65. Kubernetes - Modifying the Certificate Validity Period
Published: 2023-02-05 15:44:18  Editor: 雪饮
Step1
First, let's check the current validity period of our Kubernetes cluster's certificates.
[root@k8s-master01 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2606081207612327332 (0x242aa90cfb8dc5a4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Feb 3 13:12:43 2023 GMT
Not After : Feb 3 13:12:43 2024 GMT
Subject: CN=kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:k8s-master01, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.66.10
Signature Algorithm: sha256WithRSAEncryption
You can see that this one runs from Feb 3, 2023 to Feb 3, 2024.
That should be a validity period of one year.
And this other certificate:
[root@k8s-master01 ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Feb 3 13:12:43 2023 GMT
Not After : Jan 31 13:12:43 2033 GMT
Subject: CN=kubernetes
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
This other certificate, on the other hand, is valid from 2023-02-03 to 2033-01-31.
Wow, a full ten years.
However, the results of these two checks may not be accurate, because it seems I later modified some certificate-related configuration in my cluster myself.
Step2
Install the Go language
mkdir /data
[root@k8s-master01 ~]# cd /data
[root@k8s-master01 data]# wget https://studygolang.com/dl/golang/go1.12.9.linux-amd64.tar.gz
tar -zxvf go1.12.9.linux-amd64.tar.gz -C /usr/local/
Import the environment variables for Go
[root@k8s-master01 data]# cat /etc/profile
# /etc/profile
# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc
# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.
pathmunge () {
    case ":${PATH}:" in
        *:"$1":*)
            ;;
        *)
            if [ "$2" = "after" ] ; then
                PATH=$PATH:$1
            else
                PATH=$1:$PATH
            fi
    esac
}
if [ -x /usr/bin/id ]; then
    if [ -z "$EUID" ]; then
        # ksh workaround
        EUID=`/usr/bin/id -u`
        UID=`/usr/bin/id -ru`
    fi
    USER="`/usr/bin/id -un`"
    LOGNAME=$USER
    MAIL="/var/spool/mail/$USER"
fi
# Path manipulation
if [ "$EUID" = "0" ]; then
    pathmunge /usr/sbin
    pathmunge /usr/local/sbin
else
    pathmunge /usr/local/sbin after
    pathmunge /usr/sbin after
fi
HOSTNAME=`/usr/bin/hostname 2>/dev/null`
HISTSIZE=1000
if [ "$HISTCONTROL" = "ignorespace" ] ; then
    export HISTCONTROL=ignoreboth
else
    export HISTCONTROL=ignoredups
fi
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL
# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 002
else
    umask 022
fi
for i in /etc/profile.d/*.sh /etc/profile.d/sh.local ; do
    if [ -r "$i" ]; then
        if [ "${-#*i}" != "$-" ]; then
            . "$i"
        else
            . "$i" >/dev/null
        fi
    fi
done
unset i
unset -f pathmunge
export PATH=$PATH:/usr/local/go/bin
Apply it
source /etc/profile
Go is installed OK
[root@k8s-master01 data]# go version
go version go1.12.9 linux/amd64
Step3
Modify the certificate validity period in the Kubernetes source code
Download the source code
git clone https://github.com/kubernetes/kubernetes.git
Enter the source tree and switch to the branch matching the current Kubernetes cluster version
cd kubernetes/
git checkout -b remotes/origin/release-1.15.1 v1.15.1
Updating files: 100% (30007/30007), done.
Switched to a new branch 'remotes/origin/release-1.15.1'
Change the configured certificate validity period to 10 years; the location is around line 552
vi cmd/kubeadm/app/util/pkiutil/pki_helpers.go
Original:
// NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	if len(cfg.CommonName) == 0 {
		return nil, errors.New("must specify a CommonName")
	}
	if len(cfg.Usages) == 0 {
		return nil, errors.New("must specify at least one ExtKeyUsage")
	}
	certTmpl := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:     cfg.AltNames.DNSNames,
		IPAddresses:  cfg.AltNames.IPs,
		SerialNumber: serial,
		NotBefore:    caCert.NotBefore,
		NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  cfg.Usages,
	}
Modified:
// NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
	// 10 * 365 days, used below in place of kubeadmconstants.CertificateValidity
	const duration3650d = time.Hour * 24 * 365 * 10
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	if len(cfg.CommonName) == 0 {
		return nil, errors.New("must specify a CommonName")
	}
	if len(cfg.Usages) == 0 {
		return nil, errors.New("must specify at least one ExtKeyUsage")
	}

	certTmpl := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:     cfg.AltNames.DNSNames,
		IPAddresses:  cfg.AltNames.IPs,
		SerialNumber: serial,
		NotBefore:    caCert.NotBefore,
		NotAfter:     time.Now().Add(duration3650d).UTC(),
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  cfg.Usages,
	}
Then compilation fails:
[root@k8s-master01 kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v
Makefile:1: *** 遗漏分隔符 。 停止。
This problem is really about the git clone above: it should be done directly on the Linux server, but in my case the network from inside to GitHub was slow, apparently unreachable outright.
So I did it on the physical machine (Windows).
It really should all be done on Linux; in the end I found a Singapore server, finished the build there, and pulled the result over with scp.
Step4
Apply the new certificate validity period
First, back up the current related files
[root@k8s-master01 kubernetes]# cp /usr/bin/kubeadm /usr/bin/kubeadm.old
[root@k8s-master01 kubernetes]# cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old
Then install the newly built files
[root@k8s-master01 kubernetes]# cp _output/bin/kubeadm /root/
[root@k8s-master01 kubernetes]# cp _output/bin/kubeadm /usr/bin/
cp:是否覆盖"/usr/bin/kubeadm"? y
[root@k8s-master01 kubernetes]# chmod a+x /usr/bin/kubeadm
Go back to the home directory and regenerate the certificates in the previous certificate directory so the new validity period takes effect
[root@k8s-master01 kubernetes]# cd
[root@k8s-master01 ~]# kubeadm alpha certs renew all --config=/usr/local/install-k8s/core/kubeadm-config.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Step5
Next, verify whether the new certificate validity period was applied successfully
[root@k8s-master01 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7150314831584952520 (0x633b057490d400c8)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Feb 3 13:12:43 2023 GMT
Not After : Feb 2 07:36:28 2033 GMT
Subject: CN=kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:k8s-master01, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.66.10
Signature Algorithm: sha256WithRSAEncryption
2023-02-03 to 2033-02-02, which is indeed 10 years.
Then keep a copy of this binary:
cp /usr/bin/kubeadm /etc/kubernetes/pki/kubeadm-cert10y
I think this step can actually be skipped; I'm not sure what the instructor had in mind.
The instructor apparently even kept this kubeadm-cert10y on his physical machine, probably as material for the students.