Renewing a Kubernetes certificate with a 10-year validity period
<div class="article-title" style="color: rgb(51, 51, 51); font-family: "Microsoft Yahei", 微软雅黑, arial, 宋体, sans-serif; font-size: 16px;"><h1 style="margin: 20px 20px 10px; text-align: center; font-size: 22px; line-height: 40px; color: rgb(30, 139, 195);">Renewing a Kubernetes certificate with a 10-year validity period</h1></div>
<div class="info" style="margin-top: 10px; margin-bottom: 10px; text-align: center; color: rgb(51, 51, 51); font-family: "Microsoft Yahei", 微软雅黑, arial, 宋体, sans-serif; font-size: 16px;">Date: 2022-10-07</div>
<div class="intro" style="margin-top: 8px; margin-right: auto; margin-left: auto; padding: 8px 16px; width: 826.188px; line-height: 35px; background: rgb(245, 252, 238); border: 1px solid rgb(220, 221, 221); color: rgb(51, 51, 51); font-family: "Microsoft Yahei", 微软雅黑, arial, 宋体, sans-serif; font-size: 16px;">This article introduces renewing a Kubernetes certificate with a 10-year validity period. It covers renewing certificates manually, renewing certificates with the Kubernetes certificates API, basic concepts, basic usage, the underlying mechanism and points to note, and analyses usage techniques with examples, in the hope of helping readers understand and apply this material.</div>
<div class="article-content" id="code_example" style="padding: 12px 15px; line-height: 30px; overflow: hidden; color: rgb(51, 51, 51); font-family: "Microsoft Yahei", 微软雅黑, arial, 宋体, sans-serif; font-size: 16px; height: auto !important;">
<p style="margin-top: 20px; margin-bottom: 20px;">Installing a Kubernetes cluster with kubeadm is very convenient, but it has one annoying problem: the default certificates are valid for only one year, so certificate renewal has to be planned for. The demonstration cluster in this article runs v1.16.2; there is no guarantee that the steps below work on other versions. <strong>Back up the certificate directory before doing anything, so that you can roll back if something goes wrong.</strong> This article describes two ways to renew the cluster certificates.</p>
<h3 id="%E6%89%8B%E5%8A%A8%E6%9B%B4%E6%96%B0%E8%AF%81%E4%B9%A6" name="%E6%89%8B%E5%8A%A8%E6%9B%B4%E6%96%B0%E8%AF%81%E4%B9%A6" style="margin-top: 20px; margin-bottom: 20px; border-bottom: 1px solid rgb(228, 232, 235); position: relative; color: rgb(30, 139, 195); font-size: 16px;">Renewing certificates manually</h3>
<p style="margin-top: 20px; margin-bottom: 20px;">Client certificates generated by kubeadm are valid for one year by default. The <code>check-expiration</code> command checks whether they have expired:</p>
<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs sql">$ kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Nov 07, 2020 11:59 UTC   73d             no
apiserver                  Nov 07, 2020 11:59 UTC   73d             no
apiserver-etcd-client      Nov 07, 2020 11:59 UTC   73d             no
apiserver-kubelet-client   Nov 07, 2020 11:59 UTC   73d             no
controller-manager.conf    Nov 07, 2020 11:59 UTC   73d             no
etcd-healthcheck-client    Nov 07, 2020 11:59 UTC   73d             no
etcd-peer                  Nov 07, 2020 11:59 UTC   73d             no
etcd-server                Nov 07, 2020 11:59 UTC   73d             no
front-proxy-client         Nov 07, 2020 11:59 UTC   73d             no
scheduler.conf             Nov 07, 2020 11:59 UTC   73d             no</code></pre></div>
<p style="margin-top: 20px; margin-bottom: 20px;">The command shows the expiry date and remaining time of the client certificates in the <code>/etc/kubernetes/pki</code> directory and of the client certificates embedded in the <code>KUBECONFIG</code> files used by kubeadm.</p>
