帮助文档:https://zealous-cricket-cfa.notion.site/kubeadm-k8s-24611be9607c4b3193012de58860535e

解决:

1.安装GO语言环境:

[root@k8s-master software]# wget https://studygolang.com/dl/golang/go1.19.1.linux-amd64.tar.gz

[root@k8s-master software]# tar xf go1.19.1.linux-amd64.tar.gz -C /usr/local

[root@k8s-master software]# vim /etc/profile   # 最后面添加如下信息

# go语言环境变量

export PATH=$PATH:/usr/local/go/bin

[root@k8s-master software]# source /etc/profile

2.Kubernetes源码下载与更改证书策略:(保证跟当前版本一样,我这里是1.23.1,可以先用kubectl version查看当前版本)

wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.23.1.zip (修改版本号直接下载对应版本即可,tag里可能没有,但不影响下载)

mkdir k8s

unzip v1.23.1.zip -d /root/k8s

cd /root/k8s/kubernetes-1.23.1/

cd cmd/kubeadm/app/util/pkiutil

#更改配置文件并备份:

cp pki_helpers.go pki_helpers.go.bak

vim pki_helpers.go

#在636行左右

func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {

     const effectyear = time.Hour * 24 * 365 * 50 #添加此行,我这里是改成50年

     serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))

     if err != nil {

             return nil, err

     }

     if len(cfg.CommonName) == 0 {

             return nil, errors.New("must specify a CommonName")

     }

     keyUsage := x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature

     if isCA {

             keyUsage |= x509.KeyUsageCertSign

     }

     RemoveDuplicateAltNames(&cfg.AltNames)

//      notAfter := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()#在go语言中,变量如果没引用会报错,所以需要注释此变量及下面的判断

//      if cfg.NotAfter != nil {

//              notAfter = *cfg.NotAfter

//      }

     certTmpl := x509.Certificate{

             Subject: pkix.Name{

                     CommonName:   cfg.CommonName,

                     Organization: cfg.Organization,

             },

             DNSNames:              cfg.AltNames.DNSNames,

             IPAddresses:           cfg.AltNames.IPs,

             SerialNumber:          serial,

             NotBefore:             caCert.NotBefore,

           //  NotAfter:              notAfter,  #注释此行

             NotAfter:              time.Now().Add(effectyear).UTC(),#添加此行

             KeyUsage:              keyUsage,

             ExtKeyUsage:           cfg.Usages,

# 注意路径,开始编译

root@master01:~/k8s/kubernetes-1.23.1/cmd/kubeadm/app/util/pkiutil# cd /root/k8s/kubernetes-1.23.1/

root@master01:~/k8s/kubernetes-1.23.1# make WHAT=cmd/kubeadm GOFLAGS=-v

+++ [0914 11:30:04] Building go targets for linux/amd64:

 cmd/kubeadm

> static build CGO_ENABLED=0: k8s.io/kubernetes/cmd/kubeadm

k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil

k8s.io/kubernetes/cmd/kubeadm/app/phases/certs

k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod

k8s.io/kubernetes/cmd/kubeadm/app/phases/kubeconfig

k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal

k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane

k8s.io/kubernetes/cmd/kubeadm/app/phases/etcd

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/init

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/join

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/reset

k8s.io/kubernetes/cmd/kubeadm/app/phases/upgrade

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/upgrade/node

k8s.io/kubernetes/cmd/kubeadm/app/cmd/upgrade

k8s.io/kubernetes/cmd/kubeadm/app/cmd

k8s.io/kubernetes/cmd/kubeadm/app

k8s.io/kubernetes/cmd/kubeadm

#备份之前的证书

cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old

#备份之前的kubeadm

mv /usr/bin/kubeadm /usr/bin/kubeadm.old

#把编译过的kubeadm拷贝过来

root@master01:/etc/kubernetes/pki# cd /root/k8s/kubernetes-1.23.1/

root@master01:~/k8s/kubernetes-1.23.1# cp _output/bin/kubeadm /usr/bin/

#添加执行权限

root@master01:~/k8s/kubernetes-1.23.1# chmod 755 /usr/bin/kubeadm

#kubeadm的版本不一样,编译的命令也不一样,参考链接:https://www.cnblogs.com/sysin/p/15675772.html

root@master01:~/k8s/kubernetes-1.23.1# kubeadm certs renew all

[renew] Reading configuration from the cluster...

