帮助文档:https://zealous-cricket-cfa.notion.site/kubeadm-k8s-24611be9607c4b3193012de58860535e

解决:

1.安装GO语言环境:

[root@k8s-master software]# wget https://studygolang.com/dl/golang/go1.19.1.linux-amd64.tar.gz

[root@k8s-master software]# tar xf go1.19.1.linux-amd64.tar.gz -C /usr/local

[root@k8s-master software]# vim /etc/profile   # 最后面添加如下信息

# go语言环境变量

export PATH=$PATH:/usr/local/go/bin

[root@k8s-master software]# source /etc/profile

2.Kubernetes源码下载与更改证书策略:(保证跟当前版本一样,我这里是1.23.1,可以先用kubectl version查看当前版本)

wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.23.1.zip (修改版本号直接下载对应版本即可,tag里可能没有,但不影响下载)

mkdir k8s

unzip v1.23.1.zip -d /root/k8s

cd /root/k8s/kubernetes-1.23.1/

cd cmd/kubeadm/app/util/pkiutil

#更改配置文件并备份:

cp pki_helpers.go pki_helpers.go.bak

vim pki_helpers.go

#在636行左右

func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {

     const effectyear = time.Hour * 24 * 365 * 50 #添加此行,我这里是改成50年

     serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))

     if err != nil {

             return nil, err

     }

     if len(cfg.CommonName) == 0 {

             return nil, errors.New("must specify a CommonName")

     }

     keyUsage := x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature

     if isCA {

             keyUsage |= x509.KeyUsageCertSign

     }

     RemoveDuplicateAltNames(&cfg.AltNames)

//      notAfter := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()#在go语言中,变量如果没引用会报错,所以需要注释此变量及下面的判断

//      if cfg.NotAfter != nil {

//              notAfter = *cfg.NotAfter

//      }

     certTmpl := x509.Certificate{

             Subject: pkix.Name{

                     CommonName:   cfg.CommonName,

                     Organization: cfg.Organization,

             },

             DNSNames:              cfg.AltNames.DNSNames,

             IPAddresses:           cfg.AltNames.IPs,

             SerialNumber:          serial,

             NotBefore:             caCert.NotBefore,

           //  NotAfter:              notAfter,  #注释此行

             NotAfter:              time.Now().Add(effectyear).UTC(),#添加此行

             KeyUsage:              keyUsage,

             ExtKeyUsage:           cfg.Usages,

# 注意路径,开始编译

root@master01:~/k8s/kubernetes-1.23.1/cmd/kubeadm/app/util/pkiutil# cd /root/k8s/kubernetes-1.23.1/

root@master01:~/k8s/kubernetes-1.23.1# make WHAT=cmd/kubeadm GOFLAGS=-v

+++ [0914 11:30:04] Building go targets for linux/amd64:

 cmd/kubeadm

> static build CGO_ENABLED=0: k8s.io/kubernetes/cmd/kubeadm

k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil

k8s.io/kubernetes/cmd/kubeadm/app/phases/certs

k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod

k8s.io/kubernetes/cmd/kubeadm/app/phases/kubeconfig

k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal

k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane

k8s.io/kubernetes/cmd/kubeadm/app/phases/etcd

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/init

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/join

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/reset

k8s.io/kubernetes/cmd/kubeadm/app/phases/upgrade

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/upgrade/node

k8s.io/kubernetes/cmd/kubeadm/app/cmd/upgrade

k8s.io/kubernetes/cmd/kubeadm/app/cmd

k8s.io/kubernetes/cmd/kubeadm/app

k8s.io/kubernetes/cmd/kubeadm

#备份之前的证书

cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old

#备份之前的kubeadm

mv /usr/bin/kubeadm /usr/bin/kubeadm.old

#把编译过的kubeadm拷贝过来

root@master01:/etc/kubernetes/pki# cd /root/k8s/kubernetes-1.23.1/

root@master01:~/k8s/kubernetes-1.23.1# cp _output/bin/kubeadm /usr/bin/

#添加执行权限

root@master01:~/k8s/kubernetes-1.23.1# chmod 755 /usr/bin/kubeadm

#kubeadm的版本不一样,编译的命令也不一样,参考链接:https://www.cnblogs.com/sysin/p/15675772.html

root@master01:~/k8s/kubernetes-1.23.1# kubeadm certs renew all

[renew] Reading configuration from the cluster...

