kubernetes 1.17.2 kubeadm部署 证书修改为100年
[root@hs-k8s-master01 ~]# cd /data/
[root@hs-k8s-master01 data]# ls
docker
[root@hs-k8s-master01 data]# mkdir k8s
[root@hs-k8s-master01 data]# cd k8s/
[root@hs-k8s-master01 k8s]# ls
[root@hs-k8s-master01 k8s]# mkdir source_code
[root@hs-k8s-master01 k8s]# cd source_code/
[root@hs-k8s-master01 source_code]# rz
[root@hs-k8s-master01 source_code]# tar xf kubernetes-1.17..tar.gz
[root@hs-k8s-master01 source_code]# ls
kubernetes-1.17. kubernetes-1.17..tar.gz
[root@hs-k8s-master01 source_code]# cd kubernetes-1.17./
[root@hs-k8s-master01 kubernetes-1.17.]# ls
api cluster Godeps logo pkg SUPPORT.md WORKSPACE
build cmd go.mod Makefile plugin test
BUILD.bazel code-of-conduct.md go.sum Makefile.generated_files README.md third_party
CHANGELOG-1.17.md CONTRIBUTING.md hack OWNERS SECURITY_CONTACTS translations
CHANGELOG.md docs LICENSE OWNERS_ALIASES staging vendor
[root@hs-k8s-master01 kubernetes-1.17.]#
[root@hs-k8s-master01 kubernetes-1.17.]# vim ./staging/src/k8s.io/c
client-go/ cloud-provider/ code-generator/ cri-api/
cli-runtime/ cluster-bootstrap/ component-base/ csi-translation-lib/
[root@hs-k8s-master01 kubernetes-1.17.]# vim ./staging/src/k8s.io/cli
client-go/ cli-runtime/
[root@hs-k8s-master01 kubernetes-1.17.]# vim ./staging/src/k8s.io/client-go/util/cert
cert/ certificate/
[root@hs-k8s-master01 kubernetes-1.17.]# vim ./staging/src/k8s.io/client-go/util/cert/cert.go
[root@hs-k8s-master01 kubernetes-1.17.]# vim ./cmd/kubeadm/app/util/pkiutil/pki_helpers.go
[root@hs-k8s-master01 kubernetes-1.17.]# vim ./cmd/kubeadm/app/constants/constants.go
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull mirrorgooglecontainers/kube-cross:v1.12.10-
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 223.5.5.5:53: read udp 10.0.0.200:37338->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull mirrorgooglecontainers/kube-cross:v1.12.10-
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 223.5.5.5:53: read udp 10.0.0.200:4029->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull gcrcontainer/kube-cross:v1.13.5-
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 223.5.5.5:53: read udp 10.0.0.200:59440->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-cross:v1.13.5-
Error response from daemon: Get https://registry.cn-hangzhou.aliyuncs.com/v2/: dial tcp: lookup registry.cn-hangzhou.aliyuncs.com on 223.5.5.5:53: read udp 10.0.0.200:42909->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# dig @114.114.114.114 registry-.docker.io ; <<>> DiG 9.11.-P2-RedHat-9.11.-.P2.el7 <<>> @114.114.114.114 registry-.docker.io
; ( server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@hs-k8s-master01 kubernetes-1.17.]# docker version
Client: Docker Engine - Community
Version: 19.03.
API version: 1.40
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov ::
OS/Arch: linux/amd64
Experimental: false Server: Docker Engine - Community
Engine:
Version: 19.03.
API version: 1.40 (minimum version 1.12)
Go version: go1.12.10
Git commit: a872fc2f86
Built: Tue Oct ::
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.
GitCommit: b34a5c8af56e510852c35414db4c1f4fa6172339
runc:
Version: 1.0.-rc8+dev
GitCommit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
docker-init:
Version: 0.18.
