k8s1.18.15更新证书

  1. kubeadm安装的集群默认签发证书有效期为1年,ca证书为10年
# Print the expiry date of every certificate kubeadm manages
kubeadm alpha certs check-expiration
  2. 有2种方式更新证书

1)执行命令一年更新一次(多master每台都执行)

# Back up the whole /etc/kubernetes tree (config + PKI) with a date suffix before renewing
cp -a /etc/kubernetes /etc/kubernetes_`date +%Y%m%d`
# Renew every kubeadm-managed certificate (run on each control-plane node)
# NOTE(review): per the kubeadm certs docs, the control-plane components must be restarted
# afterwards to load the renewed certs — confirm this step for 1.18.15 before relying on it.
kubeadm alpha certs renew all

2)重新编译kubeadm,更新源码里的证书时间

下载k8s对应版本的源码包

# Fetch the kubernetes source tarball for the exact cluster version (v1.18.15)
# NOTE(review): verify the archive against an upstream-published checksum before building from it
wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.18.15.tar.gz

修改 CA 有效期为 100 年(默认为 10 年)

// vim ./staging/src/k8s.io/client-go/util/cert/cert.go

// NewSelfSignedCACert builds a self-signed CA certificate from cfg, signed with key.
// Only cfg.CommonName and cfg.Organization are read from cfg. The certificate is
// valid from the current time until 100 years later (upstream default is 10 years;
// see the commented-out NotAfter line). It returns the parsed certificate, or the
// error from x509.CreateCertificate / x509.ParseCertificate.
//
// NOTE(review): with a 100-year CA, a compromised CA key stays trusted until the CA
// is rotated by hand; the longer validity trades renewal work for a longer exposure
// window if the key ever leaks.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
        now := time.Now()
        tmpl := x509.Certificate{
                // Serial number is fixed at 0 for this self-signed CA.
                SerialNumber: new(big.Int).SetInt64(0),
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                NotBefore:             now.UTC(),
                // Upstream default: 10 years.
                // NotAfter:              now.Add(duration365d * 10).UTC(),
                // Modified: 100 years. duration365d is defined elsewhere in cert.go (not shown here).
                // The trailing "##########" marker is the tutorial author's annotation, not Go syntax.
                NotAfter:              now.Add(duration365d * 100).UTC(),     ########## 此处修改时间
                // CA key usage: the cert may sign other certs and be used for signatures/key encipherment.
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                BasicConstraintsValid: true,
                IsCA:                  true,
        }

        // Self-signed: the template is both the certificate and its parent, and key signs itself.
        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
        if err != nil {
                return nil, err
        }
        return x509.ParseCertificate(certDERBytes)
        // … closing brace of the function omitted in this excerpt
修改证书有效期为 100 年(默认为 1 年)

//vim ./cmd/kubeadm/app/constants/constants.go

const (
        // KubernetesDir is the directory Kubernetes owns for storing various configuration files
        KubernetesDir = "/etc/kubernetes"
        // ManifestsSubDirName defines directory name to store manifests
        ManifestsSubDirName = "manifests"
        // TempDirForKubeadm defines temporary directory for kubeadm
        // should be joined with KubernetesDir.
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        // Upstream default (1 year):
        // CertificateValidity = time.Hour * 24 * 365
        // Modified to 100 years; this still fits in time.Duration (max is roughly 290 years).
        // NOTE(review): this covers every certificate kubeadm signs, so a leaked key stays
        // valid until rotated by hand instead of expiring after a year.
        // The trailing "#####" marker is the tutorial author's annotation, not Go syntax.
        CertificateValidity = time.Hour * 24 * 365 * 100   ##### 此处修改时间

        // CACertAndKeyBaseName defines certificate authority base name
        CACertAndKeyBaseName = "ca"
        // CACertName defines certificate name
        CACertName = "ca.crt"
        // CAKeyName defines certificate name
        CAKeyName = "ca.key"
        // … remaining constants and the closing ")" omitted in this excerpt
安装go环境

# Install the Go toolchain (1.13.15) under /usr/local
# NOTE(review): check the tarball's SHA256 against the one published on the Go download page
wget https://golang.org/dl/go1.13.15.linux-amd64.tar.gz
tar -zxvf go1.13.15.linux-amd64.tar.gz  -C /usr/local

# Edit /etc/profile and append the following:
#go setting
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin

# Apply the new environment to the current shell
source /etc/profile

编译kubeadm

# Install make, gcc and rsync if the build fails complaining about them
yum -y install make gcc rsync

# Make the generator executable if the build fails with "Permission denied"
 chmod +x _output/bin/prerelease-lifecycle-gen

# Build only kubeadm (the rest of the tree is not needed)
make all WHAT=cmd/kubeadm GOFLAGS=-v

# The built binary lands under _output/bin/kubeadm
# NOTE(review): the copy below reads from _output/local/bin/linux/amd64/ — presumably the
# same file via the _output/bin symlink; confirm both paths exist before copying.

# (replace kubeadm on every control-plane node)
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
#chmod +x /usr/bin/kubeadm

# Confirm the rebuilt binary is the one on PATH
kubeadm version

更新证书

# Back up the PKI directory (run on every control-plane node)
cp -a /etc/kubernetes/pki /etc/kubernetes/pki_`date +%Y%m%d`

# Renew the certificates (the master connection IP must be changed to this host's IP;
# run on every control-plane node)
# NOTE(review): per the kubeadm certs docs, the control-plane components must be restarted
# afterwards to pick up the renewed certs — confirm this step for 1.18.15.
kubeadm alpha certs renew all

# Refresh the local kubeconfig with the renewed admin credentials (-i prompts before overwriting)
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

参考文档
https://blog.csdn.net/netgc/article/details/106456770
https://zyh.cool/posts/55da993d/
https://segmentfault.com/a/1190000039799593
https://kubernetes.io/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/