前言:
首先,先看看minikube这样的开发或者测试使用的kubernetes集群的证书时间:
- [root@node3 ~]# kubeadm certs check-expiration
- [check-expiration] Reading configuration from the cluster...
- [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
- [check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
-
- CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
- admin.conf Dec 04, 2023 12:07 UTC 363d ca no
- apiserver Dec 03, 2025 12:02 UTC 2y ca no
- apiserver-etcd-client Dec 04, 2023 12:07 UTC 363d etcd-ca no
- apiserver-kubelet-client Dec 04, 2023 12:07 UTC 363d ca no
- controller-manager.conf Dec 04, 2023 13:00 UTC 363d ca no
- etcd-healthcheck-client Dec 04, 2023 12:07 UTC 363d etcd-ca no
- etcd-peer Dec 04, 2023 12:07 UTC 363d etcd-ca no
- etcd-server Dec 04, 2023 12:07 UTC 363d etcd-ca no
- front-proxy-client Dec 04, 2023 12:07 UTC 363d front-proxy-ca no
- scheduler.conf Dec 04, 2023 13:00 UTC 363d ca no
-
- CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
- ca Dec 01, 2032 12:02 UTC 9y no
- etcd-ca Dec 01, 2032 12:07 UTC 9y no
- front-proxy-ca Dec 01, 2032 12:07 UTC 9y no
OK,我们可以看到,这些证书的时间大部分都是一年期的。对于minikube这样的集群,无所谓喽,集群本来就是测试性质的,大不了重新部署了,也是非常快的,但,在生产环境下,我们追求的是稳定高效,当然可以使用kubeadm certs renew all来续订证书,但是证书更新了那些服务如果要重启就很麻烦,并且如果不是一个集群的证书要续订,而是有N个集群的证书续订,那可就有得忙了。
因此,我们在生产环境部署集群的时候,如果提前就把证书的时间修改为10年或者更长的100年,会规避掉一些麻烦,也算是提前解决一个可能会对生产造成影响的问题。
那么,如何在部署阶段就修改证书的时间呢?
其实也比较简单,在部署前就利用kubernetes的源码编译出一个新的kubeadm即可了。
实操:
工具原材料:
1,kubernetes的源码
2,go语言环境
目标:
假设生产环境使用的kubernetes版本是1.23.12版本,通过go语言环境,利用kubernetes-1.23.12的源码,重新编译出一个新的kubeadm程序,在kubeadm init 初始化前,用新的kubeadm替换原有的kubeadm,使得kubernetes的证书期限是100年。
一,
go语言环境的安装部署
首先申明,其它版本的编译安装没有试过,反正1.23.12版本的kubernetes需要go-1.17版本以上,否则不能正常编译,会报错:
- [root@node4 kubernetes-1.23.12]# make all WHAT=cmd/kubeadm GOFLAGS=-v
-
- Detected go version: go version go1.16.12 linux/amd64.
- Kubernetes requires go1.17.0 or greater.
- Please install go1.17.0 or later.
-
- !!! [1205 23:21:50] Call tree:
- !!! [1205 23:21:50] 1: hack/run-in-gopath.sh:31 kube::golang::setup_env(...)
-
- Detected go version: go version go1.16.12 linux/amd64.
- Kubernetes requires go1.17.0 or greater.
- Please install go1.17.0 or later.
-
- !!! [1205 23:21:50] Call tree:
- !!! [1205 23:21:50] 1: /root/kubernetes-1.23.12/hack/lib/golang.sh:794 kube::golang::setup_env(...)
