该文提供了一个脚本,用于将kubeadm生成的证书有效期从1年延长至10年,主要处理master节点上的证书,包括apiserver、etcd等相关证书的更新。执行脚本的步骤包括下载脚本、赋予执行权限并在master节点上运行。脚本会备份原有证书并生成新的证书,然后重启相关服务以应用变更。对于node节点,kubelet证书会自动轮换,无需手动更新。
[root@k8s01 ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text |grep Not
Not Before: Jan 10 09:56:12 2022 GMT
Not After : Jan 8 09:56:12 2032 GMT
[root@k8s01 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep Not
Not Before: Jan 10 09:56:12 2022 GMT
Not After : Jan 10 09:56:13 2023 GMT
#ca证书有效期10年,apiserver证书有效期1年
kubeadm 生成的证书有效期为 1 年,该脚本可将 kubeadm 生成的证书有效期更新为 10 年
该脚本只处理 master 节点上的证书,node 节点的 kubelet 证书默认自动轮换更新,无需关心过期问题,只需关心 master 节点上的证书即可
该脚本仅需要在 master 节点执行,无需在 node 节点执行
若没有 etcd 相关证书,只需要更新 master 证书即可,见这里(小于等于 v1.9 版本,etcd 默认不使用 TLS 连接)
默认情况按照下面步骤进行证书更新
执行时请使用 ./update-kubeadm-cert.sh all 或者 bash update-kubeadm-cert.sh all ,不要使用 sh update-kubeadm-cert.sh all,因为某些 Linux 发行版 sh 并不是链接到 bash,可能会不兼容
如果有多个 master 节点,在每个 master 节点都执行一次
执行命令:
git clone https://github.com/yuyicai/update-kube-cert.git
cd update-kubeadm-cert
chmod 755 update-kubeadm-cert.sh
chmod 755 update-kubeadm-cert.sh
./update-kubeadm-cert.sh all
输出类似信息
[2022-01-10T18:50:09.365346270+0800]: INFO: backup /etc/kubernetes to /etc/kubernetes.old-20220110
Signature ok
subject=/CN=etcd-server
Getting CA Private Key
[2022-01-10T18:50:09.425352868+0800]: INFO: generated /etc/kubernetes/pki/etcd/server.crt
Signature ok
subject=/CN=etcd-peer
Getting CA Private Key
[2022-01-10T18:50:09.481460118+0800]: INFO: generated /etc/kubernetes/pki/etcd/peer.crt
Signature ok
subject=/O=system:masters/CN=kube-etcd-healthcheck-client
Getting CA Private Key
[2022-01-10T18:50:09.522898903+0800]: INFO: generated /etc/kubernetes/pki/etcd/healthcheck-client.crt
Signature ok
subject=/O=system:masters/CN=kube-apiserver-etcd-client
Getting CA Private Key
[2022-01-10T18:50:09.559751660+0800]: INFO: generated /etc/kubernetes/pki/apiserver-etcd-client.crt
1c65dac2967f
[2022-01-10T18:50:11.067593654+0800]: INFO: restarted etcd
Signature ok
subject=/CN=kube-apiserver
Getting CA Private Key
[2022-01-10T18:50:11.136289676+0800]: INFO: generated /etc/kubernetes/pki/apiserver.crt
Signature ok
subject=/O=system:masters/CN=kube-apiserver-kubelet-client
Getting CA Private Key
[2022-01-10T18:50:11.177126464+0800]: INFO: generated /etc/kubernetes/pki/apiserver-kubelet-client.crt
Signature ok
subject=/CN=system:kube-controller-manager
Getting CA Private Key
[2022-01-10T18:50:11.269766849+0800]: INFO: generated /etc/kubernetes/controller-manager.crt
[2022-01-10T18:50:11.302255202+0800]: INFO: generated new /etc/kubernetes/controller-manager.conf
Signature ok
subject=/CN=system:kube-scheduler
Getting CA Private Key
[2022-01-10T18:50:11.379987827+0800]: INFO: generated /etc/kubernetes/scheduler.crt
[2022-01-10T18:50:11.388350335+0800]: INFO: generated new /etc/kubernetes/scheduler.conf
Signature ok
subject=/O=system:masters/CN=kubernetes-admin
Getting CA Private Key
[2022-01-10T18:50:11.454095179+0800]: INFO: generated /etc/kubernetes/admin.crt
[2022-01-10T18:50:11.460446442+0800]: INFO: generated new /etc/kubernetes/admin.conf
[2022-01-10T18:50:11.467249673+0800]: INFO: copy the admin.conf to ~/.kube/config for kubectl
[2022-01-10T18:50:11.470375526+0800]: WARNING: does not need to update kubelet.conf
Signature ok
subject=/CN=front-proxy-client
Getting CA Private Key
[2022-01-10T18:50:11.502384189+0800]: INFO: generated /etc/kubernetes/pki/front-proxy-client.crt
730fa1430c87
[2022-01-10T18:50:12.428407360+0800]: INFO: restarted kube-apiserver
4b97debc1405
[2022-01-10T18:50:12.828963546+0800]: INFO: restarted kube-controller-manager
8cbc7dd868e2
[2022-01-10T18:50:13.409071339+0800]: INFO: restarted kube-scheduler
[2022-01-10T18:50:13.625536997+0800]: INFO: restarted kubelet
-----------------------------------
©著作权归作者所有:来自51CTO博客作者哭泣的馒头的原创作品,请联系作者获取转载授权,否则将追究法律责任
六、kubeadm证书过期更新
https://blog.51cto.com/u_13236892/5551266
扫一扫
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
