运维开发网
广告位招商联系QQ:123077622
 
广告位招商联系QQ:123077622

kubernetes证书过期解决方案

运维开发网 https://www.qedev.com 2021-04-30 09:25 出处:51CTO 作者:xuegodsvip
kubernetes证书过期解决方案,拐弯处加速原创的Docker文章。

查看集群证书过期情况

kubeadm alpha certs check-expiration

[check-expiration] Reading configuration from the cluster...

[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED

admin.conf                 Dec 29, 2021 06:53 UTC   358d                                    no

apiserver                  Dec 29, 2021 06:53 UTC   358d            ca                      no

apiserver-etcd-client      Dec 29, 2021 06:53 UTC   358d            etcd-ca                 no

apiserver-kubelet-client   Dec 29, 2021 06:53 UTC   358d            ca                      no

controller-manager.conf    Dec 29, 2021 06:53 UTC   358d                                    no

etcd-healthcheck-client    Dec 29, 2021 06:53 UTC   358d            etcd-ca                 no

etcd-peer                  Dec 29, 2021 06:53 UTC   358d            etcd-ca                 no

etcd-server                Dec 29, 2021 06:53 UTC   358d            etcd-ca                 no

front-proxy-client         Dec 29, 2021 06:53 UTC   358d            front-proxy-ca          no

scheduler.conf             Dec 29, 2021 06:53 UTC   358d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED

ca                      Dec 23, 2029 11:49 UTC   8y              no

etcd-ca                 Dec 23, 2029 11:49 UTC   8y              no

front-proxy-ca          Dec 23, 2029 11:49 UTC   8y              no

查看根CA证书的有效期

cd /etc/kubernetes/pki

# 当前证书是10年的证书,可以直接生成, 如果和上面`EXPIRES` 日期是一样的是不适用

ls | grep ca.crt | xargs -I {} openssl x509 -text -in {} | grep "Not After"

           Not After : Dec 23 11:49:43 2029 GMT

           Not After : Dec 23 11:49:44 2029 GMT

查看证书目录结构

kubelet 上一般不会明确指定服务端证书, 而是只指定 ca 根证书, 让 kubelet 根据本地主机信息自动生成服务端证书并保存到配置的cert-dir文件夹中。

Kubernetes 集群根证书

== /etc/kubernetes/pki/ca.crt 根证书 == == /etc/kubernetes/pki/ca.key 根证书 ==

其他证书均为根证书签发

  • kube-apiserver 组件持有的服务端证书   /etc/kubernetes/pki/apiserver.crt   /etc/kubernetes/pki/apiserver.key

  • kubelet 组件持有的客户端证书

      /etc/kubernetes/pki/apiserver-kubelet-client.crt

      /etc/kubernetes/pki/apiserver-kubelet-client.key

    汇聚层(aggregator)证书

    == /etc/kubernetes/pki/front-proxy-ca.crt ==

    == /etc/kubernetes/pki/front-proxy-ca.key ==

  • 代理端使用的客户端证书, 用作代用户与 kube-apiserver 认证

    /etc/kubernetes/pki/front-proxy-client.crt

    /etc/kubernetes/pki/front-proxy-client.key

    etcd 集群根证书

    == /etc/kubernetes/pki/etcd/ca.crt ==

    == /etc/kubernetes/pki/etcd/ca.key ==

  • etcd server 持有的服务端证书 /etc/kubernetes/pki/etcd/server.crt /etc/kubernetes/pki/etcd/server.key

  • peer 集群中节点互相通信使用的客户端证书 /etc/kubernetes/pki/etcd/peer.crt /etc/kubernetes/pki/etcd/peer.key

  • pod 中定义 Liveness 探针使用的客户端证书 /etc/kubernetes/pki/etcd/healthcheck-client.crt /etc/kubernetes/pki/etcd/healthcheck-client.key

  • 配置在 kube-apiserver 中用来与 etcd server 做双向认证的客户端证书

    /etc/kubernetes/pki/apiserver-etcd-client.crt

    /etc/kubernetes/pki/apiserver-etcd-client.key

    Serveice Account秘钥

    == /etc/kubernetes/pki/sa.key ==

    == /etc/kubernetes/pki/sa.pub ==

    这组的密钥对儿仅提供给 kube-controller-manager 使用. kube-controller-manager 通过 sa.key 对 token 进行签名, master 节点通过公钥 sa.pub 进行签名的验证.

