1.查看当前证书时间
[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Aug 30, 2022 07:53 UTC 363d no
apiserver Aug 30, 2022 07:52 UTC 363d ca no
apiserver-etcd-client Aug 30, 2022 07:53 UTC 363d etcd-ca no
apiserver-kubelet-client Aug 30, 2022 07:52 UTC 363d ca no
controller-manager.conf Aug 30, 2022 07:53 UTC 363d no
etcd-healthcheck-client Aug 30, 2022 07:53 UTC 363d etcd-ca no
etcd-peer Aug 30, 2022 07:53 UTC 363d etcd-ca no
etcd-server Aug 30, 2022 07:53 UTC 363d etcd-ca no
front-proxy-client Aug 30, 2022 07:53 UTC 363d front-proxy-ca no
scheduler.conf Aug 30, 2022 07:53 UTC 363d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Aug 28, 2031 07:52 UTC 9y no
etcd-ca Aug 28, 2031 07:53 UTC 9y no
front-proxy-ca Aug 28, 2031 07:53 UTC 9y no
可以看到,kubeadm 默认签发的各个证书有效期只有一年;而 ca、etcd-ca、front-proxy-ca 这三个 CA 证书的有效期则到 2031 年。
2.下载源码
git clone https://github.com/kubernetes/kubernetes.git
注意:如果github下载慢可以用gitee下载地址:https://gitee.com/mirrors/Kubernetes.git
查看k8s版本
[root@k8s-master ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.0", GitCommit:"9e991415386e4cf155a24b1da15becaa390438d8", GitTreeState:"clean", BuildDate:"2020-03-25T14:58:59Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.0", GitCommit:"9e991415386e4cf155a24b1da15becaa390438d8", GitTreeState:"clean", BuildDate:"2020-03-25T14:50:46Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
切换到自己的版本,修改源码,比如我的是v1.18.0版本
cd kubernetes
git checkout v1.18.0
vim cmd/kubeadm/app/constants/constants.go,找到 CertificateValidity(原值为 time.Hour * 24 * 365,即一年),在后面乘以 100 改为 100 年,修改后如下
....
const (
// KubernetesDir is the directory Kubernetes owns for storing various configuration files
KubernetesDir = "/etc/kubernetes"
// ManifestsSubDirName defines directory name to store manifests
ManifestsSubDirName = "manifests"
// TempDirForKubeadm defines temporary directory for kubeadm
// should be joined with KubernetesDir.
TempDirForKubeadm = "tmp"
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
CertificateValidity = time.Hour * 24 * 365 * 100
....
3.安装编译软件
yum -y install gcc automake autoconf libtool make
安装go编译环境,这里就直接使用yum安装
查看go是否安装过
[root@k8s-master kubernetes]# go env
-bash: go: command not found
查看yum的Golang
[root@k8s-master kubernetes]# yum info golang
Last metadata expiration check: 0:06:47 ago on Wed 01 Sep 2021 10:07:23 AM CST.
Available Packages
Name : golang
Version : 1.15.14
Release : 1.module_el8.4.0+882+ab13bcd9
Architecture : x86_64
Size : 708 k
Source : golang-1.15.14-1.module_el8.4.0+882+ab13bcd9.src.rpm
Repository : AppStream
Summary : The Go Programming Language
URL : http://golang.org/
License : BSD and Public Domain
Description : The Go Programming Language.
