[关闭]
@zhangyy 2020-04-04T10:54:44.000000Z 字数 1295 阅读 103

kubernetes 关于kubeadmin 部署的认证时间的修改

kubernetes系列


  • 一:kubernetes 关于kubeadmin 部署的认证时间的修改

一:kubernetes 关于kubeadmin 部署的认证时间的修改

1.1 查看kubeadmin的证书的可用时间

  1. cd /etc/kubernetes/pki
  2. openssl x509 -in apiserver.crt -text -noout
  3. ---
  4. Validity
  5. Not Before: Apr 2 02:42:39 2020 GMT
  6. Not After : Apr 2 02:42:39 2021 GMT
  7. ---
  8. apiserver 只有一年的默认时间使用期限
  9. -------------
  1. openssl x509 -in ca.crt -text -noout
  2. ---
  3. Validity
  4. Not Before: Apr 2 02:42:39 2020 GMT
  5. Not After : Mar 31 02:42:39 2030 GMT
  6. ----
  7. ca 的使用期限是 10

image_1e51bh3m113ku1ifg1kma1iq145a9.png-153.6kB

image_1e51bkfic1rr019g71iaabf76l3m.png-191.8kB

1.2 证书可用时限

1.2.1 go 环境部署

  1. wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz
  2. tar -zxvf go1.12.1.linux-amd64.tar.gz -C /usr/local
  3. vim /etc/profile
  4. ---
  5. export PATH=$PATH:/usr/local/go/bin
  6. ---
  7. source /etc/profile

image_1e51buseh1dhnt701aj01muk1oj41g.png-40.3kB

1.2.2 下载源码

  1. git clone https://github.com/kubernetes/kubernetes.git
  2. git checkout -b remotes/origin/release-1.15.1 v1.15.1

image_1e51eonuitvi9sf106v1ap11u0f1t.png-212.3kB

1.2.3 修改 Kubeadm 源码包更新证书策略

  1. vim staging/src/k8s.io/client-go/util/cert/cert.go # kubeadm 1.14 版本之前
  2. vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go # kubeadm 1.14 至今
  3. ----
  4. ----
  5. const duration3650d = time.Hour * 24 * 365 * 10
  6. NotAfter: time.Now().Add(duration365d).UTC(),
  7. ----
  8. make WHAT=cmd/kubeadm GOFLAGS=-v
  9. cp _output/bin/kubeadm /root/kubeadm-new

image_1e51f69908ja1i2s13rc19flt5q2a.png-217.1kB

image_1e51g0fi81taa8c01rn91be2fc42n.png-226.3kB

image_1e51g3rp4ir71iet11h19h519mc34.png-217.9kB

image_1e51g6moc5ui1duo5at1jka109b3h.png-157.8kB

image_1e51g8e521u87d541enq22l1fn3u.png-39.2kB

  1. cp -p /usr/bin/kubeadmn /usr/bin/kubeadmn.old
  2. cp -p /root/kubeadm-new /usr/bin/kubeadm
  3. chmod +x /usr/bin/kubeadmn

image_1e51gj7j32j71jg5bbfnme7844r.png-173.6kB

  1. cd /etc/kubernetes/
  2. cp -ap pki pki.old

image_1e51gm33o15s0ean15ogm56197258.png-100.2kB

  1. cd /root/k8s-install/core
  2. kubeadm alpha certs renew all --config=./kubeadm-config.yaml

image_1e51hlktq1g02q1lucocj9104i5l.png-115.8kB


  1. openssl x509 -in apiserver.crt -text -noout
  2. 这样 证书的年限就改成了10年了

image_1e51ho88hpst181oh4hi321u7o62.png-158.2kB

添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注