GitCommit: fec3683
[root@hs-k8s-master01 kubernetes-1.17.]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@hs-k8s-master01 kubernetes-1.17.]#
[root@hs-k8s-master01 kubernetes-1.17.]# docekr search nginx
-bash: docekr: 未找到命令
[root@hs-k8s-master01 kubernetes-1.17.]# docker search nginx
Error response from daemon: Get https://index.docker.io/v1/search?q=nginx&n=25: dial tcp: lookup index.docker.io on 223.5.5.5:53: read udp 10.0.0.200:15999->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# mv /etc/sysconfig/network-scripts/ifcfg-eth1 /tmp/
[root@hs-k8s-master01 kubernetes-1.17.]# systemctl restart network
[root@hs-k8s-master01 kubernetes-1.17.]# hostname -I
20.0.0.200 172.17.0.1
[root@hs-k8s-master01 kubernetes-1.17.]# docker search nginx
Error response from daemon: Get https://index.docker.io/v1/search?q=nginx&n=25: dial tcp: lookup index.docker.io on 223.5.5.5:53: read udp 20.0.0.200:45441->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
bc51dd8edc1b: Downloading [=> ] .7kB/.09MB
66ba67045f57: Downloading [=> ] .7kB/.88MB
bf317aa10aa5: Download complete
^C
[root@hs-k8s-master01 kubernetes-1.17.]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@hs-k8s-master01 kubernetes-1.17.]#
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull gccontainer/kube-cross:v1.13.5-
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 223.5.5.5:53: read udp 20.0.0.200:61687->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# dig @114.114.114.114 registry-.docker.io ; <<>> DiG 9.11.-P2-RedHat-9.11.-.P2.el7 <<>> @114.114.114.114 registry-.docker.io
; ( server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
;; flags: qr rd ra; QUERY: , ANSWER: , AUTHORITY: , ADDITIONAL: ;; OPT PSEUDOSECTION:
; EDNS: version: , flags:; udp:
;; QUESTION SECTION:
;registry-.docker.io. IN A ;; ANSWER SECTION:
registry-.docker.io. IN A 34.197.189.129
registry-.docker.io. IN A 34.228.211.243
registry-.docker.io. IN A 34.199.77.19
registry-.docker.io. IN A 3.226.66.79
registry-.docker.io. IN A 34.201.196.144
registry-.docker.io. IN A 34.232.31.24
registry-.docker.io. IN A 34.199.40.84
registry-.docker.io. IN A 3.224.75.242 ;; Query time: msec
;; SERVER: 114.114.114.114#(114.114.114.114)
;; WHEN: 一 2月 :: CST
;; MSG SIZE rcvd: [root@hs-k8s-master01 kubernetes-1.17.]# vim /etc/hosts
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull gccontainer/kube-cross:v1.13.5-
Error response from daemon: Get https://registry-1.docker.io/v2/gccontainer/kube-cross/manifests/v1.13.5-1: Get https://auth.docker.io/token?scope=repository%3Agccontainer%2Fkube-cross%3Apull&service=registry.docker.io: dial tcp: lookup auth.docker.io on 223.5.5.5:53: read udp 20.0.0.200:31167->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
[root@hs-k8s-master01 kubernetes-1.17.]# systemctl restart network
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull gccontainer/kube-cross:v1.13.5-
Error response from daemon: pull access denied for gccontainer/kube-cross, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull gccontainer/kube-cross:v1.13.5
Error response from daemon: pull access denied for gccontainer/kube-cross, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull gcrcontainer/kube-cross:v1.13.5-
查看网上的资料,主要有两个地方需要修改:
vim ./staging/src/k8s.io/client-go/util/cert/cert.go
# 这个方法里面 NotAfter: now.Add(duration365d * 10).UTC()
# 默认有效期就是10年,改成100年
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
now := time.Now()
tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(),
Subject: pkix.Name{
CommonName: cfg.CommonName,
Organization: cfg.Organization,
},
NotBefore: now.UTC(),
// NotAfter: now.Add(duration365d * 10).UTC(),
NotAfter: now.Add(duration365d * ).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,
} certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
if err != nil {
return nil, err
}
return x509.ParseCertificate(certDERBytes)
} vim ./cmd/kubeadm/app/util/pkiutil/pki_helpers.go
# 这个方法里面看到NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC()
# 参数里面是一个常量kubeadmconstants.CertificateValidity
# 所以这里可以不修改,我去看看源码能不能找到这个常量的赋值位置
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) { serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
