[root@hs-k8s-master01 ~]# cd /data/
[root@hs-k8s-master01 data]# ls
docker
[root@hs-k8s-master01 data]# mkdir k8s
[root@hs-k8s-master01 data]# cd k8s/
[root@hs-k8s-master01 k8s]# ls
[root@hs-k8s-master01 k8s]# mkdir source_code
[root@hs-k8s-master01 k8s]# cd source_code/
[root@hs-k8s-master01 source_code]# rz [root@hs-k8s-master01 source_code]# tar xf kubernetes-1.17..tar.gz
[root@hs-k8s-master01 source_code]# ls
kubernetes-1.17. kubernetes-1.17..tar.gz
[root@hs-k8s-master01 source_code]# cd kubernetes-1.17./
[root@hs-k8s-master01 kubernetes-1.17.]# ls
api cluster Godeps logo pkg SUPPORT.md WORKSPACE
build cmd go.mod Makefile plugin test
BUILD.bazel code-of-conduct.md go.sum Makefile.generated_files README.md third_party
CHANGELOG-1.17.md CONTRIBUTING.md hack OWNERS SECURITY_CONTACTS translations
CHANGELOG.md docs LICENSE OWNERS_ALIASES staging vendor
[root@hs-k8s-master01 kubernetes-1.17.]#
[root@hs-k8s-master01 kubernetes-1.17.]# vim ./staging/src/k8s.io/c
client-go/ cloud-provider/ code-generator/ cri-api/
cli-runtime/ cluster-bootstrap/ component-base/ csi-translation-lib/
[root@hs-k8s-master01 kubernetes-1.17.]# vim ./staging/src/k8s.io/cli
client-go/ cli-runtime/
[root@hs-k8s-master01 kubernetes-1.17.]# vim ./staging/src/k8s.io/client-go/util/cert
cert/ certificate/
[root@hs-k8s-master01 kubernetes-1.17.]# vim ./staging/src/k8s.io/client-go/util/cert/cert.go
[root@hs-k8s-master01 kubernetes-1.17.]# vim ./cmd/kubeadm/app/util/pkiutil/pki_helpers.go
[root@hs-k8s-master01 kubernetes-1.17.]# vim ./cmd/kubeadm/app/constants/constants.go
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull mirrorgooglecontainers/kube-cross:v1.12.10-
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 223.5.5.5:53: read udp 10.0.0.200:37338->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull mirrorgooglecontainers/kube-cross:v1.12.10-
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 223.5.5.5:53: read udp 10.0.0.200:4029->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull gcrcontainer/kube-cross:v1.13.5-
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 223.5.5.5:53: read udp 10.0.0.200:59440->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-cross:v1.13.5-
Error response from daemon: Get https://registry.cn-hangzhou.aliyuncs.com/v2/: dial tcp: lookup registry.cn-hangzhou.aliyuncs.com on 223.5.5.5:53: read udp 10.0.0.200:42909->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# dig @114.114.114.114 registry-.docker.io ; <<>> DiG 9.11.-P2-RedHat-9.11.-.P2.el7 <<>> @114.114.114.114 registry-.docker.io
; ( server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@hs-k8s-master01 kubernetes-1.17.]# docker version
Client: Docker Engine - Community
Version: 19.03.
API version: 1.40
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov ::
OS/Arch: linux/amd64
Experimental: false Server: Docker Engine - Community
Engine:
Version: 19.03.
API version: 1.40 (minimum version 1.12)
Go version: go1.12.10
Git commit: a872fc2f86
Built: Tue Oct ::
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.
GitCommit: b34a5c8af56e510852c35414db4c1f4fa6172339
runc:
Version: 1.0.-rc8+dev
GitCommit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
docker-init:
Version: 0.18.
GitCommit: fec3683
[root@hs-k8s-master01 kubernetes-1.17.]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@hs-k8s-master01 kubernetes-1.17.]#
[root@hs-k8s-master01 kubernetes-1.17.]# docekr search nginx
-bash: docekr: 未找到命令
[root@hs-k8s-master01 kubernetes-1.17.]# docker search nginx
Error response from daemon: Get https://index.docker.io/v1/search?q=nginx&n=25: dial tcp: lookup index.docker.io on 223.5.5.5:53: read udp 10.0.0.200:15999->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# mv /etc/sysconfig/network-scripts/ifcfg-eth1 /tmp/
[root@hs-k8s-master01 kubernetes-1.17.]# systemctl restart network
[root@hs-k8s-master01 kubernetes-1.17.]# hostname -I
20.0.0.200 172.17.0.1
[root@hs-k8s-master01 kubernetes-1.17.]# docker search nginx
Error response from daemon: Get https://index.docker.io/v1/search?q=nginx&n=25: dial tcp: lookup index.docker.io on 223.5.5.5:53: read udp 20.0.0.200:45441->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
bc51dd8edc1b: Downloading [=> ] .7kB/.09MB
66ba67045f57: Downloading [=> ] .7kB/.88MB
bf317aa10aa5: Download complete
^C
[root@hs-k8s-master01 kubernetes-1.17.]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@hs-k8s-master01 kubernetes-1.17.]#
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull gccontainer/kube-cross:v1.13.5-
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 223.5.5.5:53: read udp 20.0.0.200:61687->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# dig @114.114.114.114 registry-.docker.io ; <<>> DiG 9.11.-P2-RedHat-9.11.-.P2.el7 <<>> @114.114.114.114 registry-.docker.io
; ( server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
;; flags: qr rd ra; QUERY: , ANSWER: , AUTHORITY: , ADDITIONAL: ;; OPT PSEUDOSECTION:
; EDNS: version: , flags:; udp:
;; QUESTION SECTION:
;registry-.docker.io. IN A ;; ANSWER SECTION:
registry-.docker.io. IN A 34.197.189.129
registry-.docker.io. IN A 34.228.211.243
registry-.docker.io. IN A 34.199.77.19
registry-.docker.io. IN A 3.226.66.79
registry-.docker.io. IN A 34.201.196.144
registry-.docker.io. IN A 34.232.31.24
registry-.docker.io. IN A 34.199.40.84
registry-.docker.io. IN A 3.224.75.242 ;; Query time: msec
;; SERVER: 114.114.114.114#(114.114.114.114)
;; WHEN: 一 2月 :: CST
;; MSG SIZE rcvd: [root@hs-k8s-master01 kubernetes-1.17.]# vim /etc/hosts
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull gccontainer/kube-cross:v1.13.5-
Error response from daemon: Get https://registry-1.docker.io/v2/gccontainer/kube-cross/manifests/v1.13.5-1: Get https://auth.docker.io/token?scope=repository%3Agccontainer%2Fkube-cross%3Apull&service=registry.docker.io: dial tcp: lookup auth.docker.io on 223.5.5.5:53: read udp 20.0.0.200:31167->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
[root@hs-k8s-master01 kubernetes-1.17.]# systemctl restart network
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull gccontainer/kube-cross:v1.13.5-
Error response from daemon: pull access denied for gccontainer/kube-cross, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
[root@hs-k8s-master01 kubernetes-1.17.]# docker pull gccontainer/kube-cross:v1.13.5
Error response from daemon: pull access denied for gccontainer/kube-cross, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
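[root@hs-k8s-master01 kubernetes-1.17.]# docker pull gcrcontainer/kube-cross:v1.13.5-

查看网上的资料,主要有两个地方需要修改。

vim ./staging/src/k8s.io/client-go/util/cert/cert.go
# 这个方法里面 NotAfter: now.Add(duration365d * 10).UTC()
# CA 证书默认有效期就是10年,改成100年(duration365d * 100)
# 注意:这里只影响之后新生成的自签名 CA;已有集群的 CA 不会被 kubeadm alpha certs renew 重签,后面 check-expiration 的输出里 ca / etcd-ca / front-proxy-ca 仍然是 9y。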
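// NewSelfSignedCACert creates a self-signed CA certificate for the given
// config and signing key.
//
// The same template is passed to x509.CreateCertificate as both the
// certificate and its parent, which is what makes the result self-signed.
// It is marked IsCA, carries the CertSign key usage, and is valid from the
// current time for duration365d * 100 (duration365d is defined elsewhere in
// cert.go and is not shown on this page).
//
// Returns the parsed certificate, or the error from CreateCertificate or
// ParseCertificate.
//
// NOTE(review): this function only takes effect when a CA is generated.
// The check-expiration output further down this page still reports ca,
// etcd-ca and front-proxy-ca at 9y after "renew all", so the CAs of an
// already-initialised cluster are untouched by this edit.
// NOTE(review): a CA that stays trusted for 100 years means ca.key must be
// protected for that long; keep backups of it (such as pki.bak on this
// page) as tightly controlled as the live copy.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		// The literal was lost when the page was extracted ("SetInt64()");
		// restored as 0 — TODO confirm against the 1.17 source tree.
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore: now.UTC(),
		// NotAfter: now.Add(duration365d * 10).UTC(),
		// Multiplier restored from the author's note ("changed to 100 years");
		// the digits were dropped by the page extraction.
		NotAfter:              now.Add(duration365d * 100).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}

// Next file opened in the walkthrough:
//   vim ./cmd/kubeadm/app/util/pkiutil/pki_helpers.go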
# 这个方法里面看到NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC()
# 参数里面是一个常量kubeadmconstants.CertificateValidity
# 所以这里可以不修改,我去看看源码能不能找到这个常量的赋值位置
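// NewSignedCert creates a certificate for the subject and alternative names
// in cfg, bound to key's public key and signed with caCert/caKey.
//
// It fails when a random serial number cannot be generated, when
// cfg.CommonName is empty, when cfg.Usages is empty, or when
// x509.CreateCertificate / x509.ParseCertificate return an error.
//
// Validity: NotBefore is copied from the CA certificate and NotAfter is the
// current time plus kubeadmconstants.CertificateValidity. Nothing in this
// function compares NotAfter with caCert.NotAfter, so raising
// CertificateValidity above the CA's remaining lifetime produces leaf
// certificates that outlive their issuer — on this page the renewed leaves
// show 99y while the CAs show 9y. Chain verification stops succeeding once
// the CA itself has expired, whatever the leaf's NotAfter says.
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
	// Random serial in [0, MaxInt64) drawn from the crypto RNG.
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	// The "0" operands below were dropped by the page extraction ("== {");
	// an emptiness check is the only reading consistent with the messages.
	if len(cfg.CommonName) == 0 {
		return nil, errors.New("must specify a CommonName")
	}
	if len(cfg.Usages) == 0 {
		return nil, errors.New("must specify at least one ExtKeyUsage")
	}

	certTmpl := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:     cfg.AltNames.DNSNames,
		IPAddresses:  cfg.AltNames.IPs,
		SerialNumber: serial,
		NotBefore:    caCert.NotBefore,
		// Leaf lifetime comes solely from the kubeadm constant; see the
		// function comment for how it interacts with the CA's own expiry.
		NotAfter:    time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
		KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: cfg.Usages,
	}
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}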
结果在这里找到了 kubeadmconstants.CertificateValidity 的定义:

vim ./cmd/kubeadm/app/constants/constants.go
// 就是这个常量定义 CertificateValidity,原值是 time.Hour * 24 * 365(1年),我在后面再乘以100,改成100年
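// Excerpt of the kubeadm constants block, showing the one value changed in
// this walkthrough (CertificateValidity) together with its neighbours.
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"

	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	// CertificateValidity = time.Hour * 24 * 365
	//
	// Changed from 1 year to 100 years. The operands were dropped by the page
	// extraction ("time.Hour * * *") and are restored from the commented-out
	// original above plus the author's "*100" note. The product is about
	// 3.15e18 ns, which still fits in time.Duration (int64 nanoseconds).
	// NOTE(review): this only sets the leaf certificates' NotAfter; the
	// signing CA keeps its own expiry, and the leaves stop verifying when the
	// CA expires.
	CertificateValidity = time.Hour * 24 * 365 * 100

	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
	// CAKeyName defines certificate name
	CAKeyName = "ca.key"
	// (the remaining constants of this block are not shown on this page)
)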
源代码改好了,接下来就是编译 kubeadm 了(编译命令本文没有记录;编译产物在 _output/local/bin/linux/amd64/kubeadm,见后面的目录列表)。先看一下替换 kubeadm 之前的证书有效期:

[root@hs-k8s-master01 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb , : UTC 364d no
apiserver Feb , : UTC 364d ca no
apiserver-etcd-client Feb , : UTC 364d etcd-ca no
apiserver-kubelet-client Feb , : UTC 364d ca no
controller-manager.conf Feb , : UTC 364d no
etcd-healthcheck-client Feb , : UTC 364d etcd-ca no
etcd-peer Feb , : UTC 364d etcd-ca no
etcd-server Feb , : UTC 364d etcd-ca no
front-proxy-client Feb , : UTC 364d front-proxy-ca no
scheduler.conf Feb , : UTC 364d no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan , : UTC 9y no
etcd-ca Jan , : UTC 9y no
front-proxy-ca Jan , : UTC 9y no [root@hs-k8s-master01 ~]# cd /data/k8s/
[root@hs-k8s-master01 k8s]# ls
source_code yaml
[root@hs-k8s-master01 k8s]# cd source_code/
[root@hs-k8s-master01 source_code]# ls
kubernetes-1.17. kubernetes-1.17..tar.gz
[root@hs-k8s-master01 source_code]# cd kubernetes-1.17./
[root@hs-k8s-master01 kubernetes-1.17.]# ls
api cluster Godeps logo OWNERS_ALIASES staging vendor
build cmd go.mod Makefile pkg SUPPORT.md WORKSPACE
BUILD.bazel code-of-conduct.md go.sum Makefile.generated_files plugin test
CHANGELOG-1.17.md CONTRIBUTING.md hack _output README.md third_party
CHANGELOG.md docs LICENSE OWNERS SECURITY_CONTACTS translations
[root@hs-k8s-master01 kubernetes-1.17.]# cd _output/
[root@hs-k8s-master01 _output]# ls
APIEXTENSIONS_violations.report bin CODEGEN_violations.report KUBE_violations.report local SAMPLEAPISERVER_violations.report
[root@hs-k8s-master01 _output]# ll
总用量
-rw-r--r-- root root 2月 : APIEXTENSIONS_violations.report
lrwxrwxrwx root root 2月 : bin -> /go/src/k8s.io/kubernetes/_output/local/bin/linux/amd64
-rw-r--r-- root root 2月 : CODEGEN_violations.report
-rw-r--r-- root root 2月 : KUBE_violations.report
drwxr-xr-x root root 2月 : local
-rw-r--r-- root root 2月 : SAMPLEAPISERVER_violations.report
[root@hs-k8s-master01 _output]# cd local/
[root@hs-k8s-master01 local]# ls
bin go
[root@hs-k8s-master01 local]# cd bin/
[root@hs-k8s-master01 bin]# ls
linux
[root@hs-k8s-master01 bin]# cd linux/
[root@hs-k8s-master01 linux]# ls
amd64
[root@hs-k8s-master01 linux]# cd amd64/
[root@hs-k8s-master01 amd64]# ls
conversion-gen deepcopy-gen defaulter-gen go2make go-bindata kubeadm openapi-gen
[root@hs-k8s-master01 amd64]#
[root@hs-k8s-master01 amd64]# cd ../../
[root@hs-k8s-master01 bin]# ls
linux
[root@hs-k8s-master01 bin]# cd ../
[root@hs-k8s-master01 local]# ls
bin go
[root@hs-k8s-master01 local]# cd ..
[root@hs-k8s-master01 _output]# ls
APIEXTENSIONS_violations.report bin CODEGEN_violations.report KUBE_violations.report local SAMPLEAPISERVER_violations.report
[root@hs-k8s-master01 _output]# cd ..
[root@hs-k8s-master01 kubernetes-1.17.]# ls
api cluster Godeps logo OWNERS_ALIASES staging vendor
build cmd go.mod Makefile pkg SUPPORT.md WORKSPACE
BUILD.bazel code-of-conduct.md go.sum Makefile.generated_files plugin test
CHANGELOG-1.17.md CONTRIBUTING.md hack _output README.md third_party
CHANGELOG.md docs LICENSE OWNERS SECURITY_CONTACTS translations
[root@hs-k8s-master01 kubernetes-1.17.]# cp /usr/bin/kubeadm{,.bak}
[root@hs-k8s-master01 kubernetes-1.17.]# cp _output/local/bin/linux/amd64/kubeadm
[root@hs-k8s-master01 kubernetes-1.17.]# cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
cp:是否覆盖"/usr/bin/kubeadm"? y
[root@hs-k8s-master01 kubernetes-1.17.]# cd /etc/kubernetes/pki/
[root@hs-k8s-master01 pki]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
[root@hs-k8s-master01 pki]# cd ..
[root@hs-k8s-master01 kubernetes]# ls
admin.conf controller-manager.conf gcrcontainer-kube-cross:v1.13.5-.tar kubelet.conf manifests pki scheduler.conf
[root@hs-k8s-master01 kubernetes]# ll
总用量
-rw------- root root 2月 : admin.conf
-rw------- root root 2月 : controller-manager.conf
-rw-r--r-- root root 2月 : gcrcontainer-kube-cross:v1.13.5-.tar
-rw------- root root 2月 : kubelet.conf
drwxr-xr-x root root 2月 : manifests
drwxr-xr-x root root 2月 : pki
-rw------- root root 2月 : scheduler.conf
[root@hs-k8s-master01 kubernetes]# rm -f gcrcontainer-kube-cross\:v1.13.5-.tar
[root@hs-k8s-master01 kubernetes]# ls
admin.conf controller-manager.conf kubelet.conf manifests pki scheduler.conf
[root@hs-k8s-master01 kubernetes]#
[root@hs-k8s-master01 kubernetes]# ll
总用量
-rw------- root root 2月 : admin.conf
-rw------- root root 2月 : controller-manager.conf
-rw------- root root 2月 : kubelet.conf
drwxr-xr-x root root 2月 : manifests
drwxr-xr-x root root 2月 : pki
-rw------- root root 2月 : scheduler.conf
[root@hs-k8s-master01 kubernetes]# mkdir pki.bak
[root@hs-k8s-master01 kubernetes]# ll
总用量
-rw------- root root 2月 : admin.conf
-rw------- root root 2月 : controller-manager.conf
-rw------- root root 2月 : kubelet.conf
drwxr-xr-x root root 2月 : manifests
drwxr-xr-x root root 2月 : pki
drwxr-xr-x root root 2月 : pki.bak
-rw------- root root 2月 : scheduler.conf
[root@hs-k8s-master01 kubernetes]# vm pki/* pki.bak/
-bash: vm: 未找到命令
[root@hs-k8s-master01 kubernetes]# mv pki/* pki.bak/
[root@hs-k8s-master01 kubernetes]# ll
总用量 32
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 2 root root 6 2月 3 16:57 pki
drwxr-xr-x 3 root root 4096 2月 3 16:57 pki.bak
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]#
[root@hs-k8s-master01 kubernetes]# cd pki
[root@hs-k8s-master01 pki]# ls
[root@hs-k8s-master01 pki]# cd ..
[root@hs-k8s-master01 kubernetes]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' Error checking external CA condition for ca certificate authority: failure loading certificate for CA: couldn't load the certificate file /etc/kubernetes/pki/ca.crt: open /etc/kubernetes/pki/ca.crt: no such file or directory
To see the stack trace of this error execute with --v=5 or higher
[root@hs-k8s-master01 kubernetes]# ll
总用量 32
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 2 root root 6 2月 3 16:57 pki
drwxr-xr-x 3 root root 4096 2月 3 16:57 pki.bak
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]# cp pki.bak/* pki/
cp: 略过目录"pki.bak/etcd"
[root@hs-k8s-master01 kubernetes]# ll
总用量 36
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 2 root root 4096 2月 3 16:58 pki
drwxr-xr-x 3 root root 4096 2月 3 16:57 pki.bak
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]# cd pki
[root@hs-k8s-master01 pki]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.key sa.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-client.crt sa.pub
apiserver-etcd-client.key apiserver-kubelet-client.key front-proxy-ca.crt front-proxy-client.key
[root@hs-k8s-master01 pki]# cd ..
[root@hs-k8s-master01 kubernetes]# ls
admin.conf controller-manager.conf kubelet.conf manifests pki pki.bak scheduler.conf
[root@hs-k8s-master01 kubernetes]# cd pki.bak/
[root@hs-k8s-master01 pki.bak]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
[root@hs-k8s-master01 pki.bak]# cd etcd/
[root@hs-k8s-master01 etcd]# ls
ca.crt ca.key healthcheck-client.crt healthcheck-client.key peer.crt peer.key server.crt server.key
[root@hs-k8s-master01 etcd]# cd ..
[root@hs-k8s-master01 pki.bak]# cd ..
[root@hs-k8s-master01 kubernetes]# cd pki
[root@hs-k8s-master01 pki]# ll
总用量 56
-rw-r--r-- 1 root root 1241 2月 3 16:58 apiserver.crt
-rw-r--r-- 1 root root 1090 2月 3 16:58 apiserver-etcd-client.crt
-rw------- 1 root root 1675 2月 3 16:58 apiserver-etcd-client.key
-rw------- 1 root root 1675 2月 3 16:58 apiserver.key
-rw-r--r-- 1 root root 1099 2月 3 16:58 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 2月 3 16:58 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 2月 3 16:58 ca.crt
-rw------- 1 root root 1675 2月 3 16:58 ca.key
-rw-r--r-- 1 root root 1038 2月 3 16:58 front-proxy-ca.crt
-rw------- 1 root root 1679 2月 3 16:58 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 2月 3 16:58 front-proxy-client.crt
-rw------- 1 root root 1679 2月 3 16:58 front-proxy-client.key
-rw------- 1 root root 1675 2月 3 16:58 sa.key
-rw------- 1 root root 451 2月 3 16:58 sa.pub
[root@hs-k8s-master01 pki]# mkdir etcd
[root@hs-k8s-master01 pki]# cd ..
[root@hs-k8s-master01 kubernetes]# cd pki.bak/
[root@hs-k8s-master01 pki.bak]# mv etcd/* ../pki/etcd/
[root@hs-k8s-master01 pki.bak]# cd ..
[root@hs-k8s-master01 kubernetes]# ll
总用量 36
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 3 root root 4096 2月 3 16:59 pki
drwxr-xr-x 3 root root 4096 2月 3 16:57 pki.bak
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]# cd pki
[root@hs-k8s-master01 pki]# ll
总用量 56
-rw-r--r-- 1 root root 1241 2月 3 16:58 apiserver.crt
-rw-r--r-- 1 root root 1090 2月 3 16:58 apiserver-etcd-client.crt
-rw------- 1 root root 1675 2月 3 16:58 apiserver-etcd-client.key
-rw------- 1 root root 1675 2月 3 16:58 apiserver.key
-rw-r--r-- 1 root root 1099 2月 3 16:58 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 2月 3 16:58 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 2月 3 16:58 ca.crt
-rw------- 1 root root 1675 2月 3 16:58 ca.key
drwxr-xr-x 2 root root 162 2月 3 16:59 etcd
-rw-r--r-- 1 root root 1038 2月 3 16:58 front-proxy-ca.crt
-rw------- 1 root root 1679 2月 3 16:58 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 2月 3 16:58 front-proxy-client.crt
-rw------- 1 root root 1679 2月 3 16:58 front-proxy-client.key
-rw------- 1 root root 1675 2月 3 16:58 sa.key
-rw------- 1 root root 451 2月 3 16:58 sa.pub
[root@hs-k8s-master01 pki]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@hs-k8s-master01 pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jan 10, 2120 08:59 UTC 99y no
apiserver Jan 10, 2120 08:59 UTC 99y ca no
apiserver-etcd-client Jan 10, 2120 08:59 UTC 99y etcd-ca no
apiserver-kubelet-client Jan 10, 2120 08:59 UTC 99y ca no
controller-manager.conf Jan 10, 2120 08:59 UTC 99y no
etcd-healthcheck-client Jan 10, 2120 08:59 UTC 99y etcd-ca no
etcd-peer Jan 10, 2120 08:59 UTC 99y etcd-ca no
etcd-server Jan 10, 2120 08:59 UTC 99y etcd-ca no
front-proxy-client Jan 10, 2120 08:59 UTC 99y front-proxy-ca no
scheduler.conf Jan 10, 2120 08:59 UTC 99y no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 31, 2030 07:17 UTC 9y no
etcd-ca Jan 31, 2030 07:17 UTC 9y no
front-proxy-ca Jan 31, 2030 07:17 UTC 9y no [root@bs-k8s-master02 ~]# cp /usr/bin/kubeadm{,.bak}
[root@hs-k8s-master01 pki]# scp /usr/bin/kubeadm 20.0.0.201:/usr/bin/kubeadm
[root@bs-k8s-master02 ~]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@bs-k8s-master02 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jan 10, 2120 09:03 UTC 99y no
apiserver Jan 10, 2120 09:03 UTC 99y ca no
apiserver-etcd-client Jan 10, 2120 09:03 UTC 99y etcd-ca no
apiserver-kubelet-client Jan 10, 2120 09:03 UTC 99y ca no
controller-manager.conf Jan 10, 2120 09:03 UTC 99y no
etcd-healthcheck-client Jan 10, 2120 09:03 UTC 99y etcd-ca no
etcd-peer Jan 10, 2120 09:04 UTC 99y etcd-ca no
etcd-server Jan 10, 2120 09:04 UTC 99y etcd-ca no
front-proxy-client Jan 10, 2120 09:04 UTC 99y front-proxy-ca no
scheduler.conf Jan 10, 2120 09:04 UTC 99y no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 31, 2030 07:17 UTC 9y no
etcd-ca Jan 31, 2030 07:17 UTC 9y no
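front-proxy-ca Jan 31, 2030 07:17 UTC 9y no

同理,master03 也按相同步骤操作:先备份原来的 kubeadm,再替换成新编译的 kubeadm,然后执行 renew all 和 check-expiration。

补充说明:
- 续签完成后需要重启各控制平面组件(kube-apiserver、kube-controller-manager、kube-scheduler、etcd),新证书才会真正被加载。
- 上面输出里三个 CA 的到期时间仍是 2030 年:renew 只重签叶子证书,不会重签 CA;CA 过期之后,由它签发的 99y 证书同样无法通过校验。
- Kubernetes 不支持吊销客户端证书,admin.conf 这类凭据改成 100 年有效后,一旦泄露只能通过轮换 CA 来作废,所以这些文件以及 pki.bak 里留下的私钥副本要更严格地保管,确认无误后应清理备份目录。
- 分发到各 master 的 kubeadm 是自行编译的二进制,scp 之后建议用 sha256sum 核对各节点上的文件是否一致。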
