更新一个10年有效期的 Kubernetes 证书

dirtysea 发表于 2023-6-8 18:02:12

更新一个10年有效期的 Kubernetes 证书

<div class="article-title" style="color: rgb(51, 51, 51); font-family: "Microsoft Yahei", 微软雅黑, arial, 宋体, sans-serif; font-size: 16px;"><h1 style="margin: 20px 20px 10px; text-align: center; font-size: 22px; line-height: 40px; color: rgb(30, 139, 195);">更新一个10年有效期的 Kubernetes 证书</h1></div><div class="info" style="margin-top: 10px; margin-bottom: 10px; text-align: center; color: rgb(51, 51, 51); font-family: "Microsoft Yahei", 微软雅黑, arial, 宋体, sans-serif; font-size: 16px;">时间:2022-10-07</div><div id="ads_under_title" style="margin-top: 10px; margin-bottom: 10px; text-align: center; color: rgb(51, 51, 51); font-family: "Microsoft Yahei", 微软雅黑, arial, 宋体, sans-serif; font-size: 16px;"><ins class="adsbygoogle common_ad_class" data-ad-client="ca-pub-9401041403549801" data-ad-slot="4032144190" data-full-width-responsive="true" data-adsbygoogle-status="done" data-ad-status="unfilled" style="width: 728px; height: 90px; display: inline-block;"><div id="aswift_0_host" tabindex="0" title="Advertisement" aria-label="Advertisement" style="border: none; height: 90px; width: 728px; position: relative; visibility: visible; background-color: transparent; display: inline-block;"><iframe id="aswift_0" name="aswift_0" sandbox="allow-forms allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts allow-top-navigation-by-user-activation" width="728" height="90" frameborder="0" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="no" src="https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9401041403549801&output=html&h=90&slotname=4032144190&adk=909515367&adf=577686739&pi=t.ma~as.4032144190&w=728&fwrn=4&fwrnh=100&lmt=1686217844&rafmt=12&format=728x90&url=http%3A%2F%2Fwww.manongjc.com%2Fdetail%2F61-swsgdvkfxuitmgk.html&fwr=0&fwrattr=true&rh=90&rw=728&sfro=1&wgl=1&dt=1686217844257&bpp=4&bdt=145&idt=173&shv=r20230606&mjsv=m202306010101&ptt=9&saldr=aa&abxe=1&cookie=ID%3Db3259055b4651ff1-22d5acd616d70043%3AT%3D1666087292%3ART%3D1686216735%3AS%3DALNI_MZrFvKdq441CEIRJ9OKfN3MS1rk-g&gpic=UID%3D00000b655f6d480b%3AT%3D1666087292%3ART%3D1686216735%3AS%3DALNI_MZJZn-FjsVdDxM9XGInkr2NGqMZpw&correlator=2279773850106&frm=20&pv=2&ga_vid=1330103958.1686217844&ga_sid=1686217844&ga_hid=530861798&ga_fc=0&u_tz=480&u_his=1&u_h=1080&u_w=1920&u_ah=1080&u_aw=1920&u_cd=24&u_sd=1&adx=427&ady=307&biw=1903&bih=1009&scr_x=0&scr_y=1901&eid=44759876%2C44759927%2C44759837%2C31074198%2C44788441%2C44793497%2C44792404&oid=2&pvsid=1963144825673044&tmod=336333680&uas=0&nvt=2&ref=https%3A%2F%2Fwww.baidu.com%2Flink%3Furl%3DzvpwIaFOUersFeoUY2XLRnT5CfbRdVOkhUBbOoJ-43CDPqPFJX49I-36v2EZAXKsWYSy16uyj5PGfzCXF7e50a%26wd%3D%26eqid%3Dc9095136000026470000000464819feb&fc=896&brdim=1920%2C0%2C1920%2C0%2C1920%2C0%2C1920%2C1080%2C1920%2C1009&vis=1&rsz=%7C%7CpoeE%7C&abl=CS&pfx=0&fu=128&bc=23&ifi=1&uci=a!1&fsb=1&xpc=TCQXuRilqJ&p=http%3A//www.manongjc.com&dtd=182" data-google-container-id="a!1" data-load-complete="true" data-google-query-id="CJ7V6Zmzs_8CFQWglgod5DUMEg" style="left: 0px; position: absolute; top: 0px; border-width: 0px; border-style: