Author: SRE运维博客
Blog: https://www.cnsre.cn
Article: https://www.cnsre.cn/posts/210624108255/
Related topics: https://www.cnsre.cn/tags/kubernetes/
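Install the Go environment
Golang
Official download page: Golang official site
Open the official download page, pick the release that matches your system, and copy the download link.
Here I chose go1.16.5.linux-amd64.tar.gz.
Download and extract
Download the package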
```bash
wget https://dl.google.com/go/go1.16.5.linux-amd64.tar.gz
```
Extract it into the /usr/local directory
```bash
tar -C /usr/local -zxvf go1.16.5.linux-amd64.tar.gz
```
Add environment variables
Add the /usr/local/go/bin directory to the PATH variable by appending the following to /etc/profile.
```bash
vim /etc/profile
# Add these lines at the end of the file
export GOROOT=/usr/local/go
export PATH=$PATH:$GOROOT/bin
# After saving and exiting, source the file
source /etc/profile
```
Verify
Run go version; if it prints the version number, the Go environment is installed correctly.
```
[root@master ~]# go version
go version go1.16.5 linux/amd64
```
Check the current certificate expiry
Run this command to view the current certificate expiration dates:
```bash
kubeadm alpha certs check-expiration
```
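Download the source code
Open the kubernetes repository on GitHub and select the matching version to download.
Download and extract
My cluster runs v1.20.6, so I download the matching release: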
```bash
wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.20.6.zip
unzip v1.20.6.zip
```
Modify constants.go
Edit cmd/kubeadm/app/constants/constants.go, find CertificateValidity, and change it as follows:
```bash
cd kubernetes-1.20.6
vim cmd/kubeadm/app/constants/constants.go
```

```go
....
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"
	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	CertificateValidity = time.Hour * 24 * 365 * 100 // modify this value
....
```
Build kubeadm
The build prints the following:
```
[root@master kubernetes-1.20.6]# make WHAT=cmd/kubeadm
+++ [0624 10:59:21] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
+++ [0624 10:59:25] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/deepcopy-gen
+++ [0624 10:59:33] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/defaulter-gen
+++ [0624 10:59:44] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/conversion-gen
+++ [0624 11:00:04] Building go targets for linux/amd64:
    ./vendor/k8s.io/kube-openapi/cmd/openapi-gen
+++ [0624 11:00:19] Building go targets for linux/amd64:
    ./vendor/github.com/go-bindata/go-bindata/go-bindata
+++ [0624 11:00:20] Building go targets for linux/amd64:
    cmd/kubeadm
```
After the build finishes, the following directory and binaries are generated:
```
[root@master kubernetes-1.20.6]# ll _output/bin/
总用量 75680
-rwxr-xr-x. 1 root root  5943296 6月 24 10:59 conversion-gen
-rwxr-xr-x. 1 root root  5689344 6月 24 10:59 deepcopy-gen
-rwxr-xr-x. 1 root root  5709824 6月 24 10:59 defaulter-gen
-rwxr-xr-x. 1 root root  3555111 6月 24 10:59 go2make
-rwxr-xr-x. 1 root root  1966080 6月 24 11:00 go-bindata
-rwxr-xr-x. 1 root root 39325696 6月 24 11:01 kubeadm
-rwxr-xr-x. 1 root root  9650176 6月 24 11:00 openapi-gen
-rwxr-xr-x. 1 root root  5656576 6月 24 10:59 prerelease-lifecycle-gen
```
Back up files
Back up kubeadm and the certificate files:
```bash
cp /usr/bin/kubeadm{,.bak20210624}
cp -r /etc/kubernetes/pki{,.bak20210624}
```
Check the backup files:
```
[root@master kubernetes-1.20.6]# ll /usr/bin/kubeadm*
-rwxr-xr-x. 1 root root 39325696 6月 24 11:05 /usr/bin/kubeadm
-rwxr-xr-x. 1 root root 39210880 6月 24 11:02 /usr/bin/kubeadm.bak20210624
[root@master kubernetes-1.20.6]# ll /etc/kubernetes/pki*
/etc/kubernetes/pki:
总用量 56
-rw-r--r--. 1 root root 1289 6月 24 11:05 apiserver.crt
-rw-r--r--. 1 root root 1139 6月 24 11:05 apiserver-etcd-client.crt
-rw-------. 1 root root 1675 6月 24 11:05 apiserver-etcd-client.key
-rw-------. 1 root root 1679 6月 24 11:05 apiserver.key
-rw-r--r--. 1 root root 1147 6月 24 11:05 apiserver-kubelet-client.crt
-rw-------. 1 root root 1675 6月 24 11:05 apiserver-kubelet-client.key
-rw-r--r--. 1 root root 1066 6月 22 15:01 ca.crt
-rw-------. 1 root root 1675 6月 22 15:01 ca.key
drwxr-xr-x. 2 root root  162 6月 22 15:01 etcd
-rwxr-xr-x. 1 root root 1078 6月 22 15:01 front-proxy-ca.crt
-rw-------. 1 root root 1675 6月 22 15:01 front-proxy-ca.key
-rw-r--r--. 1 root root 1103 6月 24 11:05 front-proxy-client.crt
-rw-------. 1 root root 1679 6月 24 11:05 front-proxy-client.key
-rw-------. 1 root root 1675 6月 22 15:01 sa.key
-rw-------. 1 root root  451 6月 22 15:01 sa.pub
/etc/kubernetes/pki.bak20210624:
总用量 56
-rw-r--r--. 1 root root 1289 6月 24 11:04 apiserver.crt
-rw-r--r--. 1 root root 1135 6月 24 11:04 apiserver-etcd-client.crt
-rw-------. 1 root root 1675 6月 24 11:04 apiserver-etcd-client.key
-rw-------. 1 root root 1679 6月 24 11:04 apiserver.key
-rw-r--r--. 1 root root 1143 6月 24 11:04 apiserver-kubelet-client.crt
-rw-------. 1 root root 1675 6月 24 11:04 apiserver-kubelet-client.key
-rw-r--r--. 1 root root 1066 6月 24 11:04 ca.crt
-rw-------. 1 root root 1675 6月 24 11:04 ca.key
drwxr-xr-x. 2 root root  162 6月 24 11:04 etcd
-rwxr-xr-x. 1 root root 1078 6月 24 11:04 front-proxy-ca.crt
-rw-------. 1 root root 1675 6月 24 11:04 front-proxy-ca.key
-rw-r--r--. 1 root root 1103 6月 24 11:04 front-proxy-client.crt
-rw-------. 1 root root 1679 6月 24 11:04 front-proxy-client.key
-rw-------. 1 root root 1675 6月 24 11:04 sa.key
-rw-------. 1 root root  451 6月 24 11:04 sa.pub
```
Replace kubeadm
Replace the installed binary with the newly built kubeadm:
```bash
cp _output/bin/kubeadm /usr/bin/kubeadm
```
Generate new certificates
```bash
cd /etc/kubernetes/pki
kubeadm alpha certs renew all
```
Output:
```
[root@master pki]# kubeadm alpha certs renew all
Command "all" is deprecated, please use the same command under "kubeadm certs"
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
```
Verify the result
At this point the certificates have been replaced. Next, verify that the certificate validity has been extended.
```bash
kubeadm alpha certs check-expiration
```
Output:
```
[root@master pki]# kubeadm alpha certs check-expiration
Command "check-expiration" is deprecated, please use the same command under "kubeadm certs"
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 31, 2121 03:05 UTC   99y                                     no
apiserver                  May 31, 2121 03:05 UTC   99y             ca                      no
apiserver-etcd-client      May 31, 2121 03:05 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   May 31, 2121 03:05 UTC   99y             ca                      no
controller-manager.conf    May 31, 2121 03:05 UTC   99y                                     no
etcd-healthcheck-client    May 31, 2121 03:05 UTC   99y             etcd-ca                 no
etcd-peer                  May 31, 2121 03:05 UTC   99y             etcd-ca                 no
etcd-server                May 31, 2121 03:05 UTC   99y             etcd-ca                 no
front-proxy-client         May 31, 2121 03:05 UTC   99y             front-proxy-ca          no
scheduler.conf             May 31, 2121 03:05 UTC   99y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 20, 2031 07:01 UTC   9y              no
etcd-ca                 Jun 20, 2031 07:01 UTC   9y              no
front-proxy-ca          Jun 20, 2031 07:01 UTC   9y              no
```
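In the check-expiration output the leaf certificates now expire in 2121, while ca, etcd-ca and front-proxy-ca still expire in 2031. The Go program below is an added example, not code from the original post or from kubeadm: it issues a constructed 10-year CA and a 100-year leaf with the same dates and shows that chain verification fails once the CA has expired, so the usable lifetime is bounded by the CA. The helpers `mustIssue` and `verifyAt` are hypothetical names, and Ed25519 keys are used only to keep the fixture short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustIssue signs a test certificate valid for `validity` from notBefore; a nil parent yields a self-signed CA.
func mustIssue(cn string, notBefore time.Time, validity time.Duration, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: notBefore, NotAfter: notBefore.Add(validity), BasicConstraintsValid: true,
	}
	if parent == nil { // no issuer given: make this a self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyAt checks the leaf against the CA as a TLS peer would when its clock reads t.
func verifyAt(leaf, ca *x509.Certificate, t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t})
	return err
}

func main() {
	ca, caKey := mustIssue("ca", time.Date(2021, 6, 22, 7, 1, 0, 0, time.UTC), time.Hour*24*365*10, nil, nil) // constructed dates
	leaf, _ := mustIssue("apiserver", time.Date(2021, 6, 24, 3, 5, 0, 0, time.UTC), time.Hour*24*365*100, ca, caKey)
	fmt.Println("leaf expires:", leaf.NotAfter, "CA expires:", ca.NotAfter)
	fmt.Println("verify one day after CA expiry:", verifyAt(leaf, ca, ca.NotAfter.AddDate(0, 0, 1)))
}
```

The leaf's own NotAfter is a century away, yet the second line prints an expiry error, because Go's verifier checks the validity window of every certificate in the chain, including the root.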
Check the node status
```
[root@master pki]# kubectl get node
NAME     STATUS   ROLES                  AGE   VERSION
master   Ready    control-plane,master   44h   v1.20.6
node1    Ready    <none>                 43h   v1.20.6
```