帮助文档:https://zealous-cricket-cfa.notion.site/kubeadm-k8s-24611be9607c4b3193012de58860535e

解决:

1.安装GO语言环境:

[root@k8s-master software]# wget https://studygolang.com/dl/golang/go1.19.1.linux-amd64.tar.gz

[root@k8s-master software]# tar xf go1.19.1.linux-amd64.tar.gz -C /usr/local

[root@k8s-master software]# vim /etc/profile   # 最后面添加如下信息

# go语言环境变量

export PATH=$PATH:/usr/local/go/bin

[root@k8s-master software]# source /etc/profile

2.Kubernetes源码下载与更改证书策略:(保证跟当前版本一样,我这里是1.23.1,可以先用kubectl version查看当前版本)

wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.23.1.zip (修改版本号直接下载对应版本即可,tag里可能没有,但不影响下载)

mkdir k8s

unzip v1.23.1.zip -d /root/k8s

cd /root/k8s/kubernetes-1.23.1/

cd cmd/kubeadm/app/util/pkiutil

#更改配置文件并备份:

cp pki_helpers.go pki_helpers.go.bak

vim pki_helpers.go

#在636行左右

func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {

     const effectyear = time.Hour * 24 * 365 * 50 #添加此行,我这里是改成50年

     serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))

     if err != nil {

             return nil, err

     }

     if len(cfg.CommonName) == 0 {

             return nil, errors.New("must specify a CommonName")

     }

     keyUsage := x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature

     if isCA {

             keyUsage |= x509.KeyUsageCertSign

     }

     RemoveDuplicateAltNames(&cfg.AltNames)

//      notAfter := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()#在go语言中,变量如果没引用会报错,所以需要注释此变量及下面的判断

//      if cfg.NotAfter != nil {

//              notAfter = *cfg.NotAfter

//      }

     certTmpl := x509.Certificate{

             Subject: pkix.Name{

                     CommonName:   cfg.CommonName,

                     Organization: cfg.Organization,

             },

             DNSNames:              cfg.AltNames.DNSNames,

             IPAddresses:           cfg.AltNames.IPs,

             SerialNumber:          serial,

             NotBefore:             caCert.NotBefore,

           //  NotAfter:              notAfter,  #注释此行

             NotAfter:              time.Now().Add(effectyear).UTC(),#添加此行

             KeyUsage:              keyUsage,

             ExtKeyUsage:           cfg.Usages,

# 注意路径,开始编译

root@master01:~/k8s/kubernetes-1.23.1/cmd/kubeadm/app/util/pkiutil# cd /root/k8s/kubernetes-1.23.1/

root@master01:~/k8s/kubernetes-1.23.1# make WHAT=cmd/kubeadm GOFLAGS=-v

+++ [0914 11:30:04] Building go targets for linux/amd64:

 cmd/kubeadm

> static build CGO_ENABLED=0: k8s.io/kubernetes/cmd/kubeadm

k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil

k8s.io/kubernetes/cmd/kubeadm/app/phases/certs

k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod

k8s.io/kubernetes/cmd/kubeadm/app/phases/kubeconfig

k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal

k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane

k8s.io/kubernetes/cmd/kubeadm/app/phases/etcd

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/init

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/join

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/reset

k8s.io/kubernetes/cmd/kubeadm/app/phases/upgrade

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/upgrade/node

k8s.io/kubernetes/cmd/kubeadm/app/cmd/upgrade

k8s.io/kubernetes/cmd/kubeadm/app/cmd

k8s.io/kubernetes/cmd/kubeadm/app

k8s.io/kubernetes/cmd/kubeadm

#备份之前的证书

cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old

#备份之前的kubeadm

mv /usr/bin/kubeadm /usr/bin/kubeadm.old

#把编译过的kubeadm拷贝过来

root@master01:/etc/kubernetes/pki# cd /root/k8s/kubernetes-1.23.1/

root@master01:~/k8s/kubernetes-1.23.1# cp _output/bin/kubeadm /usr/bin/

#添加执行权限

root@master01:~/k8s/kubernetes-1.23.1# chmod 755 /usr/bin/kubeadm

#kubeadm的版本不一样,编译的命令也不一样,参考链接:https://www.cnblogs.com/sysin/p/15675772.html

root@master01:~/k8s/kubernetes-1.23.1# kubeadm certs renew all

[renew] Reading configuration from the cluster...

