It is recommended to change the certificate validity first and then initialize the cluster with the rebuilt kubeadm, so that the certificates are issued with a 100-year lifetime from the start.
1. Download the source code for the matching version (use the package that corresponds to your Kubernetes version)
[root@k8s-master ~]# wget https://github.com/kubernetes/kubernetes/archive/v1.19.3.tar.gz
# the GitHub archive is saved as v1.19.3.tar.gz and unpacks into kubernetes-1.19.3/
[root@k8s-master ~]# tar -zxvf v1.19.3.tar.gz
[root@k8s-master ~]# cd kubernetes-1.19.3
[root@k8s-master kubernetes-1.19.3]# vim ./staging/src/k8s.io/client-go/util/cert/cert.go
// In this function the line NotAfter: now.Add(duration365d * 10).UTC() sets the CA validity.
// The default is 10 years; change it to 100 years.
// In vim, type /NotAfter and press Enter to jump to it.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore: now.UTC(),
		// NotAfter: now.Add(duration365d * 10).UTC(),
		NotAfter:              now.Add(duration365d * 100).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
Change the validity of the signed certificates to 100 years (the default is 1 year)
[root@k8s-master kubernetes-1.19.3]# vim ./cmd/kubeadm/app/constants/constants.go
// The constant CertificateValidity is the one to change: multiply it by 100 years.
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"

	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	// CertificateValidity = time.Hour * 24 * 365
	CertificateValidity = time.Hour * 24 * 365 * 100

	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
	// CAKeyName defines certificate name
	CAKeyName = "ca.key"
With the source changed, the next step is to compile kubeadm.
3. Compile
Check the TAG version of kube-cross (the version shown here is the Go version the build requires)
[root@k8s-master kubernetes-1.19.3]# cat ./build/build-image/cross/VERSION
v1.15.2-1
It shows v1.15.2-1 here, so the v1.15.2-1 Go environment is required.
There are two ways to compile kubeadm:
The first uses a Docker image: compile inside a downloaded image that already contains the Go environment. This requires either direct access to k8s.gcr.io or a suitable mirror image of the matching version.
The second compiles in the local environment, which requires deploying Go by hand.
Method 1: compile with a Docker image
[root@k8s-master kubernetes-1.19.3]# docker pull k8s.gcr.io/kube-cross:v1.15.2-1
[root@k8s-master kubernetes-1.19.3]# pwd
/root/kubernetes-1.19.3
# Run the image that was just pulled (if k8s.gcr.io is unreachable, a mirror such as gcrcontainer/kube-cross with the same tag can be substituted)
[root@k8s-master kubernetes-1.19.3]# docker run --rm -v /root/kubernetes-1.19.3:/go/src/k8s.io/kubernetes -it k8s.gcr.io/kube-cross:v1.15.2-1 bash
go# cd /go/src/k8s.io/kubernetes
# Build kubeadm; only kubeadm actually needs to be built (kubelet and kubectl are optional)
go# make all WHAT=cmd/kubeadm GOFLAGS=-v
# Build kubelet (optional)
go# make all WHAT=cmd/kubelet GOFLAGS=-v
# Build kubectl (optional)
go# make all WHAT=cmd/kubectl GOFLAGS=-v
# Leave the container
go# exit
# The build output is under _output/bin/kubeadm,
# where bin is a symlink;
# the real path is _output/local/bin/linux/amd64/kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
#chmod +x /usr/bin/kubeadm
# Verify the version
kubeadm version
Method 2: compile locally
Prepare the base packages
[root@k8s-master kubernetes-1.19.3]# yum install gcc make -y
[root@k8s-master kubernetes-1.19.3]# yum install rsync jq -y
# Check the TAG version of kube-cross (the version shown here is the Go version the build requires)
[root@k8s-master kubernetes-1.19.3]# cat ./build/build-image/cross/VERSION
v1.15.2-1
# Download the Go package of the matching version (if the download is too slow on this machine, fetch it with Thunder/迅雷 instead)
[root@k8s-master kubernetes-1.19.3]# cd /root/
[root@k8s-master ~]# wget https://dl.google.com/go/go1.15.2.linux-amd64.tar.gz
[root@k8s-master ~]# tar zxvf go1.15.2.linux-amd64.tar.gz -C /usr/local
# Edit /etc/profile and add the following:
#go setting
[root@k8s-master ~]# vim /etc/profile
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin
# Apply it
[root@k8s-master ~]# source /etc/profile
# Check the Go version to confirm Go works
[root@k8s-master ~]# go version
go version go1.15.2 linux/amd64
# Build kubeadm
[root@k8s-master ~]# cd kubernetes-1.19.3
# Build kubeadm; only kubeadm actually needs to be built (kubelet and kubectl are optional)
[root@k8s-master kubernetes-1.19.3]# make all WHAT=cmd/kubeadm GOFLAGS=-v
# Build kubelet (optional)
[root@k8s-master kubernetes-1.19.3]# make all WHAT=cmd/kubelet GOFLAGS=-v
# Build kubectl (optional)
[root@k8s-master kubernetes-1.19.3]# make all WHAT=cmd/kubectl GOFLAGS=-v
# The build output is under _output/bin/kubeadm,
# where bin is a symlink;
# the real path is _output/local/bin/linux/amd64/kubeadm
[root@k8s-master kubernetes-1.19.3]# mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
[root@k8s-master kubernetes-1.19.3]# cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
[root@k8s-master kubernetes-1.19.3]# chmod +x /usr/bin/kubeadm
# Verify the version
[root@k8s-master kubernetes-1.19.3]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.3", GitCommit:"1e11e4a2108024935ecfcb2912226cedeafd99df", GitTreeState:"archive", BuildDate:"2021-02-19T02:24:12Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}
4. Renew the certificates after compiling
Back up the existing certificates
[root@k8s-master ~]# cp -rf /etc/kubernetes/pki{,_bak}
Check the certificate expiration times
[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
W0219 10:28:36.098658   15456 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 18, 2022 10:08 UTC   364d                                    no
apiserver                  Feb 18, 2022 10:08 UTC   364d            ca                      no
apiserver-etcd-client      Feb 18, 2022 10:08 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Feb 18, 2022 10:08 UTC   364d            ca                      no
controller-manager.conf    Feb 18, 2022 10:08 UTC   364d                                    no
etcd-healthcheck-client    Feb 18, 2022 10:08 UTC   364d            etcd-ca                 no
etcd-peer                  Feb 18, 2022 10:08 UTC   364d            etcd-ca                 no
etcd-server                Feb 18, 2022 10:08 UTC   364d            etcd-ca                 no
front-proxy-client         Feb 18, 2022 10:08 UTC   364d            front-proxy-ca          no
scheduler.conf             Feb 18, 2022 10:08 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 16, 2031 09:11 UTC   9y              no
etcd-ca                 Feb 16, 2031 09:11 UTC   9y              no
front-proxy-ca          Feb 16, 2031 09:11 UTC   9y              no
Look at the help to see which parameters are available.
[root@k8s-master ~]# kubeadm alpha certs renew --help
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm alpha certs renew [flags]
  kubeadm alpha certs renew [command]

Available Commands:
  admin.conf                 Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                        Renew all available certificates
  apiserver                  Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client      Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client   Renew the certificate for the API server to connect to kubelet
  controller-manager.conf    Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client    Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                  Renew the certificate for etcd nodes to communicate with each other
  etcd-server                Renew the certificate for serving etcd
  front-proxy-client         Renew the certificate for the front proxy client
  scheduler.conf             Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm alpha certs renew [command] --help" for more information about a command.
Renew all certificates
[root@k8s-master ~]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
W0219 10:29:55.337888   16431 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Check the validity again: the signed certificates now carry the 100 years we set earlier. Note that the three CA certificates still show 9y, because kubeadm alpha certs renew re-issues only the signed certificates and kubeconfig files, never the CAs; the CAs only get the 100-year lifetime when the cluster is initialized with the rebuilt kubeadm, as recommended at the top.
[root@k8s-master ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
W0219 10:30:41.959616   16532 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 26, 2121 02:29 UTC   99y                                     no
apiserver                  Jan 26, 2121 02:29 UTC   99y             ca                      no
apiserver-etcd-client      Jan 26, 2121 02:29 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Jan 26, 2121 02:29 UTC   99y             ca                      no
controller-manager.conf    Jan 26, 2121 02:29 UTC   99y                                     no
etcd-healthcheck-client    Jan 26, 2121 02:29 UTC   99y             etcd-ca                 no
etcd-peer                  Jan 26, 2121 02:29 UTC   99y             etcd-ca                 no
etcd-server                Jan 26, 2121 02:29 UTC   99y             etcd-ca                 no
front-proxy-client         Jan 26, 2121 02:29 UTC   99y             front-proxy-ca          no
scheduler.conf             Jan 26, 2121 02:29 UTC   99y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 16, 2031 09:11 UTC   9y              no
etcd-ca                 Feb 16, 2031 09:11 UTC   9y              no
front-proxy-ca          Feb 16, 2031 09:11 UTC   9y              no
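As an added Go example (not code from this page or from Kubernetes), the following reproduces the two lifetimes patched above, the CA lifetime in NewSelfSignedCACert and the signed-certificate lifetime CertificateValidity, as parameters, and adds the check the last output calls for: 100-year signed certificates issued under a CA that still expires in 2031. The function names issue, residualDays and outlivesCA and the use of Ed25519 keys are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Same helper name as client-go's cert.go; kubeadm's CertificateValidity is one of these.
const duration365d = time.Hour * 24 * 365

// issue builds a certificate the way the page's patched NewSelfSignedCACert does, but with
// the lifetime as a parameter. parent == nil gives a self-signed CA; otherwise a leaf signed
// by parent (the role of kubeadm's CertificateValidity). Ed25519 keys are an assumption
// made here to keep the example short; kubeadm itself uses RSA.
func issue(cn string, validity time.Duration, now time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.UTC(),
		NotAfter:     now.Add(validity).UTC(),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signKey := &tmpl, priv // self-signed: the template is its own issuer
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, signer, pub, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// residualDays is check-expiration's RESIDUAL TIME column in whole days; outlivesCA flags a
// leaf whose NotAfter is past its issuer's, as with 100-year leaves under the original
// 10-year CA in the last output above: they stop verifying when the CA expires in 2031.
func residualDays(c *x509.Certificate, now time.Time) int { return int(c.NotAfter.Sub(now).Hours() / 24) }
func outlivesCA(leaf, ca *x509.Certificate) bool { return leaf.NotAfter.After(ca.NotAfter) }
```

Running outlivesCA over the files in /etc/kubernetes/pki after a renewal is the cheap way to catch signed certificates that will fail together with their CA.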