Fixing expired k8s certificates
Download the Kubernetes source code
apt-get install git
git clone https://github.com/kubernetes/kubernetes.git
Switch branch
cd kubernetes && git checkout -b remotes/origin/release-1.13 v1.13.0
Download the Docker build environment
Pull the matching version from Docker Hub: https://hub.docker.com/r/gcrcontainer/kube-cross/tags?page=2
docker pull gcrcontainer/kube-cross:v1.13.1-1
docker run --rm -v /root/kubernetes/:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross:v1.13.1-1 bash
Modify the source code
vim /kubernetes/staging/src/k8s.io/client-go/util/cert/cert.go

// Before the change
maxAge := time.Hour * 24 * 365
NotAfter: time.Now().Add(duration365d).UTC()

// After the change: the certificate is valid for 50 years
maxAge := time.Hour * 24 * 365 * 50
NotAfter: time.Now().Add(duration365d * 50).UTC()
Build
cd /go/src/k8s.io/kubernetes
# Build kubeadm; only kubeadm needs to be built here
make all WHAT=cmd/kubeadm GOFLAGS=-v
Copy the compiled file
cp ./_output/local/bin/linux/amd64/kubeadm
master
Back up the certificates and configuration files
cp -r /etc/kubernetes/ ./

#!/usr/bin/env bash
set -e
sudo mv /etc/kubernetes/pki/apiserver.key /etc/kubernetes/pki/apiserver.key.old
sudo mv /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.crt /etc/kubernetes/pki/apiserver-kubelet-client.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.key /etc/kubernetes/pki/apiserver-kubelet-client.key.old
sudo mv /etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/front-proxy-client.crt.old
sudo mv /etc/kubernetes/pki/front-proxy-client.key /etc/kubernetes/pki/front-proxy-client.key.old
sudo mv /etc/kubernetes/pki/front-proxy-ca.crt /etc/kubernetes/pki/front-proxy-ca.crt.old
sudo mv /etc/kubernetes/pki/front-proxy-ca.key /etc/kubernetes/pki/front-proxy-ca.key.old
sudo mv /etc/kubernetes/admin.conf /etc/kubernetes/admin.conf.old
sudo mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.old
sudo mv /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.old
sudo mv /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.old
Copy the compiled kubeadm
\cp kubeadm /usr/bin/
Create the kubeadm-conf.yaml file

cat > /tmp/kubeadm-conf.yaml <<EOF
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
networking:
  podSubnet: 192.169.0.0/16
  serviceSubnet: 10.96.0.0/12
#apiServerCertSANs:
#- master01
#- master02
#- master03
#- 172.16.2.1
#- 172.16.2.2
#- 172.16.2.3
#- 172.16.2.100
#etcd:
#  endpoints:
#  - http://192.168.188.160:2379
#  - http://192.168.188.161:2379
#  - http://192.168.188.162:2379
#token: 2wt8ap.ev8cvrpuzt81zwm7
#tokenTTL: "0"
kubernetesVersion: v1.11.5
#imageRepository:
api:
  advertiseAddress: 192.168.188.160
kubeletConfiguration:
  baseConfig:
    evictionHard:
      imagefs.available: 6Gi
      memory.available: 512Mi
      nodefs.available: 3Gi
EOF

sudo kubeadm alpha phase certs apiserver --config /tmp/kubeadm-conf.yaml
sudo kubeadm alpha phase certs front-proxy-ca --config /tmp/kubeadm-conf.yaml
sudo kubeadm alpha phase certs apiserver-kubelet-client --config /tmp/kubeadm-conf.yaml
sudo kubeadm alpha phase certs front-proxy-client --config /tmp/kubeadm-conf.yaml
sudo kubeadm alpha phase kubeconfig all --config /tmp/kubeadm-conf.yaml

sudo rm -rf $HOME/.kube
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Check the certificate validity dates
openssl x509 -in /etc/kubernetes/pki/front-proxy-client.crt -noout -dates
Addendum:
To avoid renewing the client certificates every year, add the following at around line 26 of /etc/kubernetes/manifests/kube-controller-manager.yaml (make sure the spaces are aligned):
- --experimental-cluster-signing-duration=876000h0m0s
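After the change, delete the files under /var/lib/kubelet/pki/ and restart the kubelet service.
Note: if no certificate is generated, check whether the clocks are synchronized.
Create a permanent token
kubeadm token create --ttl 0
kubeadm token list
systemctl restart kubelet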
node
Delete all files under /var/lib/kubelet/pki/
rm -rf /var/lib/kubelet/pki/*
Replace the token in /etc/kubernetes/bootstrap-kubelet.conf (the part in the red box) with the token value created above
sudo sed -i "s/56d5fi.18j8g4fgca4lf1a1/06cymx.d1vcolksn9uwthqz/g" /etc/kubernetes/bootstrap-kubelet.conf
Restart the kubelet service: systemctl restart kubelet
Check whether it succeeded: ls /var/lib/kubelet/pki/
kubelet automatic renewal
https://www.cnblogs.com/lvcisco/p/11912637.html
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-cross:v1.7.5-2
https://www.cnblogs.com/skymyyang/p/11093686.html
https://www.cnblogs.com/kuku0223/p/10509637.html
https://hub.docker.com/r/gcrcontainer/kube-cross/tags?page=2