Kubernetes K8S之SSL证书时效查看

 

如何修改Kubernetes的SSL证书有效期

 

主机配置规划

服务器名称(hostname) | 系统版本 | 配置 | 内网IP | 外网IP(模拟)
k8s-master | CentOS7.7 | 2C/4G/20G | 172.16.1.110 | 10.0.0.110
k8s-node01 | CentOS7.7 | 2C/4G/20G | 172.16.1.111 | 10.0.0.111
k8s-node02 | CentOS7.7 | 2C/4G/20G | 172.16.1.112 | 10.0.0.112

 

为什么要修改证书有效期

Kubernetes默认的证书有效期都是1年,因此需要我们每年都更新证书,显然这对我们实际生产环境来说是很不友好的;因此我们要对Kubernetes的SSL证书有效期进行修改。

证书有效期查看

 1 [root@k8s-master pki]# pwd

2 /etc/kubernetes/pki

3 [root@k8s-master pki]# ll

4 total 56

5 -rw-r--r-- 1 root root 1224 May 1215:51 apiserver.crt

6 -rw-r--r-- 1 root root 1090 May 1215:51 apiserver-etcd-client.crt

7 -rw------- 1 root root 1675 May 1215:51 apiserver-etcd-client.key

8 -rw------- 1 root root 1675 May 1215:51 apiserver.key

9 -rw-r--r-- 1 root root 1099 May 1215:51 apiserver-kubelet-client.crt

10 -rw------- 1 root root 1675 May 1215:51 apiserver-kubelet-client.key

11 -rw-r--r-- 1 root root 1025 May 1215:51 ca.crt

12 -rw------- 1 root root 1675 May 1215:51 ca.key

13 drwxr-xr-x 2 root root 162 May 1215:51 etcd

14 -rw-r--r-- 1 root root 1038 May 1215:51 front-proxy-ca.crt

15 -rw------- 1 root root 1675 May 1215:51 front-proxy-ca.key

16 -rw-r--r-- 1 root root 1058 May 1215:51 front-proxy-client.crt

17 -rw------- 1 root root 1675 May 1215:51 front-proxy-client.key

18 -rw------- 1 root root 1679 May 1215:51 sa.key

19 -rw------- 1 root root 451 May 1215:51 sa.pub

20 [root@k8s-master pki]#

21 [root@k8s-master pki]# for i in $(ls *.crt); do echo "===== $i ====="; openssl x509 -in $i -text -noout | grep -A 3 'Validity' ; done

22 ===== apiserver.crt =====

23 Validity

24 Not Before: May 12 07:51:36 2020 GMT

25 Not After : May 12 07:51:36 2021 GMT

26 Subject: CN=kube-apiserver

27 ===== apiserver-etcd-client.crt =====

28 Validity

29 Not Before: May 12 07:51:37 2020 GMT

30 Not After : May 12 07:51:38 2021 GMT

31 Subject: O=system:masters, CN=kube-apiserver-etcd-client

32 ===== apiserver-kubelet-client.crt =====

33 Validity

34 Not Before: May 12 07:51:36 2020 GMT

35 Not After : May 12 07:51:37 2021 GMT

36 Subject: O=system:masters, CN=kube-apiserver-kubelet-client

37 ===== ca.crt =====

38 Validity

39 Not Before: May 12 07:51:36 2020 GMT

40 Not After : May 10 07:51:36 2030 GMT

41 Subject: CN=kubernetes

42 ===== front-proxy-ca.crt =====

43 Validity

44 Not Before: May 12 07:51:37 2020 GMT

45 Not After : May 10 07:51:37 2030 GMT

46 Subject: CN=front-proxy-ca

47 ===== front-proxy-client.crt =====

48 Validity

49 Not Before: May 12 07:51:37 2020 GMT

50 Not After : May 12 07:51:37 2021 GMT

51 Subject: CN=front-proxy-client

52 [root@k8s-master pki]#

由上可见,除了ca根证书,其他证书有效期都是1年。

 

证书有效时限修改

go环境部署

go语言中文网

https://studygolang.com/

 

 

在Linux命令行下载

1 [root@k8s-master software]# wget https://studygolang.com/dl/golang/go1.14.6.linux-amd64.tar.gz

