k8s证书有效期修改为10年
1 查看当前有效期
kubeadm certs check-expiration
2 备份证书和etcd数据
#备份证书
mkdir /etc/kubernetes.bak
cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
cp /etc/kubernetes/*.conf /etc/kubernetes.bak
#备份etcd数据目录
cp -r /var/lib/etcd /var/lib/etcd.bak
3 重新编译kubeadm
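// Source: https://github.com/kubernetes/kubernetes/releases/tag/v1.27.4
// File:   cmd/kubeadm/app/util/pkiutil/pki_helpers.go
//
// NewSignedCert creates a signed certificate using the given CA certificate and key.
//
// Local modification (this page): the default validity is taken from
// duration365d below (ten years) instead of the upstream one-year value;
// cfg.NotAfter, when set, still takes precedence. A longer lifetime also
// lengthens the window in which a leaked key stays usable, so expiry is no
// longer a yearly forced rotation — keep monitoring
// `kubeadm certs check-expiration` and rotate on compromise. Note that the
// rebuilt binary is no longer the upstream release binary.
//
// Parameters: cfg supplies CommonName, Organization, AltNames, Usages and an
// optional NotAfter; key is the certificate's own key; caCert/caKey sign it;
// isCA adds the CertSign key usage and sets the CA basic constraint.
// Returns the parsed certificate, or an error when the serial cannot be
// generated, CommonName is empty, or signing/parsing fails.
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {
	// Added for this patch: ten-year validity for certificates issued here.
	// (The original page marked this with a shell-style "#" note, which is not
	// valid Go; it is a regular comment now.)
	const duration365d = time.Hour * 24 * 365 * 10

	// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
	if err != nil {
		return nil, err
	}
	serial = new(big.Int).Add(serial, big.NewInt(1))
	if len(cfg.CommonName) == 0 {
		return nil, errors.New("must specify a CommonName")
	}

	keyUsage := x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
	if isCA {
		keyUsage |= x509.KeyUsageCertSign
	}

	RemoveDuplicateAltNames(&cfg.AltNames)

	// Replaces the upstream line: the default NotAfter is now derived from
	// duration365d. An explicit cfg.NotAfter still overrides it.
	notAfter := time.Now().Add(duration365d).UTC()
	if cfg.NotAfter != nil {
		notAfter = *cfg.NotAfter
	}

	certTmpl := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:              cfg.AltNames.DNSNames,
		IPAddresses:           cfg.AltNames.IPs,
		SerialNumber:          serial,
		NotBefore:             caCert.NotBefore,
		NotAfter:              notAfter,
		KeyUsage:              keyUsage,
		ExtKeyUsage:           cfg.Usages,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}

// Next step: build kubeadm and replace the installed command with the
// generated binary.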
$ make WHAT=cmd/kubeadm GOFLAGS=-v
$ ls _output/bin/kubeadm
_output/bin/kubeadm
#替换下
root@k8s-master02:~# mv /usr/local/bin/kubeadm /usr/local/bin/kubeadm.bak
#（此处需先把 _output/bin/kubeadm 复制到 /usr/local/bin/kubeadm，再执行下一步）
root@k8s-master02:~# chmod +x /usr/local/bin/kubeadm
4 更新证书
#使用新kubeadm更新证书
kubeadm certs renew all
#重启api-server、controller-manager、scheduler
root@k8s-master02:/etc/kubernetes/manifests# ls
kube-apiserver.yaml  kube-controller-manager.yaml  kube-scheduler.yaml
6 补充
我在按照上述办法重新编译1.33.4版本的kubeadm时,发现还是只能最多更新一年的时间,后来把下面的代码注释掉后并把时间改成了9年才成功的
// Patch for kubeadm v1.33.4 (fragment of the certificate-signing helper; the
// "..........." marker stands for unchanged upstream lines not shown here).
//
// Nine-year validity for certificates issued through this function.
const duration365d = time.Hour * 24 * 365 * 9
...........
// NotAfter now comes from duration365d. The two overrides below are disabled
// on purpose: the author reports that with them active the renewed
// certificates stayed capped at one year, consistent with a non-zero
// cfg.NotAfter winning over the constant.
// NOTE(review): in this release cfg.NotAfter is presumably how a validity
// period configured by the caller reaches this function, so disabling it
// also discards any such configured value — confirm against the v1.33 source.
notAfter := time.Now().Add(duration365d).UTC()
//notAfter := notBefore.Add(kubeadmconstants.CertificateValidityPeriod)
// if !cfg.NotAfter.IsZero() {
// notAfter = cfg.NotAfter
// }