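Upgrading the Kubernetes version renews the certificates by default. Check the certificate validity periods (some are 10 years, some are 1 year); the goal here is to make all certificates valid for 100 years.
Download Go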
wget https://dl.google.com/go/go1.13.5.linux-amd64.tar.gz
tar zxf go1.13.5.linux-amd64.tar.gz
mv go /opt/go
echo 'export PATH=$PATH:/opt/go/bin' >> /root/.bash_profile
source /root/.bash_profile
go env
Download the source code
mkdir -p /root/go/src/k8s.io/
cd /root/go/src/k8s.io/
git clone https://github.com/kubernetes/kubernetes.git
cd kubernetes/
git checkout -b remotes/origin/release-1.17.4 v1.17.4 # switch to the version to be modified
vi staging/src/k8s.io/client-go/util/cert/cert.go
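Change the constant to 100 years (search for const duration365d = time.Hour):
const duration365d = time.Hour * 24 * 365 * 100
Search for:
NotAfter: now.Add(duration365d * 10).UTC(),
Remove the * 10 (100 years multiplied by 10 would overflow time.Duration, which holds at most about 292 years):
NotAfter: now.Add(duration365d).UTC(),
Second file: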
vi cmd/kubeadm/app/constants/constants.go
CertificateValidity = time.Hour * 24 * 365
Change it to 100 years:
CertificateValidity = time.Hour * 24 * 365 * 100
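Build and copy the binary into your /bin/ directory
# Build only kubeadm. On a low-spec server the build may fail; you can first try building the unmodified source.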
make WHAT=cmd/kubeadm GOFLAGS=-v
cp _output/bin/kubeadm /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm
kubeadm alpha certs renew all
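This regenerates all certificates; then copy the certificates to the other master nodes.
If the CA certificates still show 10 years, the cluster has to be re-initialized, because renew does not extend the lifetime of the CA certificates.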
kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 04, 2069 11:55 UTC   49y                                     no
apiserver                  Dec 04, 2069 11:55 UTC   49y             ca                      no
apiserver-etcd-client      Dec 04, 2069 11:55 UTC   49y             etcd-ca                 no
apiserver-kubelet-client   Dec 04, 2069 11:55 UTC   49y             ca                      no
controller-manager.conf    Dec 04, 2069 11:55 UTC   49y                                     no
etcd-healthcheck-client    Dec 04, 2069 11:55 UTC   49y             etcd-ca                 no
etcd-peer                  Dec 04, 2069 11:55 UTC   49y             etcd-ca                 no
etcd-server                Dec 04, 2069 11:55 UTC   49y             etcd-ca                 no
front-proxy-client         Dec 04, 2069 11:55 UTC   49y             front-proxy-ca          no
scheduler.conf             Dec 04, 2069 11:55 UTC   49y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 04, 2069 11:55 UTC   49y             no
etcd-ca                 Dec 04, 2069 11:55 UTC   49y             no
front-proxy-ca          Dec 04, 2069 11:55 UTC   49y             no
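
The note above that renew does not extend the CA matters because a leaf certificate stops validating once the CA that signed it expires, whatever its own NotAfter says. The following is an added example, not part of the original notes or of kubeadm: it reads a PEM bundle with Go's crypto/x509 and reports each certificate's effective expiry. The function names, the CNs "ca" and "apiserver" and the generated sample chain are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Audit maps each CN in a PEM bundle to min(own NotAfter, signing CA's NotAfter).
func Audit(bundle []byte) (map[string]time.Time, error) {
	var der []byte
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		der = append(der, b.Bytes...)
	}
	certs, err := x509.ParseCertificates(der) // on error certs is nil and the map stays empty
	out := map[string]time.Time{}
	for _, c := range certs {
		end := c.NotAfter
		for _, p := range certs {
			// CheckSignatureFrom only succeeds when p is a CA whose key signed c.
			if c.CheckSignatureFrom(p) == nil && p.NotAfter.Before(end) {
				end = p.NotAfter
			}
		}
		out[c.Subject.CommonName] = end
	}
	return out, err
}

// sampleChain builds a constructed CA plus a leaf it signs (demo input; errors ignored).
func sampleChain(caLife, leafLife time.Duration) (out []byte) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(caLife), IsCA: true, BasicConstraintsValid: true}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "apiserver"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(leafLife)}
	for _, tpl := range []*x509.Certificate{ca, leaf} {
		der, _ := x509.CreateCertificate(rand.Reader, tpl, ca, key.Public(), key)
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out
}

func main() { // a 100-year leaf under a 10-year CA is only trusted for 10 years
	fmt.Println(Audit(sampleChain(10*365*24*time.Hour, 100*365*24*time.Hour)))
}
```

To audit a real node, pass Audit the concatenated contents of the CA certificate and the certificates it signed instead of the sample chain.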