K8S kubeadm管理证书
官方文档: k8s kubeadm管理证书
查询证书过期时间
$ kubeadm alpha certs check-expiration
如下输出
[root@master1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0425 13:59:12.092991 16885 defaults.go:186] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Apr 25, 2022 05:53 UTC 364d no
apiserver Apr 25, 2022 05:53 UTC 364d ca no
apiserver-kubelet-client Apr 25, 2022 05:53 UTC 364d ca no
controller-manager.conf Apr 25, 2022 05:53 UTC 364d no
front-proxy-client Apr 25, 2022 05:53 UTC 364d front-proxy-ca no
scheduler.conf Apr 25, 2022 05:53 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Mar 11, 2031 05:51 UTC 9y no
front-proxy-ca Mar 11, 2031 05:51 UTC 9y no
可以直接使用以下命令续期证书,但默认有效期只有一年(例如上面的 apiserver 证书):
$ kubeadm alpha certs renew all
所以修改了源码,重新编译了Kubeadm
# /kubernetes/staging/src/k8s.io/client-go/util/cert/cert.go
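// NewSelfSignedCACert creates a self-signed CA certificate for cfg, signed
// with key. Validity is 100 years (modified from upstream; the existing ca in
// the check-expiration output above was issued with 10 years). With no
// expiry-driven rotation left, a CA key that is ever exposed has to be
// replaced by an explicit re-issue rather than by waiting for it to expire.
//
// NOTE(review): the fixed serial 0 is kept from upstream; RFC 5280 requires
// a positive serial that is unique per issuer, so a regenerated CA with the
// same subject collides with the old one — a random serial, as NewSignedCert
// uses, would be safer.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore: now.UTC(),
		// Modified here: 100-year validity.
		NotAfter:              now.Add(duration365d * 100).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Self-signed: the template is both subject and issuer, and key signs itself.
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}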
# /kubernetes/test/utils/pki_helpers.go
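// NewSignedCert creates a certificate for cfg signed by caCert/caKey, with a
// fresh random serial and the extended key usages taken from cfg. Validity is
// 100 years (modified from upstream) but never beyond the CA's own NotAfter:
// a leaf that outlives its issuer stops validating at the CA's expiry anyway,
// so the extra validity would only be misleading in check-expiration output.
//
// NOTE(review): this helper lives under test/utils; the kubeadm binary takes
// its leaf validity from CertificateValidity in cmd/kubeadm/app/constants, so
// changing this function most likely has no effect on `kubeadm alpha certs renew`.
//
// Returns an error when the CA material is missing, when cfg has no
// CommonName or no usages, or when certificate creation/parsing fails.
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
	if cfg == nil || caCert == nil || caKey == nil {
		return nil, errors.New("must specify a config, CA certificate and CA key")
	}
	if len(cfg.CommonName) == 0 {
		return nil, errors.New("must specify a CommonName")
	}
	if len(cfg.Usages) == 0 {
		return nil, errors.New("must specify at least one ExtKeyUsage")
	}
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	// Modified here: 100-year validity, capped at the CA's expiry.
	notAfter := time.Now().Add(duration365d * 100).UTC()
	if !caCert.NotAfter.IsZero() && caCert.NotAfter.Before(notAfter) {
		notAfter = caCert.NotAfter
	}
	certTmpl := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:     cfg.AltNames.DNSNames,
		IPAddresses:  cfg.AltNames.IPs,
		SerialNumber: serial,
		NotBefore:    caCert.NotBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  cfg.Usages,
	}
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}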
# /kubernetes/vendor/k8s.io/client-go/util/cert/cert.go
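// NewSelfSignedCACert creates a self-signed CA certificate for cfg, signed
// with key. Validity is 100 years (modified from upstream; the existing ca in
// the check-expiration output above was issued with 10 years). With no
// expiry-driven rotation left, a CA key that is ever exposed has to be
// replaced by an explicit re-issue rather than by waiting for it to expire.
//
// NOTE(review): the fixed serial 0 is kept from upstream; RFC 5280 requires
// a positive serial that is unique per issuer, so a regenerated CA with the
// same subject collides with the old one — a random serial, as NewSignedCert
// uses, would be safer.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore: now.UTC(),
		// Modified here: 100-year validity.
		NotAfter:              now.Add(duration365d * 100).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Self-signed: the template is both subject and issuer, and key signs itself.
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}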
# /kubernetes/cmd/kubeadm/app/constants
CertificateValidity = time.Hour * 24 * 365 * 100
修改后,准备好go环境和相关包,这个就不说了 so easy 自行解决
开始编译
$ make all WHAT=cmd/kubeadm GOFLAGS=-v
二进制文件在/kubernetes/_output/bin 下
自行寻找,并替换任意 master 节点上的 kubeadm 二进制文件即可(注意: renew 只续期当前节点上的证书,多 master 集群需要在每个 master 节点上重复替换并续期)
替换前执行 chmod a+x 给权限,然后执行命令
$ kubeadm alpha certs renew all
执行命令查询证书过期时间(可以看到叶子证书已续期到 2121 年,而 ca / front-proxy-ca 并未被 renew 续期,仍是 2031 年到期;CA 到期后由其签发的证书也会随之失效)
$ kubeadm alpha certs check-expiration
[root@master1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0425 14:11:55.863296 30256 defaults.go:186] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Apr 01, 2121 06:11 UTC 99y no
apiserver Apr 01, 2121 06:11 UTC 99y ca no
apiserver-kubelet-client Apr 01, 2121 06:11 UTC 99y ca no
controller-manager.conf Apr 01, 2121 06:11 UTC 99y no
front-proxy-client Apr 01, 2121 06:11 UTC 99y front-proxy-ca no
scheduler.conf Apr 01, 2121 06:11 UTC 99y no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Mar 11, 2031 05:51 UTC 9y no
front-proxy-ca Mar 11, 2031 05:51 UTC 9y no