您好,登錄后才能下訂單哦!
在管理證書(shū)之前,你需要了解kubernetes如何使用PKI證書(shū)的相關(guān)知識(shí):官方文檔
check-expiration 可用于檢查證書(shū)過(guò)期時(shí)間:
kubeadm alpha certs check-expiration
輸出如下內(nèi)容;
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Oct 06, 2020 03:56 UTC 364d no
apiserver Oct 06, 2020 10:41 UTC 364d no
apiserver-etcd-client Oct 06, 2020 03:55 UTC 364d no
apiserver-kubelet-client Oct 06, 2020 03:55 UTC 364d no
controller-manager.conf Oct 06, 2020 03:56 UTC 364d no
etcd-healthcheck-client Oct 02, 2020 12:14 UTC 361d no
etcd-peer Oct 02, 2020 12:14 UTC 361d no
etcd-server Oct 02, 2020 12:14 UTC 361d no
front-proxy-client Oct 06, 2020 03:55 UTC 364d no
scheduler.conf Oct 06, 2020 03:56 UTC 364d no
該命令顯示了 所有證書(shū)的到期/剩余時(shí)間,包括在etc/kubernetes/pki目錄下的客戶端證書(shū)及由kubeadm嵌入到KUBECONFIG文件中的客戶端證書(shū)(admin.conf,controller-manager.conf和scheduler.conf)。
注意:
- kubelet.conf未包含在上面的列表中,因?yàn)閗ubeadm將已將其配置為自動(dòng)更新。
- kubeadm無(wú)法管理由外部CA簽名的證書(shū)。
自動(dòng)續(xù)訂指的是,在用kubeadm升級(jí)控制平面時(shí) 自動(dòng)更新所有證書(shū)。
如果對(duì)證書(shū)續(xù)約沒(méi)有要求,并定期升級(jí)kubernetes版本,每次升級(jí)間隔時(shí)間少于1年,最佳做法是經(jīng)常升級(jí)集群以確保安全。
如果不想在升級(jí)集群時(shí)續(xù)約證書(shū),則給 kubeadm upgrade apply 或 kubeadm upgrade node 傳遞參數(shù):--certificate-renewal=false
使用 kubeadm alpha certs renew 命令 可以隨時(shí)手動(dòng)續(xù)訂證書(shū),該命令使用存儲(chǔ)在/etc/kubernetes/pki中的 CA (or front-proxy-CA)證書(shū)和密鑰來(lái)更新證書(shū)。
如果是HA集群,則在所有控制平面執(zhí)行。
kubeadm alpha certs 命令詳解:
Available Commands:
certificate-key 生成證書(shū)和key
check-expiration 檢測(cè)證書(shū)過(guò)期時(shí)間
renew 續(xù)訂Kubernetes集群的證書(shū)
用的最多的續(xù)訂證書(shū)的 renew子命令,現(xiàn)在來(lái)看下該命令幫助:
root@k8s-master:~# kubeadm alpha certs renew -h
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha certs renew [flags]
kubeadm alpha certs renew [command]
Available Commands:
admin.conf Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
all Renew all available certificates
apiserver Renew the certificate for serving the Kubernetes API
apiserver-etcd-client Renew the certificate the apiserver uses to access etcd
apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
controller-manager.conf Renew the certificate embedded in the kubeconfig file for the controller manager to use
etcd-healthcheck-client Renew the certificate for liveness probes to healtcheck etcd
etcd-peer Renew the certificate for etcd nodes to communicate with each other
etcd-server Renew the certificate for serving etcd
front-proxy-client Renew the certificate for the front proxy client
scheduler.conf Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
Flags:
-h, --help help for renew
Global Flags:
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
如上所知,指定某個(gè)證書(shū)就能續(xù)訂該證書(shū),指定 all
則續(xù)訂所有證書(shū)。
命令執(zhí)行后,注意:
kubeadm alpha certs命令僅支持v1.15及其以上的版本。
從上面檢測(cè)中知道,當(dāng)前 apiserver.crt 到期時(shí)間是 Oct 06, 2020 03:55 UTC ,剩余364d。
1. 執(zhí)行renew更新:
root@k8s-master:~# kubeadm alpha certs renew apiserver
certificate for serving the Kubernetes API renewed
2. 重啟控制平面:
重啟kubelet會(huì)自動(dòng)重新創(chuàng)建核心組件
systemctl restart kubelet
3. 驗(yàn)證:
root@k8s-master:~# kubeadm alpha certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
apiserver Oct 06, 2020 10:41 UTC 364d no
apiserver證書(shū)到期時(shí)間發(fā)生了變化, 不過(guò)不是順延一年, 而是 從你 執(zhí)行renew成功的時(shí)間開(kāi)始續(xù)簽一年。
如果要將所有證書(shū)續(xù)簽一年,則執(zhí)行:
kubeadm alpha certs renew all
通過(guò)外部CA簽發(fā)證書(shū),需要kubeadm 生成一個(gè)CSR提交給CA。
1. 生成CSR和私鑰:
kubeadm alpha certs renew apiserver --csr-only --csr-dir /tmp/apiserver.csr
2. 查看CSR和私鑰:
命令輸出結(jié)果中提供了CSR和私鑰。
root@k8s-master:~# ls /tmp/apiserver.csr/
apiserver.csr apiserver.key
3. 使用該私鑰到CA上請(qǐng)求簽發(fā)證書(shū)。
將頒發(fā)的證書(shū)及私鑰復(fù)制到PKI目錄/etc/kubernetes/pki中。
免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。