保留出处。

作者:gc(at)sysin.org,主页:www.sysin.org

Kubernetes 1.19, August 26, 2020

原有方法继续有效!

kubeadm 默认证书为一年,一年过期后,会导致 api service 不可用,使用过程中会出现:x509: certificate has expired or is not yet valid.

Google 建议通过不停更新版本来自动更新证书,太坑^_^

可以在初始化群集之前重新编译 kubeadm,证书有效期自动为 100年。

已经修改好的 kubeadm 下载(1.17.0、1.18.0、1.19.0):

百度网盘链接:https://pan.baidu.com/s/1EabyIm2fO4Rj5HOP_f5e9g 提取码:klom

1. 获取源码

访问:https://github.com/kubernetes/kubernetes/releases,下载特定版本源码

1
2
3
4
wget https://github.com/kubernetes/kubernetes/archive/v1.19.0.tar.gz
tar -zxvf v1.19.0.tar.gz
mv kubernetes-1.19.0 kubernetes
cd kubernetes

2. 修改证书有效期

查看网上的资料主要有两个地方需要修改

修改 CA 有效期为 100年(默认为 10年)

vim ./staging/src/k8s.io/client-go/util/cert/cert.go

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
// 这个方法里面NotAfter:              now.Add(duration365d * 10).UTC()
// 默认有效期就是10年,改成100年
// 输入/NotAfter查找,回车定位
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
        now := time.Now()
        tmpl := x509.Certificate{
                SerialNumber: new(big.Int).SetInt64(0),
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                NotBefore:             now.UTC(),
                // NotAfter:              now.Add(duration365d * 10).UTC(),
                NotAfter:              now.Add(duration365d * 100).UTC(),
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                BasicConstraintsValid: true,
                IsCA:                  true,
        }

        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
        if err != nil {
                return nil, err
        }
        return x509.ParseCertificate(certDERBytes)
}

修改证书有效期为 100年(默认为 1年)

vim ./cmd/kubeadm/app/constants/constants.go

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
// 就是这个常量定义CertificateValidity,改成*100年
const (
        // KubernetesDir is the directory Kubernetes owns for storing various configuration files
        KubernetesDir = "/etc/kubernetes"
        // ManifestsSubDirName defines directory name to store manifests
        ManifestsSubDirName = "manifests"
        // TempDirForKubeadm defines temporary directory for kubeadm
        // should be joined with KubernetesDir.
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        // CertificateValidity = time.Hour * 24 * 365
        CertificateValidity = time.Hour * 24 * 365 * 100

        // CACertAndKeyBaseName defines certificate authority base name
        CACertAndKeyBaseName = "ca"
        // CACertName defines certificate name
        CACertName = "ca.crt"
        // CAKeyName defines certificate name
        CAKeyName = "ca.key"

源代码改好了,接下来就是编译 kubeadm 了

3. 编译

3.1 Docker 镜像编译

  • 查看 kube-cross 的 TAG 版本号
1
2
3
# cat ./build/build-image/cross/VERSION

v1.15.0-1

这里我们可以使用官方容器对代码进行编译:k8s.gcr.io/kube-cross:v1.15.0-1

  • 拉取镜像
1
docker pull k8s.gcr.io/kube-cross:v1.15.0-1

无法文明上网,也没有找到替代镜像,可以直接跳过,使用本机编译。

  • 编译
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# docker run --rm -v <你修改后的代码目录>:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross bash
docker run --rm -v /root/kubernetes:/go/src/k8s.io/kubernetes -it k8s.gcr.io/kube-cross:v1.15.0-1 bash

cd /go/src/k8s.io/kubernetes

# 编译kubeadm, 这里主要编译kubeadm 即可
make all WHAT=cmd/kubeadm GOFLAGS=-v

# 编译kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v

# 编译kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v

# 退出容器
exit

#编译完产物在 _output/bin/kubeadm 目录下,
#其中bin是使用了软连接
#真实路径是_output/local/bin/linux/amd64/kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
#chmod +x /usr/bin/kubeadm

