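Install the Go language environment
Golang
Official download page: the Golang website
Open the official download page, choose the build that matches your system, and copy the download link.
Here I chose go1.16.5.linux-amd64.tar.gz
Download and extract
Download the package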
wget https://dl.google.com/go/go1.16.5.linux-amd64.tar.gz
Extract into the /usr/local directory
tar -C /usr/local -zxvf go1.16.5.linux-amd64.tar.gz
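Add environment variables
Add the /usr/local/go/bin directory to the PATH variable by appending it to /etc/profile.
vim /etc/profile
# Add at the end of the file
export GOROOT=/usr/local/go
export PATH=$PATH:$GOROOT/bin
# After saving and exiting, source the file
source /etc/profile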
Verify
Run go version; if it prints a version number, the Go environment is installed correctly.
[root@master ~]# go version
go version go1.16.5 linux/amd64
Check the current certificate expiry
Run the following command to view the current certificate expiry dates
kubeadm alpha certs check-expiration
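Download the source code
Open the kubernetes repository on GitHub and download the version that matches your cluster.
Download and extract
Because I am running v1.20.6, I download the matching release
wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.20.6.zip
unzip v1.20.6.zip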
Modify the constants.go file
vim cmd/kubeadm/app/constants/constants.go
Find CertificateValidity and change it as follows
cd kubernetes-1.20.6
vim cmd/kubeadm/app/constants/constants.go
....
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"

	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	CertificateValidity = time.Hour * 24 * 365 * 100 // modify this line
....
Build kubeadm
make WHAT=cmd/kubeadm
The output looks like this
[root@master kubernetes-1.20.6]# make WHAT=cmd/kubeadm
+++ [0624 10:59:21] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
+++ [0624 10:59:25] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/deepcopy-gen
+++ [0624 10:59:33] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/defaulter-gen
+++ [0624 10:59:44] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/conversion-gen
+++ [0624 11:00:04] Building go targets for linux/amd64:
    ./vendor/k8s.io/kube-openapi/cmd/openapi-gen
+++ [0624 11:00:19] Building go targets for linux/amd64:
    ./vendor/github.com/go-bindata/go-bindata/go-bindata
+++ [0624 11:00:20] Building go targets for linux/amd64:
    cmd/kubeadm
The build produces the following directory and binaries
[root@master kubernetes-1.20.6]# ll _output/bin/
总用量 75680
-rwxr-xr-x. 1 root root  5943296 6月  24 10:59 conversion-gen
-rwxr-xr-x. 1 root root  5689344 6月  24 10:59 deepcopy-gen
-rwxr-xr-x. 1 root root  5709824 6月  24 10:59 defaulter-gen
-rwxr-xr-x. 1 root root  3555111 6月  24 10:59 go2make
-rwxr-xr-x. 1 root root  1966080 6月  24 11:00 go-bindata
-rwxr-xr-x. 1 root root 39325696 6月  24 11:01 kubeadm
-rwxr-xr-x. 1 root root  9650176 6月  24 11:00 openapi-gen
-rwxr-xr-x. 1 root root  5656576 6月  24 10:59 prerelease-lifecycle-gen
Back up files
Back up kubeadm and the certificate files
cp /usr/bin/kubeadm{,.bak20210624}
cp -r /etc/kubernetes/pki{,.bak20210624}
Check the backup files
[root@master kubernetes-1.20.6]# ll /usr/bin/kubeadm*
-rwxr-xr-x. 1 root root 39325696 6月  24 11:05 /usr/bin/kubeadm
-rwxr-xr-x. 1 root root 39210880 6月  24 11:02 /usr/bin/kubeadm.bak20210624
[root@master kubernetes-1.20.6]# ll /etc/kubernetes/pki*
/etc/kubernetes/pki:
总用量 56
-rw-r--r--. 1 root root 1289 6月  24 11:05 apiserver.crt
-rw-r--r--. 1 root root 1139 6月  24 11:05 apiserver-etcd-client.crt
-rw-------. 1 root root 1675 6月  24 11:05 apiserver-etcd-client.key
-rw-------. 1 root root 1679 6月  24 11:05 apiserver.key
-rw-r--r--. 1 root root 1147 6月  24 11:05 apiserver-kubelet-client.crt
-rw-------. 1 root root 1675 6月  24 11:05 apiserver-kubelet-client.key
-rw-r--r--. 1 root root 1066 6月  22 15:01 ca.crt
-rw-------. 1 root root 1675 6月  22 15:01 ca.key
drwxr-xr-x. 2 root root  162 6月  22 15:01 etcd
-rwxr-xr-x. 1 root root 1078 6月  22 15:01 front-proxy-ca.crt
-rw-------. 1 root root 1675 6月  22 15:01 front-proxy-ca.key
-rw-r--r--. 1 root root 1103 6月  24 11:05 front-proxy-client.crt
-rw-------. 1 root root 1679 6月  24 11:05 front-proxy-client.key
-rw-------. 1 root root 1675 6月  22 15:01 sa.key
-rw-------. 1 root root  451 6月  22 15:01 sa.pub
/etc/kubernetes/pki.bak20210624:
总用量 56
-rw-r--r--. 1 root root 1289 6月  24 11:04 apiserver.crt
-rw-r--r--. 1 root root 1135 6月  24 11:04 apiserver-etcd-client.crt
-rw-------. 1 root root 1675 6月  24 11:04 apiserver-etcd-client.key
-rw-------. 1 root root 1679 6月  24 11:04 apiserver.key
-rw-r--r--. 1 root root 1143 6月  24 11:04 apiserver-kubelet-client.crt
-rw-------. 1 root root 1675 6月  24 11:04 apiserver-kubelet-client.key
-rw-r--r--. 1 root root 1066 6月  24 11:04 ca.crt
-rw-------. 1 root root 1675 6月  24 11:04 ca.key
drwxr-xr-x. 2 root root  162 6月  24 11:04 etcd
-rwxr-xr-x. 1 root root 1078 6月  24 11:04 front-proxy-ca.crt
-rw-------. 1 root root 1675 6月  24 11:04 front-proxy-ca.key
-rw-r--r--. 1 root root 1103 6月  24 11:04 front-proxy-client.crt
-rw-------. 1 root root 1679 6月  24 11:04 front-proxy-client.key
-rw-------. 1 root root 1675 6月  24 11:04 sa.key
-rw-------. 1 root root  451 6月  24 11:04 sa.pub
Replace kubeadm
Replace the installed kubeadm with the newly built binary
cp _output/bin/kubeadm /usr/bin/kubeadm
Generate new certificates
cd /etc/kubernetes/pki
kubeadm alpha certs renew all
Output
[root@master pki]# kubeadm alpha certs renew all
Command "all" is deprecated, please use the same command under "kubeadm certs"
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
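Verify the result
At this point the certificates have been replaced. Next, verify that the certificate validity has actually been extended.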
kubeadm alpha certs check-expiration
Output
[root@master pki]# kubeadm alpha certs check-expiration
Command "check-expiration" is deprecated, please use the same command under "kubeadm certs"
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 31, 2121 03:05 UTC   99y                                     no
apiserver                  May 31, 2121 03:05 UTC   99y             ca                      no
apiserver-etcd-client      May 31, 2121 03:05 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   May 31, 2121 03:05 UTC   99y             ca                      no
controller-manager.conf    May 31, 2121 03:05 UTC   99y                                     no
etcd-healthcheck-client    May 31, 2121 03:05 UTC   99y             etcd-ca                 no
etcd-peer                  May 31, 2121 03:05 UTC   99y             etcd-ca                 no
etcd-server                May 31, 2121 03:05 UTC   99y             etcd-ca                 no
front-proxy-client         May 31, 2121 03:05 UTC   99y             front-proxy-ca          no
scheduler.conf             May 31, 2121 03:05 UTC   99y                                     no
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 20, 2031 07:01 UTC   9y              no
etcd-ca                 Jun 20, 2031 07:01 UTC   9y              no
front-proxy-ca          Jun 20, 2031 07:01 UTC   9y              no
Check the node status
[root@master pki]# kubectl get node
NAME     STATUS   ROLES                  AGE   VERSION
master   Ready    control-plane,master   44h   v1.20.6
node1    Ready    <none>                 43h   v1.20.6