<blockquote style="margin: 15px auto; padding: 10px 15px 5px; border-width: 1px 1px 1px 3px; border-style: solid; border-color: rgb(214, 214, 214); border-image: initial; background-color: rgb(253, 253, 253); font-size: 12px;"><p style="margin-top: 20px; margin-bottom: 20px;"><code>kubeadm</code> cannot manage certificates signed by an external CA; renewal of such certificates has to be handled manually by you.</p></blockquote>
<p style="margin-top: 20px; margin-bottom: 20px;">Note also that <code>kubelet.conf</code> is not in the list above, because kubeadm configures the kubelet to rotate its certificate automatically.</p>
<p style="margin-top: 20px; margin-bottom: 20px;">kubeadm also renews all certificates automatically during a control-plane upgrade, so the best practice for a kubeadm cluster is to upgrade it regularly, which keeps it up to date and reasonably secure. In real production environments, however, clusters are often not upgraded that frequently, and then the certificates have to be renewed manually.</p>
<p style="margin-top: 20px; margin-bottom: 20px;">Manual renewal is also simple: the <code>kubeadm alpha certs renew</code> command renews the certificates, signing them with the CA (or front-proxy-CA) certificate and key stored in <code>/etc/kubernetes/pki</code>.</p>
<blockquote style="margin: 15px auto; padding: 10px 15px 5px; border-width: 1px 1px 1px 3px; border-style: solid; border-color: rgb(214, 214, 214); border-image: initial; background-color: rgb(253, 253, 253); font-size: 12px;"><p style="margin-top: 20px; margin-bottom: 20px;">If you run a highly available cluster, this command has to be executed on every control-plane node.</p></blockquote>
<p style="margin-top: 20px; margin-bottom: 20px;">Now let's renew the cluster certificates. All of the following steps are performed on the master node. First back up the existing certificates:</p>
<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby">$ mkdir /etc/kubernetes.bak
$ cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
$ cp /etc/kubernetes/*.conf /etc/kubernetes.bak</code></pre></div>
<p style="margin-top: 20px; margin-bottom: 20px;">Then back up the etcd data directory:</p>
<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs coffeescript">$ cp -r /var/lib/etcd /var/lib/etcd.bak</code></pre></div>
<p style="margin-top: 20px; margin-bottom: 20px;">Next run the renewal command:</p>
<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs sql">$ kubeadm alpha certs renew all --config=kubeadm.yaml
kubeadm alpha certs renew all --config=kubeadm.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed</code></pre></div>
<p style="margin-top: 20px; margin-bottom: 20px;">That one command renews all the certificates. Checking them again, the expiry dates are now a year away:</p>
<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs sql">$ kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Aug 26, 2021 03:47 UTC   364d            no
apiserver                  Aug 26, 2021 03:47 UTC   364d            no
apiserver-etcd-client      Aug 26, 2021 03:47 UTC   364d            no
apiserver-kubelet-client   Aug 26, 2021 03:47 UTC   364d            no
controller-manager.conf    Aug 26, 2021 03:47 UTC   364d            no
etcd-healthcheck-client    Aug 26, 2021 03:47 UTC   364d            no
etcd-peer                  Aug 26, 2021 03:47 UTC   364d            no
etcd-server                Aug 26, 2021 03:47 UTC   364d            no
front-proxy-client         Aug 26, 2021 03:47 UTC   364d            no
scheduler.conf             Aug 26, 2021 03:47 UTC   364d            no</code></pre></div>
<p style="margin-top: 20px; margin-bottom: 20px;">Then remember to regenerate the kubeconfig files:</p>
<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby">$ kubeadm init phase kubeconfig all --config kubeadm.yaml
Using kubeconfig folder "/etc/kubernetes"
Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"</code></pre></div>
<p style="margin-top: 20px; margin-bottom: 20px;">Overwrite the old admin kubeconfig with the newly generated admin.conf:</p>
