Manually renewing your Kubernetes certificates

Introduction

As everyone knows, k8s puts a one-year limit on its certificates to encourage people to upgrade their clusters. But since this is a production environment, nobody is going to upgrade the cluster just for fun, so the certificates have to be renewed by hand.

Official documentation

If you want the official version, see the page below:

https://kubernetes.io/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/

Procedure

First make sure your kube-controller-manager is started with the following two flags; add them if they are missing:

vim /etc/kubernetes/manifests/kube-controller-manager.yaml

--cluster-signing-cert-file

--cluster-signing-key-file

Because my cluster was built with kubespray, kubeadm is available, so first log in to one control-plane node and check its certificate expiry:

[[email protected] ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0827 17:15:02.872064 97443 utils.go:26] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 21, 2021 10:08 UTC   359d                                    no
apiserver                  Aug 21, 2021 10:06 UTC   359d            ca                      no
apiserver-kubelet-client   Aug 21, 2021 10:06 UTC   359d            ca                      no
controller-manager.conf    Aug 21, 2021 10:08 UTC   359d                                    no
front-proxy-client         Aug 21, 2021 10:06 UTC   359d            front-proxy-ca          no
scheduler.conf             Aug 21, 2021 10:08 UTC   359d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 19, 2030 10:06 UTC   9y              no
front-proxy-ca          Aug 19, 2030 10:06 UTC   9y              no

You can see that RESIDUAL TIME is 359d. Next we renew the certificates through the Kubernetes certificate API.

Create the signing requests

kubeadm alpha certs renew admin.conf --use-api &
kubeadm alpha certs renew apiserver --use-api &
kubeadm alpha certs renew apiserver-kubelet-client --use-api &
kubeadm alpha certs renew controller-manager.conf --use-api &
kubeadm alpha certs renew front-proxy-client --use-api &
kubeadm alpha certs renew scheduler.conf --use-api &

List the signing requests

kubectl get csr | grep Pending

Approve the signing requests

kubectl certificate approve kubeadm-cert-front-proxy-client-qd52x
kubectl certificate approve kubeadm-cert-kube-apiserver-d6t2l
kubectl certificate approve kubeadm-cert-kube-apiserver-kubelet-client-nq7dp
kubectl certificate approve kubeadm-cert-kubernetes-admin-tjpc6
kubectl certificate approve kubeadm-cert-system:kube-controller-manager-s6pk4
kubectl certificate approve kubeadm-cert-system:kube-scheduler-2t5xs
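The approve step above hard-codes CSR names whose random suffixes change on every run, and the residual time in the first step is read by eye. The following Python script is an added example, not code from the original post or from kubeadm or kubespray: it parses `kubeadm alpha certs check-expiration` output to find leaf certificates that are not externally managed and fall below a renewal threshold, parses `kubectl get csr` output to pick out the Pending `kubeadm-cert-*` requests, and prints the matching renew and approve commands. The two outputs embedded in it are constructed samples shaped like the ones shown above (the `kubeadm-cert-*` names are the ones from this post); the 30-day threshold and all function names are my own choices.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample of `kubeadm alpha certs check-expiration` output (same shape as the post's).
CHECK_EXPIRATION_OUTPUT = """\
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 21, 2021 10:08 UTC   359d                                    no
apiserver                  Aug 21, 2021 10:06 UTC   359d            ca                      no
apiserver-kubelet-client   Aug 21, 2021 10:06 UTC   359d            ca                      no
controller-manager.conf    Aug 21, 2021 10:08 UTC   359d                                    no
front-proxy-client         Aug 21, 2021 10:06 UTC   359d            front-proxy-ca          no
scheduler.conf             Aug 21, 2021 10:08 UTC   359d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 19, 2030 10:06 UTC   9y              no
front-proxy-ca          Aug 19, 2030 10:06 UTC   9y              no
"""

# Constructed sample of `kubectl get csr` output; one kubelet CSR and one already-approved
# kubeadm CSR are mixed in so the filter has something to reject.
KUBECTL_GET_CSR_OUTPUT = """\
NAME                                               AGE   REQUESTOR           CONDITION
csr-7k2nd                                          3h    system:node:node1   Approved,Issued
kubeadm-cert-front-proxy-client-qd52x              12s   kubernetes-admin    Pending
kubeadm-cert-kube-apiserver-d6t2l                  12s   kubernetes-admin    Pending
kubeadm-cert-kubernetes-admin-tjpc6                12s   kubernetes-admin    Pending
kubeadm-cert-kube-apiserver-kubelet-client-nq7dp   2d    kubernetes-admin    Approved,Issued
"""

# One data row of either check-expiration table. The CERTIFICATE AUTHORITY column is
# optional: it is blank for the kubeconfig entries and absent from the CA table.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<expires>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2} UTC)\s+"
    r"(?P<residual>\S+)\s+"
    r"(?:(?P<ca>\S+)\s+)?"
    r"(?P<managed>yes|no)\s*$"
)


def parse_check_expiration(text):
    """Return (leaf_certs, ca_certs): dicts of name -> {expires, ca, managed}."""
    leaf, cas = {}, {}
    section = None
    for line in text.splitlines():
        if line.startswith("CERTIFICATE AUTHORITY"):
            section = cas          # second table: the CAs themselves
            continue
        if line.startswith("CERTIFICATE"):
            section = leaf         # first table: leaf certs and kubeconfig files
            continue
        m = ROW_RE.match(line)
        if section is None or not m:
            continue               # banner lines, warnings, blank lines
        expires = datetime.strptime(m["expires"], "%b %d, %Y %H:%M UTC")
        section[m["name"]] = {
            "expires": expires.replace(tzinfo=timezone.utc),
            "ca": m["ca"],
            "managed": m["managed"] == "yes",
        }
    return leaf, cas


def certs_needing_renewal(leaf, now, threshold_days=30):
    """Leaf certs kubeadm manages that expire within threshold_days of now, sorted by name."""
    due = []
    for name, info in leaf.items():
        if info["managed"]:
            continue               # externally managed: kubeadm will not renew these
        days_left = (info["expires"] - now).total_seconds() / 86400
        if days_left < threshold_days:
            due.append(name)
    return sorted(due)


def renew_commands(names):
    return [f"kubeadm alpha certs renew {n} --use-api" for n in names]


def pending_kubeadm_csrs(text):
    """Names of Pending CSRs created by `kubeadm alpha certs renew --use-api`."""
    names = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 2:
            continue
        name, condition = parts[0], parts[-1]
        if name.startswith("kubeadm-cert-") and condition == "Pending":
            names.append(name)
    return names


def approve_commands(names):
    return [f"kubectl certificate approve {n}" for n in names]


def main(argv):
    # Optional arguments: saved check-expiration output and saved `kubectl get csr` output.
    exp_text = open(argv[1]).read() if len(argv) > 1 else CHECK_EXPIRATION_OUTPUT
    csr_text = open(argv[2]).read() if len(argv) > 2 else KUBECTL_GET_CSR_OUTPUT
    leaf, cas = parse_check_expiration(exp_text)
    due = certs_needing_renewal(leaf, datetime.now(timezone.utc))
    print(f"{len(leaf)} leaf certs, {len(cas)} CAs, {len(due)} due for renewal")
    for cmd in renew_commands(due) + approve_commands(pending_kubeadm_csrs(csr_text)):
        print(cmd)


if __name__ == "__main__":
    main(sys.argv)
```

The script only prints the commands, so you still look at each CSR before approving it. Two things it cannot do for you: the CAs in the second table are not renewed by `kubeadm certs renew`, and kube-apiserver, kube-controller-manager and kube-scheduler only pick up the renewed files once their static pods are restarted.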

Then check the certificate expiry again:

[[email protected] ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0827 17:21:22.300640 100767 utils.go:26] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 27, 2021 09:15 UTC   364d                                    no
apiserver                  Aug 27, 2021 09:15 UTC   364d            ca                      no
apiserver-kubelet-client   Aug 27, 2021 09:15 UTC   364d            ca                      no
controller-manager.conf    Aug 27, 2021 09:15 UTC   364d                                    no
front-proxy-client         Aug 27, 2021 09:15 UTC   364d            front-proxy-ca          no
scheduler.conf             Aug 27, 2021 09:15 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 19, 2030 10:06 UTC   9y              no
front-proxy-ca          Aug 19, 2030 10:06 UTC   9y              no

Then go to each of the other control-plane nodes and renew their certificates the same way.

Feel free to follow Bboysoul's blog at www.bboy.app

Have Fun
