证书更新

  • 默认证书一年有效期
  • 一旦证书过期,使用kubectl时会出现如下提示:`Unable to connect to the server: x509: certificate has expired or is not yet valid`

查看证书过期情况

 [root@k8s-test-master- ~]# kubeadm alpha certs check-expiration

 CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED

 admin.conf Jul ,  : UTC 364d no

 apiserver Jul ,  : UTC 364d no

 apiserver-etcd-client Jul ,  : UTC 364d no

 apiserver-kubelet-client Jul ,  : UTC 364d no

 controller-manager.conf Jul ,  : UTC 364d no

 etcd-healthcheck-client Jul ,  : UTC 364d no

 etcd-peer Jul ,  : UTC 364d no

 etcd-server Jul ,  : UTC 364d no

 front-proxy-client Jul ,  : UTC 364d no

 scheduler.conf Jul ,  : UTC 364d no

 # 查看根CA证书的有效期(十年)

 [root@k8s-test-master- pki]# cd /etc/kubernetes/pki

 [root@k8s-test-master- pki]# ls | grep ca.crt | xargs -I {} openssl x509 -text -in {} | grep "Not After"

 Not After : Jul  ::  GMT

 Not After : Jul  ::  GMT

证书目录结构

[root@k8s-test-master- pki]# pwd

/etc/kubernetes/pki

[root@k8s-test-master- pki]# tree .

.

├── apiserver.crt

├── apiserver-etcd-client.crt

├── apiserver-etcd-client.key

├── apiserver.key

├── apiserver-kubelet-client.crt

├── apiserver-kubelet-client.key

├── ca.crt

├── ca.key

├── etcd

│   ├── ca.crt

│   ├── ca.key

│   ├── healthcheck-client.crt

│   ├── healthcheck-client.key

│   ├── peer.crt

│   ├── peer.key

│   ├── server.crt

│   └── server.key

├── front-proxy-ca.crt

├── front-proxy-ca.key

├── front-proxy-client.crt

├── front-proxy-client.key

├── sa.key

└── sa.pub

 directory,  files

Kubernetes 集群根证书

/etc/kubernetes/pki/ca.crt

/etc/kubernetes/pki/ca.key

由此根证书签发的证书有:
  • 1,kube-apiserver 组件持有的服务端证书
  /etc/kubernetes/pki/apiserver.crt
  /etc/kubernetes/pki/apiserver.key
  • 2,kubelet 组件持有的客户端证书
  /etc/kubernetes/pki/apiserver-kubelet-client.crt
  /etc/kubernetes/pki/apiserver-kubelet-client.key
kubelet 上一般不会明确指定服务端证书, 而是只指定 ca 根证书, 让 kubelet 根据本地主机信息自动生成服务端证书并保存到配置的cert-dir文件夹中。

汇聚层(aggregator)证书

/etc/kubernetes/pki/front-proxy-ca.crt
/etc/kubernetes/pki/front-proxy-ca.key
由此根证书签发的证书只有一组:
  • 1,代理端使用的客户端证书, 用作代用户与 kube-apiserver 认证
/etc/kubernetes/pki/front-proxy-client.crt
/etc/kubernetes/pki/front-proxy-client.key

etcd 集群根证书

/etc/kubernetes/pki/etcd/ca.crt
/etc/kubernetes/pki/etcd/ca.key
由此根证书签发机构签发的证书有:
  • 1,etcd server 持有的服务端证书
/etc/kubernetes/pki/etcd/server.crt
/etc/kubernetes/pki/etcd/server.key
  • 2,peer 集群中节点互相通信使用的客户端证书
/etc/kubernetes/pki/etcd/peer.crt
/etc/kubernetes/pki/etcd/peer.key
  • 3,pod 中定义 Liveness 探针使用的客户端证书
/etc/kubernetes/pki/etcd/healthcheck-client.crt
/etc/kubernetes/pki/etcd/healthcheck-client.key
  • 4,配置在 kube-apiserver 中用来与 etcd server 做双向认证的客户端证书
/etc/kubernetes/pki/apiserver-etcd-client.crt
/etc/kubernetes/pki/apiserver-etcd-client.key