if err != nil {
return nil, err
}
if len(cfg.CommonName) == {
return nil, errors.New("must specify a CommonName")
}
if len(cfg.Usages) == {
return nil, errors.New("must specify at least one ExtKeyUsage")
} certTmpl := x509.Certificate{
Subject: pkix.Name{
CommonName: cfg.CommonName,
Organization: cfg.Organization,
},
DNSNames: cfg.AltNames.DNSNames,
IPAddresses: cfg.AltNames.IPs,
SerialNumber: serial,
NotBefore: caCert.NotBefore,
NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: cfg.Usages,
}
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
if err != nil {
return nil, err
}
return x509.ParseCertificate(certDERBytes)
}
结果在这里找到 kubeadmconstants.CertificateValidity 的定义:
vim ./cmd/kubeadm/app/constants/constants.go
// 就是这个常量定义CertificateValidity,我改成*100年
const (
// KubernetesDir is the directory Kubernetes owns for storing various configuration files
KubernetesDir = "/etc/kubernetes"
// ManifestsSubDirName defines directory name to store manifests
ManifestsSubDirName = "manifests"
// TempDirForKubeadm defines temporary directory for kubeadm
// should be joined with KubernetesDir.
TempDirForKubeadm = "tmp" // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
// CertificateValidity = time.Hour * 24 * 365
CertificateValidity = time.Hour * * * // CACertAndKeyBaseName defines certificate authority base name
CACertAndKeyBaseName = "ca"
// CACertName defines certificate name
CACertName = "ca.crt"
// CAKeyName defines certificate name
CAKeyName = "ca.key"
源代码改好了,接下来就是编译 kubeadm 了。(编译命令本文未记录;从下文 _output/bin 指向 /go/src/k8s.io/kubernetes 的软链接看,应是在容器内完成的编译。)
[root@hs-k8s-master01 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb , : UTC 364d no
apiserver Feb , : UTC 364d ca no
apiserver-etcd-client Feb , : UTC 364d etcd-ca no
apiserver-kubelet-client Feb , : UTC 364d ca no
controller-manager.conf Feb , : UTC 364d no
etcd-healthcheck-client Feb , : UTC 364d etcd-ca no
etcd-peer Feb , : UTC 364d etcd-ca no
etcd-server Feb , : UTC 364d etcd-ca no
front-proxy-client Feb , : UTC 364d front-proxy-ca no
scheduler.conf Feb , : UTC 364d no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan , : UTC 9y no
etcd-ca Jan , : UTC 9y no
front-proxy-ca Jan , : UTC 9y no [root@hs-k8s-master01 ~]# cd /data/k8s/
[root@hs-k8s-master01 k8s]# ls
source_code yaml
[root@hs-k8s-master01 k8s]# cd source_code/
[root@hs-k8s-master01 source_code]# ls
kubernetes-1.17. kubernetes-1.17..tar.gz
[root@hs-k8s-master01 source_code]# cd kubernetes-1.17./
[root@hs-k8s-master01 kubernetes-1.17.]# ls
api cluster Godeps logo OWNERS_ALIASES staging vendor
build cmd go.mod Makefile pkg SUPPORT.md WORKSPACE
BUILD.bazel code-of-conduct.md go.sum Makefile.generated_files plugin test
CHANGELOG-1.17.md CONTRIBUTING.md hack _output README.md third_party
CHANGELOG.md docs LICENSE OWNERS SECURITY_CONTACTS translations
[root@hs-k8s-master01 kubernetes-1.17.]# cd _output/
[root@hs-k8s-master01 _output]# ls
APIEXTENSIONS_violations.report bin CODEGEN_violations.report KUBE_violations.report local SAMPLEAPISERVER_violations.report
[root@hs-k8s-master01 _output]# ll
总用量
-rw-r--r-- root root 2月 : APIEXTENSIONS_violations.report
lrwxrwxrwx root root 2月 : bin -> /go/src/k8s.io/kubernetes/_output/local/bin/linux/amd64
-rw-r--r-- root root 2月 : CODEGEN_violations.report
-rw-r--r-- root root 2月 : KUBE_violations.report
drwxr-xr-x root root 2月 : local
-rw-r--r-- root root 2月 : SAMPLEAPISERVER_violations.report
[root@hs-k8s-master01 _output]# cd local/
[root@hs-k8s-master01 local]# ls
bin go
[root@hs-k8s-master01 local]# cd bin/
[root@hs-k8s-master01 bin]# ls
linux
[root@hs-k8s-master01 bin]# cd linux/
[root@hs-k8s-master01 linux]# ls
amd64
[root@hs-k8s-master01 linux]# cd amd64/
[root@hs-k8s-master01 amd64]# ls
conversion-gen deepcopy-gen defaulter-gen go2make go-bindata kubeadm openapi-gen
[root@hs-k8s-master01 amd64]#
[root@hs-k8s-master01 amd64]# cd ../../
[root@hs-k8s-master01 bin]# ls
linux
[root@hs-k8s-master01 bin]# cd ../
[root@hs-k8s-master01 local]# ls
bin go
[root@hs-k8s-master01 local]# cd ..