initial; width: 728px; height: 90px;"></iframe></div></ins></div><div class="intro" style="margin-top: 8px; margin-right: auto; margin-left: auto; padding: 8px 16px; width: 826.188px; line-height: 35px; background: rgb(245, 252, 238); border: 1px solid rgb(220, 221, 221); color: rgb(51, 51, 51); font-family: "Microsoft Yahei", 微软雅黑, arial, 宋体, sans-serif; font-size: 16px;">本文章向大家介绍更新一个10年有效期的 Kubernetes 证书，主要内容包括手动更新证书、用 Kubernetes 证书 API 更新证书、基本概念、基础应用、原理机制和需要注意的事项等，并结合实例形式分析了其使用技巧，希望通过本文能帮助到大家理解应用这部分内容。</div><div class="article-content" id="code_example" style="padding: 12px 15px; line-height: 30px; overflow: hidden; color: rgb(51, 51, 51); font-family: "Microsoft Yahei", 微软雅黑, arial, 宋体, sans-serif; font-size: 16px; height: auto !important;"><div id="article_left_top_banner" style="margin-top: 10px; margin-bottom: 10px; text-align: center;"><ins class="adsbygoogle common_ad_class" data-ad-client="ca-pub-9401041403549801" data-ad-slot="1516503570" data-adsbygoogle-status="done" data-ad-status="unfilled" style="width: 728px; height: 90px; display: inline-block;"><div id="aswift_1_host" tabindex="0" title="Advertisement" aria-label="Advertisement" style="border: none; height: 90px; width: 728px; position: relative; visibility: visible; background-color: transparent; display: inline-block;"><iframe id="aswift_1" name="aswift_1" sandbox="allow-forms allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts allow-top-navigation-by-user-activation" width="728" height="90" frameborder="0" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="no" src="https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9401041403549801&output=html&h=90&slotname=1516503570&adk=61531810&adf=3996677496&pi=t.ma~as.1516503570&w=728&lmt=1686217844&rafmt=12&format=728x90&url=http%3A%2F%2Fwww.manongjc.com%2Fdetail%2F61-swsgdvkfxuitmgk.html&wgl=1&dt=1686217844261&bpp=1&bdt=148&idt=194&shv=r20230606&mjsv=m202306010101&ptt=9&saldr=aa&abxe=1&cookie=ID%3Db3259055b4651ff1-22d5acd616d70043%3AT%3D1666087292%3ART%3D1686216735%3AS%3DALNI_MZrFvKdq441CEIRJ9OKfN3MS1rk-g&gpic=UID%3D00000b655f6d480b%3AT%3D1666087292%3ART%3D1686216735%3AS%3DALNI_MZJZn-FjsVdDxM9XGInkr2NGqMZpw&prev_fmts=728x90&correlator=2279773850106&frm=20&pv=1&ga_vid=1330103958.1686217844&ga_sid=1686217844&ga_hid=530861798&ga_fc=0&u_tz=480&u_his=1&u_h=1080&u_w=1920&u_ah=1080&u_aw=1920&u_cd=24&u_sd=1&adx=427&ady=552&biw=1903&bih=1009&scr_x=0&scr_y=1901&eid=44759876%2C44759927%2C44759837%2C31074198%2C44788441%2C44793497%2C44792404&oid=2&pvsid=1963144825673044&tmod=336333680&uas=0&nvt=2&ref=https%3A%2F%2Fwww.baidu.com%2Flink%3Furl%3DzvpwIaFOUersFeoUY2XLRnT5CfbRdVOkhUBbOoJ-43CDPqPFJX49I-36v2EZAXKsWYSy16uyj5PGfzCXF7e50a%26wd%3D%26eqid%3Dc9095136000026470000000464819feb&fc=896&brdim=1920%2C0%2C1920%2C0%2C1920%2C0%2C1920%2C1080%2C1920%2C1009&vis=1&rsz=%7C%7CpoeE%7C&abl=CS&pfx=0&fu=256&bc=23&ifi=2&uci=a!2&fsb=1&xpc=JvWXh9KP9X&p=http%3A//www.manongjc.com&dtd=198" data-google-container-id="a!2" data-load-complete="true" data-google-query-id="CP_x6Zmzs_8CFYfDlgodHrQJ4g" style="left: 0px; position: absolute; top: 0px; border-width: 0px; border-style: initial; width: 728px; height: 90px;"></iframe></div></ins></div>使用 kubeadm 安装 kubernetes 集群非常方便，但是也有一个比较烦人的问题就是默认的证书有效期只有一年时间，所以需要考虑证书升级的问题，本文的演示集群版本为 v1.16.2 版本，不保证下面的操作对其他版本也适用，在操作之前一定要先对证书目录进行备份，防止操作错误进行回滚。