Certificate update
- Certificates issued by kubeadm are valid for one year by default
- Once a certificate has expired, kubectl fails with: `Unable to connect to the server: x509: certificate has expired or is not yet valid`
View certificate expiration
```
[root@k8s-test-master-1 ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Jul 28, 2020 05:41 UTC   364d            no
apiserver                  Jul 28, 2020 05:41 UTC   364d            no
apiserver-etcd-client      Jul 28, 2020 05:41 UTC   364d            no
apiserver-kubelet-client   Jul 28, 2020 05:41 UTC   364d            no
controller-manager.conf    Jul 28, 2020 05:41 UTC   364d            no
etcd-healthcheck-client    Jul 28, 2020 05:41 UTC   364d            no
etcd-peer                  Jul 28, 2020 05:41 UTC   364d            no
etcd-server                Jul 28, 2020 05:41 UTC   364d            no
front-proxy-client         Jul 28, 2020 05:41 UTC   364d            no
scheduler.conf             Jul 28, 2020 05:41 UTC   364d            no

# Check how long the root CA certificates are valid (years)
[root@k8s-test-master-1 ~]# cd /etc/kubernetes/pki
[root@k8s-test-master-1 pki]# ls | grep ca.crt | xargs -I {} openssl x509 -text -in {} | grep "Not After"
            Not After : Jul 26 05:41:23 2029 GMT
            Not After : Jul 26 05:41:23 2029 GMT
```
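`kubeadm alpha certs check-expiration` only exists from kubeadm 1.15 on, and it does not cover the kubelet's kubeconfig. The script below is an added example, not part of the original post: it computes the days remaining for every certificate under /etc/kubernetes/pki (including the CA certificates) and for the client certificate embedded in each kubeconfig file, and flags anything with less than 30 days left. It assumes GNU `date`, `openssl` and the default kubeadm paths; the 30-day threshold and the `RENEW-SOON` label are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example: list expiry of every kubeadm-managed certificate, including the
# client certificates embedded in the kubeconfig files. Assumes GNU date and
# openssl; PKI_DIR and KUBECONFIGS default to the kubeadm layout.
set -eu

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
KUBECONFIGS="${KUBECONFIGS:-/etc/kubernetes/admin.conf /etc/kubernetes/controller-manager.conf /etc/kubernetes/scheduler.conf /etc/kubernetes/kubelet.conf}"

# days_left NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is what openssl prints after "notAfter=", e.g. "Jul 28 05:41:23 2020 GMT".
# Prints whole days remaining; negative once the certificate has expired.
days_left() {
    local not_after="$1" now="${2:-$(date -u +%s)}" end
    end=$(date -u -d "$not_after" +%s)
    echo $(( (end - now) / 86400 ))
}

# cert_not_after PEM_FILE -> notAfter of the first certificate in the file
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# kubeconfig_not_after FILE -> notAfter of the base64 client-certificate-data in a kubeconfig
kubeconfig_not_after() {
    sed -n 's/^ *client-certificate-data: *//p' "$1" | head -n1 | base64 -d \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# One line per certificate; anything under 30 days (threshold chosen here) gets RENEW-SOON.
report() {
    local f na d
    for f in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt; do
        [ -f "$f" ] || continue
        na=$(cert_not_after "$f"); d=$(days_left "$na")
        printf '%-55s %-25s %5sd %s\n' "$f" "$na" "$d" "$( [ "$d" -lt 30 ] && echo RENEW-SOON || true )"
    done
    for f in $KUBECONFIGS; do
        [ -f "$f" ] || continue
        na=$(kubeconfig_not_after "$f"); d=$(days_left "$na")
        printf '%-55s %-25s %5sd %s\n' "$f (embedded)" "$na" "$d" "$( [ "$d" -lt 30 ] && echo RENEW-SOON || true )"
    done
}

report
```

Run it as root on each master. The CA certificates are listed too on purpose: `kubeadm alpha certs renew` only reissues leaf certificates and kubeconfigs, so a CA approaching its ten-year expiry needs a different procedure.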
Certificate directory structure
```
[root@k8s-test-master-1 pki]# pwd
/etc/kubernetes/pki
[root@k8s-test-master-1 pki]# tree .
.
├── apiserver.crt
├── apiserver-etcd-client.crt
├── apiserver-etcd-client.key
├── apiserver.key
├── apiserver-kubelet-client.crt
├── apiserver-kubelet-client.key
├── ca.crt
├── ca.key
├── etcd
│   ├── ca.crt
│   ├── ca.key
│   ├── healthcheck-client.crt
│   ├── healthcheck-client.key
│   ├── peer.crt
│   ├── peer.key
│   ├── server.crt
│   └── server.key
├── front-proxy-ca.crt
├── front-proxy-ca.key
├── front-proxy-client.crt
├── front-proxy-client.key
├── sa.key
└── sa.pub

1 directory, 22 files
```
Kubernetes cluster root certificate
/etc/kubernetes/pki/ca.crt
/etc/kubernetes/pki/ca.key
Certificates issued by this root CA:
- 1. Server certificate held by the kube-apiserver component
/etc/kubernetes/pki/apiserver.crt
/etc/kubernetes/pki/apiserver.key
- 2. Client certificate the kube-apiserver presents when it connects to the kubelets (for logs, exec, port-forward and so on)
/etc/kubernetes/pki/apiserver-kubelet-client.crt
/etc/kubernetes/pki/apiserver-kubelet-client.key
The kubelet is usually not given an explicit serving certificate; it is only given the root CA certificate, and it generates its own serving certificate from the local host information and stores it in the directory configured by --cert-dir.
Aggregation layer (aggregator) certificate
/etc/kubernetes/pki/front-proxy-ca.crt
/etc/kubernetes/pki/front-proxy-ca.key
This root CA issues only one certificate:
- 1. Client certificate the aggregator (front proxy) presents when it forwards a request on behalf of a user; the receiving API server verifies it against front-proxy-ca.crt
/etc/kubernetes/pki/front-proxy-client.crt
/etc/kubernetes/pki/front-proxy-client.key
etcd cluster root certificate
/etc/kubernetes/pki/etcd/ca.crt
/etc/kubernetes/pki/etcd/ca.key
Certificates issued by this root CA:
- 1. Server certificate held by the etcd server
/etc/kubernetes/pki/etcd/server.crt
/etc/kubernetes/pki/etcd/server.key
- 2. Peer certificate used by the etcd cluster members to authenticate to each other
/etc/kubernetes/pki/etcd/peer.crt
/etc/kubernetes/pki/etcd/peer.key
- 3. Client certificate used by the liveness probe defined in the etcd Pod
/etc/kubernetes/pki/etcd/healthcheck-client.crt
/etc/kubernetes/pki/etcd/healthcheck-client.key
- 4. Client certificate configured in kube-apiserver for mutual TLS authentication with the etcd server
/etc/kubernetes/pki/apiserver-etcd-client.crt
/etc/kubernetes/pki/apiserver-etcd-client.key
Service Account keys
This key pair is used only by kube-controller-manager and kube-apiserver: kube-controller-manager signs service account tokens with sa.key, and the API server on the master verifies the signature with the public key sa.pub.
The API server supports several authentication methods: client certificates, bearer tokens, static password auth, and others. The API server tries them in turn, and a request is authenticated as soon as one of them succeeds. When a request carries a service account token, the API server verifies it as a signed bearer token. The key used for verification is given by the --service-account-key-file flag when the API server starts; if that flag is not set, it defaults to the value of --tls-private-key-file, i.e. the API server's own TLS private key. The matching private key is the one kube-controller-manager uses, via --service-account-private-key-file, to sign the tokens it creates.
After authentication, the API server takes the Pod's identity (user system:serviceaccount:<NAMESPACE>:<NAME>, in the groups system:serviceaccounts and system:serviceaccounts:<NAMESPACE>) through the authorization and admission control stages. In both stages the cluster administrator can refine what a service account is allowed to do.
/etc/kubernetes/pki/sa.key
/etc/kubernetes/pki/sa.pub
In a kubeadm-created cluster, kube-proxy, flannel and CoreDNS run as Pods and authenticate to kube-apiserver with service account tokens, so no separate certificate needs to be created for kube-proxy.
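The signing and verification roles described above can be checked by hand. The script below is an added example, not part of the original post: it builds an RS256 JWT the way kube-controller-manager does with sa.key and verifies it against the public key the way kube-apiserver does with sa.pub, using only `openssl`. The demo generates a throwaway key pair standing in for sa.key/sa.pub and a constructed payload; on a real master you would point `jwt_verify` at /etc/kubernetes/pki/sa.pub and pass a token read from a Pod's /var/run/secrets/kubernetes.io/serviceaccount/token. The function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: sign and verify a service account token (RS256 JWT) with openssl,
# mirroring kube-controller-manager (sa.key) and kube-apiserver (sa.pub).
# Assumes openssl and GNU coreutils.
set -eu

# base64url without padding, as used in JWTs
b64url_enc() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_dec() {
    local s="$1"
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s" | tr '_-' '/+' | openssl base64 -d -A
}

# jwt_sign PRIVKEY PAYLOAD_JSON -> compact RS256 JWT signed with PRIVKEY (the sa.key role)
jwt_sign() {
    local key="$1" payload="$2" h p sig
    h=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_enc)
    p=$(printf '%s' "$payload" | b64url_enc)
    sig=$(printf '%s' "$h.$p" | openssl dgst -sha256 -sign "$key" -binary | b64url_enc)
    printf '%s.%s.%s\n' "$h" "$p" "$sig"
}

# jwt_claims TOKEN -> the decoded payload (sub is system:serviceaccount:<ns>:<name>)
jwt_claims() { local p="${1#*.}"; b64url_dec "${p%.*}"; echo; }

# jwt_verify PUBKEY TOKEN -> exit 0 only if the signature checks out under PUBKEY (the sa.pub role)
jwt_verify() {
    local pub="$1" tok="$2" h p s sigfile rc
    h=${tok%%.*}; s=${tok##*.}; p=${tok#*.}; p=${p%.*}
    sigfile=$(mktemp)
    b64url_dec "$s" > "$sigfile"
    if printf '%s' "$h.$p" | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$sigfile"
    return $rc
}

# Usage: a constructed key pair and payload, not a real cluster's sa.key or token.
demo() {
    local dir tok forged
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/sa.key" 2048 2>/dev/null
    openssl rsa -in "$dir/sa.key" -pubout -out "$dir/sa.pub" 2>/dev/null
    tok=$(jwt_sign "$dir/sa.key" '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","sub":"system:serviceaccount:kube-system:kube-proxy"}')
    jwt_claims "$tok"
    if jwt_verify "$dir/sa.pub" "$tok"; then echo "signature valid under sa.pub"; else echo "signature INVALID"; fi
    # Swap in a different payload but keep the old signature: verification must fail.
    forged="${tok%%.*}.$(printf '%s' '{"sub":"system:serviceaccount:kube-system:admin"}' | b64url_enc).${tok##*.}"
    if jwt_verify "$dir/sa.pub" "$forged"; then echo "tampered token accepted (bug)"; else echo "tampered token rejected"; fi
    rm -rf "$dir"
}

demo
```

A token that fails `jwt_verify` against the current sa.pub was signed by a different key; this is what you see when sa.key was regenerated on one master but not copied to the others.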
Update certificate
Generate the cluster configuration YAML file
```
kubeadm config view > /root/kubeadm.yaml
```
- kubeadm.yaml
```yaml
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes-test
controlPlaneEndpoint: 10.8.28.200:6443
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /data/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.15.1
networking:
  dnsDomain: cluster.local
  podSubnet: 192.168.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}
```
Help for the certificate renew command
```
[root@k8s-test-master-1 ~]# kubeadm alpha certs renew --help
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm alpha certs renew [flags]
  kubeadm alpha certs renew [command]

Available Commands:
  admin.conf                Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                       Renew all available certificates
  apiserver                 Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client     Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client  Renew the certificate for the API server to connect to kubelet
  controller-manager.conf   Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client   Renew the certificate for liveness probes to healtcheck etcd
  etcd-peer                 Renew the certificate for etcd nodes to communicate with each other
  etcd-server               Renew the certificate for serving etcd
  front-proxy-client        Renew the certificate for the front proxy client
  scheduler.conf            Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
```
Certificate update operation
Run on each master
```
kubeadm alpha certs renew all --config=/root/kubeadm.yaml   # (certificates can also be renewed one at a time)
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

# Check the certificate expiry again
[root@k8s-test-master-1 ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Jul 29, 2020 06:47 UTC   364d            no
apiserver                  Jul 29, 2020 06:47 UTC   364d            no
apiserver-etcd-client      Jul 29, 2020 06:47 UTC   364d            no
apiserver-kubelet-client   Jul 29, 2020 06:47 UTC   364d            no
controller-manager.conf    Jul 29, 2020 06:47 UTC   364d            no
etcd-healthcheck-client    Jul 29, 2020 06:47 UTC   364d            no
etcd-peer                  Jul 29, 2020 06:47 UTC   364d            no
etcd-server                Jul 29, 2020 06:47 UTC   364d            no
front-proxy-client         Jul 29, 2020 06:47 UTC   364d            no
scheduler.conf             Jul 29, 2020 06:47 UTC   364d            no

# On all three masters, restart the kube-apiserver, kube-controller-manager, kube-scheduler
# and etcd containers so the renewed certificates take effect
docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' | xargs docker restart
```
Note that kubectl on the master reads ~/.kube/config, which is a copy of admin.conf made at install time. Copy the renewed /etc/kubernetes/admin.conf over it, otherwise kubectl keeps presenting the expired client certificate and the x509 error from the start of this page persists.
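The steps above, wrapped into one script per master, as an added example that is not part of the original post: back up the PKI directory before anything is overwritten, renew, restart the four control-plane containers, refresh the admin kubeconfig, check that the new leaf certificates still chain to the unchanged CAs, and print the new expiry. It assumes kubeadm 1.15 (`kubeadm alpha certs`), docker as the container runtime and the default kubeadm paths; the script name `renew-k8s-certs.sh`, the environment overrides and the helper names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: one-shot certificate renewal for a kubeadm 1.15 master with docker.
# Save as renew-k8s-certs.sh and run as root; sourcing the file only defines the helpers.
set -eu

CONFIG="${CONFIG:-/root/kubeadm.yaml}"
K8S_DIR="${K8S_DIR:-/etc/kubernetes}"
BACKUP_ROOT="${BACKUP_ROOT:-/root}"

# backup_pki SRC_DIR DEST_DIR -> tars SRC_DIR into DEST_DIR/k8s-pki-<timestamp>.tar.gz and prints the path.
# Renewal overwrites every .crt in place, so keep a copy you can restore from.
backup_pki() {
    local src="$1" dest="$2" out
    out="$dest/k8s-pki-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")"
    printf '%s\n' "$out"
}

# control_plane_container_ids reads `docker ps` output on stdin and prints the IDs of the
# kube-apiserver, kube-controller-manager, kube-scheduler and etcd containers. Anchoring on the
# k8s_<container>_<pod> name prefix skips the pause containers (k8s_POD_...) and anything
# unrelated whose image name merely contains "etcd".
control_plane_container_ids() {
    awk '$NF ~ /^k8s_(kube-apiserver|kube-controller-manager|kube-scheduler|etcd)_/ { print $1 }'
}

renew_all() {
    kubeadm alpha certs renew all --config="$CONFIG"
}

restart_control_plane() {
    local ids
    ids=$(docker ps | control_plane_container_ids)
    [ -n "$ids" ] && echo "$ids" | xargs docker restart
}

# kubectl on the master reads ~/.kube/config, a copy of admin.conf made at install time;
# without refreshing it kubectl keeps presenting the expired client certificate.
refresh_admin_kubeconfig() {
    mkdir -p "$HOME/.kube"
    install -m 0600 "$K8S_DIR/admin.conf" "$HOME/.kube/config"
}

# Renewal reuses the existing CAs, so the new leaf certificates must still verify against them.
verify_chains() {
    openssl verify -CAfile "$K8S_DIR/pki/ca.crt" "$K8S_DIR/pki/apiserver.crt"
    openssl verify -CAfile "$K8S_DIR/pki/etcd/ca.crt" "$K8S_DIR/pki/etcd/server.crt"
}

main() {
    backup_pki "$K8S_DIR/pki" "$BACKUP_ROOT"
    renew_all
    restart_control_plane
    refresh_admin_kubeconfig
    verify_chains
    kubeadm alpha certs check-expiration
}

# Run the procedure only when executed under the expected script name.
case "${0##*/}" in renew-k8s-certs.sh) main ;; esac
```

Run it on every master in turn, not in parallel, so that etcd keeps quorum while each member's container restarts.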