[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

W0914 12:18:40.867177  165896 utils.go:69] The recommended value for "resolvConf" in "KubeletConfiguration" is: /run/systemd/resolve/resolv.conf; the provided value is: /run/systemd/resolve/resolv.conf

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed

certificate for serving the Kubernetes API renewed

certificate the apiserver uses to access etcd renewed

certificate for the API server to connect to kubelet renewed

certificate embedded in the kubeconfig file for the controller manager to use renewed

certificate for liveness probes to healthcheck etcd renewed

certificate for etcd nodes to communicate with each other renewed

certificate for serving etcd renewed

certificate for the front proxy client renewed

certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

#重启master组件容器并验证(这步可以不执行,生产环境不要执行!会重启服务。)

root@master01:~/k8s/kubernetes-1.23.1# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart

019ecea9f270

0bde6fe9ea90

3cd6f8f17ae6

58abb3209def

root@master01:~/k8s/kubernetes-1.23.1# kubeadm certs check-expiration

[check-expiration] Reading configuration from the cluster...

[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

W0914 13:10:19.423400  182208 utils.go:69] The recommended value for "resolvConf" in "KubeletConfiguration" is: /run/systemd/resolve/resolv.conf; the provided value is: /run/systemd/resolve/resolv.conf

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED

admin.conf                 Sep 01, 2072 04:18 UTC   49y             ca                      no

apiserver                  Sep 01, 2072 04:18 UTC   49y             ca                      no

apiserver-etcd-client      Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

apiserver-kubelet-client   Sep 01, 2072 04:18 UTC   49y             ca                      no

controller-manager.conf    Sep 01, 2072 04:18 UTC   49y             ca                      no

etcd-healthcheck-client    Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

etcd-peer                  Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

etcd-server                Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

front-proxy-client         Sep 01, 2072 04:18 UTC   49y             front-proxy-ca          no

scheduler.conf             Sep 01, 2072 04:18 UTC   49y             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED

ca                      Sep 11, 2032 02:07 UTC   9y              no

etcd-ca                 Sep 11, 2032 02:07 UTC   9y              no

front-proxy-ca          Sep 11, 2032 02:07 UTC   9y              no

更换K8S证书可用期的更多相关文章

  1. kubernetes实战(十六):k8s高可用集群平滑升级 v1.11.x 到v1.12.x

    1.基本概念 升级之后所有的containers会重启,因为hash值会变. 不可跨版本升级. 2.升级Master节点 当前版本 [root@k8s-master01 ~]# kubeadm ver ...

  2. .Net Core2.1 秒杀项目一步步实现CI/CD(Centos7.2)系列一:k8s高可用集群搭建总结以及部署API到k8s

    前言:本系列博客又更新了,是博主研究很长时间,亲自动手实践过后的心得,k8s集群是购买了5台阿里云服务器部署的,这个集群差不多搞了一周时间,关于k8s的知识点,我也是刚入门,这方面的知识建议参考博客园 ...

  3. k8s 证书反解

    k8s证书反解 1.将k8s配置文件(kubelet.kubeconfig)中client-certificate-data:内容拷贝 2.echo "client-certificate- ...

  4. python安装二进制k8s高可用 版本1.13.0

    一.所有安装包.脚本.脚本说明.下载链接:https://pan.baidu.com/s/1kHaesJJuMQ5cG-O_nvljtg 提取码:kkv6 二.脚本安装说明 1.脚本说明: 本实验为三 ...

  5. 阿里云搭建k8s高可用集群(1.17.3)

    首先准备5台centos7 ecs实例最低要求2c4G 开启SLB(私网) 这里我们采用堆叠拓扑的方式构建高可用集群,因为k8s 集群etcd采用了raft算法保证集群一致性,所以高可用必须保证至少3 ...