<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby">$ mv $HOME/.kube/config $HOME/.kube/config.old
$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ chown $(id -u):$(id -g) $HOME/.kube/config</code></pre></div>
<p style="margin-top: 20px; margin-bottom: 20px;">Finally restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd. You can check the validity period of the apiserver's serving certificate to verify that the renewal succeeded:</p>
<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs javascript">$ echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
notAfter=Aug 26 03:47:23 2021 GMT</code></pre></div>
<p style="margin-top: 20px; margin-bottom: 20px;">The certificate now expires a year from now, which confirms that the renewal succeeded.</p>
<h3 id="%E7%94%A8-Kubernetes-%E8%AF%81%E4%B9%A6-API-%E6%9B%B4%E6%96%B0%E8%AF%81%E4%B9%A6" name="%E7%94%A8-Kubernetes-%E8%AF%81%E4%B9%A6-API-%E6%9B%B4%E6%96%B0%E8%AF%81%E4%B9%A6" style="margin-top: 20px; margin-bottom: 20px; border-bottom: 1px solid rgb(228, 232, 235); position: relative; color: rgb(30, 139, 195); font-size: 16px;">Renewing certificates with the Kubernetes certificates API</h3>
<p style="margin-top: 20px; margin-bottom: 20px;">Besides the one-command manual renewal above, certificates can also be renewed manually through the Kubernetes certificates API. In a production environment we may not want to take the risk of upgrading the cluster or renewing certificates frequently, since both carry risk, so we would like the generated certificates to have a long enough validity period. From a security standpoint this is not recommended, but in some scenarios a sufficiently long validity period is genuinely necessary. Many administrators simply patch the kubeadm source to use 10 years and rebuild it to create the cluster. That achieves the goal, but it is not recommended, especially because a later cluster upgrade then has to be done with a new patched version as well. Kubernetes in fact provides an API-based way to generate certificates with a long enough validity period. To sign with the built-in API, we first configure the <code>--experimental-cluster-signing-duration</code> flag of the kube-controller-manager component and set it to 10 years. Since this cluster was installed with kubeadm, we can edit the static Pod manifest directly:</p>
<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby">$ vi /etc/kubernetes/manifests/kube-controller-manager.yaml
......
<span class="hljs-symbol" style="color: rgb(28, 0, 207);">spec:</span>
<span class="hljs-symbol" style="color: rgb(28, 0, 207);">containers:</span>
- <span class="hljs-symbol" style="color: rgb(28, 0, 207);">command:</span>
- kube-controller-manager
<span class="hljs-comment" style="color: rgb(0, 106, 0);"># 设置证书有效期为 10 年</span>
- --experimental-cluster-signing-duration=<span class="hljs-number" style="color: rgb(28, 0, 207);">87600</span>h
- --client-ca-file=<span class="hljs-regexp" style="color: rgb(0, 136, 0);">/etc/kubernetes</span><span class="hljs-regexp" style="color: rgb(0, 136, 0);">/pki/ca</span>.crt
......</code></pre></div><p style="margin-top: 20px; margin-bottom: 20px;">修改完成后 kube-controller-manager 会自动重启生效。然后我们需要使用下面的命令为 Kubernetes 证书 API 创建一个证书签名请求。如果您设置例如 <code>cert-manager</code> 等外部签名者,则会自动批准证书签名请求(CSRs)。否者,您必须使用 <code>kubectl certificate</code> 命令手动批准证书。以下 kubeadm 命令输出要批准的证书名称,然后等待批准发生:</p><div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs sql">$ kubeadm alpha certs renew all <span class="hljs-comment" style="color: rgb(0, 106, 0);">--use-api --config kubeadm.yaml &</span></code></pre></div><p style="margin-top: 20px; margin-bottom: 20px;">输出类似于以下内容:</p><div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs css"><span class="hljs-attr_selector" style="color: rgb(0, 136, 0);"></span> 2890
