一、kubeadm安装证书期限查看
[root@k8s-master01 ~]# cd /etc/kubernetes/pki/
[root@k8s-master01 pki]# ls
apiserver.crt              apiserver.key                 ca.crt       devuser-key.pem  front-proxy-ca.crt      front-proxy-client.key
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key       devuser.pem      front-proxy-ca.key      sa.key
apiserver-etcd-client.key  apiserver-kubelet-client.key  devuser.csr  etcd             front-proxy-client.crt  sa.pub
#apiserver证书期限
[root@k8s-master01 pki]# openssl x509 -in apiserver.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2512053590653979745 (0x22dc9b6e67accc61)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Feb 2 06:17:57 2020 GMT
            #默认是一年
            Not After : Feb 1 06:17:57 2021 GMT
        Subject: CN=kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cc:ac:99:1f:03:32:99:a3:8b:29:0a:29:a5:5f:
                    10:49:4d:f2:76:22:20:1c:49:a1:b6:5f:79:ed:e4:
                    90:2b:ec:04:70:48:a0:d7:55:6e:70:90:2a:44:a4:
                    17:e8:23:83:30:c8:3c:64:36:04:bd:d5:17:d6:b9:
                    77:81:83:52:46:f0:bc:73:eb:6d:90:57:a3:18:61:
                    81:9b:32:24:58:1e:cf:30:ae:37:04:fc:83:d6:de:
                    10:f9:4c:ad:51:48:b7:6c:c5:ad:3f:12:03:e8:6b:
                    a4:28:94:65:23:16:69:50:c7:03:8b:11:24:b0:1b:
                    d3:e7:8e:a2:2f:cc:8b:99:28:b8:30:53:95:a6:15:
                    79:43:b8:3b:78:e7:0a:30:f4:ba:99:ac:09:94:3a:
                    3f:64:61:27:f7:41:16:17:17:df:54:36:05:cd:d5:
                    96:77:47:9b:6d:3d:e7:a0:75:d3:84:f2:0d:77:33:
                    03:57:8a:0d:a6:bf:80:cf:f9:c1:5d:90:ff:8d:cf:
                    a7:60:d8:d3:07:bd:1e:21:17:06:83:10:7f:69:68:
                    bb:f8:4d:1e:54:85:39:51:cc:07:05:3f:01:c9:e5:
                    e1:2f:81:c0:c0:6e:eb:b1:8f:e4:af:af:c2:7b:eb:
                    b6:73:e5:1f:3a:ee:be:a3:db:9c:ad:7f:d8:68:f3:
                    f0:47
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:k8s-master01, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:10.0.0.11
    Signature Algorithm: sha256WithRSAEncryption
         21:53:49:89:11:7c:2e:ab:59:24:6a:bf:cc:b0:ba:66:4e:1d:
         21:3d:36:1c:5a:e8:ee:59:e3:eb:44:2d:06:0f:e2:3f:a6:18:
         27:c2:07:72:95:61:e6:6f:df:fe:84:32:a4:dc:44:53:5f:6f:
         a9:1b:c7:1d:61:ac:d9:c1:ec:fa:ad:08:4d:ca:3d:f0:92:5a:
         be:36:58:5f:10:72:7f:99:be:75:84:88:95:a1:17:87:fa:f8:
         39:dc:16:f8:e9:2a:64:af:51:a1:d3:60:85:24:d2:ec:b7:65:
         1f:4e:73:f2:f0:cf:30:f4:86:a7:a3:f9:a7:2d:3e:b4:29:4d:
         3b:dd:8b:69:c1:aa:7c:1b:a8:de:96:0c:cb:a0:bc:66:7a:62:
         08:97:e5:16:98:45:d5:c4:1d:fa:f2:97:7b:ae:09:43:ab:61:
         67:fb:3e:e4:70:d0:1f:d9:5f:71:ab:d5:27:71:5b:fb:eb:99:
         56:23:74:49:eb:23:9b:ec:24:80:f8:7f:54:4e:6e:35:af:c6:
         3c:aa:28:23:0f:da:07:f0:f5:e3:11:34:a8:b1:e4:90:28:4c:
         63:26:6e:f7:80:72:a4:79:5b:37:f7:cc:c6:24:b8:cc:f5:5f:
         ae:05:ec:1f:c1:37:f6:ac:37:5f:bf:0b:db:73:06:00:1f:2f:
         bb:f4:a0:5d
#ca证书期限
[root@k8s-master01 pki]# openssl x509 -in ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Feb 2 06:17:57 2020 GMT
            #十年
            Not After : Jan 30 06:17:57 2030 GMT
        Subject: CN=kubernetes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
.....
二、证书期限修改步骤
1)部署go语言环境
#下载go语言包
[root@k8s-master01 k8s]# cd data/
[root@k8s-master01 data]# wget https://studygolang.com/dl/golang/go1.13.7.linux-amd64.tar.gz
[root@k8s-master01 data]# ls
go1.13.7.linux-amd64.tar.gz
#该下载地址不是 Go 官方站点,以 root 解压到 /usr/local 之前建议先校验压缩包:
#执行 sha256sum go1.13.7.linux-amd64.tar.gz,并与 Go 官方下载页公布的 SHA256 值比对
[root@k8s-master01 data]# tar xf go1.13.7.linux-amd64.tar.gz -C /usr/local/
[root@k8s-master01 data]# cd /usr/local/
[root@k8s-master01 local]# ls
bin  etc  games  go  include  lib  lib64  libexec  sbin  share  src
#部署环境变量
[root@k8s-master01 go]# vim /etc/profile
export PATH=$PATH:/usr/local/go/bin
[root@k8s-master01 go]# source /etc/profile
#查看
[root@k8s-master01 go]# go version
go version go1.13.7 linux/amd64
2)下载源码
[root@k8s-master01 data]# git clone https://github.com/kubernetes/kubernetes.git
#查看当前 kubeadm 版本,源码要切换到与之一致的 tag
[root@k8s-master01 data]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1", GitCommit:"4485c6f18cee9a5d3c3b4e523bd27972b1b53892", GitTreeState:"clean", BuildDate:"2019-07-18T09:15:32Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
#切换版本(需在克隆得到的 kubernetes 目录内执行)
[root@k8s-master01 data]# git checkout -b remotes/origin/release-1.15.1 v1.15.1
如果无法通过 git clone 下载,可以改用与当前 kubeadm 版本一致的源码压缩包;由于要用它编译出签发集群证书的 kubeadm,压缩包应来自可信来源。
3)修改 Kubeadm 源码包更新证书策略
vim staging/src/k8s.io/client-go/util/cert/cert.go # kubeadm 1.14 版本之前
vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go # kubeadm 1.14 至今
----------------------------------------------------------------------------
[root@k8s-master01 kubernetes-release-1.15]# vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
554 const duration3650d = time.Hour * 24 * 365 *10
575 NotAfter: time.Now().Add(duration3650d).UTC(),
#注意:这样修改后,kubeadm 签发的证书有效期为十年。Kubernetes 目前不检查证书吊销,私钥一旦泄露,对应证书在到期前会一直被信任。
#如果只是为了避免一年到期,也可以不改源码,定期执行 kubeadm alpha certs renew all 续期。
6、HA集群其余 master 节点证书更新