6.5 Changing the validity period of Kubernetes certificates

Check which Go version kubeadm was built with:

kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.6", GitCommit:"72c30166b2105cd7d3350f2c28a219e6abcd79eb", GitTreeState:"clean", BuildDate:"2020-01-18T23:29:13Z", GoVersion:"go1.13.5", Compiler:"gc", Platform:"linux/amd64"}

1. Install Go

The kubeadm version output above reports GoVersion go1.13.5, so install Go 1.13.5 and build with the same toolchain the release was built with.

Go download mirror reachable from mainland China: https://golang.google.cn/dl/

wget https://studygolang.com/dl/golang/go1.13.5.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.13.5.linux-amd64.tar.gz

Before unpacking, compare the tarball's sha256sum with the checksum published on the official download page. Afterwards put /usr/local/go/bin on PATH and confirm that go version prints go1.13.5 before building.

2. Clone the kubernetes repository

Check out the tag that matches the GitVersion reported by kubeadm version, so the rebuilt binary differs from the installed one only in the constant you change:

git clone https://github.com/kubernetes/kubernetes
cd kubernetes
git checkout -b release-1.16.6 v1.16.6
git rev-parse HEAD   # should print 72c30166b2105cd7d3350f2c28a219e6abcd79eb, the GitCommit shown by kubeadm version

3. Rebuild kubeadm

The following steps apply to Kubernetes 1.15 and later.

In cmd/kubeadm/app/util/pkiutil/pki_helpers.go the certificate template sets NotAfter from the constant kubeadmconstants.CertificateValidity, so every certificate kubeadm signs or renews gets that lifetime:

cat cmd/kubeadm/app/util/pkiutil/pki_helpers.go
...
    certTmpl := x509.Certificate{
        Subject: pkix.Name{
            CommonName:   cfg.CommonName,
            Organization: cfg.Organization,
        },
        DNSNames:     cfg.AltNames.DNSNames,
        IPAddresses:  cfg.AltNames.IPs,
        SerialNumber: serial,
        NotBefore:    caCert.NotBefore,
        NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
        KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
        ExtKeyUsage:  cfg.Usages,
    }
...

The constant is defined in constants.go; open it and change the value:

vim cmd/kubeadm/app/constants/constants.go
...
const (
    // KubernetesDir is the directory Kubernetes owns for storing various configuration files
    KubernetesDir = "/etc/kubernetes"
    // ManifestsSubDirName defines directory name to store manifests
    ManifestsSubDirName = "manifests"
    // TempDirForKubeadm defines temporary directory for kubeadm
    // should be joined with KubernetesDir.
    TempDirForKubeadm = "tmp"

    // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
    CertificateValidity = time.Hour * 24 * 365 * 10 // upstream default is time.Hour * 24 * 365 (one year); set it to the validity you want
...

This constant only affects the certificates kubeadm signs with a CA. The CA certificates themselves are created through client-go's cert.NewSelfSignedCACert with a fixed ten-year lifetime that this edit does not change, so a certificate renewed late in the CA's life with a ten-year validity is stamped with a NotAfter beyond the CA's, and clients reject the whole chain once the CA expires regardless of what the leaf says. Longer-lived certificates also keep a leaked key usable for longer: a ten-year validity trades the operational cost of yearly renewal for a much larger exposure window, so pick the shortest value your renewal process can sustain.

Rebuild only the kubeadm binary:

make all WHAT=cmd/kubeadm GOFLAGS=-v

4. Replace the original kubeadm

make writes the binary to _output/bin/kubeadm. Back up the packaged binary, install the rebuilt one, and confirm that the kubeadm found on PATH is now the new build (the modified tree is stamped GitTreeState:"dirty"):

mv /usr/bin/kubeadm{,.bak}
cp _output/bin/kubeadm /usr/local/bin/kubeadm
kubeadm version

A later upgrade of the kubeadm package (yum or apt) reinstalls /usr/bin/kubeadm with the stock one-year constant, so check which kubeadm is on PATH after package upgrades.

5. Renew the certificates with the new validity

Back up the PKI directory first (cp -a keeps the 0600 permissions on the private keys), then renew with the rebuilt kubeadm, passing the same configuration that was used for kubeadm init so the SANs and other settings are preserved:

cp -a /etc/kubernetes/pki{,.old}
cd /etc/kubernetes/pki
kubeadm alpha certs renew all --config=/root/kubeadm.yaml

renew all also rewrites the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf, but not the kubelet's own client certificate under /var/lib/kubelet/pki, which the kubelet rotates itself. The control-plane components only read their certificates at startup, so restart the kube-apiserver, kube-controller-manager and kube-scheduler static pods afterwards.

Check the certificate

The -text output prints the field as "Not After :", so grep NotAfter would match nothing; ask openssl for the end date directly, and let kubeadm report the whole set:

openssl x509 -in apiserver.crt -noout -enddate
kubeadm alpha certs check-expiration
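What the ten-year constant from step 3 means once you renew with it in step 5, as an added Go example (this program is not part of the page or of kubeadm): it reproduces the certTmpl shape from pki_helpers.go (NotBefore copied from the CA, NotAfter = signing time + CertificateValidity) against a CA given the fixed ten-year lifetime that client-go's cert.NewSelfSignedCACert hard-codes, then renews a leaf five years into the CA's life. The leaf is stamped valid until year 15, yet chain verification fails from year 10 on because the CA has expired. The init date, key type, names and the renewalOutlivesCA helper are the example's own choices, not kubeadm's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertificateValidity mirrors kubeadmconstants.CertificateValidity after the edit in
// step 3 (upstream default is one year). caValidity mirrors the fixed ten-year CA
// lifetime in client-go's cert.NewSelfSignedCACert, which that edit does not change.
const (
	year                = time.Hour * 24 * 365
	CertificateValidity = year * 10
	caValidity          = year * 10
)

// newCA creates a self-signed CA valid from now for caValidity (example key type and name).
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(caValidity).UTC(),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// newSignedCert mirrors certTmpl in pki_helpers.go: NotBefore from the CA, NotAfter = now + validity.
func newSignedCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		DNSNames:     []string{"kube-apiserver"},
		SerialNumber: serial,
		NotBefore:    ca.NotBefore,
		NotAfter:     now.Add(validity).UTC(),
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt performs chain verification the way a client connecting at instant at would.
func verifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "kube-apiserver", CurrentTime: at})
	return err
}

// renewalOutlivesCA reports whether renewing at renewAt with validity stamps a NotAfter past the CA's.
func renewalOutlivesCA(ca *x509.Certificate, renewAt time.Time, validity time.Duration) bool {
	return renewAt.Add(validity).After(ca.NotAfter)
}

func main() {
	t0 := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC) // constructed cluster init time
	ca, caKey, err := newCA(t0)
	if err != nil {
		panic(err)
	}
	renewAt := t0.Add(5 * year) // "kubeadm alpha certs renew all" run five years in
	leaf, err := newSignedCert(ca, caKey, renewAt, CertificateValidity)
	if err != nil {
		panic(err)
	}
	fmt.Println("renewed leaf outlives CA:", renewalOutlivesCA(ca, renewAt, CertificateValidity)) // true
	fmt.Println("verify at year 9: ", verifyAt(leaf, ca, t0.Add(9*year)))                          // <nil>
	fmt.Println("verify at year 11:", verifyAt(leaf, ca, t0.Add(11*year)))                         // CA expired error
}
```

Run it with go run. The renewalOutlivesCA check is the one worth adding to any renewal procedure that raises CertificateValidity: a leaf stamped beyond the CA's NotAfter buys nothing, because the CA expiry decides when the chain stops verifying.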
Copyright © huangzhongde.cn 2021, all rights reserved. Powered by GitBook. Last revised: 2022-01-28 00:02:24
