theboyaply
Published 2020-04-12 / 674 reads

Changing the validity period of k8s cluster certificates

The k8s certificate validity limit

As we know, the components of k8s talk to each other over HTTP secured with TLS, and TLS means certificates. And certificates, by their nature, expire.

In a normally installed k8s cluster, some of the certificates (for example apiserver.crt) are valid for one year. Once they expire, the cluster only works normally again after its certificates have been renewed.

The exact validity period of each certificate can be checked in the k8s installation directory:

# directory where the certificates are stored
[root@k8s-master01 pki]# pwd
/etc/kubernetes/pki

# all the default certificates in the cluster
[root@k8s-master01 pki]# ls
apiserver.crt              apiserver-etcd-client.key  apiserver-kubelet-client.crt  ca.crt  etcd                front-proxy-ca.key      front-proxy-client.key  sa.pub
apiserver-etcd-client.crt  apiserver.key              apiserver-kubelet-client.key  ca.key  front-proxy-ca.crt  front-proxy-client.crt  sa.key

Check a certificate's validity period, taking apiserver.crt as the example:

[root@k8s-master01 pki]# openssl x509 -in apiserver.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6756168247759356653 (0x5dc2bb39c27842ed)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Mar 18 03:50:55 2020 GMT
            Not After : Mar 18 03:50:56 2021 GMT
        Subject: CN=kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ed:d8:c1:f7:2d:02:9f:5b:70:c0:83:21:8d:34:
                    96:9d:01:59:43:e4:61:8d:85:28:b8:b7:12:95:42:
......

As you can see, the certificate is valid from 2020-03-18 to 2021-03-18.

Changing the certificate validity period

There are many ways to install k8s; this article covers changing the validity period for clusters installed with kubeadm.

kubeadm fixes the certificate validity period when it installs the cluster, so we can extend it by modifying the kubeadm source code.

Install Go

Because kubeadm is written in Go, Go has to be installed first. Go to the go语言中文社区 site and click download.

After downloading and extracting, place it under /usr/local:

[root@k8s-master01 go]# pwd
/usr/local/go

[root@k8s-master01 go]# ls
api  AUTHORS  bin  CONTRIBUTING.md  CONTRIBUTORS  doc  favicon.ico  lib  LICENSE  misc  PATENTS  pkg  README.md  robots.txt  SECURITY.md  src  test  VERSION

Configure the environment variables:

[root@k8s-master01 go]# vim /etc/profile
[root@k8s-master01 go]# source /etc/profile
[root@k8s-master01 data]# go version
go version go1.14.1 linux/amd64

Download the kubeadm source

[root@k8s-master01 data]# git clone https://github.com/kubernetes/kubernetes.git

[root@k8s-master01 data]# ls
kubernetes
[root@k8s-master01 data]# cd kubernetes

# check the version of the current k8s cluster
[root@k8s-master01 kubernetes]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1", GitCommit:"4485c6f18cee9a5d3c3b4e523bd27972b1b53892", GitTreeState:"clean", BuildDate:"2019-07-18T09:15:32Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}

# switch to the branch matching our current k8s version
[root@k8s-master01 kubernetes]# git checkout -b remotes/origin/release-1.15.1 v1.15.1

Modify kubeadm's certificate generation policy

# for kubeadm 1.14 and later, this is the file to modify
[root@k8s-master01 kubernetes]# vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
......
// NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
        // Define the validity period we want; time.Hour is one hour, so this is 10 years
        const mydate = time.Hour * 24 * 365 * 10
        serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
        if err != nil {
                return nil, err
        }
        if len(cfg.CommonName) == 0 {
                return nil, errors.New("must specify a CommonName")
        }
        if len(cfg.Usages) == 0 {
                return nil, errors.New("must specify at least one ExtKeyUsage")
        }

        certTmpl := x509.Certificate{
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                DNSNames:     cfg.AltNames.DNSNames,
                IPAddresses:  cfg.AltNames.IPs,
                SerialNumber: serial,
                NotBefore:    caCert.NotBefore,
                // Then change NotAfter; the original one-year line is kept below as a comment
                // NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
                NotAfter:     time.Now().Add(mydate).UTC(),
                KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
                ExtKeyUsage:  cfg.Usages,
        }
        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
        if err != nil {
                return nil, err
        }
        return x509.ParseCertificate(certDERBytes)
}
......
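The ten-year constant in the patch above is a blunt instrument: it applies to every certificate kubeadm signs, and it asks for a leaf lifetime that can run past the CA's own. kubeadm's CA is valid for ten years from cluster creation by default, so a leaf renewed later with a fresh ten-year lifetime ends after the CA does, and clients stop trusting it the moment the CA expires regardless of what its own NotAfter says. The Go program below is an added example, not kubeadm's code: CertConfig and BuildChain are stand-ins constructed for the example, and the CA it builds is a throwaway one. It keeps the shape of NewSignedCert but takes the validity as a parameter, clamps NotAfter to the issuer's, and then verifies the chain just before and just after the CA expires so the effect is visible. Reading NotAfter from the parsed certificates is the programmatic equivalent of the openssl x509 -text check used earlier in the post.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"time"
)

// CertConfig stands in for kubeadm's certutil.Config (assumption: only the fields this example needs).
type CertConfig struct {
	CommonName string
	DNSNames   []string
	Usages     []x509.ExtKeyUsage
}

// NewSignedCertWithValidity follows the shape of kubeadm's NewSignedCert but takes the
// validity as a parameter instead of a hard-coded constant, and clamps NotAfter to the
// issuer's: a leaf that outlives its CA fails chain verification as soon as the CA does.
func NewSignedCertWithValidity(cfg CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, validity time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	notAfter := time.Now().UTC().Add(validity)
	if notAfter.After(caCert.NotAfter) {
		notAfter = caCert.NotAfter // never outlive the issuer
	}
	tmpl := x509.Certificate{
		Subject:      pkix.Name{CommonName: cfg.CommonName},
		DNSNames:     cfg.DNSNames,
		SerialNumber: serial,
		NotBefore:    caCert.NotBefore, // same choice kubeadm makes
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  cfg.Usages,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates a throwaway self-signed CA (CN=kubernetes like kubeadm's) valid for
// caValidity, issues a kube-apiserver-style serving cert under it, and returns both.
func BuildChain(caValidity, leafValidity time.Duration) (*x509.Certificate, *x509.Certificate, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().UTC()
	caTmpl := x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(caValidity),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, &caTmpl, &caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	cfg := CertConfig{CommonName: "kube-apiserver", DNSNames: []string{"kubernetes"}, Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf, err := NewSignedCertWithValidity(cfg, leafKey, ca, caKey, leafValidity)
	return ca, leaf, err
}

// VerifyAt checks the chain leaf -> ca the way a TLS client would at the instant 'at'.
func VerifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}

func main() {
	ca, leaf, err := BuildChain(365*24*time.Hour, 10*365*24*time.Hour) // 1-year CA, 10-year leaf requested
	if err != nil {
		panic(err)
	}
	fmt.Printf("CA NotAfter %s, leaf NotAfter %s (clamped), leaf valid a day after CA expiry: %v\n",
		ca.NotAfter.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339), VerifyAt(leaf, ca, ca.NotAfter.Add(24*time.Hour)) == nil)
}
```

Run it with `go run .`; the leaf ends exactly when the CA does, and VerifyAt reports the chain as invalid a day later. Taking the validity as a parameter also leaves room for the more usual choice, a short leaf lifetime renewed regularly, which the hard-coded constant in the patch rules out.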

After the change, rebuild:

[root@k8s-master01 kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v

# copy the compiled kubeadm to /root
[root@k8s-master01 kubernetes]# cp _output/bin/kubeadm /root/kubeadm

Back up the original kubeadm:

[root@k8s-master01 kubernetes]# cp /usr/bin/kubeadm /usr/bin/kubeadm.old

Once it is backed up, overwrite the old kubeadm with the new one:

[root@k8s-master01 ~]# mv /root/kubeadm /usr/bin/kubeadm
mv:是否覆盖"/usr/bin/kubeadm"? y

# make it executable
[root@k8s-master01 kubernetes]# chmod a+x /usr/bin/kubeadm

Back up the pki directory:

[root@k8s-master01 ~]# cp -r /etc/kubernetes/pki/ /etc/kubernetes/pki.old

Regenerate the certificate files:

# kubeadm-config.yaml is the configuration file used when the cluster was created
[root@k8s-master01 ~]# kubeadm alpha certs renew all --config=/usr/local/install-k8s/core/kubeadm-config.yaml 
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Check the certificate validity period again:

[root@k8s-master01 ~]# cd /etc/kubernetes/pki
[root@k8s-master01 pki]# ls
apiserver.crt              apiserver-etcd-client.key  apiserver-kubelet-client.crt  ca.crt  etcd                front-proxy-ca.key      front-proxy-client.key  sa.pub
apiserver-etcd-client.crt  apiserver.key              apiserver-kubelet-client.key  ca.key  front-proxy-ca.crt  front-proxy-client.crt  sa.key

[root@k8s-master01 pki]# openssl x509 -in apiserver.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6835707474061199748 (0x5edd4fbb03e68984)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Mar 18 03:50:55 2020 GMT
            Not After : Apr  9 17:13:35 2030 GMT
        Subject: CN=kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b3:f9:96:90:fb:39:37:83:ad:d7:ed:ec:27:4e:
                    ec:82:cf:54:ca:52:3e:c0:3c:66:2a:f1:f7:ff:5a:
......

-- end --