[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

W0914 12:18:40.867177  165896 utils.go:69] The recommended value for "resolvConf" in "KubeletConfiguration" is: /run/systemd/resolve/resolv.conf; the provided value is: /run/systemd/resolve/resolv.conf

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed

certificate for serving the Kubernetes API renewed

certificate the apiserver uses to access etcd renewed

certificate for the API server to connect to kubelet renewed

certificate embedded in the kubeconfig file for the controller manager to use renewed

certificate for liveness probes to healthcheck etcd renewed

certificate for etcd nodes to communicate with each other renewed

certificate for serving etcd renewed

certificate for the front proxy client renewed

certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

#重启master组件容器并验证(这步可以不执行,生产环境不要执行!会重启服务。)

root@master01:~/k8s/kubernetes-1.23.1# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart

019ecea9f270

0bde6fe9ea90

3cd6f8f17ae6

58abb3209def

root@master01:~/k8s/kubernetes-1.23.1# kubeadm certs check-expiration

[check-expiration] Reading configuration from the cluster...

[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

W0914 13:10:19.423400  182208 utils.go:69] The recommended value for "resolvConf" in "KubeletConfiguration" is: /run/systemd/resolve/resolv.conf; the provided value is: /run/systemd/resolve/resolv.conf

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED

admin.conf                 Sep 01, 2072 04:18 UTC   49y             ca                      no

apiserver                  Sep 01, 2072 04:18 UTC   49y             ca                      no

apiserver-etcd-client      Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

apiserver-kubelet-client   Sep 01, 2072 04:18 UTC   49y             ca                      no

controller-manager.conf    Sep 01, 2072 04:18 UTC   49y             ca                      no

etcd-healthcheck-client    Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

etcd-peer                  Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

etcd-server                Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

front-proxy-client         Sep 01, 2072 04:18 UTC   49y             front-proxy-ca          no

scheduler.conf             Sep 01, 2072 04:18 UTC   49y             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED

ca                      Sep 11, 2032 02:07 UTC   9y              no

etcd-ca                 Sep 11, 2032 02:07 UTC   9y              no

front-proxy-ca          Sep 11, 2032 02:07 UTC   9y              no

更换K8S证书可用期的更多相关文章

  1. kubernetes实战(十六):k8s高可用集群平滑升级 v1.11.x 到v1.12.x

    1.基本概念 升级之后所有的containers会重启,因为hash值会变. 不可跨版本升级. 2.升级Master节点 当前版本 [root@k8s-master01 ~]# kubeadm ver ...

  2. .Net Core2.1 秒杀项目一步步实现CI/CD(Centos7.2)系列一:k8s高可用集群搭建总结以及部署API到k8s

    前言:本系列博客又更新了,是博主研究很长时间,亲自动手实践过后的心得,k8s集群是购买了5台阿里云服务器部署的,这个集群差不多搞了一周时间,关于k8s的知识点,我也是刚入门,这方面的知识建议参考博客园 ...

  3. k8s 证书反解

    k8s证书反解 1.将k8s配置文件(kubelet.kubeconfig)中client-certificate-data:内容拷贝 2.echo "client-certificate- ...

  4. python安装二进制k8s高可用 版本1.13.0

    一.所有安装包.脚本.脚本说明.下载链接:https://pan.baidu.com/s/1kHaesJJuMQ5cG-O_nvljtg 提取码:kkv6 二.脚本安装说明 1.脚本说明: 本实验为三 ...

  5. 阿里云搭建k8s高可用集群(1.17.3)

    首先准备5台centos7 ecs实例最低要求2c4G 开启SLB(私网) 这里我们采用堆叠拓扑的方式构建高可用集群,因为k8s 集群etcd采用了raft算法保证集群一致性,所以高可用必须保证至少3 ...

