Leif160519的blog
——————
目录
Kubernetes 集群维护(中)-K8s 集群证书续签(kubeadm)
Kubernetes 集群维护(中)-K8s 集群证书续签(kubeadm)
一、证书说明
ETCD证书
自签证书颁发机构(CA):
- ca.crt
- ca.key
etcd集群中相互通信使用的客户端证书:
- peer.crt
- peer.key
pod中定义Liveness探针使用的客户端证书:
- healthcheck-client.crt
- healthcheck-client.key
etcd节点服务端证书:
- server.crt
- server.key
K8S证书:
自签证书颁发机构(CA):
- ca.crt
- ca.key
apiserver组件服务端证书:
- apiserver.crt
- apiserver.key
apiserver连接etcd客户端证书:
- apiserver-etcd-client.crt
- apiserver-etcd-client.key
apiserver访问kubelet 客户端证书:
- apiserver-kubelet-client.crt
- apiserver-kubelet-client.key
汇聚层(aggregator)证书:
- front-proxy-ca.crt
- front-proxy-ca.key
代理端使用的客户端证书,用作代理用户与kube-apiserver 认证:
- front-proxy-client.crt
- front-proxy-client.key
二、证书续签
kubeadm签发的证书默认有效期为一年,若一年之内没有证书续签,一年之后,整个k8s集群都将不可用
解决kubeadm一年证书有效期?
- 官方推荐:一年之内升级一个k8s集群(kubeadm upgrade)
- 修改源码里面证书生成时间 http://github.com/kubernetes/kubernetes
- kubeadm alpha cert 命令管理证书
- 检查客户端证书过期时间:
kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jun 01, 2021 00:41 UTC 295d no
apiserver Jun 01, 2021 00:41 UTC 295d ca no
apiserver-etcd-client Jun 01, 2021 00:41 UTC 295d etcd-ca no
apiserver-kubelet-client Jun 01, 2021 00:41 UTC 295d ca no
controller-manager.conf Jun 01, 2021 00:41 UTC 295d no
etcd-healthcheck-client Jun 01, 2021 00:41 UTC 295d etcd-ca no
etcd-peer Jun 01, 2021 00:41 UTC 295d etcd-ca no
etcd-server Jun 01, 2021 00:41 UTC 295d etcd-ca no
front-proxy-client Jun 01, 2021 00:41 UTC 295d front-proxy-ca no
scheduler.conf Jun 01, 2021 00:41 UTC 295d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca May 30, 2030 00:41 UTC 9y no
etcd-ca May 30, 2030 00:41 UTC 9y no
front-proxy-ca May 30, 2030 00:41 UTC 9y no
根证书默认十年
- 查看当前目录所有证书有效时间:
ls /etc/kubernetes/pki/ |grep crt |xargs -I {} openssl x509 -text -in {} |grep Not
[root@k8s-master pki]# ls /etc/kubernetes/pki/ |grep crt |xargs -I {} openssl x509 -text -in {} |grep Not
Not Before: Jun 1 00:41:16 2020 GMT
Not After : Jun 1 00:41:16 2021 GMT
Not Before: Jun 1 00:41:17 2020 GMT
Not After : Jun 1 00:41:19 2021 GMT
Not Before: Jun 1 00:41:16 2020 GMT
Not After : Jun 1 00:41:16 2021 GMT
Not Before: Jun 1 00:41:16 2020 GMT
Not After : May 30 00:41:16 2030 GMT
Not Before: Jun 1 00:41:17 2020 GMT
Not After : May 30 00:41:17 2030 GMT
Not Before: Jun 1 00:41:17 2020 GMT
Not After : Jun 1 00:41:17 2021 GMT
- 续签所有证书(master执行):
kubeadm alpha certs renew all
cp /etc/kubernetes/admin.conf /root/.kube/config
#续签之后,重启master相关服务:kube-apiserver-k8s-master & kube-controller-manager-k8s-master & kube-scheduler-k8s-master
或者将/etc/kubernetes/manifests 文件夹重命名,等一会再改回去,上述pod也会重新构建
“The first 90% of the code accounts for the first 90% of the development time. The remaining 10% of the code accounts for the other 90% of the development time.” – Tom Cargill
标 题:Kubernetes 集群维护(中)-K8s 集群证书续签(kubeadm)作 者:Leif160519
出 处:https://github.icu/articles/2020/08/09/1596949888243.html
关于博主:坐标南京,运维工程师,如有问题探讨可以直接下方留言。
声援博主:如果您觉得文章对您有帮助,可以评论、订阅、收藏。您的鼓励是博主的最大动力!