1.1.1. Which certificates are there?
All certificates used by K8s live under /etc/kubernetes/pki:
There are three CAs in total; each CA issues the certificates for a different set of components.
1. Communication between the apiserver and its clients, and between the apiserver and the kubelet:
ca.crt
apiserver.crt
apiserver-kubelet-client.crt
2. Used by kube-proxy:
front-proxy-ca.crt
front-proxy-client.crt
3. Communication within the etcd cluster and between etcd and the apiserver client:
apiserver-etcd-client.crt
etcd/ca.crt
etcd/healthcheck-client.crt
etcd/server.crt
etcd/peer.crt
1.1.2. Certificate validity period
All CA certificates are valid for 10 years; every other certificate is valid for 1 year.
1.1.3. Automatic certificate renewal
Only the kubelet client certificate supports automatic rotation. The feature is enabled by default; add the --rotate-certificates parameter and restart the kubelet service for it to take effect. The validity period of automatically rotated certificates is determined by the kube-controller-manager parameter --experimental-cluster-signing-duration, which defaults to 1 year. To change it, edit /etc/kubernetes/manifests/kube-controller-manager.yaml and add the parameter - --experimental-cluster-signing-duration=17520h0m0s, which sets the validity period to 2 years.
1.1.4. Renewing certificates manually
List the current certificates
# ls /etc/kubernetes/pki | grep crt
apiserver.crt
apiserver-etcd-client.crt
apiserver-kubelet-client.crt
ca.crt
front-proxy-ca.crt
front-proxy-client.crt
Check the validity period of the current certificates
# ls | grep crt | xargs -I {} openssl x509 -text -in {} | grep Not
Not Before: Apr 16 02:19:31 2019 GMT
Not After : Apr 15 02:19:31 2020 GMT
Not Before: Apr 16 02:19:32 2019 GMT
Not After : Apr 15 02:19:33 2020 GMT
Not Before: Apr 16 02:19:31 2019 GMT
Not After : Apr 15 02:19:31 2020 GMT
Not Before: Apr 16 02:19:31 2019 GMT
Not After : Apr 13 02:19:31 2029 GMT
Not Before: Apr 16 02:19:32 2019 GMT
Not After : Apr 13 02:19:32 2029 GMT
Not Before: Apr 16 02:19:32 2019 GMT
Not After : Apr 15 02:19:32 2020 GMT
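The grep Not check above prints the dates but leaves the arithmetic, and the mapping from date to file name, to the reader. The script below is an added example (it is not from the original post) that walks a kubeadm-style pki directory, including the etcd/ subdirectory the one-liner above skips, prints each certificate's kind (CA or leaf) next to its notAfter date, and counts the certificates that are expired or will expire within a configurable number of days. It relies on openssl x509 -checkend, so no date(1) parsing is needed. Only openssl is required; the function names and the PKI_DIR and WARN_DAYS variables are this example's own assumptions.

```shell
#!/bin/sh
# audit_k8s_certs.sh - added example, not from the original post.
# Lists every .crt under PKI_DIR and PKI_DIR/etcd (the kubeadm layout),
# prints CA/leaf, notAfter and a status, and counts certificates that are
# expired or expire within WARN_DAYS. Only openssl(1) is needed.
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
WARN_DAYS="${WARN_DAYS:-30}"

# expires_within FILE DAYS: returns 0 when FILE is expired, unreadable or
# expires within DAYS. openssl -checkend exits non-zero in exactly that case.
expires_within() {
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# is_ca FILE: returns 0 when basicConstraints marks FILE as a CA
is_ca() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

# not_after FILE: the notAfter date, the same value the post's "grep Not" shows
not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# list_certs DIR: the .crt files kubeadm keeps in DIR and DIR/etcd
list_certs() {
    for f in "$1"/*.crt "$1"/etcd/*.crt; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# audit_dir DIR DAYS: report goes to stderr, the number of flagged certs to stdout
audit_dir() {
    dir="$1"; days="$2"; flagged=0
    # a here-document keeps the loop in the current shell so $flagged survives
    while read -r crt; do
        [ -n "$crt" ] || continue
        kind=leaf; is_ca "$crt" && kind=CA
        status=OK
        if expires_within "$crt" "$days"; then
            status="EXPIRES<${days}d"
            flagged=$((flagged + 1))
        fi
        printf '%-14s %-4s %-24s %s\n' "$status" "$kind" "$(not_after "$crt")" "$crt" >&2
    done <<EOF
$(list_certs "$dir")
EOF
    echo "$flagged"
}

# Stand-alone use: exit status 1 if anything is flagged (suitable for cron or a monitoring check)
if [ -d "$PKI_DIR" ]; then
    n=$(audit_dir "$PKI_DIR" "$WARN_DAYS")
    echo "$n certificate(s) in $PKI_DIR expire within $WARN_DAYS days"
    [ "$n" -eq 0 ]
fi
```

Run it on a control-plane node as WARN_DAYS=60 sh audit_k8s_certs.sh. The per-certificate report goes to stderr and only the count goes to stdout, so the count can be captured by a wrapper while the report still reaches the terminal or log.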
Renew the first certificate, apiserver.crt
# kubeadm alpha certs renew apiserver
# openssl x509 -text -in apiserver.crt | grep Not
Not Before: Apr 16 02:19:31 2019 GMT
Not After : Apr 21 09:21:31 2020 GMT
Renew the second certificate, apiserver-etcd-client.crt
# kubeadm alpha certs renew apiserver-etcd-client
# openssl x509 -text -in apiserver-etcd-client.crt | grep Not
Not Before: Apr 16 02:19:32 2019 GMT
Not After : Apr 21 09:27:50 2020 GMT
Renew the third certificate, apiserver-kubelet-client.crt
# kubeadm alpha certs renew apiserver-kubelet-client
# openssl x509 -text -in apiserver-kubelet-client.crt | grep Not
Not Before: Apr 16 02:19:31 2019 GMT
Not After : Apr 21 09:31:44 2020 GMT
The other certificates are renewed the same way and are not repeated here. The etcd certificates are in the etcd/ subdirectory under /etc/kubernetes/pki.
1.1.5. Does a renewed certificate take effect immediately?
After renewing, inspecting the certificate the apiserver serves shows that it has not been updated.
Delete the apiserver pod; the apiserver restarts automatically
# kubectl -n kube-system delete pod kube-apiserver-kube-node1
Checking the apiserver certificate again, it still has not been updated.
Kill the apiserver process; after the apiserver restarts, the certificate is updated successfully.
1.1.6. Can the validity period of the CA certificate be changed?
Create your own CA certificate and replace the existing one. Using the front-proxy-ca certificate as an example:
# cd /etc/pki/CA/
# ls
certs crl newcerts private
Generate an RSA key
# openssl genrsa -out ca.key 2048
Generate a certificate signing request with the RSA key
# openssl req -new -key ca.key -out ca.csr -set_serial 0 -subj "/CN=front-proxy-ca"
Self-sign the CA certificate
# openssl x509 -req -days 7300 -in ca.csr -signkey ca.key -out ca.crt -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca
Replace front-proxy-ca.crt and front-proxy-ca.key
# cp ca.crt front-proxy-ca.crt
# cp ca.key front-proxy-ca.key
# cp front-proxy-ca.crt /etc/kubernetes/pki
cp: overwrite ‘/etc/kubernetes/pki/front-proxy-ca.crt’? y
# cp front-proxy-ca.key /etc/kubernetes/pki
cp: overwrite ‘/etc/kubernetes/pki/front-proxy-ca.key’? y
Check the validity period of front-proxy-ca.crt
# openssl x509 -text -in front-proxy-ca.crt | grep Not
Not Before: Apr 23 09:13:42 2019 GMT
Not After : Apr 18 09:13:42 2039 GMT
Renew the client certificate manually to verify that front-proxy-ca.crt works
# kubeadm alpha certs renew front-proxy-client
# openssl x509 -text -in front-proxy-client.crt | grep Not
Not Before: Apr 23 09:13:42 2019 GMT
Not After : Apr 22 09:20:14 2020 GMT
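The procedure above builds a CA and then only compares dates; whether the renewed front-proxy-client.crt really chains to the new CA is never checked. The script below is an added example (not from the original post) that performs the same genrsa, req and x509 -req sequence but with an inline extension file in place of /etc/pki/tls/openssl.cnf, so the CA:TRUE constraint and key usage do not depend on a distribution config file, then issues a client certificate from the new CA and confirms with openssl verify that the leaf chains to it and to nothing else. The function names, directory layout and the extension file contents are this example's own assumptions; only openssl is required.

```shell
#!/bin/sh
# make_and_verify_ca.sh - added example, not from the original post.
# Self-signed CA with explicit CA extensions, a client cert issued from it,
# and a chain check, all with plain openssl(1).

# make_ca DIR CN DAYS: writes DIR/ca.key and DIR/ca.crt valid for DAYS
make_ca() {
    dir="$1"; cn="$2"; days="$3"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" -subj "/CN=$cn" 2>/dev/null || return 1
    # extensions a CA needs; written inline instead of pointing at a system openssl.cnf
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    openssl x509 -req -days "$days" -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -out "$dir/ca.crt" -extfile "$dir/ca.ext" 2>/dev/null
}

# issue_client DIR CA_DIR NAME DAYS: leaf cert DIR/NAME.crt signed by CA_DIR/ca.crt
issue_client() {
    dir="$1"; ca="$2"; name="$3"; days="$4"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null || return 1
    cat > "$dir/$name.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
EOF
    openssl x509 -req -days "$days" -in "$dir/$name.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
        -CAcreateserial -out "$dir/$name.crt" -extfile "$dir/$name.ext" 2>/dev/null
}

# not_after FILE: the notAfter date, the value the post reads with grep Not
not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# chains_to LEAF CA_CRT: returns 0 only when LEAF verifies against CA_CRT
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# demo: 20-year CA in a temp dir, a 1-year front-proxy-client issued from it, chain check
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/ca"
    make_ca "$t/ca" front-proxy-ca 7300 || return 1
    issue_client "$t" "$t/ca" front-proxy-client 365 || return 1
    echo "CA   notAfter: $(not_after "$t/ca/ca.crt")"
    echo "leaf notAfter: $(not_after "$t/front-proxy-client.crt")"
    if chains_to "$t/front-proxy-client.crt" "$t/ca/ca.crt"; then
        echo "front-proxy-client.crt chains to the new CA"
    else
        echo "verification FAILED"; rm -rf "$t"; return 1
    fi
    rm -rf "$t"
}

# Stand-alone use: sh make_and_verify_ca.sh demo
case "${1:-}" in demo) demo ;; esac
```

On a real node the same chains_to check is the one to run after kubeadm alpha certs renew front-proxy-client: openssl verify -CAfile /etc/kubernetes/pki/front-proxy-ca.crt /etc/kubernetes/pki/front-proxy-client.crt. A date that moved forward only proves a new certificate was written; a successful verify proves it was signed by the CA you intended.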
Please credit the source when reposting. Original link: https://www.xkablog.com/do-docker-k8s/28856.html