    API Server的authenticating环节支持多种身份校验方式:client cert、bearer token、static password auth等,这些方式中有一种方式通过authenticating(Kubernetes API Server会逐个方式尝试),那么身份校验就会通过。一旦API Server发现client发起的request使用的是service account token的方式,API Server就会自动采用signed bearer token方式进行身份校验。而request就会使用携带的service account token参与验证。该token是API Server在创建service account时用API server启动参数:–service-account-key-file的值签署(sign)生成的。如果–service-account-key-file未传入任何值,那么将默认使用–tls-private-key-file的值,即API Server的私钥(server.key)。

    通过authenticating后,API Server将根据Pod username所在的group:system:serviceaccounts和system:serviceaccounts:(NAMESPACE)的权限对其进行authority 和admission control两个环节的处理。在这两个环节中,cluster管理员可以对service account的权限进行细化设置。

    # `pki`目录下属于根证书目录

    # /etc/kubernetes/pki/ca.crt 根证书

    # /etc/kubernetes/pki/ca.key 根证书

    #

    tree /etc/kubernetes/pki

    /etc/kubernetes/pki

    ├── apiserver.crt

    ├── apiserver-etcd-client.crt

    ├── apiserver-etcd-client.key

    ├── apiserver.key

    ├── apiserver-kubelet-client.crt

    ├── apiserver-kubelet-client.key

    ├── ca.crt

    ├── ca.key

    ├── etcd

    │   ├── ca.crt

    │   ├── ca.key

    │   ├── healthcheck-client.crt

    │   ├── healthcheck-client.key

    │   ├── peer.crt

    │   ├── peer.key

    │   ├── server.crt

    │   └── server.key

    ├── front-proxy-ca.crt

    ├── front-proxy-ca.key

    ├── front-proxy-client.crt

    ├── front-proxy-client.key

    ├── sa.key

    └── sa.pub

    备份

    # 备份原有证书

    cp -rp /etc/kubernetes /etc/kubernetes.bak

    # 备份etcd数据目录

    cp -r /var/lib/etcd /var/lib/etcd.bak

    更新证书

    生成集群配置的yaml文件

    kubeadm config view > /root/kubeadm.yaml

    cat /root/kubeadm.yaml

    apiServer:

     extraArgs:

       authorization-mode: Node,RBAC

     timeoutForControlPlane: 4m0s

    apiVersion: kubeadm.k8s.io/v1beta2

    certificatesDir: /etc/kubernetes/pki

    clusterName: kubernetes

    controllerManager: {}

    dns:

     type: CoreDNS

    etcd:

     local:

       dataDir: /var/lib/etcd

    imageRepository: k8s.gcr.io

    kind: ClusterConfiguration

    kubernetesVersion: v1.17.0

    networking:

     dnsDomain: cluster.local

     podSubnet: 10.244.0.0/16

     serviceSubnet: 10.96.0.0/12

    scheduler: {}

    证书更新使用帮助

    kubeadm alpha certs renew --help

    Usage:

     kubeadm alpha certs renew [flags]

     kubeadm alpha certs renew [command]

    Available Commands:

     admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself

     all                      Renew all available certificates

     apiserver                Renew the certificate for serving the Kubernetes API

     apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd

     apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet

     controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use

     etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd

     etcd-peer                Renew the certificate for etcd nodes to communicate with each other

     etcd-server              Renew the certificate for serving etcd

     front-proxy-client       Renew the certificate for the front proxy client

     scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

    更新证书操作

    每个master节点都需要执行的, 切记切记

    # 更新所有服务的证书,如果不确定可以先更新一个看下结果用检查证书的命令, 上面的用法上有指定单独服务的名称

    kubeadm alpha certs renew all --config=/root/kubeadm.yaml

    [renew] Reading configuration from the cluster...

    [renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

    certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed

    certificate for serving the Kubernetes API renewed

    certificate the apiserver uses to access etcd renewed

    certificate for the API server to connect to kubelet renewed

    certificate embedded in the kubeconfig file for the controller manager to use renewed

    certificate for liveness probes to healthcheck etcd renewed

    certificate for etcd nodes to communicate with each other renewed

    certificate for serving etcd renewed

    certificate for the front proxy client renewed

    certificate embedded in the kubeconfig file for the scheduler manager to use renewed

    再次查询证书期限

    root @ master ➜  pki  kubeadm alpha certs check-expiration

    [check-expiration] Reading configuration from the cluster...

    [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

    CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED

    admin.conf                 Jan 04, 2022 07:55 UTC   364d                                    no

    apiserver                  Jan 04, 2022 07:55 UTC   364d            ca                      no

    apiserver-etcd-client      Jan 04, 2022 07:55 UTC   364d            etcd-ca                 no

    apiserver-kubelet-client   Jan 04, 2022 07:55 UTC   364d            ca                      no

    controller-manager.conf    Jan 04, 2022 07:55 UTC   364d                                    no

    etcd-healthcheck-client    Jan 04, 2022 07:55 UTC   364d            etcd-ca                 no

    etcd-peer                  Jan 04, 2022 07:55 UTC   364d            etcd-ca                 no

    etcd-server                Jan 04, 2022 07:55 UTC   364d            etcd-ca                 no

    front-proxy-client         Jan 04, 2022 07:55 UTC   364d            front-proxy-ca          no

    scheduler.conf             Jan 04, 2022 07:55 UTC   364d                                    no

    CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED

    ca                      Dec 23, 2029 11:49 UTC   8y              no

    etcd-ca                 Dec 23, 2029 11:49 UTC   8y              no

    front-proxy-ca          Dec 23, 2029 11:49 UTC   8y              no

    重启服务

    如果上述操作执行之后集群就恢复了,可以不执行如下操作, 但是没有的话,尝试下如下的命令.

    命令的作用是直接重启下和证书相关的应用的容器,重新加载证书.

# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart

扫码领视频副本.gif

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号