帮助文档:https://zealous-cricket-cfa.notion.site/kubeadm-k8s-24611be9607c4b3193012de58860535e

解决:

1.安装GO语言环境:

[root@k8s-master software]# wget https://studygolang.com/dl/golang/go1.19.1.linux-amd64.tar.gz

[root@k8s-master software]# tar xf go1.19.1.linux-amd64.tar.gz -C /usr/local

[root@k8s-master software]# vim /etc/profile   # 最后面添加如下信息

# go语言环境变量

export PATH=$PATH:/usr/local/go/bin

[root@k8s-master software]# source /etc/profile

2.Kubernetes源码下载与更改证书策略:(保证跟当前版本一样,我这里是1.23.1,可以先用kubectl version查看当前版本)

wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.23.1.zip (修改版本号直接下载对应版本即可,tag里可能没有,但不影响下载)

mkdir k8s

unzip v1.23.1.zip -d /root/k8s

cd /root/k8s/kubernetes-1.23.1/

cd cmd/kubeadm/app/util/pkiutil

#更改配置文件并备份:

cp pki_helpers.go pki_helpers.go.bak

vim pki_helpers.go

#在636行左右

func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {

     const effectyear = time.Hour * 24 * 365 * 50 #添加此行,我这里是改成50年

     serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))

     if err != nil {

             return nil, err

     }

     if len(cfg.CommonName) == 0 {

             return nil, errors.New("must specify a CommonName")

     }

     keyUsage := x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature

     if isCA {

             keyUsage |= x509.KeyUsageCertSign

     }

     RemoveDuplicateAltNames(&cfg.AltNames)

//      notAfter := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()#在go语言中,变量如果没引用会报错,所以需要注释此变量及下面的判断

//      if cfg.NotAfter != nil {

//              notAfter = *cfg.NotAfter

//      }

     certTmpl := x509.Certificate{

             Subject: pkix.Name{

                     CommonName:   cfg.CommonName,

                     Organization: cfg.Organization,

             },

             DNSNames:              cfg.AltNames.DNSNames,

             IPAddresses:           cfg.AltNames.IPs,

             SerialNumber:          serial,

             NotBefore:             caCert.NotBefore,

           //  NotAfter:              notAfter,  #注释此行

             NotAfter:              time.Now().Add(effectyear).UTC(),#添加此行

             KeyUsage:              keyUsage,

             ExtKeyUsage:           cfg.Usages,

# 注意路径,开始编译

root@master01:~/k8s/kubernetes-1.23.1/cmd/kubeadm/app/util/pkiutil# cd /root/k8s/kubernetes-1.23.1/

root@master01:~/k8s/kubernetes-1.23.1# make WHAT=cmd/kubeadm GOFLAGS=-v

+++ [0914 11:30:04] Building go targets for linux/amd64:

 cmd/kubeadm

> static build CGO_ENABLED=0: k8s.io/kubernetes/cmd/kubeadm

k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil

k8s.io/kubernetes/cmd/kubeadm/app/phases/certs

k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod

k8s.io/kubernetes/cmd/kubeadm/app/phases/kubeconfig

k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal

k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane

k8s.io/kubernetes/cmd/kubeadm/app/phases/etcd

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/init

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/join

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/reset

k8s.io/kubernetes/cmd/kubeadm/app/phases/upgrade

k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/upgrade/node

k8s.io/kubernetes/cmd/kubeadm/app/cmd/upgrade

k8s.io/kubernetes/cmd/kubeadm/app/cmd

k8s.io/kubernetes/cmd/kubeadm/app

k8s.io/kubernetes/cmd/kubeadm

#备份之前的证书

cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old

#备份之前的kubeadm

mv /usr/bin/kubeadm /usr/bin/kubeadm.old

#把编译过的kubeadm拷贝过来

root@master01:/etc/kubernetes/pki# cd /root/k8s/kubernetes-1.23.1/

root@master01:~/k8s/kubernetes-1.23.1# cp _output/bin/kubeadm /usr/bin/

#添加执行权限

root@master01:~/k8s/kubernetes-1.23.1# chmod 755 /usr/bin/kubeadm

#kubeadm的版本不一样,编译的命令也不一样,参考链接:https://www.cnblogs.com/sysin/p/15675772.html

root@master01:~/k8s/kubernetes-1.23.1# kubeadm certs renew all

[renew] Reading configuration from the cluster...