# 验证版本
kubeadm version

3.2 本机编译

环境需求参看官方文档

3.2.1 软件包准备

CentOS:

1
2
yum install gcc make -y
yum install rsync jq -y

Ubuntu:

1
2
sudo apt install build-essential #(Following command will install essential commands like gcc, make etc.)
sudo apt install rsync jq -y

3.2.2 GoLang 环境

查看 kube-cross 的 TAG 版本号

1
2
3
# cat ./build/build-image/cross/VERSION

v1.15.0-1
  • 安装 Go 环境:
1
2
3
4
5
6
7
8
9
10
11
12
13
wget https://dl.google.com/go/go1.15.linux-amd64.tar.gz
## 或者
# wget https://golang.google.cn/dl/go1.15.linux-amd64.tar.gz
tar zxvf go1.15.linux-amd64.tar.gz  -C /usr/local

# 编辑/etc/profile文件添加如下:
#go setting
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin

#生效
source /etc/profile
  • 验证:
1
2
go version
go version go1.15 linux/amd64
  • 编译:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# 编译kubeadm, 这里主要编译kubeadm 即可
make all WHAT=cmd/kubeadm GOFLAGS=-v

# 编译kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v

# 编译kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v

#编译完产物在 _output/bin/kubeadm 目录下,
#其中bin是使用了软连接
#真实路径是_output/local/bin/linux/amd64/kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm
1
2
kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.0", GitCommit:"e19964183377d0ec2052d1f1fa930c4d7575bd50", GitTreeState:"archive", BuildDate:"2020-09-01T04:36:15Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}

4、执行命令更新证书

可以先备份证书,证书在 /etc/kubernetes/pki

  • 检查证书到期时间
1
kubeadm alpha certs check-expiration

输出如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 08, 2120 05:35 UTC   99y                                     no
apiserver                  Aug 08, 2120 05:35 UTC   99y             ca                      no
apiserver-etcd-client      Aug 08, 2120 05:35 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Aug 08, 2120 05:35 UTC   99y             ca                      no
controller-manager.conf    Aug 08, 2120 05:35 UTC   99y                                     no
etcd-healthcheck-client    Aug 08, 2120 05:35 UTC   99y             etcd-ca                 no
etcd-peer                  Aug 08, 2120 05:35 UTC   99y             etcd-ca                 no
etcd-server                Aug 08, 2120 05:35 UTC   99y             etcd-ca                 no
front-proxy-client         Aug 08, 2120 05:35 UTC   99y             front-proxy-ca          no
scheduler.conf             Aug 08, 2120 05:35 UTC   99y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 08, 2120 05:35 UTC   99y             no
etcd-ca                 Aug 08, 2120 05:35 UTC   99y             no
front-proxy-ca          Aug 08, 2120 05:35 UTC   99y             no
  • 续订证书,查看可以使用的参数
1
2
3
4
5
6
7
8
9
10
11
12
13
kubeadm alpha certs renew --help
Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
  • 续订全部证书
1
kubeadm alpha certs renew all

  • 再次查看证书有效期,全部都 100年了

    kubeadm alpha certs check-expiration

参考文章:

https://blog.csdn.net/fuck487/article/details/102759523

https://www.cnblogs.com/skymyyang/p/11093686.html

捐助本站 ❤️ Donate

促销信息:

>> 阿里云:新用户2核2G仅需9元/月,1核2G云服务器仅需87元/年

>> 腾讯云:1核2G云服务器首年50元,爆款2核4G带宽8M只要74元/年

如果文章中使用的内容或图片侵犯了您的版权,请联系作者删除。如果您喜欢这篇文章或者觉得它对您有所帮助,欢迎您发表评论,也欢迎您分享这个网站,或者赞赏一下作者,谢谢!

支付宝打赏 微信打赏

赞赏一下

visitors: 1000000
FEATURED TAGS
Kubernetes SSL
SITE LINKS
ESC