Kubernetes v1.18 编译 kubeadmin 修改证书有效期到 100 年

Posted by sysin on 2019-08-15
Estimated Reading Time 7 Minutes
Words 1.4k In Total
Viewed Times

作者:gc(at)sysin.org,主页:www.sysin.org

kubeadm 默认证书为一年,一年过期后,会导致api service不可用,使用过程中会出现:x509: certificate has expired or is not yet valid.

Google 建议通过不停更新版本来自动更新证书,太坑^_^

可以在初始化群集之前重新编译kubeadm,证书有效期自动为100年

1. 获取源码

访问:https://github.com/kubernetes/kubernetes/releases,下载特定版本源码

1
2
3
4
wget https://github.com/kubernetes/kubernetes/archive/v1.18.0.tar.gz
tar -zxvf v1.18.0.tar.gz
mv kubernetes-1.18.0 kubernetes
cd kubernetes

或者使用 git 获取

1
2
3
4
# yum install git
git clone https://github.com/kubernetes/kubernetes.git
cd kubernetes
git checkout -b remotes/origin/release-1.18 v1.18.0

2. 修改证书有效期

查看网上的资料主要有两个地方需要修改

修改 CA 有效期为 100 年(默认为 10 年)

vim ./staging/src/k8s.io/client-go/util/cert/cert.go

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
// 这个方法里面NotAfter:              now.Add(duration365d * 10).UTC()
// 默认有效期就是10年,改成100年
// 按/NotAfter查找
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
now := time.Now()
tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0),
Subject: pkix.Name{
CommonName: cfg.CommonName,
Organization: cfg.Organization,
},
NotBefore: now.UTC(),
// NotAfter: now.Add(duration365d * 10).UTC(),
NotAfter: now.Add(duration365d * 100).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,
}

certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
if err != nil {
return nil, err
}
return x509.ParseCertificate(certDERBytes)
}

修改证书有效期为 100 年(默认为 1 年)

vim ./cmd/kubeadm/app/constants/constants.go

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
// 就是这个常量定义CertificateValidity,改成*100年
const (
// KubernetesDir is the directory Kubernetes owns for storing various configuration files
KubernetesDir = "/etc/kubernetes"
// ManifestsSubDirName defines directory name to store manifests
ManifestsSubDirName = "manifests"
// TempDirForKubeadm defines temporary directory for kubeadm
// should be joined with KubernetesDir.
TempDirForKubeadm = "tmp"

// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
// CertificateValidity = time.Hour * 24 * 365
CertificateValidity = time.Hour * 24 * 365 * 100

// CACertAndKeyBaseName defines certificate authority base name
CACertAndKeyBaseName = "ca"
// CACertName defines certificate name
CACertName = "ca.crt"
// CAKeyName defines certificate name
CAKeyName = "ca.key"

git验证,修改的内容如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
git diff

diff --git a/cmd/kubeadm/app/constants/constants.go b/cmd/kubeadm/app/constants/constants.go
index 75adf43..54f25fa 100644
--- a/cmd/kubeadm/app/constants/constants.go
+++ b/cmd/kubeadm/app/constants/constants.go
@@ -44,7 +44,7 @@ const (
TempDirForKubeadm = "tmp"

// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
- CertificateValidity = time.Hour * 24 * 365
+ CertificateValidity = time.Hour * 24 * 365 * 100

// CACertAndKeyBaseName defines certificate authority base name
CACertAndKeyBaseName = "ca"
diff --git a/staging/src/k8s.io/client-go/util/cert/cert.go b/staging/src/k8s.io/client-go/util/cert/cert.go
index 9fd097a..865d6bb 100644
--- a/staging/src/k8s.io/client-go/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/util/cert/cert.go
@@ -63,7 +63,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
Organization: cfg.Organization,
},
NotBefore: now.UTC(),
- NotAfter: now.Add(duration365d * 10).UTC(),
+ NotAfter: now.Add(duration365d * 100).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,