 Certificate request "kubeadm-cert-kubernetes-admin-pn99f" created</code></pre></div><p style="margin-top: 20px; margin-bottom: 20px;">Next we need to approve the certificate manually:</p><div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby"><span class="hljs-variable" style="color: rgb(63, 110, 116);">$ </span>kubectl get csr
<span class="hljs-constant">NAME</span> <span class="hljs-constant">AGE</span> <span class="hljs-constant">REQUESTOR</span> <span class="hljs-constant">CONDITION</span>
kubeadm-cert-kubernetes-admin-pn99f <span class="hljs-number" style="color: rgb(28, 0, 207);">64</span>s kubernetes-admin <span class="hljs-constant">Pending</span>
<span class="hljs-comment" style="color: rgb(0, 106, 0);"># approve the CSR manually</span>
<span class="hljs-variable" style="color: rgb(63, 110, 116);">$ </span>kubectl certificate approve kubeadm-cert-kubernetes-admin-pn99f
certificatesigningrequest.certificates.k8s.io/kubeadm-cert-kubernetes-admin-pn99f approved</code></pre></div><p style="margin-top: 20px; margin-bottom: 20px;">Approve each CSR that is still in the Pending state the same way until every CSR has been approved. The final CSR list looks like this:</p><div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs css">$ kubectl get csr
<span class="hljs-tag" style="color: rgb(0, 0, 0);">NAME</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">AGE</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">REQUESTOR</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">CONDITION</span>
<span class="hljs-tag" style="color: rgb(0, 0, 0);">kubeadm-cert-front-proxy-client-llhrj</span> 30<span class="hljs-tag" style="color: rgb(0, 0, 0);">s</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">kubernetes-admin</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">Approved</span>,<span class="hljs-tag" style="color: rgb(0, 0, 0);">Issued</span>
<span class="hljs-tag" style="color: rgb(0, 0, 0);">kubeadm-cert-kube-apiserver-2s6kf</span> 2<span class="hljs-tag" style="color: rgb(0, 0, 0);">m43s</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">kubernetes-admin</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">Approved</span>,<span class="hljs-tag" style="color: rgb(0, 0, 0);">Issued</span>
<span class="hljs-tag" style="color: rgb(0, 0, 0);">kubeadm-cert-kube-apiserver-etcd-client-t9pkx</span> 2<span class="hljs-tag" style="color: rgb(0, 0, 0);">m7s</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">kubernetes-admin</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">Approved</span>,<span class="hljs-tag" style="color: rgb(0, 0, 0);">Issued</span>
<span class="hljs-tag" style="color: rgb(0, 0, 0);">kubeadm-cert-kube-apiserver-kubelet-client-pjbjm</span> 108<span class="hljs-tag" style="color: rgb(0, 0, 0);">s</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">kubernetes-admin</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">Approved</span>,<span class="hljs-tag" style="color: rgb(0, 0, 0);">Issued</span>
<span class="hljs-tag" style="color: rgb(0, 0, 0);">kubeadm-cert-kube-etcd-healthcheck-client-8dcn8</span> 64<span class="hljs-tag" style="color: rgb(0, 0, 0);">s</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">kubernetes-admin</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">Approved</span>,<span class="hljs-tag" style="color: rgb(0, 0, 0);">Issued</span>
<span class="hljs-tag" style="color: rgb(0, 0, 0);">kubeadm-cert-kubernetes-admin-pn99f</span> 4<span class="hljs-tag" style="color: rgb(0, 0, 0);">m29s</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">kubernetes-admin</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">Approved</span>,<span class="hljs-tag" style="color: rgb(0, 0, 0);">Issued</span>
