Modifying the validity period of k8s certificates

This article walks through how to change the validity period of certificates in a Kubernetes environment, from inspecting the certificate files, through modifying and compiling the source, to the actual operations including kubeadm's certificate renewal steps, helping administrators extend the validity of the API server and other key component certificates to 10 years.


Modifying the certificate validity period

[root@k8s-master pki]# pwd

/etc/kubernetes/pki

All certificates currently on the system:

[root@k8s-master pki]# ls

apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key

apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key

apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub

[root@k8s-master pki]# openssl x509 -in apiserver.crt -text -noout

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 6240184568644574489 (0x569996cda2ef1d19)

Signature Algorithm: sha256WithRSAEncryption

Issuer: CN=kubernetes

Validity

Not Before: Nov 24 04:13:28 2020 GMT

Not After : Nov 24 04:13:29 2021 GMT

Subject: CN=kube-apiserver

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:


Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Key Usage: critical

Digital Signature, Key Encipherment

X509v3 Extended Key Usage:

TLS Web Server Authentication

X509v3 Subject Alternative Name:

DNS:k8s-master, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:10.10.21.8

Signature Algorithm: sha256WithRSAEncryption


[root@k8s-master pki]# mkdir /data

Download the Go tarball (go1.15.6.linux-amd64.tar.gz) to /data

[root@k8s-master data]# tar -zxvf go1.15.6.linux-amd64.tar.gz -C /usr/local/

[root@k8s-master data]# ls /usr/local/go

api CONTRIBUTING.md favicon.ico misc README.md src

AUTHORS CONTRIBUTORS lib PATENTS robots.txt test

bin doc LICENSE pkg SECURITY.md VERSION

[root@k8s-master data]# vi /etc/profile

export PATH=$PATH:/usr/local/go/bin

[root@k8s-master data]# source /etc/profile

[root@k8s-master pki]# go version

go version go1.15.6 linux/amd64

Download the source code

[root@k8s-master pki]# cd /data

[root@k8s-master data]# git clone https://github.com/kubernetes/kubernetes.git

[root@k8s-master data]# cd kubernetes

[root@k8s-master kubernetes]# kubeadm version

kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1", GitCommit:"4485c6f18cee9a5d3c3b4e523bd27972b1b53892", GitTreeState:"clean", BuildDate:"2019-07-18T09:15:32Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}

[root@k8s-master kubernetes]# git checkout -b remotes/origin/release-1.15.1 v1.15.1

Checking out files: 100% (19533/19533), done.

Switched to a new branch 'remotes/origin/release-1.15.1'

Modify the kubeadm source to change the certificate validity policy

vi staging/src/k8s.io/client-go/util/cert/cert.go # kubeadm versions before 1.14

vi cmd/kubeadm/app/util/pkiutil/pki_helpers.go # kubeadm 1.14 and later

[root@k8s-master kubernetes]# vi cmd/kubeadm/app/util/pkiutil/pki_helpers.go

Change the validity constant and the NotAfter field as follows (the original constant is one year; the new one is 10 years):

const duration3650d = time.Hour * 24 * 365 * 10

NotAfter: time.Now().Add(duration3650d).UTC(),


[root@k8s-master kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v

The build failed with errors under Go 1.15 (the kubeadm version output above shows v1.15.1 was built with go1.12.5), so go1.12.9.linux-amd64.tar.gz was used in the end.

Remove the previous Go installation

[root@k8s-master data]# rm -rf /usr/local/go

Download go1.12.9.linux-amd64.tar.gz to /data

[root@k8s-master data]# tar -zxvf go1.12.9.linux-amd64.tar.gz -C /usr/local/

[root@k8s-master data]# ls /usr/local/go

api CONTRIBUTING.md favicon.ico misc README.md src

AUTHORS CONTRIBUTORS lib PATENTS robots.txt test

bin doc LICENSE pkg SECURITY.md VERSION

[root@k8s-master data]# vi /etc/profile

export PATH=$PATH:/usr/local/go/bin

[root@k8s-master data]# source /etc/profile

[root@k8s-master data]# go version

go version go1.12.9 linux/amd64

[root@k8s-master kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v

If the build produces no errors, it succeeded.

[root@k8s-master kubernetes]# cp _output/bin/kubeadm /root/

Replace the kubeadm binary (keeping a backup of the original)

[root@k8s-master kubernetes]# cp /usr/bin/kubeadm /usr/bin/kubeadm.old

[root@k8s-master kubernetes]# cd

[root@k8s-master ~]# pwd

/root

[root@k8s-master ~]# cp kubeadm /usr/bin/

cp: overwrite ‘/usr/bin/kubeadm’? y

[root@k8s-master ~]# chmod a+x /usr/bin/kubeadm

Renew the certificates on the Master node

[root@k8s-master ~]# cd /etc/kubernetes/

[root@k8s-master kubernetes]# cp -r pki/ pki.old

[root@k8s-master kubernetes]# cd

[root@k8s-master ~]# kubeadm alpha certs renew all --config=/root/kubeadm-config.yaml

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed

certificate for serving the Kubernetes API renewed

certificate the apiserver uses to access etcd renewed

certificate for the API server to connect to kubelet renewed

certificate embedded in the kubeconfig file for the controller manager to use renewed

certificate for liveness probes to healtcheck etcd renewed

certificate for etcd nodes to communicate with each other renewed

certificate for serving etcd renewed

certificate for the front proxy client renewed

certificate embedded in the kubeconfig file for the scheduler manager to use renewed

[root@k8s-master ~]# cd /etc/kubernetes/pki

[root@k8s-master pki]# ls

apiserver.crt apiserver-etcd-client.key apiserver-kubelet-client.crt ca.crt etcd front-proxy-ca.key front-proxy-client.key sa.pub

apiserver-etcd-client.crt apiserver.key apiserver-kubelet-client.key ca.key front-proxy-ca.crt front-proxy-client.crt sa.key

[root@k8s-master pki]# openssl x509 -in apiserver.crt -text -noout | grep Not

Not Before: Nov 24 04:13:28 2020 GMT

Not After : Dec 12 07:59:15 2030 GMT

The certificate validity is now 10 years.
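To verify the result without reading `openssl x509 -text` by hand, here is an added example (my own code, not from the post or from kubeadm) that parses a PEM certificate such as /etc/kubernetes/pki/apiserver.crt and reports the days left before NotAfter, so it can be run over the pki directory before and after the renewal. It is exercised against a constructed self-signed certificate issued with the post's 10-year `duration3650d` lifetime; the function names and the RSA fixture are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Same constant the post patches into cmd/kubeadm/app/util/pkiutil/pki_helpers.go.
const duration3650d = time.Hour * 24 * 365 * 10
// daysUntilExpiry parses one PEM certificate (e.g. /etc/kubernetes/pki/apiserver.crt) and returns
// its NotAfter and the whole days left relative to now (negative once expired), like `openssl x509 -noout -dates`.
func daysUntilExpiry(pemBytes []byte, now time.Time) (time.Time, int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return time.Time{}, 0, fmt.Errorf("no CERTIFICATE block found")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return time.Time{}, 0, err
	}
	return c.NotAfter, int(c.NotAfter.Sub(now).Hours() / 24), nil
}

// selfSignedPEM is a constructed fixture (not kubeadm's code): a self-signed RSA-2048
// certificate with the given lifetime, so the check above can be exercised offline.
func selfSignedPEM(cn string, lifetime time.Duration) []byte {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now().UTC().Truncate(time.Second) // X.509 validity times have 1 s resolution
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	notAfter, days, err := daysUntilExpiry(selfSignedPEM("kube-apiserver", duration3650d), time.Now())
	fmt.Println("Not After:", notAfter.UTC(), "days left:", days, "renew within 90 days:", days <= 90, err)
}
```

Replace the fixture with `os.ReadFile` over each *.crt in /etc/kubernetes/pki to check a real node; a stock kubeadm certificate shows roughly 365 days left, the patched one roughly 3650.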
