Leif160519's blog

Kubernetes cluster maintenance (Part 2): K8s cluster certificate renewal (kubeadm)

1. Certificate overview

ETCD certificates

Self-signed certificate authority (CA):

  • ca.crt
  • ca.key

Client certificate used by etcd cluster members to communicate with each other:

  • peer.crt
  • peer.key

Client certificate used by the liveness probe defined in the etcd pod:

  • healthcheck-client.crt
  • healthcheck-client.key

etcd node server certificate:

  • server.crt
  • server.key

K8S certificates:

Self-signed certificate authority (CA):

  • ca.crt
  • ca.key

apiserver component server certificate:

  • apiserver.crt
  • apiserver.key

Client certificate the apiserver uses to connect to etcd:

  • apiserver-etcd-client.crt
  • apiserver-etcd-client.key

Client certificate the apiserver uses to access the kubelet:

  • apiserver-kubelet-client.crt
  • apiserver-kubelet-client.key

Aggregation layer (aggregator) CA certificate:

  • front-proxy-ca.crt
  • front-proxy-ca.key

Client certificate used by the front proxy, for authenticating proxied users to kube-apiserver:

  • front-proxy-client.crt
  • front-proxy-client.key

2. Certificate renewal

Certificates issued by kubeadm are valid for one year by default. If they are not renewed within that year, the entire k8s cluster becomes unusable once they expire.

How to deal with kubeadm's one-year certificate validity?

  1. Official recommendation: upgrade the k8s cluster within the year (kubeadm upgrade), which renews the certificates
  2. Modify the certificate validity period in the source code http://github.com/kubernetes/kubernetes
  3. Manage the certificates with the kubeadm alpha certs command
  • Check the client certificate expiry dates:
kubeadm alpha certs check-expiration 

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 01, 2021 00:41 UTC   295d                                    no      
apiserver                  Jun 01, 2021 00:41 UTC   295d            ca                      no      
apiserver-etcd-client      Jun 01, 2021 00:41 UTC   295d            etcd-ca                 no      
apiserver-kubelet-client   Jun 01, 2021 00:41 UTC   295d            ca                      no      
controller-manager.conf    Jun 01, 2021 00:41 UTC   295d                                    no      
etcd-healthcheck-client    Jun 01, 2021 00:41 UTC   295d            etcd-ca                 no      
etcd-peer                  Jun 01, 2021 00:41 UTC   295d            etcd-ca                 no      
etcd-server                Jun 01, 2021 00:41 UTC   295d            etcd-ca                 no      
front-proxy-client         Jun 01, 2021 00:41 UTC   295d            front-proxy-ca          no      
scheduler.conf             Jun 01, 2021 00:41 UTC   295d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 30, 2030 00:41 UTC   9y              no      
etcd-ca                 May 30, 2030 00:41 UTC   9y              no      
front-proxy-ca          May 30, 2030 00:41 UTC   9y              no

The root (CA) certificates are valid for ten years by default.

  • Show the validity period of every certificate in the current directory (run from /etc/kubernetes/pki, since openssl is given bare file names; the etcd/ subdirectory is not included, and the dates are printed without the certificate name):
ls /etc/kubernetes/pki/ |grep crt |xargs -I {} openssl x509 -text -in {} |grep Not 

[root@k8s-master pki]# ls /etc/kubernetes/pki/ |grep crt |xargs -I {} openssl x509 -text -in {} |grep Not 
            Not Before: Jun  1 00:41:16 2020 GMT
            Not After : Jun  1 00:41:16 2021 GMT
            Not Before: Jun  1 00:41:17 2020 GMT
            Not After : Jun  1 00:41:19 2021 GMT
            Not Before: Jun  1 00:41:16 2020 GMT
            Not After : Jun  1 00:41:16 2021 GMT
            Not Before: Jun  1 00:41:16 2020 GMT
            Not After : May 30 00:41:16 2030 GMT
            Not Before: Jun  1 00:41:17 2020 GMT
            Not After : May 30 00:41:17 2030 GMT
            Not Before: Jun  1 00:41:17 2020 GMT
            Not After : Jun  1 00:41:17 2021 GMT
  • Renew all certificates (run on the master):
kubeadm alpha certs renew all

# admin.conf is re-signed as well, so refresh the kubectl config that was copied from it
cp /etc/kubernetes/admin.conf /root/.kube/config

# After renewal, restart the master control-plane pods: kube-apiserver-k8s-master & kube-controller-manager-k8s-master & kube-scheduler-k8s-master
Alternatively, rename the /etc/kubernetes/manifests folder, wait a moment, then rename it back; the static pods above will be recreated.
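As an added example that is not part of the original post, a small POSIX shell helper that filters the `kubeadm alpha certs check-expiration` table shown above and lists the certificates whose residual time is at or below a threshold in days, so the one-year client/server certificates can be renewed before they expire. The function names, the `<invalid>` residual-time value for an expired certificate and the constructed expired row are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: filter the table printed by
# `kubeadm alpha certs check-expiration` and list the certificates whose
# RESIDUAL TIME is at or below a threshold in days.

# Usage: kubeadm alpha certs check-expiration | certs_expiring_within DAYS
# Prints "NAME DAYS_LEFT" for every certificate at or below DAYS.
certs_expiring_within() {
  awk -v limit="$1" '
    # skip the [check-expiration] log lines, the two table headers and blanks
    /^\[/ || /^CERTIFICATE/ || NF == 0 { next }
    {
      days = -1
      for (i = 2; i <= NF; i++) {
        # residual time is printed as e.g. 295d, 9y, 23h or 5m
        if ($i ~ /^[0-9]+[ydhm]$/) {
          n = substr($i, 1, length($i) - 1) + 0
          u = substr($i, length($i))
          if (u == "y") { days = n * 365 }
          else if (u == "d") { days = n }
          else { days = 0 }        # only hours or minutes left
          break
        }
        # assumption: kubeadm prints <invalid> once a certificate has expired
        if ($i == "<invalid>") { days = 0; break }
      }
      if (days >= 0 && days <= limit) print $1, days
    }'
}

# Constructed sample: three rows from the table shown in the post, the two
# CA rows, plus one constructed row for an already expired certificate.
SAMPLE_TABLE='[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 01, 2021 00:41 UTC   295d                                    no
apiserver                  Jun 01, 2021 00:41 UTC   295d            ca                      no
front-proxy-client         Jun 01, 2021 00:41 UTC   295d            front-proxy-ca          no
etcd-peer                  Jun 01, 2020 00:41 UTC   <invalid>       etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 30, 2030 00:41 UTC   9y              no
etcd-ca                 May 30, 2030 00:41 UTC   9y              no'

# Number of certificates in the sample at or below DAYS (used by the checks)
count_expiring_within() {
  printf '%s\n' "$SAMPLE_TABLE" | certs_expiring_within "$1" | wc -l | tr -d ' '
}
```

Pipe the live `kubeadm alpha certs check-expiration` output into `certs_expiring_within 30` from a cron job to get an early warning instead of discovering the expiry when the apiserver stops accepting connections.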


Title: Kubernetes cluster maintenance (Part 2): K8s cluster certificate renewal (kubeadm)
Author: Leif160519
Source: https://github.icu/articles/2020/08/09/1596949888243.html