<span class="hljs-tag" style="color: rgb(0, 0, 0);">kubeadm-cert-system</span><span class="hljs-pseudo" style="color: rgb(0, 0, 0);">:kube-controller-manager-mr86h</span> 79<span class="hljs-tag" style="color: rgb(0, 0, 0);">s</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">kubernetes-admin</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">Approved</span>,<span class="hljs-tag" style="color: rgb(0, 0, 0);">Issued</span>
<span class="hljs-tag" style="color: rgb(0, 0, 0);">kubeadm-cert-system</span><span class="hljs-pseudo" style="color: rgb(0, 0, 0);">:kube-scheduler-t8lnw</span> 17<span class="hljs-tag" style="color: rgb(0, 0, 0);">s</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">kubernetes-admin</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">Approved</span>,<span class="hljs-tag" style="color: rgb(0, 0, 0);">Issued</span>
<span class="hljs-tag" style="color: rgb(0, 0, 0);">kubeadm-cert-ydzs-master-cqh4s</span> 52<span class="hljs-tag" style="color: rgb(0, 0, 0);">s</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">kubernetes-admin</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">Approved</span>,<span class="hljs-tag" style="color: rgb(0, 0, 0);">Issued</span>
<span class="hljs-tag" style="color: rgb(0, 0, 0);">kubeadm-cert-ydzs-master-lvbr5</span> 41<span class="hljs-tag" style="color: rgb(0, 0, 0);">s</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">kubernetes-admin</span> <span class="hljs-tag" style="color: rgb(0, 0, 0);">Approved</span>,<span class="hljs-tag" style="color: rgb(0, 0, 0);">Issued</span></code></pre></div><p style="margin-top: 20px; margin-bottom: 20px;">Once all approvals are done, check the certificate expiry:</p><div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs sql">$ kubeadm alpha certs <span class="hljs-operator"><span class="hljs-keyword" style="color: rgb(170, 13, 145);">check</span>-expiration
CERTIFICATE EXPIRES RESIDUAL <span class="hljs-keyword" style="color: rgb(170, 13, 145);">TIME</span> EXTERNALLY MANAGED
admin.conf Nov <span class="hljs-number" style="color: rgb(28, 0, 207);">05</span>, <span class="hljs-number" style="color: rgb(28, 0, 207);">2029</span> <span class="hljs-number" style="color: rgb(28, 0, 207);">11</span>:<span class="hljs-number" style="color: rgb(28, 0, 207);">53</span> UTC <span class="hljs-number" style="color: rgb(28, 0, 207);">9</span>y <span class="hljs-keyword" style="color: rgb(170, 13, 145);">no</span>
apiserver Nov <span class="hljs-number" style="color: rgb(28, 0, 207);">05</span>, <span class="hljs-number" style="color: rgb(28, 0, 207);">2029</span> <span class="hljs-number" style="color: rgb(28, 0, 207);">11</span>:<span class="hljs-number" style="color: rgb(28, 0, 207);">54</span> UTC <span class="hljs-number" style="color: rgb(28, 0, 207);">9</span>y <span class="hljs-keyword" style="color: rgb(170, 13, 145);">no</span>
apiserver-etcd-client Nov <span class="hljs-number" style="color: rgb(28, 0, 207);">05</span>, <span class="hljs-number" style="color: rgb(28, 0, 207);">2029</span> <span class="hljs-number" style="color: rgb(28, 0, 207);">11</span>:<span class="hljs-number" style="color: rgb(28, 0, 207);">53</span> UTC <span class="hljs-number" style="color: rgb(28, 0, 207);">9</span>y <span class="hljs-keyword" style="color: rgb(170, 13, 145);">no</span>
apiserver-kubelet-client Nov <span class="hljs-number" style="color: rgb(28, 0, 207);">05</span>, <span class="hljs-number" style="color: rgb(28, 0, 207);">2029</span> <span class="hljs-number" style="color: rgb(28, 0, 207);">11</span>:<span class="hljs-number" style="color: rgb(28, 0, 207);">54</span> UTC <span class="hljs-number" style="color: rgb(28, 0, 207);">9</span>y <span class="hljs-keyword" style="color: rgb(170, 13, 145);">no</span>
controller-manager.conf Nov <span class="hljs-number" style="color: rgb(28, 0, 207);">05</span>, <span class="hljs-number" style="color: rgb(28, 0, 207);">2029</span> <span class="hljs-number" style="color: rgb(28, 0, 207);">11</span>:<span class="hljs-number" style="color: rgb(28, 0, 207);">54</span> UTC <span class="hljs-number" style="color: rgb(28, 0, 207);">9</span>y <span class="hljs-keyword" style="color: rgb(170, 13, 145);">no</span>
etcd-healthcheck-client Nov <span class="hljs-number" style="color: rgb(28, 0, 207);">05</span>, <span class="hljs-number" style="color: rgb(28, 0, 207);">2029</span> <span class="hljs-number" style="color: rgb(28, 0, 207);">11</span>:<span class="hljs-number" style="color: rgb(28, 0, 207);">53</span> UTC <span class="hljs-number" style="color: rgb(28, 0, 207);">9</span>y <span class="hljs-keyword" style="color: rgb(170, 13, 145);">no</span>
etcd-peer Nov <span class="hljs-number" style="color: rgb(28, 0, 207);">05</span>, <span class="hljs-number" style="color: rgb(28, 0, 207);">2029</span> <span class="hljs-number" style="color: rgb(28, 0, 207);">11</span>:<span class="hljs-number" style="color: rgb(28, 0, 207);">53</span> UTC <span class="hljs-number" style="color: rgb(28, 0, 207);">9</span>y <span class="hljs-keyword" style="color: rgb(170, 13, 145);">no</span>
etcd-<span class="hljs-keyword" style="color: rgb(170, 13, 145);">server</span> Nov <span class="hljs-number" style="color: rgb(28, 0, 207);">05</span>, <span class="hljs-number" style="color: rgb(28, 0, 207);">2029</span> <span class="hljs-number" style="color: rgb(28, 0, 207);">11</span>:<span class="hljs-number" style="color: rgb(28, 0, 207);">54</span> UTC <span class="hljs-number" style="color: rgb(28, 0, 207);">9</span>y <span class="hljs-keyword" style="color: rgb(170, 13, 145);">no</span>
front-proxy-client Nov <span class="hljs-number" style="color: rgb(28, 0, 207);">05</span>, <span class="hljs-number" style="color: rgb(28, 0, 207);">2029</span> <span class="hljs-number" style="color: rgb(28, 0, 207);">11</span>:<span class="hljs-number" style="color: rgb(28, 0, 207);">54</span> UTC <span class="hljs-number" style="color: rgb(28, 0, 207);">9</span>y <span class="hljs-keyword" style="color: rgb(170, 13, 145);">no</span>
scheduler.conf Nov <span class="hljs-number" style="color: rgb(28, 0, 207);">05</span>, <span class="hljs-number" style="color: rgb(28, 0, 207);">2029</span> <span class="hljs-number" style="color: rgb(28, 0, 207);">11</span>:<span class="hljs-number" style="color: rgb(28, 0, 207);">53</span> UTC <span class="hljs-number" style="color: rgb(28, 0, 207);">9</span>y <span class="hljs-keyword" style="color: rgb(170, 13, 145);">no</span></span></code></pre></div><p style="margin-top: 20px; margin-bottom: 20px;">We can see that the validity has been extended to just under 10 years; this is because the CA certificate itself is only valid for 10 years.</p><p style="margin-top: 20px; margin-bottom: 20px;">But we cannot simply restart the control plane components yet. In a cluster installed with kubeadm, etcd by default uses <code>/etc/kubernetes/pki/etcd/ca.crt</code> for signing, whereas the certificates we approved above with <code>kubectl certificate approve</code> were issued by the default <code>/etc/kubernetes/pki/ca.crt</code>, so the CA certificate that etcd trusts has to be replaced:</p><div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs coffeescript"><span class="hljs-comment" style="color: rgb(0, 106, 0);"># back up the static Pod manifests first</span>
$ cp -r <span class="hljs-regexp" style="color: rgb(0, 136, 0);">/etc/kubernetes/manifests/</span> /etc/kubernetes/manifests.bak
$ vi /etc/kubernetes/manifests/etcd.yaml
......
<span class="hljs-attribute" style="color: rgb(28, 0, 207);">spec</span>:
<span class="hljs-attribute" style="color: rgb(28, 0, 207);">containers</span>:
- <span class="hljs-attribute" style="color: rgb(28, 0, 207);">command</span>:
- etcd
<span class="hljs-comment" style="color: rgb(0, 106, 0);"># change to the cluster CA file</span>
- --peer-trusted-ca-file=/etc/kubernetes/pki/ca.crt
- --trusted-ca-file=/etc/kubernetes/pki/ca.crt
......
