前言:
首先,先看看minikube这样的开发或者测试使用的kubernetes集群的证书时间:
[root@node3 ~]# kubeadm certs check-expiration [check-expiration] Reading configuration from the cluster... [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' [check-expiration] Error reading configuration from the Cluster. Falling back to default configuration CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED admin.conf Dec 04, 2023 12:07 UTC 363d ca no apiserver Dec 03, 2025 12:02 UTC 2y ca no apiserver-etcd-client Dec 04, 2023 12:07 UTC 363d etcd-ca no apiserver-kubelet-client Dec 04, 2023 12:07 UTC 363d ca no controller-manager.conf Dec 04, 2023 13:00 UTC 363d ca no etcd-healthcheck-client Dec 04, 2023 12:07 UTC 363d etcd-ca no etcd-peer Dec 04, 2023 12:07 UTC 363d etcd-ca no etcd-server Dec 04, 2023 12:07 UTC 363d etcd-ca no front-proxy-client Dec 04, 2023 12:07 UTC 363d front-proxy-ca no scheduler.conf Dec 04, 2023 13:00 UTC 363d ca no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED ca Dec 01, 2032 12:02 UTC 9y no etcd-ca Dec 01, 2032 12:07 UTC 9y no front-proxy-ca Dec 01, 2032 12:07 UTC 9y no
OK,我们可以看到,这些证书的时间大部分都是一年期的。对于minikube这样的集群,无所谓喽,集群本来就是测试性质的,大不了重新部署了,也是非常快的,但,在生产环境下,我们追求的是稳定高效,当然可以使用kubeadm certs renew all来续订证书,但是证书更新了那些服务如果要重启就很麻烦,并且如果不是一个集群的证书要续订,而是有N个集群的证书续订,那可就有得忙了。
因此,我们在生产环境部署集群的时候,如果提前就把证书的时间修改为10年或者更长的100年,会规避掉一些麻烦,也算是提前解决一个可能会对生产造成影响的问题。
那么,如何在部署阶段就修改证书的时间呢?
其实也比较简单,在部署前就利用kubernetes的源码编译出一个新的kubeadm即可了。
实操:
工具原材料:
1,kubernetes的源码
2,go语言环境
目标:
假设生产环境使用的kubernetes版本是1.23.12版本,通过go语言环境,利用kubernetes-1.23.12的源码,重新编译出一个新的kubeadm程序,在kubeadm init 初始化前,用新的kubeadm替换原有的kubeadm,使得kubernetes的证书期限是100年。
一,
go语言环境的安装部署
首先申明,其它版本的编译安装没有试过,反正1.23.12版本的kubernetes需要go-1.17版本以上,否则不能正常编译,会报错:
[root@node4 kubernetes-1.23.12]# make all WHAT=cmd/kubeadm GOFLAGS=-v Detected go version: go version go1.16.12 linux/amd64. Kubernetes requires go1.17.0 or greater. Please install go1.17.0 or later. !!! [1205 23:21:50] Call tree: !!! [1205 23:21:50] 1: hack/run-in-gopath.sh:31 kube::golang::setup_env(...) Detected go version: go version go1.16.12 linux/amd64. Kubernetes requires go1.17.0 or greater. Please install go1.17.0 or later. !!! [1205 23:21:50] Call tree: !!! [1205 23:21:50] 1: /root/kubernetes-1.23.12/hack/lib/golang.sh:794 kube::golang::setup_env(...) !!! [1205 23:21:50] 2: hack/make-rules/build.sh:27 kube::golang::build_binaries(...) !!! [1205 23:21:50] Call tree: !!! [1205 23:21:50] 1: hack/make-rules/build.sh:27 kube::golang::build_binaries(...) make[1]: *** [_output/bin/prerelease-lifecycle-gen] Error 1 make: *** [generated_files] Error 2
因此,go语言版本选择的是1.17.1,部署步骤如下;
1,
下载go语言安装包
wget https://studygolang.com/dl/golang/go1.17.1.linux-amd64.tar.gz
2,
解压,解压后的文件移动到/usr/local/目录下:
tar zxf go1.17.1.linux-amd64.tar.gz mv go /usr/local/
3,
设置环境变量并激活变量
编辑/etc/profile 文件,在末尾添加如下内容:
export GOROOT=/usr/local/go export PATH=$PATH:/usr/local/go/bin export GOPATH=/go
激活环境变量:
source /etc/profile
4,
验证go语言环境
[root@node3 ~]# go version go version go1.17.1 linux/amd64
二,
