免责声明:延长证书有效期期限将降低PKI的安全性,请勿在需要保证生产安全的场合使用该方法。
长话短说
Git仓库:kubernetes/kubernetes
$ git clone https://github.com/kubernetes/kubernetes.git $ cd kubernetes # 编辑源码 $ git checkout release-1.15 $ vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go $ git diff --- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go +++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go @@ -571,7 +571,7 @@ func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certifi IPAddresses: cfg.AltNames.IPs, SerialNumber: serial, NotBefore: caCert.NotBefore, - NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC(), + NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity * 100).UTC(), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, ExtKeyUsage: cfg.Usages, # 编译二进制 $ go version go version go1.12.7 linux/amd64 $ go build ./cmd/kubeadm # 使用二进制更新证书 $ ./kubeadm alpha certs renew all certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed certificate for serving the Kubernetes API renewed certificate the apiserver uses to access etcd renewed certificate for the API server to connect to kubelet renewed certificate embedded in the kubeconfig file for the controller manager to use renewed certificate for liveness probes to healtcheck etcd renewed certificate for etcd nodes to communicate with each other renewed certificate for serving etcd renewed certificate for the front proxy client renewed certificate embedded in the kubeconfig file for the scheduler manager to use renewed # 检查新证书期限 $ cfssl-certinfo -cert /etc/kubernetes/pki/apiserver.crt|grep not "not_before": "2019-08-28T02:04:17Z", "not_after": "2119-08-04T03:52:33Z",
请问集群环境是不是全部集群机器都要这样操作?
kubeadm的证书续期范围只包括apiserver,etcd等master核心组件通信依赖的证书,所以只有master需要,对于只运行了kubelet的工作node,通常是使用kubelet的证书轮换功能自动去apiserver更新证书。
证书轮换功能自动去apiserver更新证书,自动更新证书是否会影响上面的业务呢?