[root@hs-k8s-master01 _output]# ls
APIEXTENSIONS_violations.report bin CODEGEN_violations.report KUBE_violations.report local SAMPLEAPISERVER_violations.report
[root@hs-k8s-master01 _output]# cd ..
[root@hs-k8s-master01 kubernetes-1.17.]# ls
api cluster Godeps logo OWNERS_ALIASES staging vendor
build cmd go.mod Makefile pkg SUPPORT.md WORKSPACE
BUILD.bazel code-of-conduct.md go.sum Makefile.generated_files plugin test
CHANGELOG-1.17.md CONTRIBUTING.md hack _output README.md third_party
CHANGELOG.md docs LICENSE OWNERS SECURITY_CONTACTS translations
[root@hs-k8s-master01 kubernetes-1.17.]# cp /usr/bin/kubeadm{,.bak}
[root@hs-k8s-master01 kubernetes-1.17.]# cp _output/local/bin/linux/amd64/kubeadm
[root@hs-k8s-master01 kubernetes-1.17.]# cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
cp:是否覆盖"/usr/bin/kubeadm"? y
[root@hs-k8s-master01 kubernetes-1.17.]# cd /etc/kubernetes/pki/
[root@hs-k8s-master01 pki]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
[root@hs-k8s-master01 pki]# cd ..
[root@hs-k8s-master01 kubernetes]# ls
admin.conf controller-manager.conf gcrcontainer-kube-cross:v1.13.5-.tar kubelet.conf manifests pki scheduler.conf
[root@hs-k8s-master01 kubernetes]# ll
总用量
-rw------- root root 2月 : admin.conf
-rw------- root root 2月 : controller-manager.conf
-rw-r--r-- root root 2月 : gcrcontainer-kube-cross:v1.13.5-.tar
-rw------- root root 2月 : kubelet.conf
drwxr-xr-x root root 2月 : manifests
drwxr-xr-x root root 2月 : pki
-rw------- root root 2月 : scheduler.conf
[root@hs-k8s-master01 kubernetes]# rm -f gcrcontainer-kube-cross\:v1.13.5-.tar
[root@hs-k8s-master01 kubernetes]# ls
admin.conf controller-manager.conf kubelet.conf manifests pki scheduler.conf
[root@hs-k8s-master01 kubernetes]#
[root@hs-k8s-master01 kubernetes]# ll
总用量
-rw------- root root 2月 : admin.conf
-rw------- root root 2月 : controller-manager.conf
-rw------- root root 2月 : kubelet.conf
drwxr-xr-x root root 2月 : manifests
drwxr-xr-x root root 2月 : pki
-rw------- root root 2月 : scheduler.conf
[root@hs-k8s-master01 kubernetes]# mkdir pki.bak
[root@hs-k8s-master01 kubernetes]# ll
总用量
-rw------- root root 2月 : admin.conf
-rw------- root root 2月 : controller-manager.conf
-rw------- root root 2月 : kubelet.conf
drwxr-xr-x root root 2月 : manifests
drwxr-xr-x root root 2月 : pki
drwxr-xr-x root root 2月 : pki.bak
-rw------- root root 2月 : scheduler.conf
[root@hs-k8s-master01 kubernetes]# vm pki/* pki.bak/
-bash: vm: 未找到命令
[root@hs-k8s-master01 kubernetes]# mv pki/* pki.bak/
[root@hs-k8s-master01 kubernetes]# ll
总用量 32
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 2 root root 6 2月 3 16:57 pki
drwxr-xr-x 3 root root 4096 2月 3 16:57 pki.bak
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]#
[root@hs-k8s-master01 kubernetes]# cd pki
[root@hs-k8s-master01 pki]# ls
[root@hs-k8s-master01 pki]# cd ..