2 [root@k8s-master software]# tar xf go1.14.6.linux-amd64.tar.gz -C /usr/local/

3 [root@k8s-master software]# vim /etc/profile # 最后面添加如下信息

4# go语言环境变量

5 export PATH=$PATH:/usr/local/go/bin

6 [root@k8s-master software]# source /etc/profile

 

Kubernetes源码下载与更改证书策略

当期k8s版本

1 [root@k8s-master software]# kubectl version

2 Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T21:03:42Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}

3 Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T20:55:23Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}

 

根据k8s版本下载源码

 

操作步骤

 1 [root@k8s-master software]# wget https://github.com/kubernetes/kubernetes/archive/v1.17.4.tar.gz

2 [root@k8s-master software]# tar xf v1.17.4.tar.gz && cd kubernetes-1.17.4

3 [root@k8s-master kubernetes-1.17.4]# vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go

4………………

5 func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {

6// 添加如下行 有效时间 100 年

7 const effectyear = time.Hour * 24 * 365 * 100

8

9 serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))

10if err != nil {

11 return nil, err

12 }

13if len(cfg.CommonName) == 0 {

14 return nil, errors.New("must specify a CommonName")

15 }

16if len(cfg.Usages) == 0 {

17 return nil, errors.New("must specify at least one ExtKeyUsage")

18 }

19

20 certTmpl := x509.Certificate{

21 Subject: pkix.Name{

22 CommonName: cfg.CommonName,

23 Organization: cfg.Organization,

24 },

25 DNSNames: cfg.AltNames.DNSNames,

26 IPAddresses: cfg.AltNames.IPs,

27 SerialNumber: serial,

28 NotBefore: caCert.NotBefore,

29// NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),

30 NotAfter: time.Now().Add(effectyear).UTC(), // 修改行

31 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,

32 ExtKeyUsage: cfg.Usages,

33 }

34 [root@k8s-master kubernetes-1.17.4]#

35# 注意路径

36 [root@k8s-master kubernetes-1.17.4]# make WHAT=cmd/kubeadm GOFLAGS=-v

37# 将更新后的kubeadm拷贝到指定位置

38 [root@k8s-master kubernetes-1.17.4]# cp -a _output/bin/kubeadm /root/kubeadm-new

 

更新kubeadm并备份原证书

1# kubeadm更新

2mv /usr/bin/kubeadm /usr/bin/kubeadm_20200725

3mv /root/kubeadm-new /usr/bin/kubeadm

4 chmod 755 /usr/bin/kubeadm

5# 原证书备份

6cp -a /etc/kubernetes/pki/ /etc/kubernetes/pki_20200725

 

证书更新

操作如下:

 1# 证书更新

2 [root@k8s-master ~]# kubeadm alpha certs renew all --config=/root/k8s_install/kubeadm-config.yaml

3# 查看新证书有效期

4 [root@k8s-master ~]# cd /etc/kubernetes/pki

5 [root@k8s-master pki]# ll

6 total 56

7 -rw-r--r-- 1 root root 1224 Jul 2518:44 apiserver.crt

8 -rw-r--r-- 1 root root 1094 Jul 2518:44 apiserver-etcd-client.crt

9 -rw------- 1 root root 1675 Jul 2518:44 apiserver-etcd-client.key

10 -rw------- 1 root root 1679 Jul 2518:44 apiserver.key

11 -rw-r--r-- 1 root root 1103 Jul 2518:44 apiserver-kubelet-client.crt

12 -rw------- 1 root root 1679 Jul 2518:44 apiserver-kubelet-client.key

13 -rw-r--r-- 1 root root 1025 May 1215:51 ca.crt

14 -rw------- 1 root root 1675 May 1215:51 ca.key

15 drwxr-xr-x 2 root root 162 May 1215:51 etcd

16 -rw-r--r-- 1 root root 1038 May 1215:51 front-proxy-ca.crt

17 -rw------- 1 root root 1675 May 1215:51 front-proxy-ca.key

18 -rw-r--r-- 1 root root 1058 Jul 2518:44 front-proxy-client.crt

19 -rw------- 1 root root 1679 Jul 2518:44 front-proxy-client.key

20 -rw------- 1 root root 1679 May 1215:51 sa.key

21 -rw------- 1 root root 451 May 1215:51 sa.pub

22 [root@k8s-master pki]#

23 [root@k8s-master pki]# for i in $(ls *.crt); do echo "===== $i ====="; openssl x509 -in $i -text -noout | grep -A 3 'Validity' ; done