Serveice Account秘钥

这组的密钥对儿仅提供给 kube-controller-manager 使用. kube-controller-manager 通过 sa.key 对 token 进行签名, master 节点通过公钥 sa.pub 进行签名的验证.
API Server的authenticating环节支持多种身份校验方式:client cert、bearer token、static password auth等,这些方式中有一种方式通过authenticating(Kubernetes API Server会逐个方式尝试),那么身份校验就会通过。一旦API Server发现client发起的request使用的是service account token的方式,API Server就会自动采用signed bearer token方式进行身份校验。而request就会使用携带的service account token参与验证。该token是API Server在创建service account时用API server启动参数:–service-account-key-file的值签署(sign)生成的。如果–service-account-key-file未传入任何值,那么将默认使用–tls-private-key-file的值,即API Server的私钥(server.key)。
通过authenticating后,API Server将根据Pod username所在的group:system:serviceaccounts和system:serviceaccounts:(NAMESPACE)的权限对其进行authority 和admission control两个环节的处理。在这两个环节中,cluster管理员可以对service account的权限进行细化设置。
/etc/kubernetes/pki/sa.key
/etc/kubernetes/pki/sa.pub
kubeadm 创建的集群, kube-proxy ,flannel,coreDNS是以 pod 形式运行的, 在 pod 中, 直接使用 service account 与 kube-apiserver 进行认证, 此时就不需要再单独为 kube-proxy 创建证书

更新证书

生成集群配置的yaml文件

 kubeadm config view > /root/kubeadm.yaml
 
  • kubeadm.yaml
 apiServer:

   extraArgs:

     authorization-mode: Node,RBAC

   timeoutForControlPlane: 4m0s

 apiVersion: kubeadm.k8s.io/v1beta2

 certificatesDir: /etc/kubernetes/pki

 clusterName: kubernetes-test

 controlPlaneEndpoint: 10.8.28.200:6443

 controllerManager: {}

 dns:

   type: CoreDNS

 etcd:

   local:

     dataDir: /data/etcd

 imageRepository: k8s.gcr.io

 kind: ClusterConfiguration

 kubernetesVersion: v1.15.1

 networking:

   dnsDomain: cluster.local

   podSubnet: 192.168.0.0/16

   serviceSubnet: 10.96.0.0/12

 scheduler: {}

证书更新使用帮助

[root@k8s-test-master- ~]# kubeadm alpha certs renew --help

This command is not meant to be run on its own. See list of available subcommands.

Usage:

  kubeadm alpha certs renew [flags]

  kubeadm alpha certs renew [command]

Available Commands:

  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself

  all                      Renew all available certificates

  apiserver                Renew the certificate for serving the Kubernetes API

  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd

  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet

  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use

  etcd-healthcheck-client  Renew the certificate for liveness probes to healtcheck etcd

  etcd-peer                Renew the certificate for etcd nodes to communicate with each other

  etcd-server              Renew the certificate for serving etcd

  front-proxy-client       Renew the certificate for the front proxy client

  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

更新证书操作

每个Master操作
kubeadm alpha certs renew all --config=/root/kubeadm.yaml

# (也可以逐个更新)

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed

certificate for serving the Kubernetes API renewed

certificate the apiserver uses to access etcd renewed

certificate for the API server to connect to kubelet renewed

certificate embedded in the kubeconfig file for the controller manager to use renewed

certificate for liveness probes to healtcheck etcd renewed

certificate for etcd nodes to communicate with each other renewed

certificate for serving etcd renewed

certificate for the front proxy client renewed

certificate embedded in the kubeconfig file for the scheduler manager to use renewed

# 再次查询证书期限

[root@k8s-test-master- ~]# kubeadm alpha certs check-expiration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED

admin.conf                 Jul ,  : UTC   364d            no

apiserver                  Jul ,  : UTC   364d            no

apiserver-etcd-client      Jul ,  : UTC   364d            no

apiserver-kubelet-client   Jul ,  : UTC   364d            no

controller-manager.conf    Jul ,  : UTC   364d            no

etcd-healthcheck-client    Jul ,  : UTC   364d            no

etcd-peer                  Jul ,  : UTC   364d            no

etcd-server                Jul ,  : UTC   364d            no

front-proxy-client         Jul ,  : UTC   364d            no

scheduler.conf             Jul ,  : UTC   364d            no

# 在三台Master上执行重启kube-apiserver,kube-controller,kube-scheduler,etcd这4个容器,使证书生效

docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart

kubeadm安装集群系列-4.证书更新的更多相关文章

  1. kubeadm安装集群系列(kubeadm 1.15.1)

    kubeadm已经进入GA阶段,所以尝试使用kubeadm从零开始安装高可用的Kubernetes集群,并记录下过程和所有坑 本文基于kubeadm 1.15.1 目录 kubeadm安装集群系列-1 ...