  6. kubeadm实现k8s高可用集群环境部署与配置

    高可用架构 k8s集群的高可用实际是k8s各核心组件的高可用,这里使用主备模式,架构如下: 主备模式高可用架构说明: 核心组件 高可用模式 高可用实现方式 apiserver 主备 keepalive ...

  7. 【葵花宝典】lvs+keepalived部署kubernetes(k8s)高可用集群

    一.部署环境 1.1 主机列表 主机名 Centos版本 ip docker version flannel version Keepalived version 主机配置 备注 lvs-keepal ...

  8. kubespray续签k8s证书

    查看证书过期时期 [root@node1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not ...

  9. 一、k8s介绍(第一章、k8s高可用集群安装)

    作者:北京小远 出处:http://www.cnblogs.com/bj-xy/ 参考课程:Kubernetes全栈架构师(电脑端购买优惠) 文档禁止转载,转载需标明出处,否则保留追究法律责任的权利! ...

  10. 三、k8s集群可用性验证与调参(第一章、k8s高可用集群安装)

    作者:北京小远 出处:http://www.cnblogs.com/bj-xy/ 参考课程:Kubernetes全栈架构师(电脑端购买优惠) 文档禁止转载,转载需标明出处,否则保留追究法律责任的权利! ...

随机推荐

  1. 关于使用docker volume挂载的注意事项

    Content 在用Docker进行持久化的存储的时候,有两种方式: 使用数据卷(volume) -v 容器绝对路径 或者 -v 已经创建的volume名称:容器绝对路径 2. 使用挂载点(共享宿主目 ...

  2. 第八十八篇:Vue keep-alive的使用 让组件"活下去""

    好家伙, 1.关于keep-alive 这是一个用于阻止组件自行销毁的插件 <!-- keep-alive可以把内部组件进行缓存,而不是销毁组件 --> 那么我们什么时候会用到他呢? 举个 ...

  3. HBase集群部署与基础命令

    HBase 集群部署 安装 hbase 之前需要先搭建好 hadoop 集群和 zookeeper 集群.hadoop 集群搭建可以参考:https://www.cnblogs.com/javammc ...

  4. KingbaseES blob 类型数据导入导出

    KingbaseES兼容了oracle的blob数据类型.通常是用来保存二进制形式的大数据,也可以用来保存其他类型的数据. 下面来验证一下各种数据存储在数据库中形式. 建表 create table ...

  5. git hooks在业务中的使用

    起因 最近公司项目发生了一起线上事故,最后排查下来是配置文件的问题.项目里application.yml文件内会用@build.time@记录打包时的时间,但是这个写法是build-helper-ma ...

  6. 注解@PostConstruct分析

    作用 1.注解@PostConstruct可以添加在类的方法上面,如果这个类被IOC容器托管,那么在对Bean进行初始化前的时候会调用被这个注解修饰的方法 被定义在哪里? 1.被定义在了CommonA ...

  7. 还不会Traefik?看这篇文章就够了!

    文章转载自:https://mp.weixin.qq.com/s/ImZG0XANFOYsk9InOjQPVA 提到Traefik,有些人可能并不熟悉,但是提到Nginx,应该都耳熟能详. 暂且我们把 ...

  8. css语言

    css:样式表.级联样式表.层叠样式表 css写在style标签里面,放在head标签中:大括号中写键值对语法 color:文字颜色 Font-family:字体 Font-size:字号 text- ...

  9. [笔记] CSP 初赛 部分知识整理

    几年前整理的东西,要不就发到网上吧 不过现在这些东西里面也有很多考得比以前少了 卡特兰数 \(f(i)=\sum_\limits{i=0}^{n-1}{f(i)f(n-i-1)}\) 其中\(f(0) ...

  10. Codeforces Round #708 (Div. 2)

    A题被hack,A题很简单,其实题目没看懂,直接看样例做的. B题题意是以为懂了,但是样例一直看不懂. 经验:要两两相加能被一个m整除数组sum最少,利用他们的余数就可以设为a[x], x是余数,如果 ...