[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

W0914 12:18:40.867177  165896 utils.go:69] The recommended value for "resolvConf" in "KubeletConfiguration" is: /run/systemd/resolve/resolv.conf; the provided value is: /run/systemd/resolve/resolv.conf

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed

certificate for serving the Kubernetes API renewed

certificate the apiserver uses to access etcd renewed

certificate for the API server to connect to kubelet renewed

certificate embedded in the kubeconfig file for the controller manager to use renewed

certificate for liveness probes to healthcheck etcd renewed

certificate for etcd nodes to communicate with each other renewed

certificate for serving etcd renewed

certificate for the front proxy client renewed

certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

#重启master组件容器并验证(这步可以不执行,生产环境不要执行!会重启服务。)

root@master01:~/k8s/kubernetes-1.23.1# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart

019ecea9f270

0bde6fe9ea90

3cd6f8f17ae6

58abb3209def

root@master01:~/k8s/kubernetes-1.23.1# kubeadm certs check-expiration

[check-expiration] Reading configuration from the cluster...

[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

W0914 13:10:19.423400  182208 utils.go:69] The recommended value for "resolvConf" in "KubeletConfiguration" is: /run/systemd/resolve/resolv.conf; the provided value is: /run/systemd/resolve/resolv.conf

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED

admin.conf                 Sep 01, 2072 04:18 UTC   49y             ca                      no

apiserver                  Sep 01, 2072 04:18 UTC   49y             ca                      no

apiserver-etcd-client      Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

apiserver-kubelet-client   Sep 01, 2072 04:18 UTC   49y             ca                      no

controller-manager.conf    Sep 01, 2072 04:18 UTC   49y             ca                      no

etcd-healthcheck-client    Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

etcd-peer                  Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

etcd-server                Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no

front-proxy-client         Sep 01, 2072 04:18 UTC   49y             front-proxy-ca          no

scheduler.conf             Sep 01, 2072 04:18 UTC   49y             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED

ca                      Sep 11, 2032 02:07 UTC   9y              no

etcd-ca                 Sep 11, 2032 02:07 UTC   9y              no

front-proxy-ca          Sep 11, 2032 02:07 UTC   9y              no

更换K8S证书可用期的更多相关文章

  1. kubernetes实战(十六):k8s高可用集群平滑升级 v1.11.x 到v1.12.x

    1.基本概念 升级之后所有的containers会重启,因为hash值会变. 不可跨版本升级. 2.升级Master节点 当前版本 [root@k8s-master01 ~]# kubeadm ver ...

  2. .Net Core2.1 秒杀项目一步步实现CI/CD(Centos7.2)系列一:k8s高可用集群搭建总结以及部署API到k8s

    前言:本系列博客又更新了,是博主研究很长时间,亲自动手实践过后的心得,k8s集群是购买了5台阿里云服务器部署的,这个集群差不多搞了一周时间,关于k8s的知识点,我也是刚入门,这方面的知识建议参考博客园 ...

  3. k8s 证书反解

    k8s证书反解 1.将k8s配置文件(kubelet.kubeconfig)中client-certificate-data:内容拷贝 2.echo "client-certificate- ...

  4. python安装二进制k8s高可用 版本1.13.0

    一.所有安装包.脚本.脚本说明.下载链接:https://pan.baidu.com/s/1kHaesJJuMQ5cG-O_nvljtg 提取码:kkv6 二.脚本安装说明 1.脚本说明: 本实验为三 ...

  5. 阿里云搭建k8s高可用集群(1.17.3)

    首先准备5台centos7 ecs实例最低要求2c4G 开启SLB(私网) 这里我们采用堆叠拓扑的方式构建高可用集群,因为k8s 集群etcd采用了raft算法保证集群一致性,所以高可用必须保证至少3 ...