  2. kubeadm安装集群系列-2.Master高可用

    Master高可用安装 VIP负载均衡可以使用haproxy+keepalive实现,云上用户可以使用对应的ULB实现 准备kubeadm-init.yaml文件 apiVersion: kubead ...

  3. kubeadm安装集群系列-3.添加工作节点

    添加工作节点 worker通过kubeadm join加入集群,加入所需的集群的token默认24小时过期 查看Token kubeadm token list # 如果失效创建一个新的 kubead ...

  4. kubeadm安装集群系列-1.基础服务安装

    基础服务 本文基于centos7.5部署 规划 10.8.28.200 master-VIP 10.8.31.84 k8s-test-master-1 10.8.152.149 k8s-test-ma ...

  5. kubeadm安装集群系列-5.其他操作

    常用的一些操作记录 imagePullSecrets kubectl -n [namespace] create secret docker-registry regsecret --docker-s ...

  6. Kubeadm安装的K8S集群1年证书过期问题的解决思路

    这个问题,很多使用使用kubeadm的用户都会遇到. 网上也有类似的帖子,从源代码编译这种思路, 在生产环境,有些不现实. 还是使用kubeadm的命令操作,比较自然一点. 当然,自行生成一套证书,也 ...

  7. mycat数据库集群系列之数据库多实例安装

    mycat数据库集群系列之数据库多实例安装 最近在梳理数据库集群的相关操作,现在花点时间整理一下关于mysql数据库集群的操作总结,恰好你又在看这一块,供一份参考.本次系列终结大概包括以下内容:多数据 ...

  8. Kubernetes学习之路(八)之Kubeadm部署集群

    一.环境说明 节点名称 ip地址 部署说明 Pod 网段 Service网段 系统说明 k8s-master 192.168.56.11 docker.kubeadm.kubectl.kubelet ...

  9. Kubernetes 使用kubeadm创建集群

    镜像下载.域名解析.时间同步请点击 阿里巴巴开源镜像站 实践环境 CentOS-7-x86_64-DVD-1810 Docker 19.03.9 Kubernetes version: v1.20.5 ...

随机推荐

  1. 洛谷P1233 木棍加工【单调栈】

    题目:https://www.luogu.org/problemnew/show/P1233 题意: 有n根木棍,每根木棍有长度和宽度. 现在要求按某种顺序加工木棍,如果前一根木棍的长度和宽度都大于现 ...

  2. [Algorithm] Max Chars Problem

    // --- Directions // Given a string, return the character that is most // commonly used in the strin ...

  3. 【转】别人写的pe代码

    // PEOperate.cpp: implementation of the PEOperate class. // //////////////////////////////////////// ...

  4. PHP mysqli_fetch_lengths() 函数

    mysqli_fetch_lengths() 函数返回结果集中的字段长度. <?php // 假定数据库用户名:root,密码:123456,数据库:RUNOOB $con=mysqli_con ...

  5. hdu 5572 An Easy Physics Problem 圆+直线

    An Easy Physics Problem Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 65536/65536 K (Java/ ...

  6. 数论之同余性质 线性同余方程&拔山盖世BSGS&中国剩余定理

    先记录一下一些概念和定理 同余:给定整数a,b,c,若用c不停的去除a和b最终所得余数一样,则称a和b对模c同余,记做a≡b (mod c),同余满足自反性,对称性,传递性 定理1: 若a≡b (mo ...

  7. P4779 【模板】单源最短路径(标准版)题解

    原题链接 https://www.luogu.org/problemnew/show/P4779 若还未食用弱化版的同学请先做这个qwq https://www.luogu.org/problemne ...

  8. ACM之路(17)—— 博弈论

    博弈论这方面网上资料庞大,我觉得我不可能写的比他们好,就转载一下我觉得写的不错的博客好了. 首先是三大博弈:巴什博奕,威佐夫博奕,尼姆博奕.博客:三大基本博弈. 然后是强大的sg函数和sg定理:SG. ...

  9. hadoop HA+Federation(高可用联邦)搭建配置(二)

    hadoop HA+Federation(高可用联邦)搭建配置(二) 标签(空格分隔): hadoop core-site.xml <?xml version="1.0" e ...

  10. 【CF671D】 Roads in Yusland(对偶问题,左偏树)

    传送门 洛谷翻译 CodeForces Solution emmm,先引入一个对偶问题的概念 \(max(c^Tx|Ax \leq b)=min(b^Ty|A^Ty \ge c)\) 考虑这个式子的现 ...