kubeadm 编译修改证书有效期

2023-10-18 12:47:31 浏览数 (3)

kubeadm 默认 ca 证书10年,k8s 证书是 1 年,虽然续期方便,但是为了一劳永逸尝试编译修改 kubeadm 默认证书有效期,并更新现有集群。

环境配置

编译 1.22.9 版本的 kubeadm,首先查看原版的信息

1 2

# kubeadm version kubeadm version: &version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.9", GitCommit:"6df4433e288edc9c40c2e344eb336f63fad45cd2", GitTreeState:"clean", BuildDate:"2022-04-13T19:56:28Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}

配置 go 环境

为了保持一致,首先配置 go1.16.15

1 2 3 4 5 6 7 8 9

安装 gvm # curl -sSL https://github.com/moovweb/gvm/raw/master/binscripts/gvm-installer | bash 安装go1.16.15 # source /root/.gvm/scripts/gvm # gvm install go1.16.15 -B #只下载二进制 # gvm use go1.16.15 查看go版本 # go version go version go1.16.15 linux/amd64

下载源码

1 2

# wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.22.9.tar.gz # tar zxvf v1.22.9.tar.gz && cd kubernetes-1.22.9/

修改并编译

修改 CA 证书有效期

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

# vim staging/src/k8s.io/client-go/util/cert/cert.go // NewSelfSignedCACert creates a CA certificate func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) { now := time.Now() tmpl := x509.Certificate{ SerialNumber: new(big.Int).SetInt64(0), Subject: pkix.Name{ CommonName: cfg.CommonName, Organization: cfg.Organization, }, DNSNames: []string{cfg.CommonName}, NotBefore: now.UTC(), NotAfter: now.Add(duration365d * 100).UTC(), ##### 这里改成 100 年 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true, } certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key) if err != nil { return nil, err } return x509.ParseCertificate(certDERBytes) }

修改证书有效期

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

# vim cmd/kubeadm/app/constants/constants.go const ( // KubernetesDir is the directory Kubernetes owns for storing various configuration files KubernetesDir = "/etc/kubernetes" // ManifestsSubDirName defines directory name to store manifests ManifestsSubDirName = "manifests" // TempDirForKubeadm defines temporary directory for kubeadm // should be joined with KubernetesDir. TempDirForKubeadm = "tmp" // CertificateValidity defines the validity for all the signed certificates generated by kubeadm CertificateValidity = time.Hour * 24 * 365 * 99 ## 修改为 99 年 // CACertAndKeyBaseName defines certificate authority base name CACertAndKeyBaseName = "ca" // CACertName defines certificate name CACertName = "ca.crt" // CAKeyName defines certificate name CAKeyName = "ca.key"

添加作者信息

按需添加作者信息

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

# vim cmd/kubeadm/kubeadm.go package main import ( "fmt" "k8s.io/kubernetes/cmd/kubeadm/app" kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util" ) func main() { kubeadmutil.CheckErr(app.Run()) fmt.Println("*************************************************************************") fmt.Println("****** Change the validity period of all certificates to 100 years ******") fmt.Println("****** Change by xxxxx ******") fmt.Println("****** Company: xxxxxxxxxxx ******") fmt.Println("*************************************************************************") }

修改版本信息

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

# vim staging/src/k8s.io/client-go/pkg/version/base.go var ( // TODO: Deprecate gitMajor and gitMinor, use only gitVersion // instead. First step in deprecation, keep the fields but make // them irrelevant. (Next we'll take it out, which may muck with // scripts consuming the kubectl version output - but most of // these should be looking at gitVersion already anyways.) gitMajor string = "" // major version, always numeric gitMinor string = "" // minor version, numeric possibly followed by " " // semantic version, derived by build scripts (see // https://git.k8s.io/community/contributors/design-proposals/release/versioning.md // for a detailed discussion of this field) // // TODO: This field is still called "gitVersion" for legacy // reasons. For prerelease versions, the build metadata on the // semantic version is a git hash, but the version itself is no // longer the direct output of "git describe", but a slight // translation to be semver compliant. // NOTE: The $Format strings are replaced during 'git archive' thanks to the // companion .gitattributes file containing 'export-subst' in this same // directory. See also https://git-scm.com/docs/gitattributes gitVersion string = "v1.22.9" // 修改版本号 gitCommit string = "6df4433e288edc9c40c2e344eb336f63fad45cd2" // sha1 from git, output of $(git rev-parse HEAD) gitTreeState string = "" // state of git tree, either "clean" or "dirty" buildDate string = "2022-06-15T10:43:00Z" // 修改编译时间 )

开始编译

1 2 3 4 5

重新编译 kubeadm # make all WHAT=cmd/kubeadm GOFLAGS=-v 编译后的文件位于 _output/bin/kubeadm # # ls -l _output/bin/kubeadm -rwxr-xr-x 1 root root 45838336 Jun 15 10:56 _output/bin/kubeadm

