Fixing expired k8s certificates

Posted by hanwei666


Download the Kubernetes source

apt-get install git

git clone https://github.com/kubernetes/kubernetes.git

Switch to the release branch

cd kubernetes && git checkout -b remotes/origin/release-1.13 v1.13.0

Download the Docker build environment

Pull the matching kube-cross version from Docker Hub: https://hub.docker.com/r/gcrcontainer/kube-cross/tags?page=2

docker pull gcrcontainer/kube-cross:v1.9.1-1 
docker run --rm -v /root/kubernetes/:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross:v1.9.1-1 bash

Modify the source

vim /kubernetes/staging/src/k8s.io/client-go/util/cert/cert.go

maxAge := time.Hour * 24 * 365                          // before
NotAfter:     time.Now().Add(duration365d).UTC()

maxAge := time.Hour * 24 * 365 * 50                     // after: certificate lifetime becomes 50 years
NotAfter:     time.Now().Add(duration365d * 50).UTC()

 

Build

cd /go/src/k8s.io/kubernetes

# build kubeadm; only the kubeadm binary is needed here
make all WHAT=cmd/kubeadm GOFLAGS=-v
Copy the built binary
cp ./_output/local/bin/linux/amd64/kubeadm 

 

master

Back up the certificates and config files

#!/usr/bin/env bash
set -e
sudo mv /etc/kubernetes/pki/apiserver.key /etc/kubernetes/pki/apiserver.key.old
sudo mv /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.crt /etc/kubernetes/pki/apiserver-kubelet-client.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.key /etc/kubernetes/pki/apiserver-kubelet-client.key.old
sudo mv /etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/front-proxy-client.crt.old
sudo mv /etc/kubernetes/pki/front-proxy-client.key /etc/kubernetes/pki/front-proxy-client.key.old
sudo mv /etc/kubernetes/pki/front-proxy-ca.crt /etc/kubernetes/pki/front-proxy-ca.crt.old
sudo mv /etc/kubernetes/pki/front-proxy-ca.key /etc/kubernetes/pki/front-proxy-ca.key.old
sudo mv /etc/kubernetes/admin.conf /etc/kubernetes/admin.conf.old
sudo mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.old
sudo mv /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.old
sudo mv /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.old

 

Copy the compiled kubeadm into place

cp kubeadm /usr/bin/

Create the kubeadm-conf.yaml file, regenerate the certificates and kubeconfigs, then refresh the local kubeconfig

cat > /tmp/kubeadm-conf.yaml <<EOF
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
networking:
  podSubnet: 192.169.0.0/16
  serviceSubnet: 10.96.0.0/12
#apiServerCertSANs:
#- master01
#- master02
#- master03
#- 172.16.2.1
#- 172.16.2.2
#- 172.16.2.3
#- 172.16.2.100
#etcd:
#  endpoints:
#     - http://192.168.188.160:2379
#     - http://192.168.188.161:2379
#     - http://192.168.188.162:2379
#token: 2wt8ap.ev8cvrpuzt81zwm7
#tokenTTL: "0"
kubernetesVersion: v1.11.5
#imageRepository:
api:
  advertiseAddress: 192.168.188.160
kubeletConfiguration:
  baseConfig:
    evictionHard:
      imagefs.available: 6Gi
      memory.available: 512Mi
      nodefs.available: 3Gi
EOF

sudo kubeadm alpha phase certs apiserver --config /tmp/kubeadm-conf.yaml
sudo kubeadm alpha phase certs front-proxy-ca --config /tmp/kubeadm-conf.yaml
sudo kubeadm alpha phase certs apiserver-kubelet-client --config /tmp/kubeadm-conf.yaml
sudo kubeadm alpha phase certs front-proxy-client --config /tmp/kubeadm-conf.yaml
sudo kubeadm alpha phase kubeconfig all --config /tmp/kubeadm-conf.yaml

sudo rm -rf $HOME/.kube
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Check the certificate validity dates

openssl x509 -in /etc/kubernetes/pki/front-proxy-client.crt -noout -dates

 

Addendum:

To avoid having to renew the client certificates every year, add the following line to /etc/kubernetes/manifests/kube-controller-manager.yaml at around line 26 (mind the indentation):

     - --experimental-cluster-signing-duration=876000h0m0s

After making the change, delete the files under /var/lib/kubelet/pki/ and restart the kubelet service.

Note: if the certificate is not generated, check whether the system clocks are synchronized.


Create a permanent token

kubeadm token create --ttl 0

rm -rf /var/lib/kubelet/pki/*

sudo sed -i "s/56d5fi.18j8g4fgca4lf1a1/06cymx.d1vcolksn9uwthqz/g" /etc/kubernetes/bootstrap-kubelet.conf

systemctl restart kubelet

 

node

Delete all files under /var/lib/kubelet/pki/

rm -rf /var/lib/kubelet/pki/*


Replace the token in /etc/kubernetes/bootstrap-kubelet.conf with the token value created above

sudo sed -i "s/56d5fi.18j8g4fgca4lf1a1/06cymx.d1vcolksn9uwthqz/g" /etc/kubernetes/bootstrap-kubelet.conf


Restart the kubelet service: systemctl restart kubelet


Check that it worked: ls /var/lib/kubelet/pki/


docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-cross:v1.7.5-2

https://www.cnblogs.com/skymyyang/p/11093686.html
https://www.cnblogs.com/kuku0223/p/10509637.html
https://hub.docker.com/r/gcrcontainer/kube-cross/tags?page=2
