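Extending Kubernetes certificate validity to 99 years on a kubeadm cluster

Changing the certificate validity period with kubeadm

(1) Check the current certificate expiration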

# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 20, 2021 11:21 UTC   364d                                    no
apiserver                  Jun 20, 2021 11:21 UTC   364d            ca                      no
apiserver-etcd-client      Jun 20, 2021 11:21 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jun 20, 2021 11:21 UTC   364d            ca                      no
controller-manager.conf    Jun 20, 2021 11:21 UTC   364d                                    no
etcd-healthcheck-client    Jun 20, 2021 11:21 UTC   364d            etcd-ca                 no
etcd-peer                  Jun 20, 2021 11:21 UTC   364d            etcd-ca                 no
etcd-server                Jun 20, 2021 11:21 UTC   364d            etcd-ca                 no
front-proxy-client         Jun 20, 2021 11:21 UTC   364d            front-proxy-ca          no
scheduler.conf             Jun 20, 2021 11:21 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 18, 2030 11:21 UTC   9y              no
etcd-ca                 Jun 18, 2030 11:21 UTC   9y              no
front-proxy-ca          Jun 18, 2030 11:21 UTC   9y              no

(2) Download the source code

git clone https://github.com/kubernetes/kubernetes.git

(3) Check out the tag that matches your own cluster version and modify the source. Mine is v1.17.2, for example.

cd kubernetes
git checkout v1.17.2

vim cmd/kubeadm/app/constants/constants.go, then find CertificateValidity and change it as follows:

....
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"

	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	// Changed here: "* 100" appended to the original time.Hour * 24 * 365 (one year).
	CertificateValidity = time.Hour * 24 * 365 * 100
....

(4) Build kubeadm

make WHAT=cmd/kubeadm

When the build finishes, it produces the following directory and binaries:

# ll _output/bin/
total 76172
-rwxr-xr-x 1 root root  6799360 Jun 20 21:08 conversion-gen
-rwxr-xr-x 1 root root  6778880 Jun 20 21:08 deepcopy-gen
-rwxr-xr-x 1 root root  6750208 Jun 20 21:08 defaulter-gen
-rwxr-xr-x 1 root root  4883629 Jun 20 21:08 go2make
-rwxr-xr-x 1 root root  2109440 Jun 20 21:09 go-bindata
-rwxr-xr-x 1 root root 39256064 Jun 20 21:11 kubeadm
-rwxr-xr-x 1 root root 11419648 Jun 20 21:09 openapi-gen

(5) Back up the original kubeadm binary and the certificate files

cp /usr/bin/kubeadm{,.bak20200620}
cp -r /etc/kubernetes/pki{,.bak20200620}

(7) Replace kubeadm with the newly built binary

cp _output/bin/kubeadm /usr/bin/kubeadm

(8) Generate new certificates

cd /etc/kubernetes/pki
kubeadm alpha certs renew all

The output is as follows:

[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

(9) Verify the result

kubeadm alpha certs check-expiration

The output is as follows:

[root@k8s-master pki]#  kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 27, 2120 13:25 UTC   99y                                     no
apiserver                  May 27, 2120 13:25 UTC   99y             ca                      no
apiserver-etcd-client      May 27, 2120 13:25 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   May 27, 2120 13:25 UTC   99y             ca                      no
controller-manager.conf    May 27, 2120 13:25 UTC   99y                                     no
etcd-healthcheck-client    May 27, 2120 13:25 UTC   99y             etcd-ca                 no
etcd-peer                  May 27, 2120 13:25 UTC   99y             etcd-ca                 no
etcd-server                May 27, 2120 13:25 UTC   99y             etcd-ca                 no
front-proxy-client         May 27, 2120 13:25 UTC   99y             front-proxy-ca          no
scheduler.conf             May 27, 2120 13:25 UTC   99y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 18, 2030 11:21 UTC   9y              no
etcd-ca                 Jun 18, 2030 11:21 UTC   9y              no
front-proxy-ca          Jun 18, 2030 11:21 UTC   9y              no

Check that the cluster status is OK.

[root@k8s-master pki]# kubectl get node
NAME         STATUS   ROLES    AGE    VERSION
k8s-master   Ready    master   127m   v1.17.2
k8s-node01   Ready    <none>   94m    v1.17.2
k8s-node02   Ready    <none>   95m    v1.17.2
[root@k8s-master pki]# kubectl get pod -n kube-system
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-589b5f594b-76vwr   1/1     Running   0          93m
calico-node-4qvfj                          1/1     Running   0          93m
calico-node-cn79s                          1/1     Running   0          93m
calico-node-sppn9                          1/1     Running   0          93m
coredns-7f9c544f75-hc5q5                   1/1     Running   0          127m
coredns-7f9c544f75-z77s8                   1/1     Running   0          127m
etcd-k8s-master                            1/1     Running   0          114m
kube-apiserver-k8s-master                  1/1     Running   0          115m
kube-controller-manager-k8s-master         1/1     Running   0          114m
kube-proxy-6kckk                           1/1     Running   0          94m
kube-proxy-r7mn2                           1/1     Running   0          127m
kube-proxy-zf48c                           1/1     Running   0          95m
kube-scheduler-k8s-master                  1/1     Running   0          114m

The certificate change is now complete.
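The check-expiration output above still lists ca, etcd-ca and front-proxy-ca as expiring on Jun 18, 2030, so the 2120 date on the leaf certificates is bounded by the CA that signed them. The following added example (not part of the original post or of the Kubernetes source) rebuilds those dates with in-memory certificates and shows chain verification failing once the CA has expired. The helper names issue and VerifyAt, the Ed25519 keys and the 3650-day CA lifetime (inferred from the dates above) are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a constructed cert valid for d starting at from; a nil parent makes a self-signed CA.
func issue(cn string, from time.Time, d time.Duration, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: from.Add(d), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA: it signs itself and may sign leaves
		t.IsCA, t.KeyUsage = true, t.KeyUsage|x509.KeyUsageCertSign
		parent, signer = t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// VerifyAt validates leaf against ca as if the clock read at (nil means the chain is accepted).
func VerifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() { // constructed certs: CA from cluster creation, leaf from the patched renewal
	ca, caKey := issue("ca", time.Date(2020, 6, 20, 11, 21, 0, 0, time.UTC), time.Hour*24*3650, nil, nil)
	leaf, _ := issue("apiserver", time.Date(2020, 6, 20, 13, 25, 0, 0, time.UTC), time.Hour*24*365*100, ca, caKey)
	fmt.Println("leaf NotAfter:", leaf.NotAfter.Format("Jan 2, 2006"), "| CA NotAfter:", ca.NotAfter.Format("Jan 2, 2006"))
	fmt.Println("verify on 2031-01-01:", VerifyAt(leaf, ca, time.Date(2031, 1, 1, 0, 0, 0, 0, time.UTC)))
}
```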

If downloading from GitHub is slow, you can download from Gitee instead: https://gitee.com/mirrors/Kubernetes/tree/master/

Reference:

https://cloud.tencent.com/developer/article/1650657
