检查过期时间
kubeadm alpha certs check-expiration
备份
cp -r /etc/kubernetes /etc/kubernetes.bak
重新生成证书
所有组件
kubeadm alpha certs renew all
指定组件(如apiserver)
kubeadm alpha certs renew apiserver
针对控制面节点
重新生成配置文件
所有组件
kubeadm init phase kubeconfig all --apiserver-advertise-address {apiserverip}
特定组件(如kubelet)
kubeadm init phase kubeconfig kubelet --apiserver-advertise-address {apiserverip}
重启
kubelet
systemctl restart kubelet
控制面组件
docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | xargs -I '{}' docker restart {}
针对worker节点
生成kubeconfig
mkdir /tmp/worker/${nodename}
kubeadm init phase kubeconfig kubelet --node-name ${nodename} --kubeconfig-dir /tmp/worker/${nodename}
将生成的kubeconfig拷贝到对应的worker节点
重启kubelet
systemctl restart kubelet
补充
针对kubelet,可以在kubelet配置中设置以下参数来自动轮换证书
rotateCertificates: true
设置controller-manager启动参数来延长自动颁发给kubelet的证书有效时间
cluster-signing-duration=87600h
针对etcd|scheduler|controller|apiserver
修改kubeadm代码中kubeadmconstants.CertificateValidity常量的值后重新编译,即可延长这些组件证书的有效期(比如100年),无需再定期更新
cmd/kubeadm/app/util/pkiutil/pki_helpers.go中
// NewSignedCert issues a certificate described by cfg, signed by caCert/caKey.
//
// The serial number is drawn from crypto/rand; an empty CommonName is
// rejected. Key usage is key-encipherment plus digital-signature, with
// cert-sign added when isCA is set. Duplicate SANs are removed in place,
// so cfg.AltNames is mutated. NotBefore is copied from the CA certificate;
// NotAfter is now+kubeadmconstants.CertificateValidity unless cfg.NotAfter
// overrides it. NotAfter is not bounded by caCert.NotAfter here — a leaf
// that outlives its issuer stops validating once the CA expires.
// Returns the parsed certificate, or the first error encountered.
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {
	serialNumber, err := cryptorand.Int(cryptorand.Reader, big.NewInt(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	if cfg.CommonName == "" {
		return nil, errors.New("must specify a CommonName")
	}

	usage := x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
	if isCA {
		usage = usage | x509.KeyUsageCertSign
	}

	// Mutates the caller's config: duplicate DNS names / IPs are dropped.
	RemoveDuplicateAltNames(&cfg.AltNames)

	var expiry time.Time
	if cfg.NotAfter != nil {
		expiry = *cfg.NotAfter
	} else {
		expiry = time.Now().Add(kubeadmconstants.CertificateValidity).UTC()
	}

	template := x509.Certificate{
		SerialNumber:          serialNumber,
		Subject:               pkix.Name{CommonName: cfg.CommonName, Organization: cfg.Organization},
		DNSNames:              cfg.AltNames.DNSNames,
		IPAddresses:           cfg.AltNames.IPs,
		NotBefore:             caCert.NotBefore,
		NotAfter:              expiry,
		KeyUsage:              usage,
		ExtKeyUsage:           cfg.Usages,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}

	der, err := x509.CreateCertificate(cryptorand.Reader, &template, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
针对ca有效期
修改kubeadm所vendor的client-go代码中duration365d常量的值后重新编译,即可延长ca证书的有效期(比如100年),无需再更新
vendor/k8s.io/client-go/util/cert/cert.go中
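// NewSelfSignedCACert creates a self-signed CA certificate for cfg, signed
// with key. Validity runs from now for duration365d*10; KeyUsage is
// key-encipherment, digital-signature and cert-sign, and the CommonName is
// also placed in DNSNames.
//
// The serial number is drawn from crypto/rand in [1, 2^62]. RFC 5280
// §4.1.2.2 requires a positive, non-zero serial; a fixed serial of 0 would
// make every CA produced here collide on (issuer, serial).
// Returns the parsed certificate, or the first error encountered.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()

	// rand.Int yields [0, 2^62); +1 shifts it to [1, 2^62], which is
	// positive and still fits in an int64.
	serial, err := cryptorand.Int(cryptorand.Reader, big.NewInt(1<<62))
	if err != nil {
		return nil, err
	}
	serial.Add(serial, big.NewInt(1))

	tmpl := x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:              []string{cfg.CommonName},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(duration365d * 10).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	// Self-signed: the template is its own parent and key signs itself.
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}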