源代码改好了,接下来就是编译kubeadm了

3. 编译

3.1 Docker镜像编译(推荐)

  • 查看 kube-cross 的 TAG 版本号
1
2
3
# cat ./build/build-image/cross/VERSION

v1.13.8-1

这里我们可以使用官方容器对代码进行编译:k8s.gcr.io/kube-cross:v1.13.6-1(当前只有1.13.6而不是1.13.8,未知)

  • 拉取镜像

无法翻墙可以用下面的替代镜像:

1
docker pull gcrcontainer/kube-cross:v1.13.6-1

或者:’docker pull registry.aliyuncs.com/google_containers/kube-cross:v1.13.6-1’

  • 编译
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# docker run --rm -v <你修改后的代码目录>:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross bash
docker run --rm -v /root/kubernetes:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross:v1.13.6-1 bash

cd /go/src/k8s.io/kubernetes

# 编译kubeadm, 这里主要编译kubeadm 即可
make all WHAT=cmd/kubeadm GOFLAGS=-v

# 编译kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v

# 编译kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v

# 退出容器
exit

#编译完产物在 _output/bin/kubeadm 目录下,
#其中bin是使用了软连接
#真实路径是_output/local/bin/linux/amd64/kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
#chmod +x /usr/bin/kubeadm

# 验证版本
kubeadm version

3.2 本机编

环境需求参看官方文档

3.2.1 软件包准备

CentOS:

1
2
yum install gcc make -y
yum install rsync jq -y

Ubuntu:

1
2
sudo apt install build-essential #(Following command will install essential commands like gcc, make etc.)
sudo apt install rsync jq -y

3.2.2 GoLang 环境

查看 kube-cross 的 TAG 版本号

1
2
3
# cat ./build/build-image/cross/VERSION

v1.13.8-1
  • 安装Go环境:
1
2
3
4
5
6
7
8
9
10
11
wget https://dl.google.com/go/go1.13.8.linux-amd64.tar.gz
tar zxvf go1.13.8.linux-amd64.tar.gz -C /usr/local

# 编辑/etc/profile文件添加如下:
#go setting
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin

#生效
source /etc/profile
  • 验证:
1
2
go version
go version go1.13.8 linux/amd64
  • 编译:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# 编译kubeadm, 这里主要编译kubeadm 即可
make all WHAT=cmd/kubeadm GOFLAGS=-v

# 编译kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v

# 编译kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v

#编译完产物在 _output/bin/kubeadm 目录下,
#其中bin是使用了软连接
#真实路径是_output/local/bin/linux/amd64/kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm

4、执行命令更新证书

可以先备份证书,证书在/etc/kubernetes/pki

  • 检查证书到期时间
1
kubeadm alpha certs check-expiration
  • 续订证书,查看可以使用的参数
1
2
3
4
5
6
7
8
9
10
11
12
13
kubeadm alpha certs renew --help
Available Commands:
admin.conf Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
all Renew all available certificates
apiserver Renew the certificate for serving the Kubernetes API
apiserver-etcd-client Renew the certificate the apiserver uses to access etcd
apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
controller-manager.conf Renew the certificate embedded in the kubeconfig file for the controller manager to use
etcd-healthcheck-client Renew the certificate for liveness probes to healthcheck etcd
etcd-peer Renew the certificate for etcd nodes to communicate with each other
etcd-server Renew the certificate for serving etcd
front-proxy-client Renew the certificate for the front proxy client
scheduler.conf Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
  • 续订全部证书
1
kubeadm alpha certs renew all
  • 再次查看证书有效期,全部都100年了

    kubeadm alpha certs check-expiration

参考文章:

https://blog.csdn.net/fuck487/article/details/102759523

https://www.cnblogs.com/skymyyang/p/11093686.html




如果文章中使用的内容和图片侵犯了您的版权,请联系作者删除。如果您喜欢这篇文章或者觉得它对您有用,欢迎您发表评论,也欢迎您分享这个网站,或者赞赏一下作者,谢谢!


支付宝打赏 微信打赏

赞赏一下