kubeadm初始化k8s-延长证书过期时间
kubeadm初始化k8s-延长证书过期时间
一、查看证书过期时间
# ca证书有效期是10年,从2021到2031年
[root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text |grep Not
Not Before: Jul 8 02:55:00 2021 GMT
Not After : Jul 6 02:55:00 2031 GMT
# apiserver证书有效期是1年,从2021到2022年
[root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep Not
Not Before: Jul 8 02:55:00 2021 GMT
Not After : Jul 8 02:55:00 2022 GMT
二、延长证书过期时间
1)把update-kubeadm-cert.sh
文件上传到k8s-master1、k8s-master2节点
脚本下载地址:https://github.com/yuyicai/update-kube-cert
2)在每个节点都执行如下命令
# 1)给update-kubeadm-cert.sh证书授权可执行权限
[root@k8s-master1 ~]# chmod +x update-kubeadm-cert.sh
[root@k8s-master2 ~]# chmod +x update-kubeadm-cert.sh
# 2)执行下面命令,修改证书过期时间,把时间延长到10年
[root@k8s-master1 ~]# ./update-kubeadm-cert.sh all
[root@k8s-master2 ~]# ./update-kubeadm-cert.sh all
[2021-07-08T11:45:19.707677552+0800]: INFO: backup /etc/kubernetes to /etc/kubernetes.old-20210708
Signature ok
subject=/CN=etcd-server
Getting CA Private Key
[2021-07-08T11:45:19.772840987+0800]: INFO: generated /etc/kubernetes/pki/etcd/server.crt
Signature ok
subject=/CN=etcd-peer
Getting CA Private Key
[2021-07-08T11:45:19.809399855+0800]: INFO: generated /etc/kubernetes/pki/etcd/peer.crt
Signature ok
subject=/O=system:masters/CN=kube-etcd-healthcheck-client
Getting CA Private Key
[2021-07-08T11:45:19.831445526+0800]: INFO: generated /etc/kubernetes/pki/etcd/healthcheck-client.crt
Signature ok
subject=/O=system:masters/CN=kube-apiserver-etcd-client
Getting CA Private Key
[2021-07-08T11:45:19.853244272+0800]: INFO: generated /etc/kubernetes/pki/apiserver-etcd-client.crt
2e55581300ad
[2021-07-08T11:45:20.247350515+0800]: INFO: restarted etcd
Signature ok
subject=/CN=kube-apiserver
Getting CA Private Key
[2021-07-08T11:45:20.282054309+0800]: INFO: generated /etc/kubernetes/pki/apiserver.crt
Signature ok
subject=/O=system:masters/CN=kube-apiserver-kubelet-client
Getting CA Private Key
[2021-07-08T11:45:20.307074813+0800]: INFO: generated /etc/kubernetes/pki/apiserver-kubelet-client.crt
Signature ok
subject=/CN=system:kube-controller-manager
Getting CA Private Key
[2021-07-08T11:45:20.349848678+0800]: INFO: generated /etc/kubernetes/controller-manager.crt
[2021-07-08T11:45:20.355202936+0800]: INFO: generated new /etc/kubernetes/controller-manager.conf
Signature ok
subject=/CN=system:kube-scheduler
Getting CA Private Key
[2021-07-08T11:45:20.401409577+0800]: INFO: generated /etc/kubernetes/scheduler.crt
[2021-07-08T11:45:20.407255673+0800]: INFO: generated new /etc/kubernetes/scheduler.conf
Signature ok
subject=/O=system:masters/CN=kubernetes-admin
Getting CA Private Key
[2021-07-08T11:45:20.453035542+0800]: INFO: generated /etc/kubernetes/admin.crt
[2021-07-08T11:45:20.463892109+0800]: INFO: generated new /etc/kubernetes/admin.conf
[2021-07-08T11:45:20.470917866+0800]: INFO: copy the admin.conf to ~/.kube/config for kubectl
[2021-07-08T11:45:20.473552470+0800]: WARNING: does not need to update kubelet.conf
Signature ok
subject=/CN=front-proxy-client
Getting CA Private Key
[2021-07-08T11:45:20.494001710+0800]: INFO: generated /etc/kubernetes/pki/front-proxy-client.crt
86a98ff73131
[2021-07-08T11:45:24.268973792+0800]: INFO: restarted kube-apiserver
7c01cab842fa
[2021-07-08T11:45:24.812039934+0800]: INFO: restarted kube-controller-manager
59ed847ae4eb
[2021-07-08T11:45:25.765110177+0800]: INFO: restarted kube-scheduler
[2021-07-08T11:45:25.875676379+0800]: INFO: restarted kubelet
# 3)在k8s-master1节点查询Pod是否正常,能查询出数据说明证书签发完成
[root@k8s-master1 ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
demo-pod 1/1 Running 0 15m
3)查看证书的有效期
# 查看apiserver证书
[root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep Not
Not Before: Jul 8 03:45:17 2021 GMT
Not After : Jul 6 03:45:17 2031 GMT
# 查看etcd证书
[root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -text |grep Not
Not Before: Jul 8 03:45:16 2021 GMT
Not After : Jul 6 03:45:16 2031 GMT
# 查看fron-proxy证书
[root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt -noout -text |grep Not
Not Before: Jul 8 02:55:00 2021 GMT
Not After : Jul 6 02:55:00 2031 GMT
作者:Lawrence
-------------------------------------------
个性签名:独学而无友,则孤陋而寡闻。做一个灵魂有趣的人!
扫描上面二维码关注我
如果你真心觉得文章写得不错,而且对你有所帮助,那就不妨帮忙“推荐"一下,您的“推荐”和”打赏“将是我最大的写作动力!
本文版权归作者所有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接.