k8s 证书过期解决 - 码农教程

下载kubernetest 源码

apt -get install git 

git clone https://github.com/kubernetes/kubernetes.git,

切换分支

cd kubernetes && git checkout -b remotes/origin/release-1.13 v1.13.0

下载docker编译环境

https://hub.docker.com/r/gcrcontainer/kube-cross/tags?page=2 在dockerhub 下载相应的版本

docker pull gcrcontainer/kube-cross:v1.9.1-1

docker run --rm -v /root/kubernetes/:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross:v1.9.1-1 bash

修改源码

vim  /kubernetes/staging/src/k8s.io/client-go/util/cert/cert.go

maxAge := time.Hour * 24 * 365   #修改前       

NotAfter:     time.Now().Add(duration365d).UTC()

 maxAge := time.Hour * 24 * 365 * 50  #修改后   给证书期限为50年

NotAfter:     time.Now().Add(duration365d * 50).UTC()

编译

cd /go/src/k8s.io/kubernetes

# 编译kubeadm, 这里主要编译kubeadm 即可
make all WHAT=cmd/kubeadm GOFLAGS=-v

拷贝编译的文件
cp ./_output/local/bin/linux/amd64/kubeadm

master

备份证书和配置文件

#!/usr/bin/env bash
set -e
sudo mv /etc/kubernetes/pki/apiserver.key /etc/kubernetes/pki/apiserver.key.old
sudo mv /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.crt /etc/kubernetes/pki/apiserver-kubelet-client.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.key /etc/kubernetes/pki/apiserver-kubelet-client.key.old
sudo mv /etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/front-proxy-client.crt.old
sudo mv /etc/kubernetes/pki/front-proxy-client.key /etc/kubernetes/pki/front-proxy-client.key.old
sudo mv /etc/kubernetes/pki/front-proxy-ca.crt /etc/kubernetes/pki/front-proxy-ca.crt.old
sudo mv /etc/kubernetes/pki/front-proxy-ca.key /etc/kubernetes/pki/front-proxy-ca.key.old
sudo mv /etc/kubernetes/admin.conf /etc/kubernetes/admin.conf.old
sudo mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.old
sudo mv /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.old
sudo mv /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.old

View Code

拷贝编译后的kubeadm

\cp kubeadm /usr/bin/

创建kubeadm-conf.yaml 文件

cat > /tmp/kubeadm-conf.yaml <<EOF
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
networking:
  podSubnet: 192.169.0.0/16
  serviceSubnet: 10.96.0.0/12
#apiServerCertSANs:
#- master01
#- master02
#- master03
#- 172.16.2.1
#- 172.16.2.2
#- 172.16.2.3
#- 172.16.2.100
#etcd:
#  endpoints:
#     - http://192.168.188.160:2379
#     - http://192.168.188.161:2379
#     - http://192.168.188.162:2379
#token: 2wt8ap.ev8cvrpuzt81zwm7
#tokenTTL: "0"
kubernetesVersion: v1.11.5
#imageRepository:
api:
  advertiseAddress: 192.168.188.160
kubeletConfiguration:
  baseConfig:
    evictionHard:
      imagefs.available: 6Gi
      memory.available: 512Mi
      nodefs.available: 3Gi
EOF

View Code

sudo kubeadm alpha phase certs apiserver --config /tmp/kubeadm-conf.yaml
sudo kubeadm alpha phase certs front-proxy-ca --config /tmp/kubeadm-conf.yaml
sudo kubeadm alpha phase certs apiserver-kubelet-client --config /tmp/kubeadm-conf.yaml
sudo kubeadm alpha phase certs front-proxy-client --config /tmp/kubeadm-conf.yaml
sudo kubeadm alpha phase kubeconfig all --config /tmp/kubeadm-conf.yaml

View Code

sudo rm -rf $HOME/.kube
mkdir -p mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

View Code

查看证书时间

openssl x509 -in /etc/kubernetes/pki/front-proxy-client.crt -noout -dates

追加部分：

为了不要每年都更新客户端证书可以在/etc/kubernetes/manifests/kube-controller-manager.yaml的26行左右添加下面内容（主要空格对其）：

- --experimental-cluster-signing-duration=876000h0m0s

修改完成后，需要删除/var/lib/kubelet/pki/下的文件，重新启动kubelet服务就可以了

注意：如果为生成证书，请查看时间是否同步

创建永久token

kubeadm token create --ttl 0

rm -rf /var/lib/kubelet/pki/*

sudo sed -i "s/56d5fi.18j8g4fgca4lf1a1/06cymx.d1vcolksn9uwthqz/g" /etc/kubernetes/bootstrap-kubelet.conf

systemctl restart kubelet

node

删除/var/lib/kubelet/pki/下的所有文件

rm -rf /var/lib/kubelet/pki/*

替换/etc/kubernetes/bootstrap-kubelet.conf中的token（红色框的部分）为上面创建的token值

sudo sed -i "s/56d5fi.18j8g4fgca4lf1a1/06cymx.d1vcolksn9uwthqz/g" /etc/kubernetes/bootstrap-kubelet.conf

重启kubelet 服务，systemctl restart kubelet

检测是否成功，ls /var/lib/kubelet/pki/

https://www.cnblogs.com/skymyyang/p/11093686.html
https://www.cnblogs.com/kuku0223/p/10509637.html
https://hub.docker.com/r/gcrcontainer/kube-cross/tags?page=2

原文地址：https://www.cnblogs.com/hanwei666/p/12058978.html