本文主要介绍两种方式来更新集群证书。<h3 id="%E6%89%8B%E5%8A%A8%E6%9B%B4%E6%96%B0%E8%AF%81%E4%B9%A6" name="%E6%89%8B%E5%8A%A8%E6%9B%B4%E6%96%B0%E8%AF%81%E4%B9%A6" style="margin-top: 20px; margin-bottom: 20px; border-bottom: 1px solid rgb(228, 232, 235); position: relative; color: rgb(30, 139, 195); font-size: 16px;">手动更新证书</h3>由 kubeadm 生成的客户端证书默认只有一年有效期，我们可以通过 <code>check-expiration</code> 命令来检查证书是否过期：<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs sql">$ kubeadm alpha certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Nov 07, 2020 11:59 UTC 73d no
apiserver Nov 07, 2020 11:59 UTC 73d no
apiserver-etcd-client Nov 07, 2020 11:59 UTC 73d no
apiserver-kubelet-client Nov 07, 2020 11:59 UTC 73d no
controller-manager.conf Nov 07, 2020 11:59 UTC 73d no
etcd-healthcheck-client Nov 07, 2020 11:59 UTC 73d no
etcd-peer Nov 07, 2020 11:59 UTC 73d no
etcd-server Nov 07, 2020 11:59 UTC 73d no
front-proxy-client Nov 07, 2020 11:59 UTC 73d no
scheduler.conf Nov 07, 2020 11:59 UTC 73d no</code></pre></div>该命令显示 <code>/etc/kubernetes/pki</code> 文件夹中的客户端证书以及 kubeadm 使用的 <code>KUBECONFIG</code> 文件中嵌入的客户端证书的到期时间/剩余时间。<blockquote style="margin: 15px auto; padding: 10px 15px 5px; border-width: 1px 1px 1px 3px; border-style: solid; border-color: rgb(214, 214, 214); border-image: initial; background-color: rgb(253, 253, 253); font-size: 12px;"><code>kubeadm</code> 不能管理由外部 CA 签名的证书，如果是外部得证书，需要自己手动去管理证书的更新。</blockquote>另外需要说明的是上面的列表中没有包含 <code>kubelet.conf</code>，因为 kubeadm 将 kubelet 配置为自动更新证书。另外 kubeadm 会在控制面板升级的时候自动更新所有证书，所以使用 kubeadm 搭建得集群最佳的做法是经常升级集群，这样可以确保你的集群保持最新状态并保持合理的安全性。但是对于实际的生产环境我们可能并不会去频繁得升级集群，所以这个时候我们就需要去手动更新证书。要手动更新证书也非常方便，我们只需要通过 <code>kubeadm alpha certs renew</code> 命令即可更新你的证书，这个命令用 CA（或者 front-proxy-CA ）证书和存储在 <code>/etc/kubernetes/pki</code> 中的密钥执行更新。<blockquote style="margin: 15px auto; padding: 10px 15px 5px; border-width: 1px 1px 1px 3px; border-style: solid; border-color: rgb(214, 214, 214); border-image: initial; background-color: rgb(253, 253, 253); font-size: 12px;">如果你运行了一个高可用的集群，这个命令需要在所有控制面板节点上执行。</blockquote>接下来我们来更新我们的集群证书，下面的操作都是在 master 节点上进行，首先备份原有证书：<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby">$ mkdir /etc/kubernetes.bak
$ cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
$ cp /etc/kubernetes/*.conf /etc/kubernetes.bak</code></pre></div>然后备份 etcd 数据目录：<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs coffeescript">$ cp -r /var/lib/etcd /var/lib/etcd.bak</code></pre></div>接下来执行更新证书的命令：<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs sql">$ kubeadm alpha certs renew all --config=kubeadm.yaml
kubeadm alpha certs renew all --config=kubeadm.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed</code></pre></div>通过上面的命令证书就一键更新完成了，这个时候查看上面的证书可以看到过期时间已经是一年后的时间了：<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs sql">$ kubeadm alpha certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Aug 26, 2021 03:47 UTC 364d no
