Kubernetes: changing the certificate expiration time
1. Prepare the Go environment
Download Go. Building Kubernetes requires a Go version newer than 1.17.
wget https://golang.google.cn/dl/go1.18.linux-amd64.tar.gz
tar -zxvf go1.18.linux-amd64.tar.gz
rm /usr/local/go -rf
mv go /usr/local/
Set the environment variables
export GOROOT=/usr/local/go
export GOPATH=/home/gowork
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
Load the environment variables
source /etc/profile
2. Download the Kubernetes source
A GitHub proxy (accelerator) is used for the clone
git clone https://ghproxy.com/https://github.com/kubernetes/kubernetes -b v1.23.9
3. Change the kubeadm certificate lifetime
In the NewSelfSignedCACert function, change NotAfter to 100 years: now.Add(duration365d * 100).UTC()
vim ./staging/src/k8s.io/client-go/util/cert/cert.go
Change CertificateValidity to: time.Hour * 24 * 365 * 99
vim ./cmd/kubeadm/app/constants/constants.go
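The effect of the two edits above, as an added example that is not code from the Kubernetes source or from the original page: it issues a CA valid for duration365d * 100 and a leaf valid for 99 years, then checks whether each leaf still verifies 50 years from now. The helpers issue, must, lifetimeYears and validAt are hypothetical names, and the ECDSA P-256 keys and certificate subjects are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const duration365d = time.Hour * 24 * 365 // unit used in the page's NotAfter expression
func must[T any](v T, err error) T { // panic on setup errors to keep the example short
	if err != nil {
		panic(err)
	}
	return v
}

// issue is a hypothetical helper (not kubeadm code). A nil parent yields a self-signed CA.
func issue(cn string, validity time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.UTC(), NotAfter: now.Add(validity).UTC(), BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA: sign with its own key
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// lifetimeYears reports the validity period in whole 365-day years.
func lifetimeYears(c *x509.Certificate) int { return int(c.NotAfter.Sub(c.NotBefore) / duration365d) }
// validAt reports whether leaf still chains to ca at time t.
func validAt(leaf, ca *x509.Certificate, t time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: t, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	ca, caKey := issue("ca", duration365d*100, nil, nil)      // CA lifetime from the page
	leaf, _ := issue("apiserver", duration365d*99, ca, caKey) // leaf lifetime from the page
	fmt.Println(lifetimeYears(ca), lifetimeYears(leaf), validAt(leaf, ca, time.Now().Add(50*duration365d)))
}
```

With these lifetimes, expiry no longer bounds how long a leaked client key such as the one in admin.conf stays usable, whereas a one-year leaf issued by the same CA fails the 50-year check.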
4. Build
cd $GOPATH/src/k8s.io/kubernetes
Build all 64-bit binaries
KUBE_BUILD_PLATFORMS=linux/amd64 make all GOFLAGS=-v GOGCFLAGS="-N -l"
Or build only specific binaries
KUBE_BUILD_PLATFORMS=linux/amd64 make WHAT=cmd/kubeadm GOFLAGS=-v GOGCFLAGS="-N -l"
KUBE_BUILD_PLATFORMS=linux/amd64 make WHAT=cmd/kube-apiserver GOFLAGS=-v GOGCFLAGS="-N -l"
Output path for the built binaries: /home/gowork/src/k8s.io/kubernetes/_output/bin
5. Default certificates
[root@master ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 05, 2023 10:53 UTC   364d            ca                      no
apiserver                  Mar 05, 2023 10:53 UTC   364d            ca                      no
apiserver-etcd-client      Mar 05, 2023 10:53 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Mar 05, 2023 10:53 UTC   364d            ca                      no
controller-manager.conf    Mar 05, 2023 10:53 UTC   364d            ca                      no
etcd-healthcheck-client    Mar 05, 2023 10:53 UTC   364d            etcd-ca                 no
etcd-peer                  Mar 05, 2023 10:53 UTC   364d            etcd-ca                 no
etcd-server                Mar 05, 2023 10:53 UTC   364d            etcd-ca                 no
front-proxy-client         Mar 05, 2023 10:53 UTC   364d            front-proxy-ca          no
scheduler.conf             Mar 05, 2023 10:53 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 02, 2032 10:53 UTC   9y              no
etcd-ca                 Mar 02, 2032 10:53 UTC   9y              no
front-proxy-ca          Mar 02, 2032 10:53 UTC   9y              no
Replace kubeadm
[root@master1 bin]# cp /home/gowork/src/k8s.io/kubernetes/_output/bin/kubeadm /usr/bin/kubeadm
Reinstall the cluster with kubeadm
kubeadm init --kubernetes-version=v1.23.9 --pod-network-cidr=10.244.0.0/16 --service-cidr=10.96.0.0/12 --apiserver-advertise-address=192.168.40.130 --image-repository registry.aliyuncs.com/google_containers
Check the certificate expiration again
[root@master1 bin]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 16, 2121 04:02 UTC   98y             ca                      no
apiserver                  Jul 16, 2121 04:02 UTC   98y             ca                      no
apiserver-etcd-client      Jul 16, 2121 04:02 UTC   98y             etcd-ca                 no
apiserver-kubelet-client   Jul 16, 2121 04:02 UTC   98y             ca                      no
controller-manager.conf    Jul 16, 2121 04:02 UTC   98y             ca                      no
etcd-healthcheck-client    Jul 16, 2121 04:02 UTC   98y             etcd-ca                 no
etcd-peer                  Jul 16, 2121 04:02 UTC   98y             etcd-ca                 no
etcd-server                Jul 16, 2121 04:02 UTC   98y             etcd-ca                 no
front-proxy-client         Jul 16, 2121 04:02 UTC   98y             front-proxy-ca          no
scheduler.conf             Jul 16, 2121 04:02 UTC   98y             ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 16, 2122 04:02 UTC   99y             no
etcd-ca                 Jul 16, 2122 04:02 UTC   99y             no
front-proxy-ca          Jul 16, 2122 04:02 UTC   99y             no