Check the cluster’s current certificate expiration time:
[root@k8s001 ~]# kubeadm alpha certs check-expiration   # kubeadm releases before v1.20 only have this command under "alpha"
[root@k8s001 ~]# kubeadm certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 15, 2021 07:58 UTC   364d                                    no
apiserver                  Oct 15, 2021 07:58 UTC   364d            ca                      no
apiserver-etcd-client      Oct 15, 2021 07:58 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Oct 15, 2021 07:58 UTC   364d            ca                      no
controller-manager.conf    Oct 15, 2021 07:58 UTC   364d                                    no
etcd-healthcheck-client    Oct 15, 2021 07:58 UTC   364d            etcd-ca                 no
etcd-peer                  Oct 15, 2021 07:58 UTC   364d            etcd-ca                 no
etcd-server                Oct 15, 2021 07:58 UTC   364d            etcd-ca                 no
front-proxy-client         Oct 15, 2021 07:58 UTC   364d            front-proxy-ca          no
scheduler.conf             Oct 15, 2021 07:58 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 13, 2030 07:58 UTC   9y              no
etcd-ca                 Oct 13, 2030 07:58 UTC   9y              no
front-proxy-ca          Oct 13, 2030 07:58 UTC   9y              no

Every leaf certificate, including the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf, expires after one year, while the three CAs last ten years. The command reads /etc/kubernetes/pki and the kubeconfig files; it does not report the kubelet's own certificates under /var/lib/kubelet/pki, which the kubelet rotates itself when certificate rotation is enabled (the kubeadm default).
Single certificate view
[root@k8s001 ~]# cd /etc/kubernetes/pki/
# Validity period of a single certificate
[root@k8s001 ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text | grep Not
            Not Before: Oct 15 07:58:40 2020 GMT
            Not After : Oct 13 07:58:40 2030 GMT
# The CA certificate is valid for ten years, 2020 to 2030
[root@k8s001 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Not
            Not Before: Oct 15 07:58:40 2020 GMT
            Not After : Oct 15 07:58:41 2021 GMT
# The apiserver certificate is valid for one year, 2020 to 2021
[root@k8s001 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -text | grep Not   # one year
            Not Before: Oct 15 07:58:43 2020 GMT
            Not After : Oct 15 07:58:45 2021 GMT
[root@k8s001 ~]# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt -noout -text | grep Not   # ten years
            Not Before: Oct 15 07:58:41 2020 GMT
            Not After : Oct 13 07:58:41 2030 GMT

For the kubeconfig files the certificate is base64-encoded in the client-certificate-data field rather than stored as a separate .crt file, so it has to be decoded before openssl can read it. For scripted monitoring, openssl's -checkend option exits non-zero when a certificate expires within the given number of seconds.
Install the build dependencies for the patched kubeadm
First install the Go toolchain
[root@k8s001 ~]# wget https://gomirrors.org/dl/go/go1.18.3.linux-amd64.tar.gz
[root@k8s001 ~]# tar xf go1.18.3.linux-amd64.tar.gz -C /usr/local/
[root@k8s001 ~]# ls /usr/local/go
[root@k8s001 ~]# vim /etc/profile
...
export PATH=$PATH:/usr/local/go/bin
...
[root@k8s001 ~]# source /etc/profile
[root@k8s001 ~]# go version
go version go1.18.3 linux/amd64

Use a Go release that the Kubernetes branch you are about to build was tested with: the build scripts enforce a minimum version, and a toolchain much newer than the branch can fail to compile the vendored code (Kubernetes 1.18 was released against Go 1.13). Verify the tarball's checksum against the one published at https://go.dev/dl/ before unpacking it, since the kubeadm binary built with this toolchain will be the one renewing your control-plane certificates.
Clone the Kubernetes repository locally
[root@k8s001 ~]# git clone https://github.com/kubernetes/kubernetes.git                          # clone the whole repository
[root@k8s001 ~]# git clone --branch release-1.18 https://github.com/kubernetes/kubernetes.git    # or only the release branch you need
[root@k8s001 ~]# cd kubernetes
[root@k8s001 kubernetes]# kubeadm version                      # version the cluster currently runs; the tag checked out below must match it
[root@k8s001 kubernetes]# git checkout -b release-1.18.8 v1.18.8
Switched to a new branch 'release-1.18.8'
Change the certificate validity period:
[root@k8s001 kubernetes]# vim cmd/kubeadm/app/constants/constants.go
	CertificateValidity = time.Hour * 24 * 365 * 10
# The original value is time.Hour * 24 * 365 (one year); appending * 10 makes newly issued leaf certificates valid for ten years
[root@k8s001 kubernetes]# make WHAT=cmd/kubeadm GOFLAGS=-v   # compile; the new binary is written to _output/bin/

CertificateValidity is applied to every leaf certificate kubeadm issues or renews (apiserver, the etcd and front-proxy certificates, and the client certificates in the kubeconfig files). The CA lifetime is fixed separately at ten years and is not touched here, which is why the renewed leaves later end on Oct 15, 2030 while the CAs still end on Oct 13, 2030. Two things to weigh before doing this: a ten-year leaf certificate keeps a leaked key usable for ten years, whereas the upstream one-year default limits that window and relies on kubeadm upgrade renewing everything automatically; and a later kubeadm upgrade run with the stock binary will renew the certificates again with the stock one-year validity.
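The following Go program is an added example, not code from this page or from kubeadm: it reproduces the date arithmetic behind the check-expiration table above and behind the constant just edited, so the effect of the change can be seen without rebuilding kubeadm. CertificateValidity is the real kubeadm constant; CACertificateValidity, the function names and the P-256 keys (kubeadm defaults to RSA) are assumptions made for this example. NewCA and NewLeaf build a ten-year CA and a leaf whose NotAfter is now plus the validity, ParsePEM reads the contents of a .crt file, DaysLeft gives the RESIDUAL TIME figure, and ChainValidAt performs the check every TLS client makes, which is what fails on the expiry date even though the CA is still fine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math"
	"math/big"
	"time"
)

// CertificateValidity is kubeadm's constant (edited above); CACertificateValidity is a name
// assumed here for the separate ten-year CA lifetime, which the patch leaves alone.
const (
	CACertificateValidity = time.Hour * 24 * 365 * 10
	CertificateValidity   = time.Hour * 24 * 365 // upstream default; the patched build uses * 10
)

// sign generates a P-256 key and signs tmpl with parent; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA builds a self-signed CA with NotAfter = now + CACertificateValidity.
func NewCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"}, NotBefore: now,
		NotAfter: now.Add(CACertificateValidity), KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}, nil, nil)
}

// NewLeaf signs a serving/client certificate for cn with NotAfter = now + validity, the
// arithmetic kubeadm applies with CertificateValidity, and returns it as PEM (.crt layout).
func NewLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, now time.Time, validity time.Duration) ([]byte, error) {
	cert, _, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn}, NotBefore: now, NotAfter: now.Add(validity),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}), nil
}

// ParsePEM reads the first CERTIFICATE block, the layout of every /etc/kubernetes/pki/*.crt file.
func ParsePEM(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// DaysLeft returns whole days until NotAfter (negative once expired), the figure behind
// the RESIDUAL TIME column of kubeadm certs check-expiration.
func DaysLeft(cert *x509.Certificate, now time.Time) int {
	return int(math.Floor(cert.NotAfter.Sub(now).Hours() / 24))
}

// ChainValidAt verifies the leaf against the CA as of a given time, as every TLS client of
// the API server does: an expired leaf fails even though the CA is still good for years.
func ChainValidAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}

func main() {
	now := time.Now().UTC()
	ca, caKey, err := NewCA(now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CA: %d days left\n", DaysLeft(ca, now))
	for _, v := range []time.Duration{CertificateValidity, CertificateValidity * 10} {
		pemBytes, _ := NewLeaf(ca, caKey, "kube-apiserver", now, v)
		leaf, _ := ParsePEM(pemBytes)
		fmt.Printf("leaf: %4d days left; still verifies 400 days from now: %v\n", DaysLeft(leaf, now), ChainValidAt(leaf, ca, now.Add(400*24*time.Hour)) == nil)
	}
}
```

Run it with go run; to check real files instead of generated ones, read /etc/kubernetes/pki/apiserver.crt and ca.crt with os.ReadFile, pass each through ParsePEM, and call DaysLeft and ChainValidAt with time.Now(). Note that a leaf whose NotAfter is later than its CA's is only usable until the CA expires, since ChainValidAt (and every real client) checks both.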
Replace the current cluster’s files with the newly generated binaries
# Back up before replacing anything
[root@k8s001 kubernetes]# \cp /usr/bin/kubeadm /usr/bin/kubeadm.backup
[root@k8s001 kubernetes]# \cp _output/bin/kubeadm /usr/bin/kubeadm
[root@k8s001 kubernetes]# \cp -r /etc/kubernetes/pki /etc/kubernetes/pki.backup
[root@k8s001 kubernetes]# cd /etc/kubernetes/pki
[root@k8s001 pki]# kubeadm alpha certs renew all   # older kubeadm releases
[root@k8s001 pki]# kubeadm certs renew all         # current releases

renew all also rewrites admin.conf, controller-manager.conf and scheduler.conf under /etc/kubernetes, so back those up together with the pki directory. Not every control-plane component reloads its certificates from disk, so after the renewal restart kube-apiserver, kube-controller-manager, kube-scheduler and etcd (the static pods defined under /etc/kubernetes/manifests), and copy the new admin.conf over $HOME/.kube/config if that is where kubectl reads its credentials; otherwise the old embedded client certificate still expires on the original date.
View Results
[root@k8s001 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 15, 2030 02:36 UTC   9y                                      no
apiserver                  Oct 15, 2030 02:36 UTC   9y              ca                      no
apiserver-etcd-client      Oct 15, 2030 02:36 UTC   9y              etcd-ca                 no
apiserver-kubelet-client   Oct 15, 2030 02:36 UTC   9y              ca                      no
controller-manager.conf    Oct 15, 2030 02:36 UTC   9y                                      no
etcd-healthcheck-client    Oct 15, 2030 02:36 UTC   9y              etcd-ca                 no
etcd-peer                  Oct 15, 2030 02:36 UTC   9y              etcd-ca                 no
etcd-server                Oct 15, 2030 02:36 UTC   9y              etcd-ca                 no
front-proxy-client         Oct 15, 2030 02:36 UTC   9y              front-proxy-ca          no
scheduler.conf             Oct 15, 2030 02:36 UTC   9y                                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 13, 2030 07:58 UTC   9y              no
etcd-ca                 Oct 13, 2030 07:58 UTC   9y              no
front-proxy-ca          Oct 13, 2030 07:58 UTC   9y              no

All leaf certificates now run to Oct 15, 2030, ten years from the renewal date, while the CAs keep their original Oct 13, 2030 expiry. Because the leaves now outlive the CAs by two days, clients will reject the chain from Oct 13, 2030 onward; the CAs set the effective limit, so plan a CA rotation before then.
High availability cluster certificate update:
In an HA cluster each control-plane node holds its own set of leaf certificates signed by the shared CAs, so the renewal has to be run on every control-plane node. Copy the patched kubeadm binary from the first node to the others with scp (back up the existing binary there as well), run renew all on each node, then restart the control-plane static pods on that node and confirm the new dates with check-expiration.
[root@k8s001 kubernetes]# scp _output/bin/kubeadm k8s002:/usr/bin/kubeadm
[root@k8s002 ~]# kubeadm certs renew all
[root@k8s002 ~]# kubeadm certs check-expiration