kubeadm 默认签发的证书有效期为一年，证书过期后 API Server 将不可用，使用时会报错：x509: certificate has expired or is not yet valid。

查看集群版本信息

# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.3", GitCommit:"1e11e4a2108024935ecfcb2912226cedeafd99df", GitTreeState:"clean", BuildDate:"2020-10-14T12:47:53Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}

查看集群证书过期时间

# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb 06, 2022 08:13 UTC 346d no
apiserver Feb 06, 2022 08:12 UTC 346d ca no
apiserver-etcd-client Feb 06, 2022 08:12 UTC 346d etcd-ca no
apiserver-kubelet-client Feb 06, 2022 08:12 UTC 346d ca no
controller-manager.conf Feb 06, 2022 08:13 UTC 346d no
etcd-healthcheck-client Nov 06, 2021 09:50 UTC 254d etcd-ca no
etcd-peer Nov 06, 2021 09:50 UTC 254d etcd-ca no
etcd-server Nov 06, 2021 09:50 UTC 254d etcd-ca no
front-proxy-client Feb 06, 2022 08:12 UTC 346d front-proxy-ca no
scheduler.conf Feb 06, 2022 08:13 UTC 346d no

CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Nov 04, 2030 09:50 UTC 9y no
etcd-ca Nov 04, 2030 09:50 UTC 9y no
front-proxy-ca Nov 04, 2030 09:50 UTC 9y no

下载源码

# git clone https://github.com/kubernetes/kubernetes.git
# cd kubernetes/
检出与当前集群相同版本的 kubernetes 源码
# git checkout v1.19.3

修改代码

# vim cmd/kubeadm/app/constants/constants.go
const (
// KubernetesDir is the directory Kubernetes owns for storing various configuration files
KubernetesDir = "/etc/kubernetes"
// ManifestsSubDirName defines directory name to store manifests
ManifestsSubDirName = "manifests"
// TempDirForKubeadm defines temporary directory for kubeadm
// should be joined with KubernetesDir.
TempDirForKubeadm = "tmp"

// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
CertificateValidity = time.Hour * 24 * 365 * 100 // 添加 * 100,修改成100年

安装go环境

# wget https://dl.google.com/go/go1.15.3.linux-amd64.tar.gz
# tar xf go1.15.3.linux-amd64.tar.gz
# cp -rf go /usr/local/
# cat >> /etc/profile <<'EOF'
export PATH=$PATH:/usr/local/go/bin
EOF
（这里使用带引号的 'EOF'，使 $PATH 在每次登录时展开，而不是在写入 /etc/profile 时被固定为当时的值）
# source /etc/profile
# go version
go version go1.15.3 linux/amd64

编译源码

这里只需编译 kubeadm 即可：
# make WHAT=cmd/kubeadm GOFLAGS=-v
编译产物位于 _output/bin/ 目录下：
# ./_output/bin/kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.3", GitCommit:"1e11e4a2108024935ecfcb2912226cedeafd99df", GitTreeState:"clean", BuildDate:"2021-02-25T05:41:59Z", GoVersion:"go1.15.3", Compiler:"gc", Platform:"linux/amd64"}

备份 kubeadm 与证书（/etc/kubernetes 中包含集群 CA 及各组件的私钥，备份目录应限制访问权限）

# mkdir bak
# cp -fr /etc/kubernetes ./bak/
# cp /usr/bin/kubeadm ./bak/

替换 kubeadm 并重新生成证书

# cp _output/bin/kubeadm /usr/bin/
cp: overwrite ‘/usr/bin/kubeadm’? y
[root@zzmaster ~]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.3", GitCommit:"1e11e4a2108024935ecfcb2912226cedeafd99df", GitTreeState:"clean", BuildDate:"2021-02-25T05:41:59Z", GoVersion:"go1.15.3", Compiler:"gc", Platform:"linux/amd64"}
生成新的证书（注意：renew 只更新磁盘上的证书文件，apiserver、controller-manager、scheduler、etcd 等控制平面组件需要重启后才会加载新证书；若本机 ~/.kube/config 是由 admin.conf 复制而来，也需要重新复制一份）
# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

验证证书是否更新。注意下方输出中三个 CA（ca、etcd-ca、front-proxy-ca）的有效期仍然是 2030 年 11 月 04 日：上面修改的 CertificateValidity 只影响由 CA 签发的叶子证书，一旦签发它们的 CA 过期，这些 99 年的证书同样无法通过校验，因此 2030 年之前仍需轮换 CA。另外，超长有效期意味着密钥一旦泄露，证书不会自然失效，只能依靠手动轮换来止损，使用前应权衡这一风险。

# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb 01, 2121 05:54 UTC 99y no
apiserver Feb 01, 2121 05:54 UTC 99y ca no
apiserver-etcd-client Feb 01, 2121 05:54 UTC 99y etcd-ca no
apiserver-kubelet-client Feb 01, 2121 05:54 UTC 99y ca no
controller-manager.conf Feb 01, 2121 05:54 UTC 99y no
etcd-healthcheck-client Feb 01, 2121 05:54 UTC 99y etcd-ca no
etcd-peer Feb 01, 2121 05:54 UTC 99y etcd-ca no
etcd-server Feb 01, 2121 05:54 UTC 99y etcd-ca no
front-proxy-client Feb 01, 2121 05:54 UTC 99y front-proxy-ca no
scheduler.conf Feb 01, 2121 05:54 UTC 99y no

CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Nov 04, 2030 09:50 UTC 9y no
etcd-ca Nov 04, 2030 09:50 UTC 9y no
front-proxy-ca Nov 04, 2030 09:50 UTC 9y no