[root@hs-k8s-master01 kubernetes]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' Error checking external CA condition for ca certificate authority: failure loading certificate for CA: couldn't load the certificate file /etc/kubernetes/pki/ca.crt: open /etc/kubernetes/pki/ca.crt: no such file or directory
To see the stack trace of this error execute with --v=5 or higher
[root@hs-k8s-master01 kubernetes]# ll
总用量 32
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 2 root root 6 2月 3 16:57 pki
drwxr-xr-x 3 root root 4096 2月 3 16:57 pki.bak
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]# cp pki.bak/* pki/
cp: 略过目录"pki.bak/etcd"
[root@hs-k8s-master01 kubernetes]# ll
总用量 36
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 2 root root 4096 2月 3 16:58 pki
drwxr-xr-x 3 root root 4096 2月 3 16:57 pki.bak
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]# cd pki
[root@hs-k8s-master01 pki]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.key sa.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-client.crt sa.pub
apiserver-etcd-client.key apiserver-kubelet-client.key front-proxy-ca.crt front-proxy-client.key
[root@hs-k8s-master01 pki]# cd ..
[root@hs-k8s-master01 kubernetes]# ls
admin.conf controller-manager.conf kubelet.conf manifests pki pki.bak scheduler.conf
[root@hs-k8s-master01 kubernetes]# cd pki.bak/
[root@hs-k8s-master01 pki.bak]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
[root@hs-k8s-master01 pki.bak]# cd etcd/
[root@hs-k8s-master01 etcd]# ls
ca.crt ca.key healthcheck-client.crt healthcheck-client.key peer.crt peer.key server.crt server.key
[root@hs-k8s-master01 etcd]# cd ..
[root@hs-k8s-master01 pki.bak]# cd ..
[root@hs-k8s-master01 kubernetes]# cd pki
[root@hs-k8s-master01 pki]# ll
总用量 56
-rw-r--r-- 1 root root 1241 2月 3 16:58 apiserver.crt
-rw-r--r-- 1 root root 1090 2月 3 16:58 apiserver-etcd-client.crt
-rw------- 1 root root 1675 2月 3 16:58 apiserver-etcd-client.key
-rw------- 1 root root 1675 2月 3 16:58 apiserver.key
-rw-r--r-- 1 root root 1099 2月 3 16:58 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 2月 3 16:58 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 2月 3 16:58 ca.crt
-rw------- 1 root root 1675 2月 3 16:58 ca.key
-rw-r--r-- 1 root root 1038 2月 3 16:58 front-proxy-ca.crt
-rw------- 1 root root 1679 2月 3 16:58 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 2月 3 16:58 front-proxy-client.crt
-rw------- 1 root root 1679 2月 3 16:58 front-proxy-client.key
-rw------- 1 root root 1675 2月 3 16:58 sa.key
-rw------- 1 root root 451 2月 3 16:58 sa.pub
[root@hs-k8s-master01 pki]# mkdir etcd
[root@hs-k8s-master01 pki]# cd ..
[root@hs-k8s-master01 kubernetes]# cd pki.bak/
[root@hs-k8s-master01 pki.bak]# mv etcd/* ../pki/etcd/
[root@hs-k8s-master01 pki.bak]# cd ..
