Kubernetes-v1.19.3通过修改源码的方式完成CA根证书及普通证书续期(200年)
1、检查原有集群的证书情况
  • 检查集群证书情况
[root@kubernetes-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 03, 2021 15:25 UTC   364d                                    no      
apiserver                  Dec 03, 2021 15:25 UTC   364d            ca                      no      
apiserver-etcd-client      Dec 03, 2021 15:25 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Dec 03, 2021 15:25 UTC   364d            ca                      no      
controller-manager.conf    Dec 03, 2021 15:25 UTC   364d                                    no      
etcd-healthcheck-client    Dec 03, 2021 15:25 UTC   364d            etcd-ca                 no      
etcd-peer                  Dec 03, 2021 15:25 UTC   364d            etcd-ca                 no      
etcd-server                Dec 03, 2021 15:25 UTC   364d            etcd-ca                 no      
front-proxy-client         Dec 03, 2021 15:25 UTC   364d            front-proxy-ca          no      
scheduler.conf             Dec 03, 2021 15:25 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 01, 2030 15:25 UTC   9y              no      
etcd-ca                 Dec 01, 2030 15:25 UTC   9y              no      
front-proxy-ca          Dec 01, 2030 15:25 UTC   9y              no      
[root@kubernetes-master ~]# 

  • 重新生成证书kubeadm alpha certs renew all
[root@kubernetes-master ~]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@kubernetes-master ~]# 

使用命令kubeadm alpha certs check-expiration重新生成证书后,可以看到除了caetcd-cafront-proxy-ca三个ca证书未更新外,其余证书又延长到了一年后;下面开始编译源码并更改重新生成证书的期限;

2、安装golang
  • 下载golang安装包
https://golang.google.cn/dl/  国内使用此地址下载安装包 go1.15.5.linux-amd64.tar.gz
  • 安装golang
解压到指定目录
tar -zxf go1.13.5.linux-amd64.tar.gz -C /usr/local

配置环境变量(vi /etc/profile)
export GO111MODULE=on
export GOROOT=/usr/local/go 
export PATH=$PATH:$GOROOT/bin

使环境变量生效
source /etc/profile
  • 检查安装
[root@localhost local]# go version
go version go1.15.5 linux/amd64
[root@localhost local]# 
3、编译kubernetes
  • 下载kubernetes-v1.19.3源码包
从网址 https://github.com/kubernetes/kubernetes/releases 找到 v1.19.3源码包并下载(约32M),下载地址 https://codeload.github.com/kubernetes/kubernetes/tar.gz/v1.19.3
  • 解压
cd /project/
tar -zxvf v1.19.3.tar.gz
cd kubernetes-1.19.3
  • 修改ca根证书期限
编辑文件
vi ./staging/src/k8s.io/client-go/util/cert/cert.go
将now.Add(duration365d * 10).UTC()中的10年(默认)改为200年
  • 修改普通证书期限
编辑文件
vi ./cmd/kubeadm/app/constants/constants.go
将CertificateValidity参数增加乘200年(默认1年)
  • 编译
yum install gcc make -y
yum install rsync jq -y

此处只编译kubeadm即可,编译后的目录在_output/local/bin/linux/amd64/kubeadm(可另外编译kubelet或kubectl)
make all WHAT=cmd/kubeadm GOFLAGS=-v

4、使用新编译的命令完成证书续期
  • 替换kubeadm
备份原kubeadm命令后替换
[root@kubernetes-master ~]# which kubeadm
/usr/bin/kubeadm
[root@kubernetes-master ~]# mv /usr/bin/kubeadm /usr/bin/kubeadm_bk
[root@kubernetes-master ~]# chmod +x /usr/bin/kubeadm

替换后可使用命令kubeadm alpha certs renew all续期证书,但无法更改ca证书,集群需重建才可以;

  • 重新生成证书并检查
[root@kubernetes-master bin]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 16, 2220 16:31 UTC   199y                                    no      
apiserver                  Oct 16, 2220 16:31 UTC   199y            ca                      no      
apiserver-etcd-client      Oct 16, 2220 16:31 UTC   199y            etcd-ca                 no      
apiserver-kubelet-client   Oct 16, 2220 16:31 UTC   199y            ca                      no      
controller-manager.conf    Oct 16, 2220 16:31 UTC   199y                                    no      
etcd-healthcheck-client    Oct 16, 2220 16:31 UTC   199y            etcd-ca                 no      
etcd-peer                  Oct 16, 2220 16:31 UTC   199y            etcd-ca                 no      
etcd-server                Oct 16, 2220 16:31 UTC   199y            etcd-ca                 no      
front-proxy-client         Oct 16, 2220 16:31 UTC   199y            front-proxy-ca          no      
scheduler.conf             Oct 16, 2220 16:31 UTC   199y                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 16, 2220 16:31 UTC   199y            no      
etcd-ca                 Oct 16, 2220 16:31 UTC   199y            no      
front-proxy-ca          Oct 16, 2220 16:31 UTC   199y            no      
[root@kubernetes-master bin]# 
[root@kubernetes-master bin]# 
[root@kubernetes-master bin]# 

后续需继续研究如果在已经运行的集群中,并且保证不中断业务的情况下续期ca及其他相关证书


赞赏(Donation)
微信(Wechat Pay)

donation-wechatpay