  6. kubeadm实现k8s高可用集群环境部署与配置

    高可用架构 k8s集群的高可用实际是k8s各核心组件的高可用,这里使用主备模式,架构如下: 主备模式高可用架构说明: 核心组件 高可用模式 高可用实现方式 apiserver 主备 keepalive ...

  7. 【葵花宝典】lvs+keepalived部署kubernetes(k8s)高可用集群

    一.部署环境 1.1 主机列表 主机名 Centos版本 ip docker version flannel version Keepalived version 主机配置 备注 lvs-keepal ...

  8. kubespray续签k8s证书

    查看证书过期时期 [root@node1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not ...

  9. 一、k8s介绍(第一章、k8s高可用集群安装)

    作者:北京小远 出处:http://www.cnblogs.com/bj-xy/ 参考课程:Kubernetes全栈架构师(电脑端购买优惠) 文档禁止转载,转载需标明出处,否则保留追究法律责任的权利! ...

  10. 三、k8s集群可用性验证与调参(第一章、k8s高可用集群安装)

    作者:北京小远 出处:http://www.cnblogs.com/bj-xy/ 参考课程:Kubernetes全栈架构师(电脑端购买优惠) 文档禁止转载,转载需标明出处,否则保留追究法律责任的权利! ...

随机推荐

  1. Linux虚拟机 RHEL8.0安装步骤

    一. 创建空白虚拟机 1.打开 VMware 虚拟机软件依次选择新建虚拟机并选择选择"自定义" 自定义功能更加全面,典型就是比较简单的配置 2.选择对应的 VMware 版本,此则 ...

  2. KingbaseES不同字符类型比较转换规则

    Postgresql 常用的字符数据类型的有char.varchar和text,其中 char 固定长度类型, varchar 和 text 是可变长度类型.这三种类型在进行比较时,会进行隐含的类型转 ...

  3. KingbaseES R6 集群在线删除standby节点

      案例环境: 操作系统:   [root@node1 ~]# cat /etc/centos-releaseCentOS Linux release 7.2.1511 (Core) ​数据库:tes ...

  4. VLDB'22 HiEngine极致RTO论文解读

    摘要:<Index Checkpoints for Instant Recovery in In-Memory Database Systems>是由华为云数据库创新Lab一作发表在数据库 ...

  5. bat查找文件

    举例如下 @dir > 1.txt /s /a /b d:\*.mp4 以后再作解释

  6. 【Azure 环境】Azure Resource Graph Explorer 中实现动态数组数据转换成多行记录模式 - mv-expand

    问题描述 想对Azure中全部VM的NSG资源进行收集,如果只是查看一个VM的NSG设定,可以在门户页面中查看表格模式,但是如果想把导出成表格,可以在Azure Resource Graph Expl ...

  7. ProxySQL 定时调度

    转载自:https://www.jianshu.com/p/410ff5897c27 Scheduler是 v1.2.0 引入的特性. ProxySQL的Scheduler是一个类似于定时任务系统(c ...

  8. 8_Quartz

    一. 引言 1.1 简介 Quartz: http://www.quartz-scheduler.org/ 是一个 定时任务调度框架 ,比如我们遇到这样的问题 想在30分钟后, 查看订单是否支付, 未 ...

  9. Go微服务实战 - 从0到1搭建一个类Instagram应用(持续更新)

    概要 近几年各大移动应用基本都有社区Community(或动态Moments)的功能,展现形式各不相同,比如 国内的有:微博.朋友圈.抖音.小红书.keep.绿洲.即刻等 国外的有:Instagram ...

  10. Maximum Entropy Population-Based Training for Zero-Shot Human-AI Coordination

    原文:https://www.cnblogs.com/Twobox/p/16791412.html 熵 熵:表述一个概率分布的不确定性.例如一个不倒翁和一个魔方抛到地上,看他们平稳后状态.很明显,魔方 ...