  6. kubeadm实现k8s高可用集群环境部署与配置

    高可用架构 k8s集群的高可用实际是k8s各核心组件的高可用,这里使用主备模式,架构如下: 主备模式高可用架构说明: 核心组件 高可用模式 高可用实现方式 apiserver 主备 keepalive ...

  7. 【葵花宝典】lvs+keepalived部署kubernetes(k8s)高可用集群

    一.部署环境 1.1 主机列表 主机名 Centos版本 ip docker version flannel version Keepalived version 主机配置 备注 lvs-keepal ...

  8. kubespray续签k8s证书

    查看证书过期时期 [root@node1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not ...

  9. 一、k8s介绍(第一章、k8s高可用集群安装)

    作者:北京小远 出处:http://www.cnblogs.com/bj-xy/ 参考课程:Kubernetes全栈架构师(电脑端购买优惠) 文档禁止转载,转载需标明出处,否则保留追究法律责任的权利! ...

  10. 三、k8s集群可用性验证与调参(第一章、k8s高可用集群安装)

    作者:北京小远 出处:http://www.cnblogs.com/bj-xy/ 参考课程:Kubernetes全栈架构师(电脑端购买优惠) 文档禁止转载,转载需标明出处,否则保留追究法律责任的权利! ...

随机推荐

  1. ELK技术-Logstash

    1.背景 1.1 简介 Logstash 是一个功能强大的工具,可与各种部署集成. 它提供了大量插件,可帮助业务做解析,丰富,转换和缓冲来自各种来源的数据. Logstash 是一个数据流引擎 它是用 ...

  2. awk5个使用场景

    awk简介 首先要知道awk的使用场景,需了解awk有哪些优势与短板. 关于个人近期学习awk总结其优势: awk对文本的处理运算效率同比其他工具效率高很多(比shell的for循环高10倍以上,运算 ...

  3. KingbaseES R6 集群主机锁冲突导致的主备切换案例

    ​ 案例说明: 主库在业务高峰期间,客户执行建表等DDL操作,主库产生"AccessExclusiveLock "锁,导致大量的事务产生锁冲突,大量的会话堆积,客户端session ...

  4. gem5 使用记录,对例子中helloobject的理解

    gem5中有一个 hello的例子,不是hello world那个,在src/learning-gem5/part2里面,这是虽然是个简单的例子但包含的要素挺多挺全. 整个结构是src下面有一个hel ...

  5. 【Tool】Idea快捷键

    Windows Ctrl + F12: 查找当前类中的方法 Ctrl + N: 查找类 Ctrl + Alt + H: 查看方法调用关系 Ctrl + H: 查看类的继承关系 Alt + F7:查找类 ...

  6. (数据科学学习手札143)为geopandas添加gdb文件写出功能

    本文示例代码已上传至我的Github仓库https://github.com/CNFeffery/DataScienceStudyNotes 1 简介 大家好我是费老师,很多读者朋友跟随着我先前写作的 ...

  7. MySQL读写分离之——ProxySQL

    文章转载自:https://blog.csdn.net/u012280685/article/details/113520692?spm=1001.2014.3001.5501 实现一个简单的读写分离 ...

  8. Logstash:运用 memcache 过滤器进行大规模的数据丰富

    文章转载自:https://blog.csdn.net/UbuntuTouch/article/details/106915969 理论上也可以使用redis,有待实践

  9. PostgreSQL 选择数据库

    数据库的命令窗口 PostgreSQL 命令窗口中,我们可以命令提示符后面输入 SQL 语句: postgres=# 使用 \l 用于查看已经存在的数据库: postgres=# \l List of ...

  10. Opengl ES之纹理贴图

    纹理可以理解为一个二维数组,它可以存储大量的数据,这些数据可以发送到着色器上.一般情况下我们所说的纹理是表示一副2D图,此时纹理存储的数据就是这个图的像素数据. 所谓的纹理贴图,就是使用Opengl将 ...