apiserver Aug 26, 2021 03:47 UTC 364d no
apiserver-etcd-client Aug 26, 2021 03:47 UTC 364d no
apiserver-kubelet-client Aug 26, 2021 03:47 UTC 364d no
controller-manager.conf Aug 26, 2021 03:47 UTC 364d no
etcd-healthcheck-client Aug 26, 2021 03:47 UTC 364d no
etcd-peer Aug 26, 2021 03:47 UTC 364d no
etcd-server Aug 26, 2021 03:47 UTC 364d no
front-proxy-client Aug 26, 2021 03:47 UTC 364d no
scheduler.conf Aug 26, 2021 03:47 UTC 364d no</code></pre></div>然后记得更新下 kubeconfig 文件：<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby">$ kubeadm init phase kubeconfig all --config kubeadm.yaml
Using kubeconfig folder "/etc/kubernetes"
Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"</code></pre></div>将新生成的 admin 配置文件覆盖掉原本的 admin 文件:<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby">$ mv $HOME/.kube/config $HOME/.kube/config.old
$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ chown $(id -u):$(id -g) $HOME/.kube/config</code></pre></div>完成后重启 kube-apiserver、kube-controller、kube-scheduler、etcd 这4个容器即可，我们可以查看 apiserver 的证书的有效期来验证是否更新成功：<div class="google-auto-placed ap_container" style="width: 888px; height: auto; clear: both; text-align: center;"><ins data-ad-format="auto" class="adsbygoogle adsbygoogle-noablate" data-ad-client="ca-pub-9401041403549801" data-adsbygoogle-status="done" data-ad-status="unfilled" style="display: block; margin: auto; background-color: transparent; height: 0px;"><div id="aswift_6_host" tabindex="0" title="Advertisement" aria-label="Advertisement" style="border: none; height: 0px; width: 888px; position: relative; visibility: visible; background-color: transparent; display: inline-block; overflow: hidden; opacity: 0;"><iframe id="aswift_6" name="aswift_6" sandbox="allow-forms allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts allow-top-navigation-by-user-activation" width="888" height="0" frameborder="0" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="no" src="https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9401041403549801&output=html&h=280&adk=2518444760&adf=1637950308&pi=t.aa~a.1377454617~i.49~rp.4&w=888&fwrn=4&fwrnh=100&lmt=1686217844&num_ads=1&rafmt=1&armr=3&sem=mc&pwprc=1867187456&ad_type=text_image&format=888x280&url=http%3A%2F%2Fwww.manongjc.com%2Fdetail%2F61-swsgdvkfxuitmgk.html&fwr=0&pra=3&rh=200&rw=888&rpe=1&resp_fmts=3&wgl=1&fa=27&dt=1686217844722&bpp=1&bdt=610&idt=-M&shv=r20230606&mjsv=m202306010101&ptt=9&saldr=aa&abxe=1&cookie=ID%3Db3259055b4651ff1-22d5acd616d70043%3AT%3D1666087292%3ART%3D1686216735%3AS%3DALNI_MZrFvKdq441CEIRJ9OKfN3MS1rk-g&gpic=UID%3D00000b655f6d480b%3AT%3D1666087292%3ART%3D1686216735%3AS%3DALNI_MZJZn-FjsVdDxM9XGInkr2NGqMZpw&prev_fmts=728x90%2C728x90%2C300x250%2C300x600%2C0x0&nras=2&correlator=2279773850106&frm=20&pv=1&ga_vid=1330103958.1686217844&ga_sid=1686217844&ga_hid=530861798&ga_fc=0&u_tz=480&u_his=1&u_h=1080&u_w=1920&u_ah=1080&u_aw=1920&u_cd=24&u_sd=1&adx=347&ady=3510&biw=1903&bih=1009&scr_x=0&scr_y=1901&eid=44759876%2C44759927%2C44759837%2C31074198%2C44788441%2C44793497%2C44792404&oid=2&pvsid=1963144825673044&tmod=336333680&uas=0&nvt