kubeadm修改证书时间为99年

1. kubeadm修改证书时间为99年

1.1. 查看当前证书时间

[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 30, 2022 07:53 UTC   363d                                    no      
apiserver                  Aug 30, 2022 07:52 UTC   363d            ca                      no      
apiserver-etcd-client      Aug 30, 2022 07:53 UTC   363d            etcd-ca                 no      
apiserver-kubelet-client   Aug 30, 2022 07:52 UTC   363d            ca                      no      
controller-manager.conf    Aug 30, 2022 07:53 UTC   363d                                    no      
etcd-healthcheck-client    Aug 30, 2022 07:53 UTC   363d            etcd-ca                 no      
etcd-peer                  Aug 30, 2022 07:53 UTC   363d            etcd-ca                 no      
etcd-server                Aug 30, 2022 07:53 UTC   363d            etcd-ca                 no      
front-proxy-client         Aug 30, 2022 07:53 UTC   363d            front-proxy-ca          no      
scheduler.conf             Aug 30, 2022 07:53 UTC   363d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 28, 2031 07:52 UTC   9y              no      
etcd-ca                 Aug 28, 2031 07:53 UTC   9y              no      
front-proxy-ca          Aug 28, 2031 07:53 UTC   9y              no      

可以看到正常只有一年时间。

1.2. 下载源码

git clone https://github.com/kubernetes/kubernetes.git

注意：如果github下载慢可以用gitee下载地址：https://gitee.com/mirrors/Kubernetes.git

查看k8s版本

[root@k8s-master ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.0", GitCommit:"9e991415386e4cf155a24b1da15becaa390438d8", GitTreeState:"clean", BuildDate:"2020-03-25T14:58:59Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.0", GitCommit:"9e991415386e4cf155a24b1da15becaa390438d8", GitTreeState:"clean", BuildDate:"2020-03-25T14:50:46Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}

切换到自己的版本，修改源码，比如我的是v1.18.0版本

cd kubernetes
git checkout v1.18.0

vim cmd/kubeadm/app/constants/constants.go，找到CertificateValidity，修改如下

....
const (
        // KubernetesDir is the directory Kubernetes owns for storing various configuration files
        KubernetesDir = "/etc/kubernetes"
        // ManifestsSubDirName defines directory name to store manifests
        ManifestsSubDirName = "manifests"
        // TempDirForKubeadm defines temporary directory for kubeadm
        // should be joined with KubernetesDir.
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        CertificateValidity = time.Hour * 24 * 365 * 100
....

1.3. 安装编译软件

yum -y install gcc automake autoconf libtool make

安装go编译环境，这里就直接使用yum安装

查看go是否安装过

[root@k8s-master kubernetes]# go env
-bash: go: command not found

查看yum的Golang

[root@k8s-master kubernetes]# yum info golang
Last metadata expiration check: 0:06:47 ago on Wed 01 Sep 2021 10:07:23 AM CST.
Available Packages
Name         : golang
Version      : 1.15.14
Release      : 1.module_el8.4.0+882+ab13bcd9
Architecture : x86_64
Size         : 708 k
Source       : golang-1.15.14-1.module_el8.4.0+882+ab13bcd9.src.rpm
Repository   : AppStream
Summary      : The Go Programming Language
URL          : http://golang.org/
License      : BSD and Public Domain
Description  : The Go Programming Language.

安装golang

yum install -y golang

再次查看go环境变量

[root@k8s-master kubernetes]# go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/root/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/root/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/golang"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/golang/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/root/kubernetes/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build406782294=/tmp/go-build -gno-record-gcc-switches"

1.4. 执行make WHAT=cmd/kubeadm编译

[root@k8s-master kubernetes]# make WHAT=cmd/kubeadm
+++ [0901 10:20:55] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/deepcopy-gen
+++ [0901 10:21:08] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/defaulter-gen
+++ [0901 10:21:18] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/conversion-gen
+++ [0901 10:21:37] Building go targets for linux/amd64:
    ./vendor/k8s.io/kube-openapi/cmd/openapi-gen
+++ [0901 10:21:53] Building go targets for linux/amd64:
    ./vendor/github.com/go-bindata/go-bindata/go-bindata
warning: ignoring symlink /root/kubernetes/_output/local/go/src/k8s.io/kubernetes
go: warning: "k8s.io/kubernetes/vendor/github.com/go-bindata/go-bindata/..." matched no packages
+++ [0901 10:21:55] Building go targets for linux/amd64:
    cmd/kubeadm

