kubernetes集群证书过期处理

avatar 2022年12月10日18:08:11 评论 537 次浏览

kubernetes中集群证书默认一般都是一年,但是一年时间太短了,如果时间过了就会影响到组件之间的通信,无法创建pod,kubernetes的基本命令也无法使用,dashboard也无法使用,所以为了避免影响使用,在过期之前就延长证书时间。

#查看证书时间
[root@Mater ~]#  kubeadm certs check-expiration //新版本的kubernetes
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 19, 2023 05:05 UTC   314d            ca                      no
apiserver                  Oct 19, 2023 05:04 UTC   314d            ca                      no
apiserver-etcd-client      Oct 19, 2023 05:04 UTC   314d            etcd-ca                 no
apiserver-kubelet-client   Oct 19, 2023 05:04 UTC   314d            ca                      no
controller-manager.conf    Oct 19, 2023 05:05 UTC   314d            ca                      no
etcd-healthcheck-client    Oct 19, 2023 05:03 UTC   314d            etcd-ca                 no
etcd-peer                  Oct 19, 2023 05:03 UTC   314d            etcd-ca                 no
etcd-server                Oct 19, 2023 05:03 UTC   314d            etcd-ca                 no
front-proxy-client         Oct 19, 2023 05:04 UTC   314d            front-proxy-ca          no
scheduler.conf             Oct 19, 2023 05:05 UTC   314d            ca                      no
kubeadm alpha certs check-expiration  //旧版本的kubernetes
#创建证书延长
[root@Mater home]# cp -p /etc/kubernetes/*.conf /home/old-k8s/ //先备份
[root@Mater home]# kubeadm certs renew all   //新版本,默认延长一年
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
[root@Mater home]#  kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 08, 2023 12:45 UTC   364d            ca                      no
apiserver                  Dec 08, 2023 12:45 UTC   364d            ca                      no
apiserver-etcd-client      Dec 08, 2023 12:45 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 08, 2023 12:45 UTC   364d            ca                      no
controller-manager.conf    Dec 08, 2023 12:45 UTC   364d            ca                      no
etcd-healthcheck-client    Dec 08, 2023 12:45 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 08, 2023 12:45 UTC   364d            etcd-ca                 no
etcd-server                Dec 08, 2023 12:45 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 08, 2023 12:45 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 08, 2023 12:45 UTC   364d            ca                      no
kubeadm alpha certs renew all //旧版本,默认延长一年

以上是针对证书默认延长一年,不过查看过期时间也可以使用

[root@Mater home]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Not
            Not Before: Oct 19 02:21:28 2022 GMT
            Not After : Dec  8 12:45:51 2023 GMT
/etc/kubernetes/pki/apiserver.crt           #1年有效期
/etc/kubernetes/pki/front-proxy-ca.crt        #10年有效期
/etc/kubernetes/pki/ca.crt              #10年有效期
/etc/kubernetes/pki/apiserver-etcd-client.crt    #1年有效期
/etc/kubernetes/pki/front-proxy-client.crt      #1年有效期
/etc/kubernetes/pki/etcd/server.crt         #1年有效期
/etc/kubernetes/pki/etcd/ca.crt           #10年有效期
/etc/kubernetes/pki/etcd/peer.crt          #1年有效期
/etc/kubernetes/pki/etcd/healthcheck-client.crt  #1年有效期
/etc/kubernetes/pki/apiserver-kubelet-client.crt  #1年有效期

如果觉得集群证书时间1年太短,我们也可以直接延长到10年,这样也就可以避免后期证书异常的问题了,网上也有针对这个做的批量更新证书,https://github.com/yuyicai/update-kube-cert,如果访问不了,可以使用百度网盘.