- !!! [1205 23:21:50] 2: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
- !!! [1205 23:21:50] Call tree:
- !!! [1205 23:21:50] 1: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
- make[1]: *** [_output/bin/prerelease-lifecycle-gen] Error 1
- make: *** [generated_files] Error 2
因此,go语言版本选择的是1.17.1,部署步骤如下;
1,
下载go语言安装包
wget https://studygolang.com/dl/golang/go1.17.1.linux-amd64.tar.gz2,
解压,解压后的文件移动到/usr/local/目录下:
- tar zxf go1.17.1.linux-amd64.tar.gz
- mv go /usr/local/
3,
设置环境变量并激活变量
编辑/etc/profile 文件,在末尾添加如下内容:
- export GOROOT=/usr/local/go
- export PATH=$PATH:/usr/local/go/bin
- export GOPATH=/go
激活环境变量:
source /etc/profile4,
验证go语言环境
- [root@node3 ~]# go version
- go version go1.17.1 linux/amd64
二,
下载kubernetes-1.23.12源码
https://codeload.github.com/kubernetes/kubernetes/zip/refs/tags/v1.23.12
下载下来的文件上传到服务器解压后,进入解压目录:
- [root@node3 kubernetes-1.23.12]# pwd
- /root/kubernetes-1.23.12
- [root@node3 kubernetes-1.23.12]# ls
- api CHANGELOG cluster code-of-conduct.md docs go.sum LICENSE logo Makefile.generated_files OWNERS pkg README.md staging test vendor
- build CHANGELOG.md cmd CONTRIBUTING.md go.mod hack LICENSES Makefile _output OWNERS_ALIASES plugin SECURITY_CONTACTS SUPPORT.md third_party
三,
修改源码的证书相关文件(两个文件):
vim cmd/kubeadm/app/constants/constants.go以关键字time.Hour 搜索,修改成如下(加个100,原来是只有time.Hour * 24 * 365):
- // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
- CertificateValidity = time.Hour * 24 * 365 * 100
vim staging/src/k8s.io/client-go/util/cert/cert.go以关键字KeyUsageDigitalSignatur 搜索,修改成如下(10改成100,原来是now.Add(duration365d * 10)):
- func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
- now := time.Now()
- tmpl := x509.Certificate{
- SerialNumber: new(big.Int).SetInt64(0),
- Subject: pkix.Name{
- CommonName: cfg.CommonName,
- Organization: cfg.Organization,
- },
- DNSNames: []string{cfg.CommonName},
- NotBefore: now.UTC(),
- NotAfter: now.Add(duration365d * 100).UTC(),
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
- BasicConstraintsValid: true,
- IsCA: true,
- }
以上修改请务必以关键字准确定位。
四,
重新编译kubeadm
make all WHAT=cmd/kubeadm GOFLAGS=-v输出如下:
- k8s.io/kubernetes/vendor/github.com/spf13/pflag
- k8s.io/kubernetes/hack/make-rules/helpers/go2make
- +++ [1205 23:50:42] Building go targets for linux/amd64:
- ./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
- > non-static build: k8s.io/kubernetes/./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
- k8s.io/kubernetes/vendor/golang.org/x/mod/semver
- k8s.io/kubernetes/vendor/golang.org/x/sys/execabs
- k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/label
- k8s.io/kubernetes/vendor/golang.org/x/xerrors/internal
- k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/keys
- k8s.io/kubernetes/vendor/golang.org/x/xerrors
- k8s.io/kubernetes/vendor/golang.org/x/mod/module
- k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/core
- k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event
- k8s.io/kubernetes/vendor/golang.org/x/tools/internal/gocommand
- k8s.io/kubernetes/vendor/golang.org/x/tools/internal/typeparams
- k8s.io/kubernetes/vendor/golang.org/x/tools/go/ast/astutil
- k8s.io/kubernetes/vendor/golang.org/x/tools/internal/fastwalk
- k8s.io/kubernetes/vendor/golang.org/x/tools/internal/gopathwalk
- k8s.io/kubernetes/vendor/k8s.io/gengo/types
- k8s.io/kubernetes/vendor/k8s.io/gengo/namer
- k8s.io/kubernetes/vendor/golang.org/x/tools/internal/imports
- k8s.io/kubernetes/vendor/github.com/go-logr/logr
- k8s.io/kubernetes/vendor/k8s.io/klog/v2
- k8s.io/kubernetes/vendor/k8s.io/gengo/parser