编译完生成如下目录和二进制文件

[root@k8s-master kubernetes]# ll _output/bin/
total 70380
-rwxr-xr-x 1 root root  6242304 Sep  1 10:21 conversion-gen
-rwxr-xr-x 1 root root  6234112 Sep  1 10:20 deepcopy-gen
-rwxr-xr-x 1 root root  6205440 Sep  1 10:21 defaulter-gen
-rwxr-xr-x 1 root root  3688610 Sep  1 10:20 go2make
-rwxr-xr-x 1 root root  2023424 Sep  1 10:21 go-bindata
-rwxr-xr-x 1 root root 37076992 Sep  1 10:23 kubeadm
-rwxr-xr-x 1 root root 10596352 Sep  1 10:21 openapi-gen

备份原kubeadm和证书文件

cp /usr/bin/kubeadm{,.bak20210901}
cp -r /etc/kubernetes/pki{,.bak20210901}

将新生成的kubeadm进行替换

cp _output/bin/kubeadm /usr/bin/kubeadm

生成新的证书

cd /etc/kubernetes/pki
kubeadm alpha certs renew all

输出如下

[root@k8s-master kubernetes]# cd /etc/kubernetes/pki
[root@k8s-master pki]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

验证结果

kubeadm alpha certs check-expiration

输出如下

[root@k8s-master pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 08, 2121 02:32 UTC   99y                                     no      
apiserver                  Aug 08, 2121 02:32 UTC   99y             ca                      no      
apiserver-etcd-client      Aug 08, 2121 02:32 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   Aug 08, 2121 02:32 UTC   99y             ca                      no      
controller-manager.conf    Aug 08, 2121 02:32 UTC   99y                                     no      
etcd-healthcheck-client    Aug 08, 2121 02:32 UTC   99y             etcd-ca                 no      
etcd-peer                  Aug 08, 2121 02:32 UTC   99y             etcd-ca                 no      
etcd-server                Aug 08, 2121 02:32 UTC   99y             etcd-ca                 no      
front-proxy-client         Aug 08, 2121 02:32 UTC   99y             front-proxy-ca          no      
scheduler.conf             Aug 08, 2121 02:32 UTC   99y                                     no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 28, 2031 07:52 UTC   9y              no      
etcd-ca                 Aug 28, 2031 07:53 UTC   9y              no      
front-proxy-ca          Aug 28, 2031 07:53 UTC   9y              no      

查看集群状态是否OK。

[root@k8s-master pki]# kubectl get node
NAME         STATUS   ROLES    AGE   VERSION
k8s-master   Ready    master   42h   v1.18.0
k8s-node1    Ready    <none>   42h   v1.18.0
k8s-node2    Ready    <none>   42h   v1.18.0

查看pod

[root@k8s-master pki]# kubectl get pod -n kube-system
NAME                                 READY   STATUS    RESTARTS   AGE
coredns-7ff77c879f-6pwrg             1/1     Running   1          42h
coredns-7ff77c879f-d6s95             1/1     Running   2          42h
etcd-k8s-master                      1/1     Running   3          42h
kube-apiserver-k8s-master            1/1     Running   2          42h
kube-controller-manager-k8s-master   1/1     Running   3          42h
kube-flannel-ds-fs8dj                1/1     Running   3          42h
kube-flannel-ds-g6d4l                1/1     Running   2          42h
kube-flannel-ds-tnrzq                1/1     Running   1          42h
kube-proxy-dngh8                     1/1     Running   1          42h
kube-proxy-nxb5q                     1/1     Running   2          42h
kube-proxy-zz5xn                     1/1     Running   3          42h
kube-scheduler-k8s-master            1/1     Running   2          42h

如看到上面的Ready和Running，即表示证书修改成功。