Renewing Kubernetes 1.16 certificates with a 100-year validity

I tested this not only on 1.16 but also, while I was at it, on 1.15, and it works there too.


Download the Kubernetes source code with Git

git clone https://github.com/kubernetes/kubernetes.git
cd kubernetes
git checkout -b release-1.16.1 v1.16.1    # local branch created from the v1.16.1 release tag

Modify the source code:

1) ./staging/src/k8s.io/client-go/util/cert/cert.go

NotAfter: now.Add(duration365d * 100).UTC(), // change to 100

2) ./cmd/kubeadm/app/constants/constants.go

CertificateValidity = time.Hour * 24 * 365 * 100

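I could not be bothered to install a Go environment here, so I just started a container with Docker. Skip this step if you already have a Go environment.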

docker run --rm -it -v /tmp/kubernetes-release-1.16/:/go/src/k8s.io/kubernetes registry.aliyuncs.com/google_containers/kube-cross:v1.13.4-1 bash

Enter the container and compile to produce kubeadm

cd /go/src/k8s.io/kubernetes
make all WHAT=cmd/kubeadm GOFLAGS=-v

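Back up the original configuration

cp -a /etc/kubernetes/pki/ /tmp/
cp -a /usr/bin/kubeadm /tmp
mkdir /tmp/conf.old
mv /etc/kubernetes/*.conf /tmp/conf.old/

# install the rebuilt kubeadm (path is relative to the kubernetes source tree)
cp -a _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm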

Generate the certificates and configuration files

kubeadm alpha certs renew all
kubeadm alpha certs check-expiration    # this command shows the certificate expiration times
kubeadm init phase kubeconfig all

If there is cached data, you can delete the directory and then copy the file again

cp /etc/kubernetes/admin.conf /root/.kube/config

Restart

systemctl restart docker
systemctl restart kubelet

Confirm that the change has taken effect

[root@PM0430-10.12.54.180 kubernetes]$kubectl get pod   -n kube-system
NAME                                 READY   STATUS              RESTARTS   AGE
coredns-75985b498c-dxhxz             1/1     Running             59         230d
coredns-75985b498c-rdxzl             0/1     ContainerCreating   1          232d
etcd-k8s-master                      1/1     Running             7          333d
kube-apiserver-k8s-master            1/1     Running             7          315d
kube-controller-manager-k8s-master   1/1     Running             8          366d
kube-proxy-bl29b                     1/1     Running             7          357d
kube-proxy-jfjdk                     1/1     Running             5          232d
kube-proxy-jfln7                     1/1     Running             6          232d
kube-proxy-s5qtf                     0/1     ContainerCreating   6          366d
kube-proxy-t9nbq                     1/1     Running             6          315d
kube-scheduler-k8s-master            1/1     Running             8          333d
metrics-server-8578cbb47c-g8jxf      0/1     ImagePullBackOff    0          230d
weave-net-58zzw                      2/2     Running             19         232d
weave-net-5frcl                      2/2     Running             0          333d
weave-net-9pt2w                      2/2     Running             14         232d
weave-net-hrw9x                      2/2     Running             21         357d
weave-net-ql67p                      2/2     Running             17         315d

[root@PM0430-10.12.54.180 kubernetes]$kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Sep 18, 2120 11:27 UTC   99y             no      
apiserver                  Sep 18, 2120 11:21 UTC   99y             no      
apiserver-etcd-client      Sep 18, 2120 11:21 UTC   99y             no      
apiserver-kubelet-client   Sep 18, 2120 11:21 UTC   99y             no      
controller-manager.conf    Sep 18, 2120 11:27 UTC   99y             no      
etcd-healthcheck-client    Sep 18, 2120 11:21 UTC   99y             no      
etcd-peer                  Sep 18, 2120 11:21 UTC   99y             no      
etcd-server                Sep 18, 2120 11:21 UTC   99y             no      
front-proxy-client         Sep 18, 2120 11:21 UTC   99y             no      
scheduler.conf             Sep 18, 2120 11:27 UTC   99y             no      

For the other master nodes, just pack everything into an archive and scp it over; I won't repeat the steps here.
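
The check-expiration table above lists only the certificates that kubeadm re-signed, not the CA that signed them. The Go program below is an added example (not from the original post and not kubeadm code): it builds a constructed 10-year CA and a 100-year leaf and shows that the chain stops verifying once the CA expires. It assumes the cluster CA was created with stock kubeadm's 10-year validity and is not re-issued by the renewal; the helper names `issue` and `usableAt` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const duration365d = time.Hour * 24 * 365 // same constant name as in cert.go

// issue builds a constructed test cert; a nil parent means self-signed CA (hypothetical helper).
func issue(cn string, years int64, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	now := time.Now()
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: now.UTC(), NotAfter: now.Add(duration365d * time.Duration(years)).UTC(),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil { // self-signed CA: it signs itself and may sign other certificates
		t.IsCA, t.KeyUsage, parent, pkey = true, t.KeyUsage|x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// usableAt reports whether leaf still chains to ca when verified at time at.
func usableAt(leaf, ca *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	ca, caKey := issue("kubernetes", 10, nil, nil)     // constructed CA, 10 years
	leaf, _ := issue("kube-apiserver", 100, ca, caKey) // leaf with the patched validity
	fmt.Println("leaf NotAfter:", leaf.NotAfter, "CA NotAfter:", ca.NotAfter,
		"valid in 9y:", usableAt(leaf, ca, time.Now().Add(9*duration365d)),
		"valid in 11y:", usableAt(leaf, ca, time.Now().Add(11*duration365d)))
}
```

On a real node the CA's own expiry can be read with `openssl x509 -noout -enddate -in /tmp/pki/ca.crt` against the backup copy made earlier, or against the live file under /etc/kubernetes/pki/.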
