Kubernetes K8S: modifying the SSL certificate validity period

How to modify the validity period of Kubernetes SSL certificates

 

Host configuration plan

Server name (hostname)   OS version   Spec         Internal IP    External IP (simulated)
k8s-master               CentOS7.7    2C/4G/20G    172.16.1.110   10.0.0.110
k8s-node01               CentOS7.7    2C/4G/20G    172.16.1.111   10.0.0.111
k8s-node02               CentOS7.7    2C/4G/20G    172.16.1.112   10.0.0.112

 

Why modify the certificate validity period

By default, Kubernetes certificates are valid for 1 year, so we would have to renew them every year, which is clearly unfriendly for a real production environment; therefore we modify the validity period of the Kubernetes SSL certificates.

Checking the certificate validity period

[root@k8s-master pki]# pwd
/etc/kubernetes/pki
[root@k8s-master pki]# ll
total 56
-rw-r--r-- 1 root root 1224 May 12 15:51 apiserver.crt
-rw-r--r-- 1 root root 1090 May 12 15:51 apiserver-etcd-client.crt
-rw------- 1 root root 1675 May 12 15:51 apiserver-etcd-client.key
-rw------- 1 root root 1675 May 12 15:51 apiserver.key
-rw-r--r-- 1 root root 1099 May 12 15:51 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 May 12 15:51 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 May 12 15:51 ca.crt
-rw------- 1 root root 1675 May 12 15:51 ca.key
drwxr-xr-x 2 root root  162 May 12 15:51 etcd
-rw-r--r-- 1 root root 1038 May 12 15:51 front-proxy-ca.crt
-rw------- 1 root root 1675 May 12 15:51 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 May 12 15:51 front-proxy-client.crt
-rw------- 1 root root 1675 May 12 15:51 front-proxy-client.key
-rw------- 1 root root 1679 May 12 15:51 sa.key
-rw------- 1 root root  451 May 12 15:51 sa.pub
[root@k8s-master pki]# 
[root@k8s-master pki]# for i in $(ls *.crt); do echo "===== $i ====="; openssl x509 -in $i -text -noout | grep -A 3 'Validity' ; done
===== apiserver.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : May 12 07:51:36 2021 GMT
        Subject: CN=kube-apiserver
===== apiserver-etcd-client.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : May 12 07:51:38 2021 GMT
        Subject: O=system:masters, CN=kube-apiserver-etcd-client
===== apiserver-kubelet-client.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : May 12 07:51:37 2021 GMT
        Subject: O=system:masters, CN=kube-apiserver-kubelet-client
===== ca.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : May 10 07:51:36 2030 GMT
        Subject: CN=kubernetes
===== front-proxy-ca.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : May 10 07:51:37 2030 GMT
        Subject: CN=front-proxy-ca
===== front-proxy-client.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : May 12 07:51:37 2021 GMT
        Subject: CN=front-proxy-client
[root@k8s-master pki]#

As shown above, apart from the CA root certificates, every other certificate is valid for 1 year.

 

Modifying the certificate validity period

Go environment setup

Go language Chinese site (studygolang)

https://studygolang.com/

 

 

Downloading golang from the Linux command line

[root@k8s-master software]# wget https://studygolang.com/dl/golang/go1.14.6.linux-amd64.tar.gz
[root@k8s-master software]# tar xf go1.14.6.linux-amd64.tar.gz -C /usr/local/
[root@k8s-master software]# vim /etc/profile   # append the following at the end
# Go environment variables
export PATH=$PATH:/usr/local/go/bin
[root@k8s-master software]# source /etc/profile

 

Downloading the Kubernetes source and changing the certificate policy

Current k8s version

[root@k8s-master software]# kubectl version
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T21:03:42Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T20:55:23Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}

 

Download the source code matching the k8s version

Steps

[root@k8s-master software]# wget https://github.com/kubernetes/kubernetes/archive/v1.17.4.tar.gz
[root@k8s-master software]# tar xf v1.17.4.tar.gz && cd kubernetes-1.17.4
[root@k8s-master kubernetes-1.17.4]# vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
………………
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
        // add the line below: validity period of 100 years
        const effectyear = time.Hour * 24 * 365 * 100

        serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
        if err != nil {
                return nil, err
        }
        if len(cfg.CommonName) == 0 {
                return nil, errors.New("must specify a CommonName")
        }
        if len(cfg.Usages) == 0 {
                return nil, errors.New("must specify at least one ExtKeyUsage")
        }

        certTmpl := x509.Certificate{
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                DNSNames:     cfg.AltNames.DNSNames,
                IPAddresses:  cfg.AltNames.IPs,
                SerialNumber: serial,
                NotBefore:    caCert.NotBefore,
                // NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
                NotAfter:     time.Now().Add(effectyear).UTC(),   // modified line
                KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
                ExtKeyUsage:  cfg.Usages,
        }
[root@k8s-master kubernetes-1.17.4]# 
# note the working directory
[root@k8s-master kubernetes-1.17.4]# make WHAT=cmd/kubeadm GOFLAGS=-v
# copy the rebuilt kubeadm to the target location
[root@k8s-master kubernetes-1.17.4]# cp -a _output/bin/kubeadm /root/kubeadm-new

 

Replacing kubeadm and backing up the original certificates

# replace kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_20200725
mv /root/kubeadm-new /usr/bin/kubeadm
chmod 755 /usr/bin/kubeadm
# back up the original certificates
cp -a /etc/kubernetes/pki/ /etc/kubernetes/pki_20200725

 

Certificate renewal

Steps:

# renew the certificates
[root@k8s-master ~]# kubeadm alpha certs renew all --config=/root/k8s_install/kubeadm-config.yaml
# check the validity period of the new certificates
[root@k8s-master ~]# cd /etc/kubernetes/pki
[root@k8s-master pki]# ll
total 56
-rw-r--r-- 1 root root 1224 Jul 25 18:44 apiserver.crt
-rw-r--r-- 1 root root 1094 Jul 25 18:44 apiserver-etcd-client.crt
-rw------- 1 root root 1675 Jul 25 18:44 apiserver-etcd-client.key
-rw------- 1 root root 1679 Jul 25 18:44 apiserver.key
-rw-r--r-- 1 root root 1103 Jul 25 18:44 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Jul 25 18:44 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 May 12 15:51 ca.crt
-rw------- 1 root root 1675 May 12 15:51 ca.key
drwxr-xr-x 2 root root  162 May 12 15:51 etcd
-rw-r--r-- 1 root root 1038 May 12 15:51 front-proxy-ca.crt
-rw------- 1 root root 1675 May 12 15:51 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 Jul 25 18:44 front-proxy-client.crt
-rw------- 1 root root 1679 Jul 25 18:44 front-proxy-client.key
-rw------- 1 root root 1679 May 12 15:51 sa.key
-rw------- 1 root root  451 May 12 15:51 sa.pub
[root@k8s-master pki]# 
[root@k8s-master pki]# for i in $(ls *.crt); do echo "===== $i ====="; openssl x509 -in $i -text -noout | grep -A 3 'Validity' ; done
===== apiserver.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : Jul  1 10:44:20 2120 GMT
        Subject: CN=kube-apiserver
===== apiserver-etcd-client.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : Jul  1 10:44:20 2120 GMT
        Subject: O=system:masters, CN=kube-apiserver-etcd-client
===== apiserver-kubelet-client.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : Jul  1 10:44:20 2120 GMT
        Subject: O=system:masters, CN=kube-apiserver-kubelet-client
===== ca.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : May 10 07:51:36 2030 GMT
        Subject: CN=kubernetes
===== front-proxy-ca.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : May 10 07:51:37 2030 GMT
        Subject: CN=front-proxy-ca
===== front-proxy-client.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : Jul  1 10:44:22 2120 GMT
        Subject: CN=front-proxy-client

As shown above, apart from the CA root certificates, every other certificate is now valid for 100 years.
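One consequence worth checking in the output above: the renewed leaf certificates now expire in 2120, while ca.crt and front-proxy-ca.crt still expire on May 10 2030, because the patched NewSignedCert computes NotAfter from time.Now() with no reference to the signing CA. The added Go program below (written for this page, not taken from the Kubernetes source or the original post) reproduces that with a constructed Ed25519 CA and leaf and verifies the chain at a future date: the leaf verifies while the CA is valid and fails as soon as the CA itself has expired, whatever the leaf's own NotAfter says. The function names issue and chainValidIn and the 10/100-year lifetimes are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mirrors the patched NewSignedCert: NotAfter is now + years, never clamped to the signer's NotAfter.
func issue(cn string, years int, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // constructed demo key; a nil parent means self-signed CA
	if err != nil {
		return nil, nil, err
	}
	now, isCA, signer := time.Now(), parent == nil, parentKey
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn}, // demo serial only
		NotBefore: now, NotAfter: now.AddDate(years, 0, 0), // lifetime counted from now, not from the CA
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, signer = tmpl, key // self-sign the constructed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// chainValidIn issues a CA (caYears) and a leaf under it (leafYears), then verifies the leaf checkYears from now.
func chainValidIn(caYears, leafYears, checkYears int) (bool, error) {
	ca, caKey, err := issue("kubernetes", caYears, nil, nil)
	if err != nil {
		return false, err
	}
	leaf, _, err := issue("kube-apiserver", leafYears, ca, caKey)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: time.Now().AddDate(checkYears, 0, 0), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil, nil // an expiry error from Verify is the measured outcome, not a program failure
}
```

chainValidIn(10, 100, 11) returns false: the CA's expiry, not the leaf's 100-year NotAfter, bounds the working lifetime of the certificates renewed above, so the CA certificates still need a renewal plan before 2030.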

 

The kubeadm-config.yaml file is as follows

[root@k8s-master k8s_install]# pwd
/root/k8s_install
[root@k8s-master k8s_install]# kubeadm config print init-defaults > kubeadm-config.yaml
# modified as appropriate
[root@k8s-master k8s_install]# cat kubeadm-config.yaml   
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  # change to this host's internal IP
  advertiseAddress: 172.16.1.110
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: k8s-master
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
# the version deployed here is v1.17.4
kubernetesVersion: v1.17.4
networking:
  dnsDomain: cluster.local
  # add the line below to specify the pod network IP range, since flannel uses this subnet
  podSubnet: 10.244.0.0/16
  # the default is fine, no change needed. Optional IP range used for service VIPs. Default 10.96.0.0/12
  serviceSubnet: 10.96.0.0/12
scheduler: {}
---
# add the block below to switch the proxy mode from the default to ipvs [if ipvs was not set up during the initialization above, this block is not needed]
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
  SupportIPVSProxyMode: true
mode: ipvs

 

Related reading

1. Rapidly deploying a Kubernetes K8S v1.17.4 cluster with kubeadm: the complete, pitfall-free edition

Done!