[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

W0914 12:18:40.867177  165896 utils.go:69] The recommended value for "resolvConf" in "KubeletConfiguration" is: /run/systemd/resolve/resolv.conf; the provided value is: /run/systemd/resolve/resolv.conf

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed

certificate for serving the Kubernetes API renewed

certificate the apiserver uses to access etcd renewed

certificate for the API server to connect to kubelet renewed

certificate embedded in the kubeconfig file for the controller manager to use renewed

certificate for liveness probes to healthcheck etcd renewed

certificate for etcd nodes to communicate with each other renewed

certificate for serving etcd renewed

certificate for the front proxy client renewed

certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

#重启master组件容器并验证(这步可以不执行,生产环境不要执行!会重启服务。)

root@master01:~/k8s/kubernetes-1.23.1# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart

019ecea9f270

0bde6fe9ea90

3cd6f8f17ae6

58abb3209def

root@master01:~/k8s/kubernetes-1.23.1# kubeadm certs check-expiration

[check-expiration] Reading configuration from the cluster...

[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

W0914 13:10:19.423400  182208 utils.go:69] The recommended value for "resolvConf" in "KubeletConfiguration" is: /run/systemd/resolve/resolv.conf; the provided value is: /run/systemd/resolve/resolv.conf

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED

admin.conf                 Sep 01, 2072 04:18 UTC   49y             ca                      no

apiserver                  Sep 01, 2072 04:18 UTC   49y             ca                      no

apiserver-etcd-client      Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

apiserver-kubelet-client   Sep 01, 2072 04:18 UTC   49y             ca                      no

controller-manager.conf    Sep 01, 2072 04:18 UTC   49y             ca                      no

etcd-healthcheck-client    Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

etcd-peer                  Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

etcd-server                Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

front-proxy-client         Sep 01, 2072 04:18 UTC   49y             front-proxy-ca          no

scheduler.conf             Sep 01, 2072 04:18 UTC   49y             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED

ca                      Sep 11, 2032 02:07 UTC   9y              no

etcd-ca                 Sep 11, 2032 02:07 UTC   9y              no

front-proxy-ca          Sep 11, 2032 02:07 UTC   9y              no

更换K8S证书可用期的更多相关文章

  1. kubernetes实战(十六):k8s高可用集群平滑升级 v1.11.x 到v1.12.x

    1.基本概念 升级之后所有的containers会重启,因为hash值会变. 不可跨版本升级. 2.升级Master节点 当前版本 [root@k8s-master01 ~]# kubeadm ver ...

  2. .Net Core2.1 秒杀项目一步步实现CI/CD(Centos7.2)系列一:k8s高可用集群搭建总结以及部署API到k8s

    前言:本系列博客又更新了,是博主研究很长时间,亲自动手实践过后的心得,k8s集群是购买了5台阿里云服务器部署的,这个集群差不多搞了一周时间,关于k8s的知识点,我也是刚入门,这方面的知识建议参考博客园 ...

  3. k8s 证书反解

    k8s证书反解 1.将k8s配置文件(kubelet.kubeconfig)中client-certificate-data:内容拷贝 2.echo "client-certificate- ...

  4. python安装二进制k8s高可用 版本1.13.0

    一.所有安装包.脚本.脚本说明.下载链接:https://pan.baidu.com/s/1kHaesJJuMQ5cG-O_nvljtg 提取码:kkv6 二.脚本安装说明 1.脚本说明: 本实验为三 ...

  5. 阿里云搭建k8s高可用集群(1.17.3)

    首先准备5台centos7 ecs实例最低要求2c4G 开启SLB(私网) 这里我们采用堆叠拓扑的方式构建高可用集群,因为k8s 集群etcd采用了raft算法保证集群一致性,所以高可用必须保证至少3 ...

