Initializing k8s with kubeadm: extending certificate expiration

I. Check the certificate expiration dates

# The CA certificate is valid for 10 years, from 2021 to 2031
[root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text  |grep Not
            Not Before: Jul  8 02:55:00 2021 GMT
            Not After : Jul  6 02:55:00 2031 GMT

# The apiserver certificate is valid for 1 year, from 2021 to 2022
[root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text  |grep Not
            Not Before: Jul  8 02:55:00 2021 GMT
            Not After : Jul  8 02:55:00 2022 GMT

II. Extend the certificate expiration dates

1) Upload the update-kubeadm-cert.sh file to the k8s-master1 and k8s-master2 nodes

Script download URL: https://github.com/yuyicai/update-kube-cert

2) Run the following commands on every node

# 1) Make update-kubeadm-cert.sh executable
[root@k8s-master1 ~]# chmod +x update-kubeadm-cert.sh
[root@k8s-master2 ~]# chmod +x update-kubeadm-cert.sh

# 2) Run the command below to change the certificate expiration, extending it to 10 years
[root@k8s-master1 ~]# ./update-kubeadm-cert.sh all
[root@k8s-master2 ~]# ./update-kubeadm-cert.sh all
[2021-07-08T11:45:19.707677552+0800]: INFO: backup /etc/kubernetes to /etc/kubernetes.old-20210708
Signature ok
subject=/CN=etcd-server
Getting CA Private Key
[2021-07-08T11:45:19.772840987+0800]: INFO: generated /etc/kubernetes/pki/etcd/server.crt
Signature ok
subject=/CN=etcd-peer
Getting CA Private Key
[2021-07-08T11:45:19.809399855+0800]: INFO: generated /etc/kubernetes/pki/etcd/peer.crt
Signature ok
subject=/O=system:masters/CN=kube-etcd-healthcheck-client
Getting CA Private Key
[2021-07-08T11:45:19.831445526+0800]: INFO: generated /etc/kubernetes/pki/etcd/healthcheck-client.crt
Signature ok
subject=/O=system:masters/CN=kube-apiserver-etcd-client
Getting CA Private Key
[2021-07-08T11:45:19.853244272+0800]: INFO: generated /etc/kubernetes/pki/apiserver-etcd-client.crt
2e55581300ad
[2021-07-08T11:45:20.247350515+0800]: INFO: restarted etcd
Signature ok
subject=/CN=kube-apiserver
Getting CA Private Key
[2021-07-08T11:45:20.282054309+0800]: INFO: generated /etc/kubernetes/pki/apiserver.crt
Signature ok
subject=/O=system:masters/CN=kube-apiserver-kubelet-client
Getting CA Private Key
[2021-07-08T11:45:20.307074813+0800]: INFO: generated /etc/kubernetes/pki/apiserver-kubelet-client.crt
Signature ok
subject=/CN=system:kube-controller-manager
Getting CA Private Key
[2021-07-08T11:45:20.349848678+0800]: INFO: generated /etc/kubernetes/controller-manager.crt
[2021-07-08T11:45:20.355202936+0800]: INFO: generated new /etc/kubernetes/controller-manager.conf
Signature ok
subject=/CN=system:kube-scheduler
Getting CA Private Key
[2021-07-08T11:45:20.401409577+0800]: INFO: generated /etc/kubernetes/scheduler.crt
[2021-07-08T11:45:20.407255673+0800]: INFO: generated new /etc/kubernetes/scheduler.conf
Signature ok
subject=/O=system:masters/CN=kubernetes-admin
Getting CA Private Key
[2021-07-08T11:45:20.453035542+0800]: INFO: generated /etc/kubernetes/admin.crt
[2021-07-08T11:45:20.463892109+0800]: INFO: generated new /etc/kubernetes/admin.conf
[2021-07-08T11:45:20.470917866+0800]: INFO: copy the admin.conf to ~/.kube/config for kubectl
[2021-07-08T11:45:20.473552470+0800]: WARNING: does not need to update kubelet.conf
Signature ok
subject=/CN=front-proxy-client
Getting CA Private Key
[2021-07-08T11:45:20.494001710+0800]: INFO: generated /etc/kubernetes/pki/front-proxy-client.crt
86a98ff73131
[2021-07-08T11:45:24.268973792+0800]: INFO: restarted kube-apiserver
7c01cab842fa
[2021-07-08T11:45:24.812039934+0800]: INFO: restarted kube-controller-manager
59ed847ae4eb
[2021-07-08T11:45:25.765110177+0800]: INFO: restarted kube-scheduler
[2021-07-08T11:45:25.875676379+0800]: INFO: restarted kubelet

# 3) On k8s-master1, check that Pods can be queried; if the query returns data, the certificates were issued successfully
[root@k8s-master1 ~]# kubectl  get pods 
NAME       READY   STATUS    RESTARTS   AGE
demo-pod   1/1     Running   0          15m

3) Check the validity period of the certificates

# Check the apiserver certificate
[root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text  |grep Not
            Not Before: Jul  8 03:45:17 2021 GMT
            Not After : Jul  6 03:45:17 2031 GMT

# Check the etcd certificate
[root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt  -noout -text  |grep Not
            Not Before: Jul  8 03:45:16 2021 GMT
            Not After : Jul  6 03:45:16 2031 GMT
            
# Check the front-proxy CA certificate
[root@k8s-master1 ~]# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt  -noout -text  |grep Not
            Not Before: Jul  8 02:55:00 2021 GMT
            Not After : Jul  6 02:55:00 2031 GMT
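
The three spot checks above cover only some of the files the script regenerated; its log also lists new admin.conf, controller-manager.conf and scheduler.conf, whose client certificates kubeadm embeds as base64 in client-certificate-data. The following is an added example, not part of the original post or of the update-kube-cert project: it reports the expiry of every .crt under pki/ and of each embedded kubeconfig certificate, marking those that expire within a threshold. The function names and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit expiry of all kubeadm certificates.

# Read one PEM certificate on stdin and print "<notAfter> TAB <status> TAB <source>".
# $1 = label for the source file, $2 = warning threshold in days.
report_cert() (
  src=$1; days=$2
  pem=$(cat)
  # Skip silently if the input is not a parseable certificate.
  end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) || exit 0
  status=OK
  # -checkend exits non-zero when the cert expires within the given seconds.
  printf '%s\n' "$pem" | openssl x509 -noout -checkend "$((${days} * 86400))" \
    >/dev/null 2>&1 || status=EXPIRING
  printf '%s\t%s\t%s\n' "${end#notAfter=}" "$status" "$src"
)

# Walk a kubeadm directory. $1 = directory (default /etc/kubernetes),
# $2 = threshold in days (default 30, an assumed value).
check_k8s_certs() (
  dir=${1:-/etc/kubernetes}; days=${2:-30}
  # Certificate files: pki/*.crt and pki/etcd/*.crt
  find "$dir/pki" -name '*.crt' 2>/dev/null | sort | while IFS= read -r f; do
    report_cert "$f" "$days" < "$f"
  done
  # Client certificates embedded in kubeconfig files (admin.conf, etc.).
  # kubelet.conf normally points at a file instead and is skipped by the grep.
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    grep -q 'client-certificate-data:' "$f" || continue
    awk '/client-certificate-data:/ {print $2; exit}' "$f" \
      | base64 -d | report_cert "$f" "$days"
  done
)

# Run against /etc/kubernetes by default, e.g.: sh check-certs.sh /etc/kubernetes 30
check_k8s_certs "$@"
```

Run it on each master after the renewal; any line marked EXPIRING, or a kubeconfig still showing the old one-year date, means that file was not regenerated.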
posted @ 2021-07-08 11:49  运维人在路上