=2&ref=https%3A%2F%2Fwww.baidu.com%2Flink%3Furl%3DzvpwIaFOUersFeoUY2XLRnT5CfbRdVOkhUBbOoJ-43CDPqPFJX49I-36v2EZAXKsWYSy16uyj5PGfzCXF7e50a%26wd%3D%26eqid%3Dc9095136000026470000000464819feb&fc=384&brdim=1920%2C0%2C1920%2C0%2C1920%2C0%2C1920%2C1080%2C1920%2C1009&vis=1&rsz=%7C%7Cs%7C&abl=NS&fu=128&bc=23&ifi=7&uci=a!7&btvi=1&fsb=1&xpc=nIUpwjNeRA&p=http%3A//www.manongjc.com&dtd=6" data-google-container-id="a!7" data-load-complete="true" data-google-query-id="CObE95mzs_8CFQqelgodgSUH5Q" style="left: 0px; position: absolute; top: 0px; border-width: 0px; border-style: initial; width: 888px; height: 0px;"></iframe></div></ins></div><div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs javascript">$ echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
notAfter=Aug 26 03:47:23 2021 GMT</code></pre></div>可以看到现在的有效期是一年过后的，证明已经更新成功了。<h3 id="%E7%94%A8-Kubernetes-%E8%AF%81%E4%B9%A6-API-%E6%9B%B4%E6%96%B0%E8%AF%81%E4%B9%A6" name="%E7%94%A8-Kubernetes-%E8%AF%81%E4%B9%A6-API-%E6%9B%B4%E6%96%B0%E8%AF%81%E4%B9%A6" style="margin-top: 20px; margin-bottom: 20px; border-bottom: 1px solid rgb(228, 232, 235); position: relative; color: rgb(30, 139, 195); font-size: 16px;">用 Kubernetes 证书 API 更新证书</h3>除了上述的一键手动更新证书之外，还可以使用 Kubernetes 证书 API 执行手动证书更新。对于线上环境我们可能并不会去冒险经常更新集群或者去更新证书，这些毕竟是有风险的，所以我们希望生成的证书有效期足够长，虽然从安全性角度来说不推荐这样做，但是对于某些场景下一个足够长的证书有效期也是非常有必要的。有很多管理员就是去手动更改 kubeadm 的源码为10年，然后重新编译来创建集群，这种方式虽然可以达到目的，但是不推荐使用这种方式，特别是当你想要更新集群的时候，还得用新版本进行更新。其实 Kubernetes 提供了一种 API 的方式可以来帮助我们生成一个足够长证书有效期。要使用内置的 API 方式来签名，首先我们需要配置 kube-controller-manager 组件的 <code>--experimental-cluster-signing-duration</code> 参数，将其调整为10年，我们这里是 kubeadm 安装的集群，所以直接修改静态 Pod 的 yaml 文件即可:<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby">$ vi /etc/kubernetes/manifests/kube-controller-manager.yaml
......
spec:
containers:
- command:
- kube-controller-manager
# 设置证书有效期为 10 年
- --experimental-cluster-signing-duration=87600h
- --client-ca-file=/etc/kubernetes/pki/ca.crt
......</code></pre></div>修改完成后 kube-controller-manager 会自动重启生效。然后我们需要使用下面的命令为 Kubernetes 证书 API 创建一个证书签名请求。如果您设置例如 <code>cert-manager</code> 等外部签名者，则会自动批准证书签名请求（CSRs）。否者，您必须使用 <code>kubectl certificate</code> 命令手动批准证书。以下 kubeadm 命令输出要批准的证书名称，然后等待批准发生：<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs sql">$ kubeadm alpha certs renew all --use-api --config kubeadm.yaml &</code></pre></div>输出类似于以下内容：<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs css"> 2890
 Certificate request "kubeadm-cert-kubernetes-admin-pn99f" created</code></pre></div>然后接下来我们需要去手动批准证书：<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby">$ kubectl get csr
NAME AGE REQUESTOR CONDITION
kubeadm-cert-kubernetes-admin-pn99f 64s kubernetes-admin Pending
# 手动批准证书
$ kubectl certificate approve kubeadm-cert-kubernetes-admin-pn99f