24 ===== apiserver.crt =====

25 Validity

26 Not Before: May 12 07:51:36 2020 GMT

27 Not After : Jul 1 10:44:20 2120 GMT

28 Subject: CN=kube-apiserver

29 ===== apiserver-etcd-client.crt =====

30 Validity

31 Not Before: May 12 07:51:37 2020 GMT

32 Not After : Jul 1 10:44:20 2120 GMT

33 Subject: O=system:masters, CN=kube-apiserver-etcd-client

34 ===== apiserver-kubelet-client.crt =====

35 Validity

36 Not Before: May 12 07:51:36 2020 GMT

37 Not After : Jul 1 10:44:20 2120 GMT

38 Subject: O=system:masters, CN=kube-apiserver-kubelet-client

39 ===== ca.crt =====

40 Validity

41 Not Before: May 12 07:51:36 2020 GMT

42 Not After : May 10 07:51:36 2030 GMT

43 Subject: CN=kubernetes

44 ===== front-proxy-ca.crt =====

45 Validity

46 Not Before: May 12 07:51:37 2020 GMT

47 Not After : May 10 07:51:37 2030 GMT

48 Subject: CN=front-proxy-ca

49 ===== front-proxy-client.crt =====

50 Validity

51 Not Before: May 12 07:51:37 2020 GMT

52 Not After : Jul 1 10:44:22 2120 GMT

53 Subject: CN=front-proxy-client

由上可见,除了CA根证书,其他证书的 Not After 已经改为 100 年后(2120 年)。但需注意:ca.crt 与 front-proxy-ca.crt 本身并未被重新签发(文件时间戳和 Not After 仍是 2030 年),叶子证书的有效期不可能超过签发它的 CA,因此这些证书实际上在 2030 年 CA 到期后就无法再通过校验,仍需在此之前轮换 CA。另外,把有效期拉长到 100 年也意味着放弃了定期轮换带来的安全收益:私钥一旦泄露,证书不会自然过期,只能手动重签并替换。

 

kubeadm-config.yaml文件参见如下

 1 [root@k8s-master k8s_install]# pwd

2 /root/k8s_install

3 [root@k8s-master k8s_install]# kubeadm config print init-defaults > kubeadm-config.yaml

4# 做了适当修改

5 [root@k8s-master k8s_install]# cat kubeadm-config.yaml

6 apiVersion: kubeadm.k8s.io/v1beta2

7bootstrapTokens:

8 - groups:

9 - system:bootstrappers:kubeadm:default-node-token

10 token: abcdef.0123456789abcdef

11 ttl: 24h0m0s

12 usages:

13 - signing

14 - authentication

15kind: InitConfiguration

16localAPIEndpoint:

17 # 改为本机内网IP

18 advertiseAddress: 172.16.1.110

19 bindPort: 6443

20nodeRegistration:

21 criSocket: /var/run/dockershim.sock

22 name: k8s-master

23 taints:

24 - effect: NoSchedule

25 key: node-role.kubernetes.io/master

26 ---

27apiServer:

28 timeoutForControlPlane: 4m0s

29 apiVersion: kubeadm.k8s.io/v1beta2

30 certificatesDir: /etc/kubernetes/pki

31clusterName: kubernetes

32controllerManager: {}

33dns:

34 type: CoreDNS

35etcd:

36 local:

37 dataDir: /var/lib/etcd

38imageRepository: k8s.gcr.io

39kind: ClusterConfiguration

40 # 本次部署的版本为 v1.17.4

41 kubernetesVersion: v1.17.4

42networking:

43 dnsDomain: cluster.local

44 # 添加如下行,指定pod网络的IP地址范围,因为flannel 就是这个网段

45 podSubnet: 10.244.0.0/16

46 # 默认值即可,无需改变。服务VIP使用可选的IP地址范围。默认10.96.0.0/12

47 serviceSubnet: 10.96.0.0/12

48scheduler: {}

49 ---

50# 添加如下配置段,调度方式从默认改为ipvs方式【如果上面初始化没有做ipvs,那么这段就不需要】

51 apiVersion: kubeproxy.config.k8s.io/v1alpha1

52kind: KubeProxyConfiguration

53featureGates:

54 SupportIPVSProxyMode: true

55 mode: ipvs

 

相关阅读

1、基于kubeadm快速部署kubernetes K8S V1.17.4集群-无坑完整版

完毕!

 


 

 


 