验证

生成新的证书

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

# ./kubeadm init phase certs all I0615 11:03:24.174252 293233 version.go:255] remote version is much newer: v1.24.1; falling back to: stable-1.22 [certs] Using certificateDir folder "/etc/kubernetes/pki" [certs] Generating "ca" certificate and key [certs] Generating "apiserver" certificate and key [certs] apiserver serving cert is signed for DNS names [hwcloud kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.0.160] [certs] Generating "apiserver-kubelet-client" certificate and key [certs] Generating "front-proxy-ca" certificate and key [certs] Generating "front-proxy-client" certificate and key [certs] Generating "etcd/ca" certificate and key [certs] Generating "etcd/server" certificate and key [certs] etcd/server serving cert is signed for DNS names [hwcloud localhost] and IPs [192.168.0.160 127.0.0.1 ::1] [certs] Generating "etcd/peer" certificate and key [certs] etcd/peer serving cert is signed for DNS names [hwcloud localhost] and IPs [192.168.0.160 127.0.0.1 ::1] [certs] Generating "etcd/healthcheck-client" certificate and key [certs] Generating "apiserver-etcd-client" certificate and key [certs] Generating "sa" key and public key

查看证书有效期

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

# ./kubeadm certs check-expiration CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED !MISSING! admin.conf apiserver May 22, 2121 03:03 UTC 98y ca no apiserver-etcd-client May 22, 2121 03:03 UTC 98y etcd-ca no apiserver-kubelet-client May 22, 2121 03:03 UTC 98y ca no !MISSING! controller-manager.conf etcd-healthcheck-client May 22, 2121 03:03 UTC 98y etcd-ca no etcd-peer May 22, 2121 03:03 UTC 98y etcd-ca no etcd-server May 22, 2121 03:03 UTC 98y etcd-ca no front-proxy-client May 22, 2121 03:03 UTC 98y front-proxy-ca no !MISSING! scheduler.conf CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED ca May 22, 2122 03:03 UTC 99y no etcd-ca May 22, 2122 03:03 UTC 99y no front-proxy-ca May 22, 2122 03:03 UTC 99y no

查看版本

1 2

# ./kubeadm version kubeadm version: &version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.9", GitCommit:"6df4433e288edc9c40c2e344eb336f63fad45cd2", GitTreeState:"archive", BuildDate:"2022-06-15T02:56:47Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}


更新集群证书

替换新编译的 kubeadm 文件到 k8s 任意 master 节点的

查看证书有效期

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

# kubeadm certs check-expiration [check-expiration] Reading configuration from the cluster... [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' W0615 11:30:27.657289 11850 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [11.254.0.10]; the provided value is: [169.254.25.10] CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED admin.conf May 26, 2023 08:03 UTC 345d ca no apiserver May 26, 2023 08:03 UTC 345d ca no apiserver-etcd-client May 26, 2023 08:03 UTC 345d etcd-ca no apiserver-kubelet-client May 26, 2023 08:03 UTC 345d ca no controller-manager.conf May 26, 2023 08:03 UTC 345d ca no etcd-healthcheck-client May 26, 2023 08:03 UTC 345d etcd-ca no etcd-peer May 26, 2023 08:03 UTC 345d etcd-ca no etcd-server May 26, 2023 08:03 UTC 345d etcd-ca no front-proxy-client May 26, 2023 08:03 UTC 345d front-proxy-ca no scheduler.conf May 26, 2023 08:03 UTC 345d ca no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED ca May 23, 2032 08:03 UTC 9y no etcd-ca May 23, 2032 08:03 UTC 9y no front-proxy-ca May 23, 2032 08:03 UTC 9y no

更新证书

所有 master 节点上面执行

1

# kubeadm certs renew all

再次查看有效期

注: 已经运行的集群 ca 证书不会更新

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

# kubeadm certs check-expiration CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED admin.conf May 22, 2121 04:10 UTC 98y ca no apiserver May 22, 2121 04:10 UTC 98y ca no apiserver-etcd-client May 22, 2121 04:10 UTC 98y etcd-ca no apiserver-kubelet-client May 22, 2121 04:10 UTC 98y ca no controller-manager.conf May 22, 2121 04:10 UTC 98y ca no etcd-healthcheck-client May 22, 2121 04:10 UTC 98y etcd-ca no etcd-peer May 22, 2121 04:10 UTC 98y etcd-ca no etcd-server May 22, 2121 04:10 UTC 98y etcd-ca no front-proxy-client May 22, 2121 04:10 UTC 98y front-proxy-ca no scheduler.conf May 22, 2121 04:10 UTC 98y ca no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED ca May 23, 2032 08:03 UTC 9y no etcd-ca May 23, 2032 08:03 UTC 9y no front-proxy-ca May 23, 2032 08:03 UTC 9y no

更新配置文件

所有master节点执行

1 2 3

# kubectl -n kube-system get configmap kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' > kubeadm.yaml # kubeadm init phase kubeconfig all --config kubeadm.yaml # mv /root/.kube/config /root/.kube/config.bak && cp /etc/kubernetes/admin.conf /root/.kube/config

重启服务

重启容器让apiserver、controller、scheduler、etcd配置生效

1

# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart

再次验证

1 2

# echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate notAfter=May 22 04:13:09 2121 GMT

参考文章:

更新一个10年有效期的 Kubernetes 证书

kubeadm修改证书有效期100年

1 人点赞