Published January 16, 2024
Changing the CA certificate validity period (default: 10 years)

    [root@kubernetes kubernetes]# vim ./staging/src//client-go/util/cert/
    ......
    // NewSelfSignedCACert creates a CA certificate
    func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
        now := time.Now()
        tmpl := x509.Certificate{
            SerialNumber: new(big.Int).SetInt64(0),
            Subject: pkix.Name{
                CommonName:   cfg.CommonName,
                Organization: cfg.Organization,
            },
            NotBefore: now.UTC(),
            // CA certificate validity period
            // NotAfter: now.Add(duration365d * 10).UTC(),
            NotAfter:              now.Add(duration365d * 100).UTC(),
            KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
            BasicConstraintsValid: true,
            IsCA:                  true,
        }

        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
        if err != nil {
            return nil, err
        }
        return x509.ParseCertificate(certDERBytes)
    }
    ......

Certificate validity period of 99 years (default: 1 year)
    root@aefcb94d4fb3:/go/src/k8s# ls _output/local/bin/linux/amd64/
    conversion-gen  deepcopy-gen  defaulter-gen  go2make  go-bindata  kubeadm  openapi-gen
    # Exit the container
    root@aefcb94d4fb3:/go/src/k8s# exit
    exit
    # Replace the original kubeadm
    [root@kubernetes kubernetes]# mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
    [root@kubernetes kubernetes]# cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm

Local build

    [root@kubernetes kubernetes]# yum -y install gcc make rsync jq

Install and configure the matching Golang version:
    # Check the expiration dates beforehand
    [root@kubernetes kubernetes]# kubeadm alpha certs check-expiration
    [check-expiration] Reading configuration from
    [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

    CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
                               Aug 27, 2022 03:11 UTC   364d                                    no
    apiserver                  Aug 27, 2022 01:44 UTC   364d            ca                      no
    apiserver-etcd-client      Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
    apiserver-kubelet-client   Aug 27, 2022 01:44 UTC   364d            ca
                               Aug 27, 2022 03:11 UTC   364d                                    no
    etcd-healthcheck-client    Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
    etcd-peer                  Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
    etcd-server                Aug 27, 2022 01:44 UTC   364d            etcd-ca                 no
    front-proxy-client         Aug 27, 2022 01:44 UTC   364d            front-proxy-ca
                               Aug 27, 2022 03:11 UTC   364d                                    no

    CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
    ca                      Aug 23, 2030 07:00 UTC   8y              no
    etcd-ca                 Aug 23, 2030 07:00 UTC   8y              no
    front-proxy-ca          Aug 23, 2030 07:00 UTC   8y              no

    # Renew for 99 years
    [root@kubernetes kubernetes]# kubeadm alpha certs renew all
    [renew] Reading configuration from
    [renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

    certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
    certificate for serving the Kubernetes API renewed
    certificate the apiserver uses to access etcd renewed
    certificate for the API server to connect to kubelet renewed
    certificate embedded in the kubeconfig file for the controller manager to use renewed
    certificate for liveness probes to healthcheck etcd renewed
    certificate for etcd nodes to communicate with each other renewed
    certificate for serving etcd renewed
    certificate for the front proxy client renewed
    certificate embedded in the kubeconfig file for the scheduler manager to use renewed

    # Check again
    [root@kubernetes kubernetes]# kubeadm alpha certs check-expiration
    [check-expiration] Reading configuration from
    [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

    CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
                               Aug 03, 2120 08:20 UTC   98y                                     no
    apiserver                  Aug 03, 2120 08:20 UTC   98y             ca                      no
    apiserver-etcd-client      Aug 03, 2120 08:20 UTC   98y             etcd-ca                 no
    apiserver-kubelet-client   Aug 03, 2120 08:20 UTC   98y             ca
                               Aug 03, 2120 08:20 UTC   98y                                     no
    etcd-healthcheck-client    Aug 03, 2120 08:20 UTC   98y             etcd-ca                 no
    etcd-peer                  Aug 03, 2120 08:20 UTC   98y             etcd-ca                 no
    etcd-server                Aug 03, 2120 08:20 UTC   98y             etcd-ca                 no
    front-proxy-client         Aug 03, 2120 08:20 UTC   98y             front-proxy-ca
                               Aug 03, 2120 08:20 UTC   98y                                     no

    CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
    ca                      Aug 23, 2030 07:00 UTC   8y              no
    etcd-ca                 Aug 23, 2030 07:00 UTC   8y              no
    front-proxy-ca          Aug 23, 2030 07:00 UTC   8y              no

Finally, don't forget to restart these 4 containers: kube-apiserver, kube-controller, kube-scheduler, and etcd.