k8s踩坑记录——证书一年有效期

企业开发 2019-06-12 12:20:52 阅读次数: 0

依照https://github.com/strongit/kubeadm-ha/ 安装步骤,kubeadm init安装后的集群存在证书过期问题。现修复如下:
思路如下,
1、保留ca.crt ca.key front-proxy-ca.crt front-proxy-ca.key,根证书有效期十年
2、openssl重新签注
3、kubeadm alpha phase 生成config

 [root@k8s-master01 pki]# cat csr.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = BeiJing
L = BeiJing
O = k8s
OU = System
CN = kubernetes

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = k8s-master01
DNS.7 = k8s-master02
DNS.8 = k8s-master03
IP.1 = 10.96.0.1
IP.2 = 100.82.200.190
IP.3 = 100.82.200.184
IP.4 = 100.82.200.187
IP.5 = 100.82.200.194
IP.6 = 10.220.8.184
IP.7 = 10.220.8.187
IP.8 = 10.220.8.190
IP.9 = 10.220.8.194

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names

 openssl genrsa -out apiserver.key 2048 
 openssl req -new -key apiserver.key -out apiserver.csr -config csr.conf
 openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days 10000 -extensions v3_ext -extfile csr.conf
 openssl x509  -noout -text -in ./apiserver.crt  |grep "Not"

 openssl genrsa -out apiserver-kubelet-client.key 2048
 openssl req -new -key apiserver-kubelet-client.key -out apiserver-kubelet-client.csr -config csr.conf
 openssl x509 -req -in apiserver-kubelet-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver-kubelet-client.crt -days 10000 -extensions v3_ext -extfile csr.conf
 openssl x509  -noout -text -in ./apiserver-kubelet-client.crt  |grep "Not"

 openssl genrsa -out front-proxy-client.key 2048
 openssl req -new -key front-proxy-client.key -out front-proxy-client.csr -config csr.conf
 openssl x509 -req -in front-proxy-client.csr -CA front-proxy-ca.crt -CAkey front-proxy-ca.key -CAcreateserial -out front-proxy-client.crt -days 10000 -extensions v3_ext -extfile csr.conf
 openssl x509  -noout -text -in ./front-proxy-client.crt  |grep "Not"

kubeadm alpha phase certs all --config kubeadm-config.yaml

kubeadm alpha phase kubelet config write-to-disk --config kubeadm-config.yaml
kubeadm alpha phase kubelet write-env-file --config kubeadm-config.yaml
kubeadm alpha phase kubeconfig kubelet --config kubeadm-config.yaml

kubeadm alpha phase kubeconfig all --config kubeadm-config.yaml

kubeadm alpha phase controlplane all --config kubeadm-config.yaml

systemctl restart kubelet
kubeadm alpha phase mark-master --config kubeadm-config.yaml
cp /etc/kubernetes/admin.conf ~/.kube/config

重启集群后,执行kubelet logs pods XXXX -n kube-system报错如下:Error from server (Forbidden): Forbidden (user=kubernetes, verb=get, resource=nodes, subresource=proxy) ( pods/log kube-scheduler-k8s-master01)
解决方案:kubectl create clusterrolebinding system:kubernetes --clusterrole=cluster-admin --user=system:kubernetes

猜你喜欢

转载自blog.51cto.com/strongit/2407732
今日推荐
火速冲上 GitHub 热榜 —— 开源编程语言、框架哪有这么可爱?
北京人形机器人创新中心发布全球首个纯电驱拟人奔跑的全尺寸人形机器人“天工”
LFOSSA 源来如此公开课 | 掌握云原生未来:CNCF 认证全面攻略与备考秘籍
国产云输入法——仅华为无云端数据上传安全问题
开源日报 | 工业开源项目OGG 1.0;姐姐,你要和我一起配置火狐吗;苹果AI遥遥落后?Fedora 40
开放签电子签章:停止新增,优化体验,前进更进(五一假期前工作)
周排行
Metasploit文件目录与入侵基本概念
跨域(CORS)请求问题[No 'Access-Control-Allow-Origin' header is present on the requested resource]常见解决方案
CodeIgniter 源码解读之 CodeIgniter.php(二)
SAS入门之(四)改变数据类型
初识元组
[数学建模]数学建模算法和模型(B站视频)(二)
Nginx 服务器源码安装配置流程
C#实现语音视频录制 【基于MCapture + MFile】
开发进度4
下载安装vue的方法网址
每日归档
更多
2024-04-28(0)
2024-04-27(56)
2024-04-26(39)
2024-04-25(22)
2024-04-24(36)
2024-04-23(26)
2024-04-22(39)
2024-04-21(0)
2024-04-20(6)
2024-04-19(5)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022