Kubeadm: renewing the k8s cluster certificates for 10 years


Client certificates generated by kubeadm expire after 1 year by default. You can check the validity of the cluster certificates with the kubeadm certs check-expiration command.

kubeadm renews all certificates during a cluster upgrade. This feature is designed for the simplest use case: if you have no special requirements for certificate renewal and perform Kubernetes version upgrades regularly (less than 1 year between upgrades), kubeadm will keep your cluster up to date and reasonably secure.

Beyond that, we can recompile kubeadm so that it issues certificates valid for 10 years or longer.

1. Set up the Go environment

[root@k8s-master downloads]# wget https://golang.google.cn/dl/go1.19.1.linux-amd64.tar.gz
[root@k8s-master downloads]# tar xf go1.19.1.linux-amd64.tar.gz
[root@k8s-master ~]# mv -f downloads/go .
## append the following to .bashrc (GOROOT must point at the directory the go tree was just moved to)
[root@k8s-master ~]# vim .bashrc
export GOROOT=/home/czz/go
export GOPATH=/home/czz/go_path
export GOPROXY=https://goproxy.cn
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

[root@k8s-master ~]# source .bashrc
[root@k8s-master ~]# mkdir -p go_path/{src,bin,pkg}

2. Modify the kubernetes source code

Download the source

[root@k8s-master ~]# git clone https://github.com/kubernetes/kubernetes.git
[root@k8s-master ~]# cd kubernetes
## check out the v1.23.16 tag onto a working branch (a bare "git checkout -b v1.23.16" would branch from the current HEAD, not the tag)
[root@k8s-master kubernetes]# git checkout -b v1.23.16 v1.23.16

Modify the kubeadm source

## the CA certificate defaults to 10 years; change this only if you need it to last longer
[root@k8s-master kubernetes]# vim staging/src/k8s.io/client-go/util/cert/cert.go
NotAfter: now.Add(duration365d * 10).UTC(),

## change the default validity of generated certificates (1 year upstream) to 10 years
[root@k8s-master kubernetes]# vim cmd/kubeadm/app/constants/constants.go
CertificateValidity = time.Hour * 24 * 3650

Build the binary

[root@k8s-master kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v

The compiled binary is placed under kubernetes/_output/local/bin/linux/amd64/.

3. Renew the k8s certificates with kubeadm

## check the validity of the cluster certificates
[root@k8s-master ~]# kubeadm certs check-expiration

## fetch the existing cluster configuration
[root@k8s-master ~]# kubectl get cm kubeadm-config -n kube-system -o=jsonpath="{.data.ClusterConfiguration}" > kubeadm.yaml

## back up the existing certificates
[root@k8s-master ~]# cp -rf /etc/kubernetes/ /etc/kubernetes-bak20230322

## renew the certificates
[root@k8s-master ~]# kubeadm certs renew all --config=kubeadm.yaml
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

## check the validity of the new certificates
[root@k8s-master ~]# for i in $(find /etc/kubernetes/pki -name "*.crt"); do openssl x509 -in "$i" -text -noout | grep Not; echo "$i"; done

## restart the k8s control-plane components on the master node
[root@k8s-master kubernetes]# docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' | xargs docker restart

## copy the new admin kubeconfig into place
[root@k8s-master ~]# cp /etc/kubernetes/admin.conf ~/.kube/config

## verify the validity of the apiserver certificate
[root@k8s-master ~]# echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate

## copy the certificates to the other master nodes in the cluster and restart their k8s components; worker-node kubelet certificates rotate automatically by default, so only the master-node certificates need attention

## check the validity of the cluster certificates
[root@k8s-master ~]# kubeadm certs check-expiration
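The following Go program is an added example written for this page; it is not code from the post or from the kubernetes repository. It shows, on a constructed set of certificates, what the two source edits in section 2 actually change (duration365d and CertificateValidity are reproduced with the post's values) and then performs the same kind of check as section 3's find/openssl loop and kubeadm certs check-expiration: it parses every *.crt in a directory and flags any certificate expiring within a warning window. Assumptions: Ed25519 keys are used instead of kubeadm's RSA to keep the code short, the x509 templates double as parents when signing (no chain verification is performed), and the file names ca.crt, apiserver.crt and apiserver-old.crt are constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// These mirror the two values the post edits (client-go cert.go, kubeadm constants.go); upstream ships 365 days.
const (
	duration365d        = time.Hour * 24 * 365
	CertificateValidity = time.Hour * 24 * 3650
)

// Template is the x509 template kubeadm-style code fills in: a CA gets client-go's
// default of now + 10*duration365d, a leaf gets validity (CertificateValidity in kubeadm).
func Template(cn string, now time.Time, isCA bool, validity time.Duration) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.UTC(),
		NotAfter:     now.Add(validity).UTC(),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.NotAfter = now.Add(duration365d * 10).UTC()
		t.KeyUsage |= x509.KeyUsageCertSign
		t.IsCA, t.BasicConstraintsValid = true, true
	}
	return t
}

// sign issues tmpl under parent (the CA template doubles as its own parent) and writes PEM to path.
func sign(path string, tmpl, parent *x509.Certificate, pub, signer any) error {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return err
	}
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644)
}

// CertStatus is one row of a check-expiration style report.
type CertStatus struct {
	File     string
	DaysLeft int
	Expiring bool // NotAfter falls inside the warning window
}

// CheckExpiration parses every *.crt directly under dir (the top level of /etc/kubernetes/pki;
// the etcd/ subdirectory needs a second call) and flags those expiring within warnWithin.
func CheckExpiration(dir string, now time.Time, warnWithin time.Duration) ([]CertStatus, error) {
	files, err := filepath.Glob(filepath.Join(dir, "*.crt"))
	if err != nil {
		return nil, err
	}
	var out []CertStatus
	for _, f := range files {
		data, err := os.ReadFile(f)
		if err != nil {
			return nil, err
		}
		block, _ := pem.Decode(data)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("%s: no PEM CERTIFICATE block", f)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f, err)
		}
		out = append(out, CertStatus{
			File:     filepath.Base(f),
			DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24),
			Expiring: cert.NotAfter.Before(now.Add(warnWithin)),
		})
	}
	return out, nil
}

// BuildSamplePKI writes a constructed pki directory: a CA, an apiserver cert issued with the
// modified CertificateValidity, and an "old" one with 20 days left to exercise the warning path.
func BuildSamplePKI(dir string, now time.Time) error {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // Ed25519 for brevity; kubeadm uses RSA
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := Template("kubernetes", now, true, 0)
	if err := sign(filepath.Join(dir, "ca.crt"), ca, ca, caPub, caKey); err != nil {
		return err
	}
	tenYears := Template("kube-apiserver", now, false, CertificateValidity)
	if err := sign(filepath.Join(dir, "apiserver.crt"), tenYears, ca, leafPub, caKey); err != nil {
		return err
	}
	old := Template("kube-apiserver", now, false, 20*24*time.Hour)
	return sign(filepath.Join(dir, "apiserver-old.crt"), old, ca, leafPub, caKey)
}
```

Calling BuildSamplePKI on an empty directory and then CheckExpiration on it with a 30-day window reports ca.crt and apiserver.crt with 3650 days left and apiserver-old.crt with 20 days left and the Expiring flag set. Pointing CheckExpiration at /etc/kubernetes/pki after the renewal in section 3 gives the same per-file view as the openssl loop, with the warning threshold turned into a value a monitoring job can alert on.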

The open-source project https://github.com/yuyicai/update-kube-cert can also be used to renew the certificates.
