Manually renewing your Kubernetes certificates

Introduction

As everyone knows, to encourage people to upgrade their clusters, k8s puts a one-year limit on its certificates. But since this is a production environment, nobody is going to upgrade the cluster just for the sake of it, so the certificates have to be renewed by hand.

Official documentation

If you want the official guide, see the link below:

https://kubernetes.io/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/

Procedure

First, make sure your kube-controller-manager has the following two parameters, and add them if they are missing:

vim /etc/kubernetes/manifests/kube-controller-manager.yaml

--cluster-signing-cert-file

--cluster-signing-key-file

Since my cluster was built with kubespray, kubeadm is available. First, log in to a control-plane node and check its certificate expiry:

[[email protected] ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0827 17:15:02.872064   97443 utils.go:26] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 21, 2021 10:08 UTC   359d                                    no      
apiserver                  Aug 21, 2021 10:06 UTC   359d            ca                      no      
apiserver-kubelet-client   Aug 21, 2021 10:06 UTC   359d            ca                      no      
controller-manager.conf    Aug 21, 2021 10:08 UTC   359d                                    no      
front-proxy-client         Aug 21, 2021 10:06 UTC   359d            front-proxy-ca          no      
scheduler.conf             Aug 21, 2021 10:08 UTC   359d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 19, 2030 10:06 UTC   9y              no      
front-proxy-ca          Aug 19, 2030 10:06 UTC   9y              no   

You can see that the RESIDUAL TIME is 359d. Next we renew the certificates through the Kubernetes certificate API.
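As an added example that is not part of the original post: a small POSIX shell helper that reads the check-expiration output in the layout shown above and lists every certificate with fewer than a given number of days left, so renewal can be scheduled before the one-year limit is hit. The sample table embedded in it is constructed, and the function name is my own.

```shell
#!/bin/sh
# Added example, not from the original post: parse the table printed by
# `kubeadm alpha certs check-expiration` and list every certificate whose
# RESIDUAL TIME is below a threshold in days. Function name is my own.

# expiring_certs THRESHOLD_DAYS   (reads check-expiration output on stdin)
# Prints "NAME RESIDUAL" for each certificate or CA below the threshold.
expiring_certs() {
  awk -v t="$1" '
    # Skip the two header rows, the "[check-expiration]" log lines,
    # the "W0827 ..." kubeadm warning and blank lines.
    /^CERTIFICATE/ || /^\[/ || /^W[0-9]/ || NF == 0 { next }
    {
      # The residual column is the field right after the "UTC" of EXPIRES.
      res = ""
      for (i = 1; i <= NF; i++) if ($i == "UTC") { res = $(i + 1); break }
      if (res == "") next
      unit = substr(res, length(res))
      n    = substr(res, 1, length(res) - 1) + 0
      # kubeadm prints years, days, or hours/minutes; under a day counts as 0.
      days = (unit == "y") ? n * 365 : (unit == "d") ? n : 0
      if (days < t) print $1, res
    }'
}

# Constructed sample in the same layout as the real output above,
# with two certificates deliberately pushed close to expiry.
SAMPLE='[check-expiration] Reading configuration from the cluster...
W0827 17:15:02.872064   97443 utils.go:26] The recommended value for "clusterDNS" ...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 21, 2021 10:08 UTC   359d                                    no
apiserver                  Aug 21, 2021 10:06 UTC   20d             ca                      no
front-proxy-client         Aug 21, 2021 10:06 UTC   12h             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 19, 2030 10:06 UTC   9y              no'

# Demo against the sample. On a control-plane node, pipe the real command:
#   kubeadm alpha certs check-expiration | expiring_certs 30
# Note that kubeadm's documentation says the control-plane static pods must be
# restarted after a renewal so the components actually load the new certificates.
printf '%s\n' "$SAMPLE" | expiring_certs 30
```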

Create the signing requests

kubeadm alpha certs renew admin.conf --use-api &
kubeadm alpha certs renew apiserver --use-api &
kubeadm alpha certs renew apiserver-kubelet-client --use-api &
kubeadm alpha certs renew controller-manager.conf --use-api &
kubeadm alpha certs renew front-proxy-client --use-api &
kubeadm alpha certs renew scheduler.conf --use-api &

View the signing requests

kubectl get csr |grep Pending

Approve the signing requests

kubectl certificate approve kubeadm-cert-front-proxy-client-qd52x
kubectl certificate approve kubeadm-cert-kube-apiserver-d6t2l
kubectl certificate approve kubeadm-cert-kube-apiserver-kubelet-client-nq7dp
kubectl certificate approve kubeadm-cert-kubernetes-admin-tjpc6
kubectl certificate approve kubeadm-cert-system:kube-controller-manager-s6pk4
kubectl certificate approve kubeadm-cert-system:kube-scheduler-2t5xs

Then check the certificate expiry again:

[[email protected] ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0827 17:21:22.300640  100767 utils.go:26] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 27, 2021 09:15 UTC   364d                                    no      
apiserver                  Aug 27, 2021 09:15 UTC   364d            ca                      no      
apiserver-kubelet-client   Aug 27, 2021 09:15 UTC   364d            ca                      no      
controller-manager.conf    Aug 27, 2021 09:15 UTC   364d                                    no      
front-proxy-client         Aug 27, 2021 09:15 UTC   364d            front-proxy-ca          no      
scheduler.conf             Aug 27, 2021 09:15 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 19, 2030 10:06 UTC   9y              no      
front-proxy-ca          Aug 19, 2030 10:06 UTC   9y              no      

After that, renew the certificates on each of the other control-plane nodes in the same way, and you're done.

You are welcome to follow my blog: www.bboy.app

Have Fun