certificatesigningrequest.certificates.k8s.io/kubeadm-cert-kubernetes-admin-pn99f approved</code></pre></div>用同样的方式为处于 Pending 状态的 csr 执行批准操作，直到所有的 csr 都批准完成为止。最后所有的 csr 列表状态如下所示：<div class="google-auto-placed ap_container" style="width: 888px; height: auto; clear: both; text-align: center;"><ins data-ad-format="auto" class="adsbygoogle adsbygoogle-noablate" data-ad-client="ca-pub-9401041403549801" data-adsbygoogle-status="done" data-ad-status="unfilled" style="display: block; margin: auto; background-color: transparent; height: 0px;"><div id="aswift_7_host" tabindex="0" title="Advertisement" aria-label="Advertisement" style="border: none; height: 0px; width: 888px; position: relative; visibility: visible; background-color: transparent; display: inline-block; overflow: hidden; opacity: 0;"><iframe id="aswift_7" name="aswift_7" sandbox="allow-forms allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts allow-top-navigation-by-user-activation" width="888" height="0" frameborder="0" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="no" src="https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9401041403549801&output=html&h=280&adk=2518444760&adf=3344557880&pi=t.aa~a.1377454617~i.73~rp.4&w=888&fwrn=4&fwrnh=100&lmt=1686217844&num_ads=1&rafmt=1&armr=3&sem=mc&pwprc=1867187456&ad_type=text_image&format=888x280&url=http%3A%2F%2Fwww.manongjc.com%2Fdetail%2F61-swsgdvkfxuitmgk.html&fwr=0&pra=3&rh=200&rw=888&rpe=1&resp_fmts=3&wgl=1&fa=27&dt=1686217844722&bpp=1&bdt=610&idt=1&shv=r20230606&mjsv=m202306010101&ptt=9&saldr=aa&abxe=1&cookie=ID%3Db3259055b4651ff1-22d5acd616d70043%3AT%3D1666087292%3ART%3D1686216735%3AS%3DALNI_MZrFvKdq441CEIRJ9OKfN3MS1rk-g&gpic=UID%3D00000b655f6d480b%3AT%3D1666087292%3ART%3D1686216735%3AS%3DALNI_MZJZn-FjsVdDxM9XGInkr2NGqMZpw&prev_fmts=728x90%2C728x90%2C300x250%2C300x600%2C0x0%2C888x280&nras=3&correlator=2279773850106&frm=20&pv=1&ga_vid=1330103958.1686217844&ga_sid=1686217844&ga_hid=530861798&ga_fc=0&u_tz=480&u_his=1&u_h=1080&u_w=1920&u_ah=1080&u_aw=1920&u_cd=24&u_sd=1&adx=347&ady=5231&biw=1903&bih=1009&scr_x=0&scr_y=1901&eid=44759876%2C44759927%2C44759837%2C31074198%2C44788441%2C44793497%2C44792404&oid=2&pvsid=1963144825673044&tmod=336333680&uas=0&nvt=2&ref=https%3A%2F%2Fwww.baidu.com%2Flink%3Furl%3DzvpwIaFOUersFeoUY2XLRnT5CfbRdVOkhUBbOoJ-43CDPqPFJX49I-36v2EZAXKsWYSy16uyj5PGfzCXF7e50a%26wd%3D%26eqid%3Dc9095136000026470000000464819feb&fc=384&brdim=1920%2C0%2C1920%2C0%2C1920%2C0%2C1920%2C1080%2C1920%2C1009&vis=1&rsz=%7C%7Cs%7C&abl=NS&fu=128&bc=23&ifi=8&uci=a!8&btvi=2&fsb=1&xpc=o4bRmaavPR&p=http%3A//www.manongjc.com&dtd=11" data-google-container-id="a!8" data-load-complete="true" data-google-query-id="COy395mzs_8CFU_ClgodADIGiA" style="left: 0px; position: absolute; top: 0px; border-width: 0px; border-style: initial; width: 888px; height: 0px;"></iframe></div></ins></div><div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs css">$ kubectl get csr
NAME AGE REQUESTOR CONDITION
kubeadm-cert-front-proxy-client-llhrj 30s kubernetes-admin Approved,Issued
kubeadm-cert-kube-apiserver-2s6kf 2m43s kubernetes-admin Approved,Issued
kubeadm-cert-kube-apiserver-etcd-client-t9pkx 2m7s kubernetes-admin Approved,Issued
kubeadm-cert-kube-apiserver-kubelet-client-pjbjm 108s kubernetes-admin Approved,Issued
kubeadm-cert-kube-etcd-healthcheck-client-8dcn8 64s kubernetes-admin Approved,Issued
kubeadm-cert-kubernetes-admin-pn99f 4m29s kubernetes-admin Approved,Issued
kubeadm-cert-system:kube-controller-manager-mr86h 79s kubernetes-admin Approved,Issued
kubeadm-cert-system:kube-scheduler-t8lnw 17s kubernetes-admin Approved,Issued
kubeadm-cert-ydzs-master-cqh4s 52s kubernetes-admin Approved,Issued
kubeadm-cert-ydzs-master-lvbr5 41s kubernetes-admin Approved,Issued</code></pre></div>批准完成后检查证书的有效期：<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs sql">$ kubeadm alpha certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Nov 05, 2029 11:53 UTC 9y no
apiserver Nov 05, 2029 11:54 UTC 9y no
apiserver-etcd-client Nov 05, 2029 11:53 UTC 9y no
apiserver-kubelet-client Nov 05, 2029 11:54 UTC 9y no
controller-manager.conf Nov 05, 2029 11:54 UTC 9y no
etcd-healthcheck-client Nov 05, 2029 11:53 UTC 9y no
etcd-peer Nov 05, 2029 11:53 UTC 9y no
etcd-server Nov 05, 2029 11:54 UTC 9y no
front-proxy-client Nov 05, 2029 11:54 UTC 9y no
scheduler.conf Nov 05, 2029 11:53 UTC 9y no</code></pre></div>我们可以看到已经延长小10年了，这是因为 ca 证书的有效期只有10年。但是现在我们还不能直接重启控制面板的几个组件，这是因为使用 kubeadm 安装的集群对应的 etcd 默认是使用的 <code>/etc/kubernetes/pki/etcd/ca.crt</code> 这个证书进行前面的，而上面我们用命令 <code>kubectl certificate approve</code> 批准过后的证书是使用的默认的 <code>/etc/kubernetes/pki/ca.crt</code> 证书进行签发的，所以我们需要替换 etcd 中的 ca 机构证书:<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs coffeescript"># 先拷贝静态 Pod 资源清单
$ cp -r /etc/kubernetes/manifests/ /etc/kubernetes/manifests.bak
$ vi /etc/kubernetes/manifests/etcd.yaml
......
spec:
containers:
- command:
- etcd
# 修改为 CA 文件
- --peer-trusted-ca-file=/etc/kubernetes/pki/ca.crt
- --trusted-ca-file=/etc/kubernetes/pki/ca.crt
......
volumeMounts:
- mountPath: /var/lib/etcd
 name: etcd-data
- mountPath: /etc/kubernetes/pki# 更改证书目录
 name: etcd-certs
volumes:
- hostPath:
 path: /etc/kubernetes/pki# 将 pki 目录挂载到 etcd 中去
 type: DirectoryOrCreate
name: etcd-certs
- hostPath:
 path: /var/lib/etcd
 type: DirectoryOrCreate
name: etcd-data
......</code></pre></div>由于 kube-apiserver 要连接 etcd 集群，所以也需要重新修改对应的 etcd ca 文件：<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby">$ vi /etc/kubernetes/manifests/kube-apiserver.yaml
......
spec:
containers:
- command:
- kube-apiserver
# 将etcd ca文件修改为默认的ca.crt文件
- --etcd-cafile=/etc/kubernetes/pki/ca.crt
......</code></pre></div>除此之外还需要替换 <code>requestheader-client-ca-file</code> 文件，默认是 <code>/etc/kubernetes/pki/front-proxy-ca.crt</code> 文件，现在也需要替换成默认的 CA 文件，否则使用聚合 API，比如安装了 metrics-server 后执行 <code>kubectl top</code> 命令就会报错：<div class="developer-code-block"><pre style="margin-top: 10px; padding: 0.5em; overflow-x: auto; background: rgb(221, 221, 221); color: rgb(73, 73, 73); text-size-adjust: none; border: 1px solid rgb(30, 140, 197); border-radius: 5px; font-size: 14px; word-break: break-all;"><code class="hljs ruby">$ cp /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/front-proxy-ca.crt
$ cp /etc/kubernetes/pki/ca.key /etc/kubernetes/pki/front-proxy-ca.key</code></pre></div>由于是静态 Pod，修改完成后上面的组件都会自动重启生效。由于我们当前版本的 kubelet 默认开启了证书自动轮转，所以 kubelet 的证书也不用再去管理了，这样我就将证书更新成10有效期了。在操作之前一定要先对证书目录进行备份，防止操作错误进行回滚。原文链接： https://www.qikqiak.com/post/update-k8s-10y-expire-certs/</div>

页: [1]

运维之家's Archiver

更新一个10年有效期的 Kubernetes 证书