- k8s.io/kubernetes/vendor/k8s.io/gengo/examples/set-gen/sets
- k8s.io/kubernetes/vendor/golang.org/x/tools/imports
- k8s.io/kubernetes/vendor/golang.org/x/tools/go/internal/gcimporter
- k8s.io/kubernetes/vendor/k8s.io/gengo/generator
- k8s.io/kubernetes/vendor/k8s.io/gengo/args
- k8s.io/kubernetes/vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen/prerelease-lifecycle-generators
- k8s.io/kubernetes/vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen/args
- k8s.io/kubernetes/vendor/golang.org/x/tools/go/internal/packagesdriver
- k8s.io/kubernetes/vendor/golang.org/x/tools/internal/packagesinternal
- k8s.io/kubernetes/vendor/golang.org/x/tools/internal/typesinternal
- k8s.io/kubernetes/vendor/golang.org/x/tools/go/gcexportdata
- k8s.io/kubernetes/vendor/golang.org/x/tools/go/packages
- k8s.io/kubernetes/vendor/k8s.io/code-generator/pkg/util
- k8s.io/kubernetes/vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
- Generating prerelease lifecycle code for 28 targets
- +++ [1205 23:50:52] Building go targets for linux/amd64:
- ./vendor/k8s.io/code-generator/cmd/deepcopy-gen
- 后面的略略略
这个编译还是比较快的,等编译完成后,echo $? 看看有没有报错,如果是0,表示编译完成了。
那么,编译出的kubeadm在 _output/bin 目录下:
- /root/kubernetes-1.23.12/_output/bin
- [root@node4 bin]# ll
- total 79020
- -rwxr-xr-x 1 root root 6270976 Dec 5 23:51 conversion-gen
- -rwxr-xr-x 1 root root 5996544 Dec 5 23:50 deepcopy-gen
- -rwxr-xr-x 1 root root 6000640 Dec 5 23:51 defaulter-gen
- -rwxr-xr-x 1 root root 3375951 Dec 5 23:50 go2make
- -rwxr-xr-x 1 root root 45191168 Dec 5 23:56 kubeadm
- -rwxr-xr-x 1 root root 8114176 Dec 5 23:52 openapi-gen
- -rwxr-xr-x 1 root root 5963776 Dec 5 23:50 prerelease-lifecycle-gen
五,
测试编程出来的kubeadm 初始化集群,集群的证书是否变为了100年
将以上生成的kubeadm文件拷贝到一个新的服务器上,随便怎么拷贝吧,scp也好,直接lsrzs也可以。
添加yum源,安装kubeadm:
- cat >/etc/yum.repos.d/kubernetes.repo <<EOF
- [kubernetes]
- name=Kubernetes
- baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
- enabled=1
- gpgcheck=0
- repo_gpgcheck=0
- gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
- EOF
安装命令:
yum install kubeadm-1.23.12 kubelet-1.23.12 kubectl-1.23.12 -y安装完毕后,将原来的kubeadm备份一哈;
cp /usr/bin/kubeadm{,.bak}将新的kubeadm拷贝到/usr/bin/下:
cp -f kubeadm /usr/bin/因为是测试性质,因此,随便初始化一下:
- kubeadm init \
- --image-repository registry.aliyuncs.com/google_containers \
- --apiserver-advertise-address=192.168.217.24 \
- --service-cidr=10.96.0.0/16 \
- --pod-network-cidr=10.244.0.0/16 \
- --kubernetes-version=1.23.12
等待初始化完成后,再次查看证书期限:
- [root@node4 yum.repos.d]# kubeadm certs check-expiration
- [check-expiration] Reading configuration from the cluster...
- [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
-
- CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
- admin.conf Nov 11, 2122 14:48 UTC 99y ca no
- apiserver Nov 11, 2122 14:48 UTC 99y ca no
- apiserver-etcd-client Nov 11, 2122 14:48 UTC 99y etcd-ca no
- apiserver-kubelet-client Nov 11, 2122 14:48 UTC 99y ca no
- controller-manager.conf Nov 11, 2122 14:48 UTC 99y ca no
- etcd-healthcheck-client Nov 11, 2122 14:48 UTC 99y etcd-ca no
- etcd-peer Nov 11, 2122 14:48 UTC 99y etcd-ca no
- etcd-server Nov 11, 2122 14:48 UTC 99y etcd-ca no
- front-proxy-client Nov 11, 2122 14:48 UTC 99y front-proxy-ca no
- scheduler.conf Nov 11, 2122 14:48 UTC 99y ca no
-
- CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
- ca Nov 11, 2122 14:48 UTC 99y no
- etcd-ca Nov 11, 2122 14:48 UTC 99y no
- front-proxy-ca Nov 11, 2122 14:48 UTC 99y no
OK,证书的过期时间都是100年了,说明前面的编译工作是有效果的,可行的。
如果是在生产上,在也不用担心证书过期的问题了,也算是提前解决了一个暴雷问题。