证书有效期查看过程
[root@k8s-master kibana]# cd /etc/kubernetes/pki/
[root@k8s-master pki]# ls
apiserver.crt apiserver-etcd-client.key apiserver-kubelet-client.crt ca.crt etcd front-proxy-ca.key front-proxy-client.key sa.pub
apiserver-etcd-client.crt apiserver.key apiserver-kubelet-client.key ca.key front-proxy-ca.crt front-proxy-client.crt sa.key
[root@k8s-master pki]# openssl x509 -in ca.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Nov 23 06:21:35 2019 GMT
Not After : Nov 20 06:21:35 2029 GMT
Subject: CN=kubernetes
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ba:a3:a3:9e:35:c2:93:59:e3:62:32:4b:85:17:
50:eb:69:7e:0c:52:df:bb:c5:a3:de:43:da:84:28:
92:dc:e3:13:d8:59:7a:d9:1d:84:35:77:27:6e:b6:
39:58:7d:b3:2b:04:51:8d:29:ff:de:c0:f8:4f:03:
7b:1e:39:2a:77:e6:a8:00:19:76:51:b7:86:ae:d3:
e6:c1:87:b7:1f:f3:3f:cd:70:56:cf:61:c5:fe:12:
72:10:88:46:cb:42:52:b3:b1:90:4a:f0:56:2b:bc:
14:eb:0d:fa:d1:0f:b2:dd:d3:80:96:98:6c:5c:f7:
f3:3a:4a:d0:df:3b:eb:d2:e2:c0:b6:95:99:03:1c:
6f:4e:ff:9f:69:36:ba:f6:e2:a2:7e:d2:ea:79:44:
56:54:bb:c9:0e:9f:a2:e1:1a:a1:25:0b:52:b1:26:
e7:ae:40:f2:6b:b6:86:5a:22:49:23:48:95:b4:01:
25:5f:3f:9a:5c:e8:a7:84:1d:29:1c:6f:7d:8b:76:
4b:7b:aa:a9:89:68:7a:76:1d:58:e3:c0:00:2a:56:
cc:99:fc:92:45:31:04:ef:31:26:bc:c4:88:61:e6:
50:e5:f3:ef:90:a6:17:97:e5:80:e4:0f:b6:07:9d:
99:62:5a:29:e8:24:bc:64:ac:97:b4:e9:db:c2:af:
ef:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
b7:e9:3f:a8:d6:5a:d0:9d:94:07:c2:05:75:78:f5:e2:e5:20:
55:11:c9:59:ac:36:cd:7a:b8:2c:50:41:b3:90:2c:d1:cc:a7:
ed:d6:a1:92:ec:ca:5d:b1:92:ac:06:92:bb:8b:a0:6d:a8:a5:
62:f9:69:be:c5:9d:89:59:26:96:bd:40:9d:76:89:ce:b0:79:
ed:2e:bd:be:f4:1c:b4:5f:73:c5:b6:12:9f:9b:96:05:3c:9e:
ae:73:30:59:27:94:74:bd:9c:49:39:3d:f1:64:ab:84:f7:65:
3c:59:75:26:d7:7b:0c:4f:51:19:7e:34:b5:d5:56:08:cd:70:
50:dd:3e:9b:f4:b2:b9:de:ac:b8:4b:ee:a5:98:60:61:07:10:
dc:64:03:ad:0e:9e:cd:0a:21:93:19:43:36:9b:43:85:69:5e:
19:af:08:b8:4f:76:67:55:2f:d1:9b:b1:97:2a:3d:05:99:0f:
da:36:dd:a7:c3:1e:1c:4d:4e:0d:ef:06:75:ff:f0:85:66:f0:
d3:b9:6b:94:0f:f6:2c:73:44:15:60:1b:39:ac:86:bd:b2:e7:
f5:dd:6a:a9:b7:d8:57:d5:66:cd:51:d4:15:11:cd:e7:70:92:
ab:2c:ab:24:4a:82:1a:9e:3e:97:4b:43:39:c8:9a:32:5c:49:
0d:db:19:c2
[root@k8s-master pki]# openssl x509 -in ca.crt -text -noout |grep GMT
Not Before: Nov 23 06:21:35 2019 GMT
Not After : Nov 20 06:21:35 2029 GMT
[root@k8s-master pki]# openssl x509 -in apiserver -text -noout |grep GMT
apiserver.crt apiserver-etcd-client.crt apiserver-etcd-client.key apiserver.key apiserver-kubelet-client.crt apiserver-kubelet-client.key
[root@k8s-master pki]# openssl x509 -in apiserver.crt -text -noout |grep GMT
Not Before: Nov 23 06:21:35 2019 GMT
Not After : Nov 22 06:21:36 2020 GMT
[root@k8s-master pki]# openssl x509 -in apiserver-etcd-client.crt -text -noout |grep GMT
Not Before: Nov 23 06:21:37 2019 GMT
Not After : Nov 22 06:21:38 2020 GMT
## 通过修改 kubeadm 源码,使各个组件证书有效期达到十年期限
通过上面的操作可以看到,CA 证书的有效期为十年,其它组件证书的有效期为一年。下面我们通过修改 kubeadm 源码,让各组件证书的有效期也变为十年。需要注意,把组件证书延长到十年会放大私钥泄露后的暴露窗口,生产环境更稳妥的做法是保留默认的一年有效期并用 `kubeadm alpha certs renew` 定期轮换。
1、go 环境部署
[root@k8s-master data]# wget https://dl.google.com/go/go1.12.5.linux-amd64.tar.gz
--2019-12-09 19:45:42-- https://dl.google.com/go/go1.12.5.linux-amd64.tar.gz
正在解析主机 dl.google.com (dl.google.com)... 172.217.161.174, 2404:6800:4005:80f::200e
正在连接 dl.google.com (dl.google.com)|172.217.161.174|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:120074076 (115M) [application/octet-stream]
正在保存至: “go1.12.5.linux-amd64.tar.gz”
100%[=====================================================================================================================================================>] 120,074,076 3.29MB/s 用时 35s
2019-12-09 19:46:22 (3.28 MB/s) - 已保存 “go1.12.5.linux-amd64.tar.gz” [120074076/120074076])
[root@k8s-master data]# ls
go1.13.5.linux-amd64.tar.gz nginx.file
[root@k8s-master data]# tar -zxf go1.13.5.linux-amd64.tar.gz -C /usr/local/
[root@k8s-master data]# cd /usr/local/go
[root@k8s-master go]# ls
api AUTHORS bin CONTRIBUTING.md CONTRIBUTORS doc favicon.ico lib LICENSE misc PATENTS pkg README.md robots.txt SECURITY.md src test VERSION
[root@k8s-master go]# cd /etc/profile.d/
[root@k8s-master profile.d]# vim go.sh
export PATH=$PATH:/usr/local/go/bin
[root@k8s-master profile.d]# source go.sh
[root@k8s-master profile.d]# go version
go version go1.12.5 linux/amd64
2、下载源码
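# Fetch the Kubernetes sources and check out the v1.15.1 tag.
# The clone creates /data/kubernetes; the checkout below, and the later
# `vim`/`make` steps that use repo-relative paths, must run inside that
# directory, not in /data.
cd /data && git clone https://github.com/kubernetes/kubernetes.git
cd /data/kubernetes && git checkout -b remotes/origin/release-1.15.1 v1.15.1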
3、修改 kubeadm 源码,更新证书有效期策略
vim staging/src/k8s.io/client-go/util/cert/cert.go # kubeadm 1.14 版本之前
vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go # kubeadm 1.14 至今
const duration3650d = time.Hour * 24 * 365 * 10
NotAfter: time.Now().Add(duration3650d).UTC(),
# Build only the kubeadm binary from the patched tree (run from the repo root);
# GOFLAGS=-v makes the Go toolchain print each package as it compiles.
make WHAT=cmd/kubeadm GOFLAGS=-v
# Park the patched binary outside the tree until it is swapped in.
cp _output/bin/kubeadm /root/kubeadm-new
4、更新kubeadm
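# Swap in the patched kubeadm, keeping the packaged binary as a backup.
cp -- /usr/bin/kubeadm /usr/bin/kubeadm.old
# The destination must be /usr/bin/kubeadm itself; a misspelled target leaves
# the original binary in place and the renewal step still issues one-year certs.
cp -- /root/kubeadm-new /usr/bin/kubeadm
chmod a+x /usr/bin/kubeadm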
5、在 Master 节点上更新证书(更新后需重启控制平面静态 Pod,组件才会加载新证书)
[root@k8s-master root]# cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old
[root@k8s-master root]# kubeadm alpha certs renew all --config=/usr/local/install-k8s/core/kubeadm-config.yaml
[root@k8s-master root]# cd /etc/kubernetes/pki/
[root@k8s-master pki]# openssl x509 -in apiserver.crt -text -noout |grep GMT
# 第三步修改 pki_helpers.go 文件,共两处:一处新增一个常量定义,一处把 NotAfter 改为使用该常量
源文件部分内容
// NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
if err != nil {
return nil, err
}
if len(cfg.CommonName) == 0 {
return nil, errors.New("must specify a CommonName")
}
if len(cfg.Usages) == 0 {
return nil, errors.New("must specify at least one ExtKeyUsage")
}
certTmpl := x509.Certificate{
Subject: pkix.Name{
CommonName: cfg.CommonName,
Organization: cfg.Organization,
},
DNSNames: cfg.AltNames.DNSNames,
IPAddresses: cfg.AltNames.IPs,
SerialNumber: serial,
NotBefore: caCert.NotBefore,
NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: cfg.Usages,
# 源文件修改后对应的内容
## 553 行下新增下面一行(行尾的 `# ...` 仅为说明,Go 注释以 // 开头,不要把它粘贴进源文件)
const duration3650d = time.Hour * 24 * 365 * 10 # 新增内容
## 575 行修改为下面这行:把 kubeadmconstants.CertificateValidity 替换为 duration3650d
NotAfter: time.Now().Add(duration3650d).UTC(), # 修改内容
# 重新生成证书的过程出错了,暂时没有解决(下方输出中的 W... 行只是警告:kubeadm-config.yaml 里 Kind 为 kubeProxyConfiguration 的 YAML 文档被忽略,疑似 Kind 大小写写错;每个证书都打印了 renewed)
[root@k8s-master kubernetes]# kubeadm alpha certs renew all --config=/usr/local/install-k8s/core/kubeadm-config.yaml
W1209 23:37:01.036404 131629 strict.go:47] unknown configuration schema.GroupVersionKind{Group:"kubeproxy.config.k8s.io", Version:"v1alpha1", Kind:"kubeProxyConfiguration"} for scheme definitions in "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme/scheme.go:31" and "k8s.io/kubernetes/cmd/kubeadm/app/componentconfigs/scheme.go:28"
[config] WARNING: Ignored YAML document with GroupVersionKind kubeproxy.config.k8s.io/v1alpha1, Kind=kubeProxyConfiguration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
W1209 23:37:01.261703 131629 strict.go:47] unknown configuration schema.GroupVersionKind{Group:"kubeproxy.config.k8s.io", Version:"v1alpha1", Kind:"kubeProxyConfiguration"} for scheme definitions in "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme/scheme.go:31" and "k8s.io/kubernetes/cmd/kubeadm/app/componentconfigs/scheme.go:28"
[config] WARNING: Ignored YAML document with GroupVersionKind kubeproxy.config.k8s.io/v1alpha1, Kind=kubeProxyConfiguration
certificate for serving the Kubernetes API renewed
W1209 23:37:01.567656 131629 strict.go:47] unknown configuration schema.GroupVersionKind{Group:"kubeproxy.config.k8s.io", Version:"v1alpha1", Kind:"kubeProxyConfiguration"} for scheme definitions in "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme/scheme.go:31" and "k8s.io/kubernetes/cmd/kubeadm/app/componentconfigs/scheme.go:28"
[config] WARNING: Ignored YAML document with GroupVersionKind kubeproxy.config.k8s.io/v1alpha1, Kind=kubeProxyConfiguration
certificate the apiserver uses to access etcd renewed
W1209 23:37:01.993097 131629 strict.go:47] unknown configuration schema.GroupVersionKind{Group:"kubeproxy.config.k8s.io", Version:"v1alpha1", Kind:"kubeProxyConfiguration"} for scheme definitions in "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme/scheme.go:31" and "k8s.io/kubernetes/cmd/kubeadm/app/componentconfigs/scheme.go:28"
[config] WARNING: Ignored YAML document with GroupVersionKind kubeproxy.config.k8s.io/v1alpha1, Kind=kubeProxyConfiguration
certificate for the API server to connect to kubelet renewed
W1209 23:37:02.339585 131629 strict.go:47] unknown configuration schema.GroupVersionKind{Group:"kubeproxy.config.k8s.io", Version:"v1alpha1", Kind:"kubeProxyConfiguration"} for scheme definitions in "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme/scheme.go:31" and "k8s.io/kubernetes/cmd/kubeadm/app/componentconfigs/scheme.go:28"
[config] WARNING: Ignored YAML document with GroupVersionKind kubeproxy.config.k8s.io/v1alpha1, Kind=kubeProxyConfiguration
certificate embedded in the kubeconfig file for the controller manager to use renewed
W1209 23:37:02.801822 131629 strict.go:47] unknown configuration schema.GroupVersionKind{Group:"kubeproxy.config.k8s.io", Version:"v1alpha1", Kind:"kubeProxyConfiguration"} for scheme definitions in "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme/scheme.go:31" and "k8s.io/kubernetes/cmd/kubeadm/app/componentconfigs/scheme.go:28"
[config] WARNING: Ignored YAML document with GroupVersionKind kubeproxy.config.k8s.io/v1alpha1, Kind=kubeProxyConfiguration
certificate for liveness probes to healtcheck etcd renewed
W1209 23:37:03.290392 131629 strict.go:47] unknown configuration schema.GroupVersionKind{Group:"kubeproxy.config.k8s.io", Version:"v1alpha1", Kind:"kubeProxyConfiguration"} for scheme definitions in "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme/scheme.go:31" and "k8s.io/kubernetes/cmd/kubeadm/app/componentconfigs/scheme.go:28"
[config] WARNING: Ignored YAML document with GroupVersionKind kubeproxy.config.k8s.io/v1alpha1, Kind=kubeProxyConfiguration
certificate for etcd nodes to communicate with each other renewed
W1209 23:37:03.698894 131629 strict.go:47] unknown configuration schema.GroupVersionKind{Group:"kubeproxy.config.k8s.io", Version:"v1alpha1", Kind:"kubeProxyConfiguration"} for scheme definitions in "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme/scheme.go:31" and "k8s.io/kubernetes/cmd/kubeadm/app/componentconfigs/scheme.go:28"
[config] WARNING: Ignored YAML document with GroupVersionKind kubeproxy.config.k8s.io/v1alpha1, Kind=kubeProxyConfiguration
certificate for serving etcd renewed
W1209 23:37:04.050365 131629 strict.go:47] unknown configuration schema.GroupVersionKind{Group:"kubeproxy.config.k8s.io", Version:"v1alpha1", Kind:"kubeProxyConfiguration"} for scheme definitions in "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme/scheme.go:31" and "k8s.io/kubernetes/cmd/kubeadm/app/componentconfigs/scheme.go:28"
[config] WARNING: Ignored YAML document with GroupVersionKind kubeproxy.config.k8s.io/v1alpha1, Kind=kubeProxyConfiguration
certificate for the front proxy client renewed
W1209 23:37:04.625243 131629 strict.go:47] unknown configuration schema.GroupVersionKind{Group:"kubeproxy.config.k8s.io", Version:"v1alpha1", Kind:"kubeProxyConfiguration"} for scheme definitions in "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme/scheme.go:31" and "k8s.io/kubernetes/cmd/kubeadm/app/componentconfigs/scheme.go:28"
[config] WARNING: Ignored YAML document with GroupVersionKind kubeproxy.config.k8s.io/v1alpha1, Kind=kubeProxyConfiguration
certificate embedded in the kubeconfig file for the scheduler manager to use renewed