k8s pitfall notes: the one-year certificate validity
Preface: this article was compiled by the editors of cha138.com and covers the k8s one-year certificate validity problem; we hope it is of some reference value.
Following the installation steps at https://github.com/strongit/kubeadm-ha/, the cluster that kubeadm init produces has certificates that expire after one year: the CA certificates are issued for ten years, but every leaf certificate kubeadm signs with them (apiserver, apiserver-kubelet-client, front-proxy-client, and the client certificates embedded in the kubeconfig files) is issued for one year. The fix, in outline:
1. Keep ca.crt, ca.key, front-proxy-ca.crt and front-proxy-ca.key; these root certificates are valid for ten years.
2. Re-sign the leaf certificates with openssl.
3. Regenerate the remaining config with kubeadm alpha phase.
# in the kubeadm pki directory (/etc/kubernetes/pki by default):
cat csr.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = CN
ST = BeiJing
L = BeiJing
O = k8s
OU = System
CN = kubernetes
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = k8s-master01
DNS.7 = k8s-master02
DNS.8 = k8s-master03
IP.1 = 10.96.0.1
IP.2 = 100.82.200.190
IP.3 = 100.82.200.184
IP.4 = 100.82.200.187
IP.5 = 100.82.200.194
IP.6 = 10.220.8.184
IP.7 = 10.220.8.187
IP.8 = 10.220.8.190
IP.9 = 10.220.8.194
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
Note: the same csr.conf (CN=kubernetes, EKU serverAuth and clientAuth) is reused for all three certificates below. kubeadm itself issues apiserver-kubelet-client.crt with CN=kube-apiserver-kubelet-client and O=system:masters, and front-proxy-client.crt with CN=front-proxy-client, both for client authentication only; reusing the API server subject is what produces the Forbidden error at the end of this post, because the kubelet identifies the API server by the CN of that certificate. Also, -days 10000 (about 27 years) removes the rotation that the one-year lifetime was enforcing, so track these expiry dates yourself.
# apiserver.crt: the serving certificate of kube-apiserver, signed by ca.crt
openssl genrsa -out apiserver.key 2048
openssl req -new -key apiserver.key -out apiserver.csr -config csr.conf
openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days 10000 -extensions v3_ext -extfile csr.conf
openssl x509 -noout -text -in ./apiserver.crt |grep "Not"
# apiserver-kubelet-client.crt: the client certificate kube-apiserver presents to kubelets, signed by ca.crt
openssl genrsa -out apiserver-kubelet-client.key 2048
openssl req -new -key apiserver-kubelet-client.key -out apiserver-kubelet-client.csr -config csr.conf
openssl x509 -req -in apiserver-kubelet-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver-kubelet-client.crt -days 10000 -extensions v3_ext -extfile csr.conf
openssl x509 -noout -text -in ./apiserver-kubelet-client.crt |grep "Not"
# front-proxy-client.crt: the aggregation-layer client certificate, signed by front-proxy-ca.crt (not ca.crt)
openssl genrsa -out front-proxy-client.key 2048
openssl req -new -key front-proxy-client.key -out front-proxy-client.csr -config csr.conf
openssl x509 -req -in front-proxy-client.csr -CA front-proxy-ca.crt -CAkey front-proxy-ca.key -CAcreateserial -out front-proxy-client.crt -days 10000 -extensions v3_ext -extfile csr.conf
openssl x509 -noout -text -in ./front-proxy-client.crt |grep "Not"
Then let kubeadm fill in whatever is still missing and rewrite the kubeconfig files and control-plane manifests. Back up /etc/kubernetes (pki and the kubeconfig files) before running these. They are the kubeadm alpha phase subcommands of the kubeadm version used here; newer releases replace them with kubeadm init phase and provide kubeadm certs renew all (earlier kubeadm alpha certs renew all) for exactly this job, without hand-written openssl configs.
kubeadm alpha phase certs all --config kubeadm-config.yaml
kubeadm alpha phase kubelet config write-to-disk --config kubeadm-config.yaml
kubeadm alpha phase kubelet write-env-file --config kubeadm-config.yaml
kubeadm alpha phase kubeconfig kubelet --config kubeadm-config.yaml
kubeadm alpha phase kubeconfig all --config kubeadm-config.yaml
kubeadm alpha phase controlplane all --config kubeadm-config.yaml
systemctl restart kubelet
kubeadm alpha phase mark-master --config kubeadm-config.yaml
cp /etc/kubernetes/admin.conf ~/.kube/config
After restarting the cluster, kubectl logs XXXX -n kube-system failed with:
Error from server (Forbidden): Forbidden (user=kubernetes, verb=get, resource=nodes, subresource=proxy) ( pods/log kube-scheduler-k8s-master01)
Workaround: kubectl create clusterrolebinding system:kubernetes --clusterrole=cluster-admin --user=system:kubernetes
Two caveats. The user the kubelet denied is kubernetes, the CN of the apiserver-kubelet-client.crt signed above (check it with openssl x509 -noout -subject -in apiserver-kubelet-client.crt); a ClusterRoleBinding subject must match that CN exactly, so a binding for system:kubernetes does not cover a certificate whose CN is kubernetes. And the binding hands cluster-admin to whichever identity it names; the cleaner fix is to re-issue apiserver-kubelet-client.crt with kubeadm's own subject, CN=kube-apiserver-kubelet-client and O=system:masters, which is the identity kubeadm relies on and needs no extra binding.
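As an added example (not code from this post, from kubeadm-ha, or from kubeadm itself): a Go program using only the standard library that builds a constructed stand-in for the kubeadm PKI (ten-year CAs, one-year leaves, ECDSA P-256 keys instead of RSA for speed, SANs taken from the csr.conf above) and then does the three checks this post needs: verify each leaf against the right CA with the extended key usage it will actually be used for, report days until expiry so the one-year wall is seen before it hits, and map a client certificate to the user and groups Kubernetes derives from it (CN and O), which is the identity the Forbidden message reports. It also issues one kubelet-client certificate the way this post's csr.conf does (CN=kubernetes) to show why that identity is kubernetes and not system:kubernetes. The subjects used for kubeadm's own certificates (kube-apiserver-kubelet-client with O=system:masters, front-proxy-client) are kubeadm's defaults; the type and function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sort"
	"time"
)

// KeyPair holds a certificate and the private key that goes with it.
type KeyPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// PKI is a constructed stand-in for the kubeadm certificates the post touches.
type PKI struct {
	CA, FrontProxyCA                           KeyPair
	APIServer, KubeletClient, FrontProxyClient *x509.Certificate
	// MisissuedKubeletClient is signed the way the post's csr.conf does it:
	// CN=kubernetes, no O=system:masters, so the kubelet sees user "kubernetes".
	MisissuedKubeletClient *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 instead of RSA-2048 for speed (assumption)
	if err != nil {
		panic(err)
	}
	return k
}

func serial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	return n
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewCA issues a self-signed CA valid for ten years, the kubeadm default for ca.crt and front-proxy-ca.crt.
func NewCA(cn string, now time.Time) KeyPair {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return KeyPair{sign(tmpl, tmpl, &key.PublicKey, key), key}
}

// Issue signs a leaf under ca with exactly the subject, SANs and EKUs passed in, valid for the given number of days.
func Issue(ca KeyPair, subj pkix.Name, dns []string, ips []net.IP, eku []x509.ExtKeyUsage, days int, now time.Time) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: subj, DNSNames: dns, IPAddresses: ips,
		NotBefore: now, NotAfter: now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
	}
	return sign(tmpl, ca.Cert, &key.PublicKey, ca.Key)
}

// BuildPKI reproduces the kubeadm layout: one CA for the API server and its kubelet client,
// a separate front-proxy CA, one-year leaves (the post's problem) under ten-year CAs.
func BuildPKI(now time.Time) PKI {
	ca, fpca := NewCA("kubernetes", now), NewCA("front-proxy-ca", now)
	server := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	client := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	both := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	sans := []string{"kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster.local", "k8s-master01"}
	ips := []net.IP{net.ParseIP("10.96.0.1")} // service IP from the post's csr.conf
	return PKI{
		CA: ca, FrontProxyCA: fpca,
		APIServer:              Issue(ca, pkix.Name{CommonName: "kube-apiserver"}, sans, ips, server, 365, now),
		KubeletClient:          Issue(ca, pkix.Name{CommonName: "kube-apiserver-kubelet-client", Organization: []string{"system:masters"}}, nil, nil, client, 365, now),
		FrontProxyClient:       Issue(fpca, pkix.Name{CommonName: "front-proxy-client"}, nil, nil, client, 365, now),
		MisissuedKubeletClient: Issue(ca, pkix.Name{CommonName: "kubernetes"}, sans, ips, both, 10000, now), // as the post's csr.conf, -days 10000
	}
}

// VerifyAs checks chain, validity at now, EKU and (for servers) the SAN, as a TLS peer would.
func VerifyAs(leaf, ca *x509.Certificate, eku x509.ExtKeyUsage, dnsName string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{eku}, CurrentTime: now})
	return err
}

// DaysLeft is what `openssl x509 -noout -enddate` tells you, as a number.
func DaysLeft(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// ExpiringWithin lists the certificates (sorted by name) that expire inside the window; run it before the cluster does.
func ExpiringWithin(certs map[string]*x509.Certificate, now time.Time, days int) []string {
	var out []string
	for name, c := range certs {
		if DaysLeft(c, now) < days {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// X509User maps a client certificate to the identity the Kubernetes x509 authenticator derives:
// user = CN, groups = O. This is the name RBAC and kubelet authorization see in "user=...".
func X509User(c *x509.Certificate) (string, []string) {
	return c.Subject.CommonName, c.Subject.Organization
}

func main() {
	now := time.Now()
	p := BuildPKI(now)
	all := map[string]*x509.Certificate{"ca": p.CA.Cert, "front-proxy-ca": p.FrontProxyCA.Cert,
		"apiserver": p.APIServer, "apiserver-kubelet-client": p.KubeletClient, "front-proxy-client": p.FrontProxyClient}
	fmt.Println("expiring within 30 days, 340 days from now:", ExpiringWithin(all, now.AddDate(0, 0, 340), 30))
	u, g := X509User(p.MisissuedKubeletClient)
	fmt.Printf("post-style kubelet client authenticates as user=%q groups=%v\n", u, g)
}
```

Running it prints the three one-year leaves as the ones expiring (the CAs are fine) and shows that the post-style certificate authenticates as user "kubernetes" with no groups, which is why a binding for system:kubernetes does not match it. The same DaysLeft check applied to the real files (parse them with x509.ParseCertificate after decoding the PEM) is the monitoring step that turns this one-year surprise into a scheduled renewal.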