下载kubernetes-1.23.12源码
https://codeload.github.com/kubernetes/kubernetes/zip/refs/tags/v1.23.12
下载下来的文件上传到服务器解压后,进入解压目录:
[root@node3 kubernetes-1.23.12]# pwd /root/kubernetes-1.23.12 [root@node3 kubernetes-1.23.12]# ls api CHANGELOG cluster code-of-conduct.md docs go.sum LICENSE logo Makefile.generated_files OWNERS pkg README.md staging test vendor build CHANGELOG.md cmd CONTRIBUTING.md go.mod hack LICENSES Makefile _output OWNERS_ALIASES plugin SECURITY_CONTACTS SUPPORT.md third_party
三,
修改源码的证书相关文件(两个文件):
vim cmd/kubeadm/app/constants/constants.go
以关键字time.Hour 搜索,修改成如下(加个100,原来是只有time.Hour * 24 * 365):
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm CertificateValidity = time.Hour * 24 * 365 * 100
vim staging/src/k8s.io/client-go/util/cert/cert.go
以关键字KeyUsageDigitalSignatur 搜索,修改成如下(10改成100,原来是now.Add(duration365d * 10)):
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) { now := time.Now() tmpl := x509.Certificate{ SerialNumber: new(big.Int).SetInt64(0), Subject: pkix.Name{ CommonName: cfg.CommonName, Organization: cfg.Organization, }, DNSNames: []string{cfg.CommonName}, NotBefore: now.UTC(), NotAfter: now.Add(duration365d * 100).UTC(), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true, }
以上修改请务必以关键字准确定位。
四,
重新编译kubeadm
make all WHAT=cmd/kubeadm GOFLAGS=-v
输出如下:
k8s.io/kubernetes/vendor/github.com/spf13/pflag k8s.io/kubernetes/hack/make-rules/helpers/go2make +++ [1205 23:50:42] Building go targets for linux/amd64: ./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen > non-static build: k8s.io/kubernetes/./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen k8s.io/kubernetes/vendor/golang.org/x/mod/semver k8s.io/kubernetes/vendor/golang.org/x/sys/execabs k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/label k8s.io/kubernetes/vendor/golang.org/x/xerrors/internal k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/keys k8s.io/kubernetes/vendor/golang.org/x/xerrors k8s.io/kubernetes/vendor/golang.org/x/mod/module k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/core k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event k8s.io/kubernetes/vendor/golang.org/x/tools/internal/gocommand k8s.io/kubernetes/vendor/golang.org/x/tools/internal/typeparams k8s.io/kubernetes/vendor/golang.org/x/tools/go/ast/astutil k8s.io/kubernetes/vendor/golang.org/x/tools/internal/fastwalk k8s.io/kubernetes/vendor/golang.org/x/tools/internal/gopathwalk k8s.io/kubernetes/vendor/k8s.io/gengo/types k8s.io/kubernetes/vendor/k8s.io/gengo/namer k8s.io/kubernetes/vendor/golang.org/x/tools/internal/imports k8s.io/kubernetes/vendor/github.com/go-logr/logr k8s.io/kubernetes/vendor/k8s.io/klog/v2 k8s.io/kubernetes/vendor/k8s.io/gengo/parser k8s.io/kubernetes/vendor/k8s.io/gengo/examples/set-gen/sets k8s.io/kubernetes/vendor/golang.org/x/tools/imports k8s.io/kubernetes/vendor/golang.org/x/tools/go/internal/gcimporter k8s.io/kubernetes/vendor/k8s.io/gengo/generator k8s.io/kubernetes/vendor/k8s.io/gengo/args