百度网盘下载:
链接:https://pan.baidu.com/s/1WyVAwyL3mOGVFgpQ2tomCw
提取码:f6sa

下载到本地后,赋予执行权限,然后执行即可。

[root@Mater home]# ls -l
total 12
drwxr-xr-x 2 root root    97 Dec  8 20:45 old-k8s
-rw-r--r-- 1 root root 10756 Dec  8 20:51 update-kubeadm-cert.sh
[root@Mater home]# chmod +x update-kubeadm-cert.sh
[root@Mater home]# ./update-kubeadm-cert.sh all
[2022-12-08T20:53:04.492595721+0800]: INFO: backup /etc/kubernetes to /etc/kubernetes.old-20221208
Signature ok
subject=CN = etcd-server
Getting CA Private Key
[2022-12-08T20:53:04.522896746+0800]: INFO: generated /etc/kubernetes/pki/etcd/server.crt
Signature ok
subject=CN = etcd-peer
Getting CA Private Key
[2022-12-08T20:53:04.552343803+0800]: INFO: generated /etc/kubernetes/pki/etcd/peer.crt
Signature ok
subject=O = system:masters, CN = kube-etcd-healthcheck-client
Getting CA Private Key
[2022-12-08T20:53:04.571719513+0800]: INFO: generated /etc/kubernetes/pki/etcd/healthcheck-client.crt
Signature ok
subject=O = system:masters, CN = kube-apiserver-etcd-client
Getting CA Private Key
[2022-12-08T20:53:04.592184553+0800]: INFO: generated /etc/kubernetes/pki/apiserver-etcd-client.crt
./update-kubeadm-cert.sh: line 180: docker: command not found
[2022-12-08T20:53:04.606165212+0800]: INFO: restarted etcd
Signature ok
subject=CN = kube-apiserver
Getting CA Private Key
[2022-12-08T20:53:04.642912689+0800]: INFO: generated /etc/kubernetes/pki/apiserver.crt
Signature ok
subject=O = system:masters, CN = kube-apiserver-kubelet-client
Getting CA Private Key
[2022-12-08T20:53:04.663027941+0800]: INFO: generated /etc/kubernetes/pki/apiserver-kubelet-client.crt
Signature ok
subject=CN = system:kube-controller-manager
Getting CA Private Key
[2022-12-08T20:53:04.708380553+0800]: INFO: generated /etc/kubernetes/controller-manager.crt
[2022-12-08T20:53:04.713995541+0800]: INFO: generated new /etc/kubernetes/controller-manager.conf
Signature ok
subject=CN = system:kube-scheduler
Getting CA Private Key
[2022-12-08T20:53:04.750218166+0800]: INFO: generated /etc/kubernetes/scheduler.crt
[2022-12-08T20:53:04.756171289+0800]: INFO: generated new /etc/kubernetes/scheduler.conf
Signature ok
subject=O = system:masters, CN = kubernetes-admin
Getting CA Private Key
[2022-12-08T20:53:04.795672349+0800]: INFO: generated /etc/kubernetes/admin.crt
[2022-12-08T20:53:04.801186761+0800]: INFO: generated new /etc/kubernetes/admin.conf
[2022-12-08T20:53:04.811211927+0800]: INFO: copy the admin.conf to ~/.kube/config for kubectl
[2022-12-08T20:53:04.814811844+0800]: WARNING: does not need to update kubelet.conf
Signature ok
subject=CN = front-proxy-client
Getting CA Private Key
[2022-12-08T20:53:04.830486317+0800]: INFO: generated /etc/kubernetes/pki/front-proxy-client.crt
./update-kubeadm-cert.sh: line 230: docker: command not found
[2022-12-08T20:53:04.836012553+0800]: INFO: restarted kube-apiserver
./update-kubeadm-cert.sh: line 232: docker: command not found
[2022-12-08T20:53:04.839716059+0800]: INFO: restarted kube-controller-manager
./update-kubeadm-cert.sh: line 234: docker: command not found
[2022-12-08T20:53:04.844285594+0800]: INFO: restarted kube-scheduler
[2022-12-08T20:53:04.879791737+0800]: INFO: restarted kubelet
[root@Mater home]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text  | grep Not
            Not Before: Dec  8 12:53:04 2022 GMT
            Not After : Dec  5 12:53:04 2032 GMT

从原来的延长一年,这里直接延长10年了,其实针对kubernetes集群证书的监控也需要做一下,如果不做集群监控,后期如果到期了无法在到期前提醒早处理,下一个章节在对kubernetes集群证书监控的处理,没有了看看其他的吧。

avatar

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: