Kubernetes (K8S): Changing the SSL Certificate Validity Period

How to change the validity period of the Kubernetes SSL certificates

I. Host configuration plan


II. Why change the certificate validity period

The certificates that Kubernetes generates by default are valid for 1 year, so they must be renewed every year. For a real production environment that is clearly inconvenient, so we change the validity period of the Kubernetes SSL certificates.

Checking the certificate validity period

[root@k8s-master pki]# pwd
/etc/kubernetes/pki
[root@k8s-master pki]# ll
total 56
-rw-r--r-- 1 root root 1224 May 12 15:51 apiserver.crt
-rw-r--r-- 1 root root 1090 May 12 15:51 apiserver-etcd-client.crt
-rw------- 1 root root 1675 May 12 15:51 apiserver-etcd-client.key
-rw------- 1 root root 1675 May 12 15:51 apiserver.key
-rw-r--r-- 1 root root 1099 May 12 15:51 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 May 12 15:51 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 May 12 15:51 ca.crt
-rw------- 1 root root 1675 May 12 15:51 ca.key
drwxr-xr-x 2 root root  162 May 12 15:51 etcd
-rw-r--r-- 1 root root 1038 May 12 15:51 front-proxy-ca.crt
-rw------- 1 root root 1675 May 12 15:51 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 May 12 15:51 front-proxy-client.crt
-rw------- 1 root root 1675 May 12 15:51 front-proxy-client.key
-rw------- 1 root root 1679 May 12 15:51 sa.key
-rw------- 1 root root  451 May 12 15:51 sa.pub
[root@k8s-master pki]#
[root@k8s-master pki]# for i in $(ls *.crt); do echo "===== $i ====="; openssl x509 -in $i -text -noout | grep -A 3 'Validity' ; done
===== apiserver.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : May 12 07:51:36 2021 GMT
        Subject: CN=kube-apiserver
===== apiserver-etcd-client.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : May 12 07:51:38 2021 GMT
        Subject: O=system:masters, CN=kube-apiserver-etcd-client
===== apiserver-kubelet-client.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : May 12 07:51:37 2021 GMT
        Subject: O=system:masters, CN=kube-apiserver-kubelet-client
===== ca.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : May 10 07:51:36 2030 GMT
        Subject: CN=kubernetes
===== front-proxy-ca.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : May 10 07:51:37 2030 GMT
        Subject: CN=front-proxy-ca
===== front-proxy-client.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : May 12 07:51:37 2021 GMT
        Subject: CN=front-proxy-client
[root@k8s-master pki]#

As shown above, apart from the CA root certificates, every certificate is valid for 1 year.

III. Changing the certificate validity period

1. Deploying the Go environment

Go language Chinese site (studygolang)

https://studygolang.com/  


Download from the Linux command line

[root@k8s-master software]# wget https://studygolang.com/dl/golang/go1.14.6.linux-amd64.tar.gz
[root@k8s-master software]# tar xf go1.14.6.linux-amd64.tar.gz -C /usr/local/
[root@k8s-master software]# vim /etc/profile
# Append the following at the end of the file
# Go environment variable
export PATH=$PATH:/usr/local/go/bin
[root@k8s-master software]# source /etc/profile

2. Downloading the Kubernetes source and changing the certificate policy

Current k8s version

[root@k8s-master software]# kubectl version
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T21:03:42Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T20:55:23Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}

Download the source that matches the running k8s version


Steps

[root@k8s-master software]# wget https://github.com/kubernetes/kubernetes/archive/v1.17.4.tar.gz
[root@k8s-master software]# tar xf v1.17.4.tar.gz && cd kubernetes-1.17.4
[root@k8s-master kubernetes-1.17.4]# vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
………………
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
        // Added line: validity period of 100 years
        const effectyear = time.Hour * 24 * 365 * 100

        serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
        if err != nil {
                return nil, err
        }
        if len(cfg.CommonName) == 0 {
                return nil, errors.New("must specify a CommonName")
        }
        if len(cfg.Usages) == 0 {
                return nil, errors.New("must specify at least one ExtKeyUsage")
        }

        certTmpl := x509.Certificate{
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                DNSNames:     cfg.AltNames.DNSNames,
                IPAddresses:  cfg.AltNames.IPs,
                SerialNumber: serial,
                NotBefore:    caCert.NotBefore,
                // NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
                NotAfter:     time.Now().Add(effectyear).UTC(),   // modified line
                KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
                ExtKeyUsage:  cfg.Usages,
        }
[root@k8s-master kubernetes-1.17.4]#
# Note the working directory
[root@k8s-master kubernetes-1.17.4]# make WHAT=cmd/kubeadm GOFLAGS=-v
# Copy the rebuilt kubeadm to the chosen location
[root@k8s-master kubernetes-1.17.4]# cp -a _output/bin/kubeadm /root/kubeadm-new

3. Replacing kubeadm and backing up the original certificates

# Replace kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_20200725
mv /root/kubeadm-new /usr/bin/kubeadm
chmod 755 /usr/bin/kubeadm
# Back up the original certificates
cp -a /etc/kubernetes/pki/ /etc/kubernetes/pki_20200725

4. Renewing the certificates

Proceed as follows:

# Renew the certificates
[root@k8s-master ~]# kubeadm alpha certs renew all --config=/root/k8s_install/kubeadm-config.yaml
# Check the validity of the new certificates
[root@k8s-master ~]# cd /etc/kubernetes/pki
[root@k8s-master pki]# ll
total 56
-rw-r--r-- 1 root root 1224 Jul 25 18:44 apiserver.crt
-rw-r--r-- 1 root root 1094 Jul 25 18:44 apiserver-etcd-client.crt
-rw------- 1 root root 1675 Jul 25 18:44 apiserver-etcd-client.key
-rw------- 1 root root 1679 Jul 25 18:44 apiserver.key
-rw-r--r-- 1 root root 1103 Jul 25 18:44 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Jul 25 18:44 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 May 12 15:51 ca.crt
-rw------- 1 root root 1675 May 12 15:51 ca.key
drwxr-xr-x 2 root root  162 May 12 15:51 etcd
-rw-r--r-- 1 root root 1038 May 12 15:51 front-proxy-ca.crt
-rw------- 1 root root 1675 May 12 15:51 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 Jul 25 18:44 front-proxy-client.crt
-rw------- 1 root root 1679 Jul 25 18:44 front-proxy-client.key
-rw------- 1 root root 1679 May 12 15:51 sa.key
-rw------- 1 root root  451 May 12 15:51 sa.pub
[root@k8s-master pki]#
[root@k8s-master pki]# for i in $(ls *.crt); do echo "===== $i ====="; openssl x509 -in $i -text -noout | grep -A 3 'Validity' ; done
===== apiserver.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : Jul  1 10:44:20 2120 GMT
        Subject: CN=kube-apiserver
===== apiserver-etcd-client.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : Jul  1 10:44:20 2120 GMT
        Subject: O=system:masters, CN=kube-apiserver-etcd-client
===== apiserver-kubelet-client.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : Jul  1 10:44:20 2120 GMT
        Subject: O=system:masters, CN=kube-apiserver-kubelet-client
===== ca.crt =====
        Validity
            Not Before: May 12 07:51:36 2020 GMT
            Not After : May 10 07:51:36 2030 GMT
        Subject: CN=kubernetes
===== front-proxy-ca.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : May 10 07:51:37 2030 GMT
        Subject: CN=front-proxy-ca
===== front-proxy-client.crt =====
        Validity
            Not Before: May 12 07:51:37 2020 GMT
            Not After : Jul  1 10:44:22 2120 GMT
        Subject: CN=front-proxy-client

As shown above, apart from the CA root certificates, the validity of every certificate has been changed to 100 years.
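As an added example (not code from the original post or from kubeadm), the following Go program does what the openssl loop above does: it reads every *.crt under kubeadm's default certificatesDir /etc/kubernetes/pki and reports the whole days of validity remaining, so the same check can run before and after the renewal. The SelfSignedPEM helper is constructed test data that computes NotAfter the way the patched NewSignedCert does (now + validity) so the checker can be exercised without cluster files.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// DaysLeft parses one PEM certificate and returns the whole days of validity
// remaining at "now" (negative once the certificate has expired).
func DaysLeft(pemBytes []byte, now time.Time) (int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

// SelfSignedPEM is constructed test data, not kubeadm code: a throwaway
// self-signed certificate whose NotAfter is computed like the patched
// NewSignedCert (now + validity), so DaysLeft can be exercised offline.
func SelfSignedPEM(validity time.Duration, now time.Time) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(validity).UTC()}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// main reports every *.crt under kubeadm's default certificatesDir (assumed path).
func main() {
	files, _ := filepath.Glob("/etc/kubernetes/pki/*.crt")
	for _, f := range files {
		data, _ := os.ReadFile(f)
		days, err := DaysLeft(data, time.Now())
		fmt.Printf("%-32s %6d days left  err=%v\n", filepath.Base(f), days, err)
	}
}
```

A negative day count flags a certificate the openssl loop would show as already past its Not After date; a wiring into a cron job or monitoring check is the natural next step.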

The kubeadm-config.yaml file is shown below

[root@k8s-master k8s_install]# pwd
/root/k8s_install
[root@k8s-master k8s_install]# kubeadm config print init-defaults > kubeadm-config.yaml
# edited as appropriate
[root@k8s-master k8s_install]# cat kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  # Change to this host's internal IP
  advertiseAddress: 172.16.1.110
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: k8s-master
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
# The version deployed here is v1.17.4
kubernetesVersion: v1.17.4
networking:
  dnsDomain: cluster.local
  # Added line: the pod network IP range, because flannel uses this subnet
  podSubnet: 10.244.0.0/16
  # The default is fine; no change needed. Optional IP range for service VIPs, default 10.96.0.0/12
  serviceSubnet: 10.96.0.0/12
scheduler: {}
---
# Added section: switch the proxy mode from the default to ipvs (not needed if ipvs was not set up during the initialization above)
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
  SupportIPVSProxyMode: true
mode: ipvs

Done!

Original source: zhangblog -> http://www.zhangblog.com/2020/08/02/kubernetes03/