k8s.io/kubernetes/vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen/prerelease-lifecycle-generators k8s.io/kubernetes/vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen/args k8s.io/kubernetes/vendor/golang.org/x/tools/go/internal/packagesdriver k8s.io/kubernetes/vendor/golang.org/x/tools/internal/packagesinternal k8s.io/kubernetes/vendor/golang.org/x/tools/internal/typesinternal k8s.io/kubernetes/vendor/golang.org/x/tools/go/gcexportdata k8s.io/kubernetes/vendor/golang.org/x/tools/go/packages k8s.io/kubernetes/vendor/k8s.io/code-generator/pkg/util k8s.io/kubernetes/vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen Generating prerelease lifecycle code for 28 targets +++ [1205 23:50:52] Building go targets for linux/amd64: ./vendor/k8s.io/code-generator/cmd/deepcopy-gen 后面的略略略
这个编译还是比较快的,等编译完成后,echo $? 看看有没有报错,如果是0,表示编译完成了。
那么,编译出的kubeadm在 _output/bin 目录下:
/root/kubernetes-1.23.12/_output/bin [root@node4 bin]# ll total 79020 -rwxr-xr-x 1 root root 6270976 Dec 5 23:51 conversion-gen -rwxr-xr-x 1 root root 5996544 Dec 5 23:50 deepcopy-gen -rwxr-xr-x 1 root root 6000640 Dec 5 23:51 defaulter-gen -rwxr-xr-x 1 root root 3375951 Dec 5 23:50 go2make -rwxr-xr-x 1 root root 45191168 Dec 5 23:56 kubeadm -rwxr-xr-x 1 root root 8114176 Dec 5 23:52 openapi-gen -rwxr-xr-x 1 root root 5963776 Dec 5 23:50 prerelease-lifecycle-gen
五,
测试编程出来的kubeadm 初始化集群,集群的证书是否变为了100年
将以上生成的kubeadm文件拷贝到一个新的服务器上,随便怎么拷贝吧,scp也好,直接lsrzs也可以。
添加yum源,安装kubeadm:
cat >/etc/yum.repos.d/kubernetes.repo <<EOF [kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=0 repo_gpgcheck=0 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF
安装命令:
yum install kubeadm-1.23.12 kubelet-1.23.12 kubectl-1.23.12 -y
安装完毕后,将原来的kubeadm备份一哈;
cp /usr/bin/kubeadm{,.bak}
将新的kubeadm拷贝到/usr/bin/下:
cp -f kubeadm /usr/bin/
因为是测试性质,因此,随便初始化一下:
kubeadm init \ --image-repository registry.aliyuncs.com/google_containers \ --apiserver-advertise-address=192.168.217.24 \ --service-cidr=10.96.0.0/16 \ --pod-network-cidr=10.244.0.0/16 \ --kubernetes-version=1.23.12
等待初始化完成后,再次查看证书期限:
[root@node4 yum.repos.d]# kubeadm certs check-expiration [check-expiration] Reading configuration from the cluster... [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED admin.conf Nov 11, 2122 14:48 UTC 99y ca no apiserver Nov 11, 2122 14:48 UTC 99y ca no apiserver-etcd-client Nov 11, 2122 14:48 UTC 99y etcd-ca no apiserver-kubelet-client Nov 11, 2122 14:48 UTC 99y ca no controller-manager.conf Nov 11, 2122 14:48 UTC 99y ca no etcd-healthcheck-client Nov 11, 2122 14:48 UTC 99y etcd-ca no etcd-peer Nov 11, 2122 14:48 UTC 99y etcd-ca no etcd-server Nov 11, 2122 14:48 UTC 99y etcd-ca no front-proxy-client Nov 11, 2122 14:48 UTC 99y front-proxy-ca no scheduler.conf Nov 11, 2122 14:48 UTC 99y ca no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED ca Nov 11, 2122 14:48 UTC 99y no etcd-ca Nov 11, 2122 14:48 UTC 99y no front-proxy-ca Nov 11, 2122 14:48 UTC 99y no
OK,证书的过期时间都是100年了,说明前面的编译工作是有效果的,可行的。
如果是在生产上,在也不用担心证书过期的问题了,也算是提前解决了一个暴雷问题。