安装golang
yum install -y golang
再次查看go环境变量
[root@k8s-master kubernetes]# go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/root/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/root/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/golang"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/golang/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/root/kubernetes/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build406782294=/tmp/go-build -gno-record-gcc-switches"
4.执行make WHAT=cmd/kubeadm编译
[root@k8s-master kubernetes]# make WHAT=cmd/kubeadm
+++ [0901 10:20:55] Building go targets for linux/amd64:
./vendor/k8s.io/code-generator/cmd/deepcopy-gen
+++ [0901 10:21:08] Building go targets for linux/amd64:
./vendor/k8s.io/code-generator/cmd/defaulter-gen
+++ [0901 10:21:18] Building go targets for linux/amd64:
./vendor/k8s.io/code-generator/cmd/conversion-gen
+++ [0901 10:21:37] Building go targets for linux/amd64:
./vendor/k8s.io/kube-openapi/cmd/openapi-gen
+++ [0901 10:21:53] Building go targets for linux/amd64:
./vendor/github.com/go-bindata/go-bindata/go-bindata
warning: ignoring symlink /root/kubernetes/_output/local/go/src/k8s.io/kubernetes
go: warning: "k8s.io/kubernetes/vendor/github.com/go-bindata/go-bindata/..." matched no packages
+++ [0901 10:21:55] Building go targets for linux/amd64:
cmd/kubeadm
编译完生成如下目录和二进制文件
[root@k8s-master kubernetes]# ll _output/bin/
total 70380
-rwxr-xr-x 1 root root 6242304 Sep 1 10:21 conversion-gen
-rwxr-xr-x 1 root root 6234112 Sep 1 10:20 deepcopy-gen
-rwxr-xr-x 1 root root 6205440 Sep 1 10:21 defaulter-gen
-rwxr-xr-x 1 root root 3688610 Sep 1 10:20 go2make
-rwxr-xr-x 1 root root 2023424 Sep 1 10:21 go-bindata
-rwxr-xr-x 1 root root 37076992 Sep 1 10:23 kubeadm
-rwxr-xr-x 1 root root 10596352 Sep 1 10:21 openapi-gen
备份原kubeadm和证书文件
cp /usr/bin/kubeadm{,.bak20210901}
cp -r /etc/kubernetes/pki{,.bak20210901}
将新生成的kubeadm进行替换
cp _output/bin/kubeadm /usr/bin/kubeadm
生成新的证书
cd /etc/kubernetes/pki
kubeadm alpha certs renew all
输出如下
[root@k8s-master kubernetes]# cd /etc/kubernetes/pki
[root@k8s-master pki]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
验证结果
kubeadm alpha certs check-expiration
输出如下
[root@k8s-master pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Aug 08, 2121 02:32 UTC 99y no
apiserver Aug 08, 2121 02:32 UTC 99y ca no
apiserver-etcd-client Aug 08, 2121 02:32 UTC 99y etcd-ca no
apiserver-kubelet-client Aug 08, 2121 02:32 UTC 99y ca no
controller-manager.conf Aug 08, 2121 02:32 UTC 99y no
etcd-healthcheck-client Aug 08, 2121 02:32 UTC 99y etcd-ca no
etcd-peer Aug 08, 2121 02:32 UTC 99y etcd-ca no
etcd-server Aug 08, 2121 02:32 UTC 99y etcd-ca no
front-proxy-client Aug 08, 2121 02:32 UTC 99y front-proxy-ca no
scheduler.conf Aug 08, 2121 02:32 UTC 99y no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Aug 28, 2031 07:52 UTC 9y no
etcd-ca Aug 28, 2031 07:53 UTC 9y no
front-proxy-ca Aug 28, 2031 07:53 UTC 9y no
查看集群状态是否OK。
[root@k8s-master pki]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 42h v1.18.0
k8s-node1 Ready <none> 42h v1.18.0
k8s-node2 Ready <none> 42h v1.18.0
查看pod
[root@k8s-master pki]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-7ff77c879f-6pwrg 1/1 Running 1 42h
coredns-7ff77c879f-d6s95 1/1 Running 2 42h
etcd-k8s-master 1/1 Running 3 42h
kube-apiserver-k8s-master 1/1 Running 2 42h
kube-controller-manager-k8s-master 1/1 Running 3 42h
kube-flannel-ds-fs8dj 1/1 Running 3 42h
kube-flannel-ds-g6d4l 1/1 Running 2 42h
kube-flannel-ds-tnrzq 1/1 Running 1 42h
kube-proxy-dngh8 1/1 Running 1 42h
kube-proxy-nxb5q 1/1 Running 2 42h
kube-proxy-zz5xn 1/1 Running 3 42h
kube-scheduler-k8s-master 1/1 Running 2 42h
如看到上面的 Ready 和 Running,即表示证书修改成功。需要注意两点:一是 kubeadm alpha certs renew all 只续签由 CA 签发的证书,不会续签 CA 本身,上面输出中三个 CA 的过期时间仍然是 2031 年,而被签发证书的有效期(2121 年)已经超过了 CA 的有效期,CA 过期后这些证书同样无法通过校验,所以 2031 年前仍需另行更换 CA;二是 check-expiration 读取的是磁盘上的证书文件,kube-apiserver、kube-controller-manager、kube-scheduler 等静态 Pod 一般要重启后才会加载新证书,建议确认后再下结论。