  6. kubeadm实现k8s高可用集群环境部署与配置

    高可用架构 k8s集群的高可用实际是k8s各核心组件的高可用,这里使用主备模式,架构如下: 主备模式高可用架构说明: 核心组件 高可用模式 高可用实现方式 apiserver 主备 keepalive ...

  7. 【葵花宝典】lvs+keepalived部署kubernetes(k8s)高可用集群

    一.部署环境 1.1 主机列表 主机名 Centos版本 ip docker version flannel version Keepalived version 主机配置 备注 lvs-keepal ...

  8. kubespray续签k8s证书

    查看证书过期时期 [root@node1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not ...

  9. 一、k8s介绍(第一章、k8s高可用集群安装)

    作者:北京小远 出处:http://www.cnblogs.com/bj-xy/ 参考课程:Kubernetes全栈架构师(电脑端购买优惠) 文档禁止转载,转载需标明出处,否则保留追究法律责任的权利! ...

  10. 三、k8s集群可用性验证与调参(第一章、k8s高可用集群安装)

    作者:北京小远 出处:http://www.cnblogs.com/bj-xy/ 参考课程:Kubernetes全栈架构师(电脑端购买优惠) 文档禁止转载,转载需标明出处,否则保留追究法律责任的权利! ...

随机推荐

  1. 第五十三篇:Vue安装Element ui

    好家伙,之前写的一篇过时了,用不了了,更新一波 (已新建一个vue项目) 1. 在项目目录下执行:npm i element-ui -S 2. 在main.js中写入 import ElementUI ...

  2. openstack中Cinder组件简解

    一,Cinder组件介绍 概念 cinder组件作用: 块存储服务,为运行实例提供稳定的数据块存储服务 块存储服务,提供对 volume 从创建到删除整个生命周期的管理 二,常用操作 1.Volume ...

  3. helm安装csi-driver-smb-v1.9.0

    Application version v1.9.0 Chart version v1.9.0 获取chart包 helm repo add csi-driver-smb https://raw.gi ...

  4. day03-代码实现02

    多用户即时通讯系统03 4.编码实现02 4.2功能实现-拉取在线用户 4.2.1思路分析 客户端想要知道在线用户列表,就要向服务器发送请求(Message),因为只有服务器端保持着所有与客户端相连接 ...

  5. 关于kibana启动时有几个warning警告信息的解决办法

    启动kibana时会有几个warning信息,具体如下: 针对xpack这几个相关的,在kibana.yml文件中新增如下三个配置即可: # 注意:参数值至少32位,否则启动会报错提示 xpack.e ...

  6. 痞子衡嵌入式:一个关于Segger J-Flash在Micron Flash固定区域下载校验失败的故事(SR寄存器BP[x:0]位)

    大家好,我是痞子衡,是正经搞技术的痞子.今天痞子衡给大家讲的是一个关于Segger J-Flash在Micron Flash固定区域下载校验失败的故事. 痞子衡最近在支持一个 i.MXRT1170 欧 ...

  7. Vue+vant移动端处理弹窗不能滑动问题

    自己在做项目开发时,使用vantUI组件,在项目中遇到了弹窗组件里面当内容过多时,会出现滚动卡顿或者不能滚动问题,开始一直以为是自己的样式写的有问题,检查下来才发现并不是,而是弹窗组件的问题,于是找到 ...

  8. 简析 Linux 的 CPU 时间

    从 CPU 时间说起... 下面这个是 top 命令的界面,相信大家应该都不陌生. top - 19:01:38 up 91 days, 23:06, 1 user, load average: 0. ...

  9. vue2使用组件进行父子互相传值的sync语法糖方法和原生方法

    原生方法:(事件名可以不在props通道里) 子类通过props通道绑定父类里data里的jjjjjj(@:fefefeff='jjjjjjjjjjjjj') 父组件通过监听fefeff事件来把子类传 ...

  10. 华为路由器vrrp(虚拟路由器冗余协议)基本配置命令

    vrrp(虚拟路由器冗余协议)基本配置 int g0/0/0 vrrp vrid 1 virtual-ip 172.16.1.254 创建VRRP备份组,备份组号为1,配置虚拟IP为172.16.1. ...