Modifying the validity period of Kubernetes certificates

Modifying the certificate validity period

[root@k8s-master01 pki]# openssl x509 -in apiserver.crt -text -noout

First download the kubeadm source code and change the validity period of the certificates it issues for the apiserver from 1 year to 10 years. (Requires a Go environment.)


1. Set up the Go environment

[root@k8s-master01 data]# tar -zxvf go1.15.2.linux-amd64.tar.gz -C /usr/local
[root@k8s-master01 data]# vim /etc/profile
export PATH=$PATH:/usr/local/go/bin
[root@k8s-master01 data]# source /etc/profile
[root@k8s-master01 data]# go version


2. Download the kubernetes source code

[root@k8s-master01 data]# git clone https://github.com/kubernetes/kubernetes.git

[root@k8s-master01 data]# cd kubernetes
[root@k8s-master01 kubernetes]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1",

[root@k8s-master01 kubernetes]# git checkout -b remotes/origin/release-1.15.1 v1.15.1

3. Modify the certificate validity policy in the kubeadm source code

[root@k8s-master01 kubernetes]# vim staging/src/k8s.io/client-go/util/cert/cert.go
# kubeadm versions before 1.14

vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
# kubeadm 1.14 and later
// In NewSignedCert, change the validity from 1 year to 10 years:
  const duration365d = time.Hour * 24 * 365 * 10
  // NotAfter is then computed from the new duration:
  NotAfter:    time.Now().Add(duration365d).UTC(),

[root@k8s-master01 kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v

[root@k8s-master01 kubernetes]# cp /usr/bin/kubeadm /usr/bin/kubeadm.old
[root@k8s-master01 kubernetes]# cp _output/bin/kubeadm /usr/bin/kubeadm
[root@k8s-master01 kubernetes]# chmod a+x /usr/bin/kubeadm
[root@k8s-master01 kubernetes]# cd /etc/kubernetes/
[root@k8s-master01 kubernetes]# cp -r pki /pki.old

Generate the new certificates
[root@k8s-master01 ~]# kubeadm alpha certs renew all --config=/usr/local/install-k8s/core/kubeadm-config.yaml
--config is the YAML file that was used when the k8s cluster was originally installed
[root@k8s-master01 ~]# cd /etc/kubernetes/pki

Check the certificate validity period
[root@k8s-master01 pki]# openssl x509 -in apiserver.crt -text -noout 

Origin blog.csdn.net/qq_39578545/article/details/108984497