Notes

Only the master (control-plane) nodes need the certificate renewal; worker nodes do not!!!

1. Renew the certificates for one year

1. Check the certificate expiry dates
   kubeadm certs check-expiration
2. Back up the existing certificates
   cp -rp /etc/kubernetes/pki/ /opt/pki.bak
3. Renew the certificates
   kubeadm certs renew all
4. Restart kubelet
   systemctl restart kubelet.service

2. Renew the certificates for 99 years

2.1 Check the current certificate expiry dates

# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 30, 2024 09:55 UTC   364d            ca                      no      
apiserver                  Apr 30, 2024 09:55 UTC   364d            ca                      no      
apiserver-etcd-client      Apr 30, 2024 09:55 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Apr 30, 2024 09:55 UTC   364d            ca                      no      
controller-manager.conf    Apr 30, 2024 09:55 UTC   364d            ca                      no      
etcd-healthcheck-client    Apr 30, 2024 09:55 UTC   364d            etcd-ca                 no      
etcd-peer                  Apr 30, 2024 09:55 UTC   364d            etcd-ca                 no      
etcd-server                Apr 30, 2024 09:55 UTC   364d            etcd-ca                 no      
front-proxy-client         Apr 30, 2024 09:55 UTC   364d            front-proxy-ca          no      
scheduler.conf             Apr 30, 2024 09:55 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 26, 2033 10:55 UTC   9y              no      
etcd-ca                 Apr 26, 2033 10:55 UTC   9y              no      
front-proxy-ca          Apr 26, 2033 10:55 UTC   9y              no 

As the output shows, the certificates are valid for one year.

2.2 Download the Kubernetes source
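To automate that check, here is an added Go example (not part of the original post and not kubeadm code) that parses the plain-text output of kubeadm certs check-expiration as shown above, lists the certificates expiring within an alert window, and also flags leaf certificates whose expiry is later than that of their issuing CA, which is exactly what the 99-year renewal in section 2.9 produces. The sample output is constructed from the table above with rows trimmed; the function and type names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// kubeadmDateLayout matches the EXPIRES column of `kubeadm certs check-expiration`.
const kubeadmDateLayout = "Jan 02, 2006 15:04 MST"

// CertExpiry is one row from either table printed by check-expiration.
type CertExpiry struct {
	Name    string
	Expires time.Time
	CA      string // issuing CA for leaf rows, empty for CA rows
	IsCA    bool
}

// ParseCheckExpiration parses the plain-text output of `kubeadm certs check-expiration`:
// the first table lists leaf certificates with their issuing CA, the second the CAs.
func ParseCheckExpiration(out string) ([]CertExpiry, error) {
	var rows []CertExpiry
	inCATable := false
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "[") || strings.HasPrefix(line, "CERTIFICATE ") {
			// blank line, "[check-expiration] ..." log line, or a table header;
			// the "CERTIFICATE AUTHORITY" header marks the start of the CA table
			inCATable = inCATable || strings.HasPrefix(line, "CERTIFICATE AUTHORITY")
			continue
		}
		// NAME  Mon DD, YYYY HH:MM UTC  RESIDUAL  [CA]  [EXTERNALLY MANAGED]
		f := strings.Fields(line)
		if len(f) < 7 || (!inCATable && len(f) < 8) {
			return nil, fmt.Errorf("unexpected row: %q", line)
		}
		expires, err := time.Parse(kubeadmDateLayout, strings.Join(f[1:6], " "))
		if err != nil {
			return nil, fmt.Errorf("row %q: %w", line, err)
		}
		row := CertExpiry{Name: f[0], Expires: expires, IsCA: inCATable}
		if !inCATable {
			row.CA = f[7]
		}
		rows = append(rows, row)
	}
	return rows, sc.Err()
}

// ExpiringWithin lists certificates (leaf and CA) that expire within window of now, in table order.
func ExpiringWithin(rows []CertExpiry, now time.Time, window time.Duration) []string {
	var names []string
	for _, r := range rows {
		if !r.Expires.After(now.Add(window)) {
			names = append(names, r.Name)
		}
	}
	return names
}

// OutlivingCA lists leaf certificates whose expiry is later than their issuing CA's;
// such a leaf stops verifying on the CA's expiry date, whatever its own NotAfter says.
func OutlivingCA(rows []CertExpiry) []string {
	caExpiry := map[string]time.Time{}
	for _, r := range rows {
		if r.IsCA {
			caExpiry[r.Name] = r.Expires
		}
	}
	var names []string
	for _, r := range rows {
		if caExp, ok := caExpiry[r.CA]; !r.IsCA && ok && r.Expires.After(caExp) {
			names = append(names, r.Name)
		}
	}
	return names
}

// sampleOutput is constructed from the section 2.1 output (rows trimmed), not captured live.
const sampleOutput = `[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 30, 2024 09:55 UTC   364d            ca                      no
apiserver-etcd-client      Apr 30, 2024 09:55 UTC   364d            etcd-ca                 no
front-proxy-client         Apr 30, 2024 09:55 UTC   364d            front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 26, 2033 10:55 UTC   9y              no
etcd-ca                 Apr 26, 2033 10:55 UTC   9y              no
front-proxy-ca          Apr 26, 2033 10:55 UTC   9y              no
`

func main() {
	rows, err := ParseCheckExpiration(sampleOutput)
	if err != nil {
		panic(err)
	}
	now := time.Date(2023, 5, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("expiring within 400 days:", ExpiringWithin(rows, now, 400*24*time.Hour))
	fmt.Println("leaf certs outliving their CA:", OutlivingCA(rows))
}
```

A non-empty result from ExpiringWithin is the condition a monitoring job should alert on (a 30-day window is a common choice); a non-empty result from OutlivingCA means the RESIDUAL TIME column overstates how long those certificates will actually be accepted.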

git clone https://github.com/kubernetes/kubernetes.git

2.3 Check the Kubernetes version

(root@omt-k8m1 2023-05-01 20:10:10 ~)
# kubectl version 
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.1", GitCommit:"4c9411232e10168d7b050c49a1b59f6df9d7ea4b", GitTreeState:"clean", BuildDate:"2023-04-14T13:21:19Z", GoVersion:"go1.20.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v5.0.1
Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.1", GitCommit:"4c9411232e10168d7b050c49a1b59f6df9d7ea4b", GitTreeState:"clean", BuildDate:"2023-04-14T13:14:42Z", GoVersion:"go1.20.3", Compiler:"gc", Platform:"linux/amd64"}

2.4 Check out the matching version and modify the source

cd kubernetes
git checkout v1.27.1
git branch      # show the current branch
git branch -r   # list the remote branches

Open cmd/kubeadm/app/constants/constants.go in vim, find CertificateValidity, and change it as follows:

package constants

import "time"

const (
    // KubernetesDir is the directory Kubernetes owns for storing various configuration files
    KubernetesDir = "/etc/kubernetes"
    // ManifestsSubDirName defines directory name to store manifests
    ManifestsSubDirName = "manifests"
    // TempDirForKubeadm defines temporary directory for kubeadm
    // should be joined with KubernetesDir.
    TempDirForKubeadm = "tmp"

    // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
    // (upstream default: time.Hour * 24 * 365, i.e. one year; changed here to 100 years)
    CertificateValidity = time.Hour * 24 * 365 * 100
)

2.5 Install the build tools

yum -y install gcc automake autoconf libtool make

Install the Go build environment; here it is installed directly with yum.

Check whether Go is already installed:

(root@omt-k8m1 2023-05-01 19:53:47 ~/kubernetes/cmd/kubeadm/app/constants)
# go env
-bash: go: command not found

Check the golang package available from yum:

# yum info golang
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
Name        : golang
Arch        : x86_64
Version     : 1.17.10
Release     : 1.el7
Size        : 680 k
Repo        : eeo-extras-tools
Summary     : The Go Programming Language
URL         : http://golang.org/
License     : BSD and Public Domain
Description : The Go Programming Language.

Install golang:

yum install -y golang

Check the Go environment variables again:

# go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/root/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/root/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/golang"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/golang/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17.10"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/root/kubernetes/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1185725141=/tmp/go-build -gno-record-gcc-switches"

2.6 Run make WHAT=cmd/kubeadm to build

(root@omt-k8m1 2023-05-01 19:55:49 ~/kubernetes)
# make WHAT=cmd/kubeadm
go version go1.20.3 linux/amd64
+++ [0501 19:57:14] Building go targets for linux/amd64
    k8s.io/kubernetes/cmd/kubeadm (static)

Note that the build reports go1.20.3, the Go release the v1.27.1 source tree expects, not the 1.17.10 package installed above; the Kubernetes build scripts check the Go version, so a matching toolchain must be on the PATH when make runs.

After the build finishes, the binary is written to _output/bin under the source tree:

(root@omt-k8m1 2023-05-01 20:20:04 ~/kubernetes/_output/bin)
# ll
total 47064
-rwxr-xr-x 1 root root 48193536 May  1 19:57 kubeadm

2.7 Back up files

Back up the existing kubeadm binary and all of the cluster component certificates first.

1. cp /usr/bin/kubeadm /opt
2. cp -rp /etc/kubernetes/pki /opt

2.8 Replace the binary and regenerate the certificates

1. Replace the current binary
   cp _output/bin/kubeadm /usr/bin/kubeadm
2. Regenerate the certificate files
   cd /etc/kubernetes/pki
   kubeadm certs renew all

2.9 Check that the change took effect

(root@omt-k8m1 2023-05-01 20:01:56 /etc/kubernetes/pki)
# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 07, 2123 12:01 UTC   99y             ca                      no      
apiserver                  Apr 07, 2123 12:01 UTC   99y             ca                      no      
apiserver-etcd-client      Apr 07, 2123 12:01 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   Apr 07, 2123 12:01 UTC   99y             ca                      no      
controller-manager.conf    Apr 07, 2123 12:01 UTC   99y             ca                      no      
etcd-healthcheck-client    Apr 07, 2123 12:01 UTC   99y             etcd-ca                 no      
etcd-peer                  Apr 07, 2123 12:01 UTC   99y             etcd-ca                 no      
etcd-server                Apr 07, 2123 12:01 UTC   99y             etcd-ca                 no      
front-proxy-client         Apr 07, 2123 12:01 UTC   99y             front-proxy-ca          no      
scheduler.conf             Apr 07, 2123 12:01 UTC   99y             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 26, 2033 10:55 UTC   9y              no      
etcd-ca                 Apr 26, 2033 10:55 UTC   9y              no      
front-proxy-ca          Apr 26, 2033 10:55 UTC   9y 

As the output shows, the new validity period is in effect.

Now restart kubelet and check again, as shown below:
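One thing the output above makes visible: the leaf certificates now expire in 2123, while the CAs that signed them still expire in 2033. A verifier checks the validity window of every certificate in the chain, so those leaves stop being accepted the moment the CA expires, however far away their own NotAfter is. The following Go program, an added example that is not part of the original post and not kubeadm's own code, reproduces the situation with a 10-year CA and a leaf signed for CertificateValidity = time.Hour * 24 * 365 * 100 as patched in section 2.4, then verifies the chain just before and just after the CA's NotAfter. The P-256 keys and the names kubernetes / kubernetes-admin are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validity periods taken from the page: kubeadm CAs are issued for 10 years (the
// "ca" row expires in 2033) and the patched constant gives every signed leaf 100
// years. The names and the P-256 keys below are this example's own choices.
const (
	CAValidity          = time.Hour * 24 * 365 * 10
	CertificateValidity = time.Hour * 24 * 365 * 100
)

// Build creates a self-signed CA and a client leaf signed by it, both starting at
// notBefore. The leaf's NotAfter comes only from CertificateValidity and is not
// clamped to the CA's NotAfter, which is the situation in the page's 2.9 output.
func Build(notBefore time.Time) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(CAValidity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "kubernetes-admin", Organization: []string{"system:masters"}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(CertificateValidity), // outlives the CA by 90 years
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// VerifyAt reports whether a verifier that trusts ca accepts leaf at instant at.
// Go's verifier checks the validity window of every certificate in the chain,
// the CA included, so the answer flips to false once the CA has expired.
func VerifyAt(leaf, ca *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	ca, leaf, err := Build(time.Date(2023, 4, 26, 10, 55, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	fmt.Println("CA expires:  ", ca.NotAfter.Format("2006-01-02"))
	fmt.Println("leaf expires:", leaf.NotAfter.Format("2006-01-02"))
	for _, at := range []time.Time{ca.NotAfter.Add(-time.Hour), ca.NotAfter.Add(time.Hour)} {
		fmt.Printf("chain valid at %s: %v\n", at.Format("2006-01-02"), VerifyAt(leaf, ca, at))
	}
}
```

The practical consequence for the procedure on this page: the 99-year figure only postpones the leaf renewal, and the CA certificates (expiring 2033 in the output above) still set the real deadline for the cluster.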

systemctl restart kubelet.service

2.10 Check that the cluster is healthy

# kubectl get node
NAME       STATUS   ROLES           AGE    VERSION
omt-k8m1   Ready    control-plane   2d1h   v1.27.1
omt-k8m2   Ready    control-plane   2d     v1.27.1
omt-k8m3   Ready    control-plane   2d     v1.27.1
omt-k8n1   Ready    <none>          2d     v1.27.1
omt-k8n2   Ready    <none>          2d     v1.27.1

2.11 Apply the change to every master in the cluster

So far only one master in the cluster has been shown; to apply the change to the other two masters, proceed as follows:

Copy the newly built kubeadm binary to the other master nodes, back up the existing files before replacing anything, then regenerate the certificates; the remaining steps are the same as above.

Author: 运维老许

Source: https://www.strives.cn/

Contact: strive120620@163.com

WeChat official account: Linux必修之路

Notice 1: Some resources on this site are collected from the Internet and are provided for personal study and exchange only; if your rights have been inadvertently infringed, please contact me and I will handle it as soon as possible!

Notice 2: The copyright of this article belongs to the author. Reposting is welcome, but without the author's consent a link to the original must be given on the article page; otherwise the right to pursue legal liability is reserved!

Last modified: May 1, 2023, 08:39 PM