免责声明:延长证书有效期期限将降低PKI的安全性,请勿在需要保证生产安全的场合使用该方法。
长话短说
Git仓库:kubernetes/kubernetes
$ git clone https://github.com/kubernetes/kubernetes.git $ cd kubernetes # 编辑源码 $ git checkout release-1.15 $ vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go $ git diff --- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go +++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go @@ -571,7 +571,7 @@ func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certifi IPAddresses: cfg.AltNames.IPs, SerialNumber: serial, NotBefore: caCert.NotBefore, - NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC(), + NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity * 100).UTC(), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, ExtKeyUsage: cfg.Usages, # 编译二进制 $ go version go version go1.12.7 linux/amd64 $ go build ./cmd/kubeadm # 使用二进制更新证书 $ ./kubeadm alpha certs renew all certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed certificate for serving the Kubernetes API renewed certificate the apiserver uses to access etcd renewed certificate for the API server to connect to kubelet renewed certificate embedded in the kubeconfig file for the controller manager to use renewed certificate for liveness probes to healtcheck etcd renewed certificate for etcd nodes to communicate with each other renewed certificate for serving etcd renewed certificate for the front proxy client renewed certificate embedded in the kubeconfig file for the scheduler manager to use renewed # 检查新证书期限 $ cfssl-certinfo -cert /etc/kubernetes/pki/apiserver.crt|grep not "not_before": "2019-08-28T02:04:17Z", "not_after": "2119-08-04T03:52:33Z",
