证书可用年限修改

[[email protected] pki]# openssl x509 -in apiserver.crt -text -noout

先下载kubeadm的源码，针对apiserver一年年限证书分发的函数进行修改，由1年改为10年。（需要go语言的环境）

go中文社区

1.go语言环境

[[email protected] data]# tar -zxvf go1.16.5.linux-amd64.tar.gz -C /usr/local
[[email protected] data]# vim /etc/profile
export PATH=$PATH:/usr/local/go/bin
[[email protected] data]# source /etc/profile
[[email protected] data]# go version

• 1
• 2
• 3
• 4
• 5

2.下载kubernetes源码

[[email protected] data]# git clone https://github.com/kubernetes/kubernetes.git

[[email protected] data]# cd kubernetes
[[email protected] kubernetes]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.21.2",


[[email protected] kubernetes]# git checkout -b remotes/origin/release-1.21.2 v1.21.2

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9

3.修改Kubeadm源码包更新证书策略

[[email protected] kubernetes]# vim staging/src/k8s.io/client-go/util/cert/cert.go  
# kubeadm 1.14 版本之前

vi cmd/kubeadm/app/constants/constants.go 
# kubeadm 1.21.2 至今
// NewSignedCert { 
  const duration365d = time.Hour * 24 * 365 * 100
  NotAfter:    time.Now().Add(duration365d).UTC(),
}

[[email protected] kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v

[[email protected] kubernetes]# cp /usr/bin/kubeadm /usr/bin/kubeadm.old
[[email protected] kubernetes]# cp _output/bin/kubeadm /usr/bin/kubeadm
[[email protected] kubernetes]# chmod a+x /usr/bin/kubeadm
[[email protected] kubernetes]# cd /etc/kubernetes/
[[email protected] kubernetes]# cp -r pki /pki.old

新证书生成
[[email protected] ~]# kubeadm certs renew all --config=/root/kubeadm_init/kubeadm-config.yaml
--config是当初安装k8s集群的yaml文件
[[email protected] ~]# cd /etc/kubernetes/pki

查看证书年限
[[email protected] pki]# openssl x509 -in apiserver.crt -text -noout 


查看kubeadm-config.yaml位置
[[email protected] pki]# cd /etc/kubernetes/pki/
 openssl x509 -in apiserver.crt -text -noout
 



k8sv1.19.10版本：
需要加alpha命令才行
kubeadm alpha certs renew all --config=/root/kubeadm_init/kubeadm-config.yaml
查看全部证书过期时间也需要加alpha
kubeadm alpha certs  check-expiration