<span class="hljs-attribute" style="color: rgb(28, 0, 207);">volumeMounts</span>:
- <span class="hljs-attribute" style="color: rgb(28, 0, 207);">mountPath</span>: /<span class="hljs-reserved">var</span>/lib/etcd
<span class="hljs-attribute" style="color: rgb(28, 0, 207);">name</span>: etcd-data
- <span class="hljs-attribute" style="color: rgb(28, 0, 207);">mountPath</span>: /etc/kubernetes/pki <span class="hljs-comment" style="color: rgb(0, 106, 0);"># change the certificate directory</span>
<span class="hljs-attribute" style="color: rgb(28, 0, 207);">name</span>: etcd-certs
<span class="hljs-attribute" style="color: rgb(28, 0, 207);">volumes</span>:
- <span class="hljs-attribute" style="color: rgb(28, 0, 207);">hostPath</span>:
<span class="hljs-attribute" style="color: rgb(28, 0, 207);">path</span>: /etc/kubernetes/pki <span class="hljs-comment" style="color: rgb(0, 106, 0);"># mount the pki directory into etcd</span>
<span class="hljs-attribute" style="color: rgb(28, 0, 207);">type</span>: DirectoryOrCreate
<span class="hljs-attribute" style="color: rgb(28, 0, 207);">name</span>: etcd-certs
- <span class="hljs-attribute" style="color: rgb(28, 0, 207);">hostPath</span>:
<span class="hljs-attribute" style="color: rgb(28, 0, 207);">path</span>: /<span class="hljs-reserved">var</span>/lib/etcd
<span class="hljs-attribute" style="color: rgb(28, 0, 207);">type</span>: DirectoryOrCreate
<span class="hljs-attribute" style="color: rgb(28, 0, 207);">name</span>: etcd-data
......</code></pre></div><p style="margin-top: 20px; margin-bottom: 20px;">Since kube-apiserver connects to the etcd cluster, its etcd CA file has to be changed accordingly as well:</p><div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby"><span class="hljs-variable" style="color: rgb(63, 110, 116);">$ </span>vi /etc/kubernetes/manifests/kube-apiserver.yaml
......
<span class="hljs-symbol" style="color: rgb(28, 0, 207);">spec:</span>
<span class="hljs-symbol" style="color: rgb(28, 0, 207);">containers:</span>
- <span class="hljs-symbol" style="color: rgb(28, 0, 207);">command:</span>
- kube-apiserver
<span class="hljs-comment" style="color: rgb(0, 106, 0);"># point the etcd CA file at the default ca.crt</span>
- --etcd-cafile=<span class="hljs-regexp" style="color: rgb(0, 136, 0);">/etc/kubernetes</span><span class="hljs-regexp" style="color: rgb(0, 136, 0);">/pki/ca</span>.crt
......</code></pre></div><p style="margin-top: 20px; margin-bottom: 20px;">In addition, the <code>requestheader-client-ca-file</code> must be replaced too. By default it is <code>/etc/kubernetes/pki/front-proxy-ca.crt</code>, and it now also needs to be replaced with the default CA file; otherwise the aggregation layer breaks, for example <code>kubectl top</code> fails after metrics-server is installed:</p><div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby"><span class="hljs-variable" style="color: rgb(63, 110, 116);">$ </span>cp /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/front-proxy-ca.crt
<span class="hljs-variable" style="color: rgb(63, 110, 116);">$ </span>cp /etc/kubernetes/pki/ca.key /etc/kubernetes/pki/front-proxy-ca.key</code></pre></div><p style="margin-top: 20px; margin-bottom: 20px;">Because these are static Pods, the components above restart automatically once the edits are saved and the changes take effect. The kubelet in our current version has automatic certificate rotation enabled by default, so the kubelet certificates need no further management. With that, the certificates have been renewed with a 10-year validity. <strong>Always back up the certificate directory before starting, so that you can roll back if a step goes wrong</strong>.</p><p style="margin-top: 20px; margin-bottom: 20px;">Original article: https://www.qikqiak.com/post/update-k8s-10y-expire-certs/</p></div>