[root@hs-k8s-master01 kubernetes]# ll
总用量 36
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 3 root root 4096 2月 3 16:59 pki
drwxr-xr-x 3 root root 4096 2月 3 16:57 pki.bak
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]# cd pki
[root@hs-k8s-master01 pki]# ll
总用量 56
-rw-r--r-- 1 root root 1241 2月 3 16:58 apiserver.crt
-rw-r--r-- 1 root root 1090 2月 3 16:58 apiserver-etcd-client.crt
-rw------- 1 root root 1675 2月 3 16:58 apiserver-etcd-client.key
-rw------- 1 root root 1675 2月 3 16:58 apiserver.key
-rw-r--r-- 1 root root 1099 2月 3 16:58 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 2月 3 16:58 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 2月 3 16:58 ca.crt
-rw------- 1 root root 1675 2月 3 16:58 ca.key
drwxr-xr-x 2 root root 162 2月 3 16:59 etcd
-rw-r--r-- 1 root root 1038 2月 3 16:58 front-proxy-ca.crt
-rw------- 1 root root 1679 2月 3 16:58 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 2月 3 16:58 front-proxy-client.crt
-rw------- 1 root root 1679 2月 3 16:58 front-proxy-client.key
-rw------- 1 root root 1675 2月 3 16:58 sa.key
-rw------- 1 root root 451 2月 3 16:58 sa.pub
[root@hs-k8s-master01 pki]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@hs-k8s-master01 pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jan 10, 2120 08:59 UTC 99y no
apiserver Jan 10, 2120 08:59 UTC 99y ca no
apiserver-etcd-client Jan 10, 2120 08:59 UTC 99y etcd-ca no
apiserver-kubelet-client Jan 10, 2120 08:59 UTC 99y ca no
controller-manager.conf Jan 10, 2120 08:59 UTC 99y no
etcd-healthcheck-client Jan 10, 2120 08:59 UTC 99y etcd-ca no
etcd-peer Jan 10, 2120 08:59 UTC 99y etcd-ca no
etcd-server Jan 10, 2120 08:59 UTC 99y etcd-ca no
front-proxy-client Jan 10, 2120 08:59 UTC 99y front-proxy-ca no
scheduler.conf Jan 10, 2120 08:59 UTC 99y no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 31, 2030 07:17 UTC 9y no
etcd-ca Jan 31, 2030 07:17 UTC 9y no
front-proxy-ca Jan 31, 2030 07:17 UTC 9y no [root@bs-k8s-master02 ~]# cp /usr/bin/kubeadm{,.bak}
[root@hs-k8s-master01 pki]# scp /usr/bin/kubeadm 20.0.0.201:/usr/bin/kubeadm
[root@bs-k8s-master02 ~]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@bs-k8s-master02 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jan 10, 2120 09:03 UTC 99y no
apiserver Jan 10, 2120 09:03 UTC 99y ca no
apiserver-etcd-client Jan 10, 2120 09:03 UTC 99y etcd-ca no
apiserver-kubelet-client Jan 10, 2120 09:03 UTC 99y ca no
controller-manager.conf Jan 10, 2120 09:03 UTC 99y no
etcd-healthcheck-client Jan 10, 2120 09:03 UTC 99y etcd-ca no
etcd-peer Jan 10, 2120 09:04 UTC 99y etcd-ca no
etcd-server Jan 10, 2120 09:04 UTC 99y etcd-ca no
front-proxy-client Jan 10, 2120 09:04 UTC 99y front-proxy-ca no
scheduler.conf Jan 10, 2120 09:04 UTC 99y no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 31, 2030 07:17 UTC 9y no
etcd-ca Jan 31, 2030 07:17 UTC 9y no
front-proxy-ca Jan 31, 2030 07:17 UTC 9y no
同理 master03。
注意:上面的输出里 ca / etcd-ca / front-proxy-ca 仍然是 2030 年到期(9y)。`kubeadm alpha certs renew` 只用现有 CA 重新签发叶子证书,不会重新生成 CA;而证书链校验时 CA 自身也必须在有效期内,所以这些 99y 的叶子证书实际只能用到 2030 年 CA 到期为止,到时仍需重新生成 CA 并重签全部证书。另外 /etc/kubernetes/pki.bak 里还保留着旧私钥,确认无误后应删除;admin.conf 等 kubeconfig 内嵌的客户端证书现在近 100 年不过期,一旦泄露无法靠到期自然失效,需妥善保管。