[root@hs-k8s-master01 ~]# cd /data/
[root@hs-k8s-master01 data]# ls
docker
[root@hs-k8s-master01 data]# mkdir k8s
[root@hs-k8s-master01 data]# cd k8s/
[root@hs-k8s-master01 k8s]# ls
[root@hs-k8s-master01 k8s]# mkdir source_code
[root@hs-k8s-master01 k8s]# cd source_code/
[root@hs-k8s-master01 source_code]# rz
[root@hs-k8s-master01 source_code]# tar xf kubernetes-1.17.2.tar.gz
[root@hs-k8s-master01 source_code]# ls
kubernetes-1.17.2 kubernetes-1.17.2.tar.gz
[root@hs-k8s-master01 source_code]# cd kubernetes-1.17.2/
[root@hs-k8s-master01 kubernetes-1.17.2]# ls
api cluster Godeps logo pkg SUPPORT.md WORKSPACE
build cmd go.mod Makefile plugin test
BUILD.bazel code-of-conduct.md go.sum Makefile.generated_files README.md third_party
CHANGELOG-1.17.md CONTRIBUTING.md hack OWNERS SECURITY_CONTACTS translations
CHANGELOG.md docs LICENSE OWNERS_ALIASES staging vendor
[root@hs-k8s-master01 kubernetes-1.17.2]#
[root@hs-k8s-master01 kubernetes-1.17.2]# vim ./staging/src/k8s.io/c
client-go/ cloud-provider/ code-generator/ cri-api/
cli-runtime/ cluster-bootstrap/ component-base/ csi-translation-lib/
[root@hs-k8s-master01 kubernetes-1.17.2]# vim ./staging/src/k8s.io/cli
client-go/ cli-runtime/
[root@hs-k8s-master01 kubernetes-1.17.2]# vim ./staging/src/k8s.io/client-go/util/cert
cert/ certificate/
[root@hs-k8s-master01 kubernetes-1.17.2]# vim ./staging/src/k8s.io/client-go/util/cert/cert.go
[root@hs-k8s-master01 kubernetes-1.17.2]# vim ./cmd/kubeadm/app/util/pkiutil/pki_helpers.go
[root@hs-k8s-master01 kubernetes-1.17.2]# vim ./cmd/kubeadm/app/constants/constants.go
[root@hs-k8s-master01 kubernetes-1.17.2]# docker pull mirrorgooglecontainers/kube-cross:v1.12.10-1
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 223.5.5.5:53: read udp 10.0.0.200:37338->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.2]# docker pull mirrorgooglecontainers/kube-cross:v1.12.10-1
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 223.5.5.5:53: read udp 10.0.0.200:4029->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.2]# docker pull gcrcontainer/kube-cross:v1.13.5-1
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 223.5.5.5:53: read udp 10.0.0.200:59440->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.2]# docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-cross:v1.13.5-1
Error response from daemon: Get https://registry.cn-hangzhou.aliyuncs.com/v2/: dial tcp: lookup registry.cn-hangzhou.aliyuncs.com on 223.5.5.5:53: read udp 10.0.0.200:42909->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.2]# dig @114.114.114.114 registry-1.docker.io
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @114.114.114.114 registry-1.docker.io
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@hs-k8s-master01 kubernetes-1.17.2]# docker version
Client: Docker Engine - Community
Version: 19.03.5
API version: 1.40
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:25:41 2019
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.3
API version: 1.40 (minimum version 1.12)
Go version: go1.12.10
Git commit: a872fc2f86
Built: Tue Oct 8 00:56:46 2019
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.10
GitCommit: b34a5c8af56e510852c35414db4c1f4fa6172339
runc:
Version: 1.0.0-rc8+dev
GitCommit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
docker-init:
Version: 0.18.0
GitCommit: fec3683
[root@hs-k8s-master01 kubernetes-1.17.2]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@hs-k8s-master01 kubernetes-1.17.2]#
[root@hs-k8s-master01 kubernetes-1.17.2]# docekr search nginx
-bash: docekr: 未找到指令
[root@hs-k8s-master01 kubernetes-1.17.2]# docker search nginx
Error response from daemon: Get https://index.docker.io/v1/search?q=nginx&n=25: dial tcp: lookup index.docker.io on 223.5.5.5:53: read udp 10.0.0.200:15999->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.2]# mv /etc/sysconfig/network-scripts/ifcfg-eth1 /tmp/
[root@hs-k8s-master01 kubernetes-1.17.2]# systemctl restart network
[root@hs-k8s-master01 kubernetes-1.17.2]# hostname -I
20.0.0.200 172.17.0.1
[root@hs-k8s-master01 kubernetes-1.17.2]# docker search nginx
Error response from daemon: Get https://index.docker.io/v1/search?q=nginx&n=25: dial tcp: lookup index.docker.io on 223.5.5.5:53: read udp 20.0.0.200:45441->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.2]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
bc51dd8edc1b: Downloading [=> ] 542.7kB/27.09MB
66ba67045f57: Downloading [=> ] 717.7kB/23.88MB
bf317aa10aa5: Download complete
^C
[root@hs-k8s-master01 kubernetes-1.17.2]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@hs-k8s-master01 kubernetes-1.17.2]#
[root@hs-k8s-master01 kubernetes-1.17.2]# docker pull gccontainer/kube-cross:v1.13.5-1
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 223.5.5.5:53: read udp 20.0.0.200:61687->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.2]# dig @114.114.114.114 registry-1.docker.io
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @114.114.114.114 registry-1.docker.io
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7712
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;registry-1.docker.io. IN A
;; ANSWER SECTION:
registry-1.docker.io. 34 IN A 34.197.189.129
registry-1.docker.io. 34 IN A 34.228.211.243
registry-1.docker.io. 34 IN A 34.199.77.19
registry-1.docker.io. 34 IN A 3.226.66.79
registry-1.docker.io. 34 IN A 34.201.196.144
registry-1.docker.io. 34 IN A 34.232.31.24
registry-1.docker.io. 34 IN A 34.199.40.84
registry-1.docker.io. 34 IN A 3.224.75.242
;; Query time: 15 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: 一 2月 03 11:43:57 CST 2020
;; MSG SIZE rcvd: 177
[root@hs-k8s-master01 kubernetes-1.17.2]# vim /etc/hosts
[root@hs-k8s-master01 kubernetes-1.17.2]# docker pull gccontainer/kube-cross:v1.13.5-1
Error response from daemon: Get https://registry-1.docker.io/v2/gccontainer/kube-cross/manifests/v1.13.5-1: Get https://auth.docker.io/token?scope=repository%3Agccontainer%2Fkube-cross%3Apull&service=registry.docker.io: dial tcp: lookup auth.docker.io on 223.5.5.5:53: read udp 20.0.0.200:31167->223.5.5.5:53: i/o timeout
[root@hs-k8s-master01 kubernetes-1.17.2]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
[root@hs-k8s-master01 kubernetes-1.17.2]# systemctl restart network
[root@hs-k8s-master01 kubernetes-1.17.2]# docker pull gccontainer/kube-cross:v1.13.5-1
Error response from daemon: pull access denied for gccontainer/kube-cross, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
[root@hs-k8s-master01 kubernetes-1.17.2]# docker pull gccontainer/kube-cross:v1.13.5
Error response from daemon: pull access denied for gccontainer/kube-cross, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
[root@hs-k8s-master01 kubernetes-1.17.2]# docker pull gcrcontainer/kube-cross:v1.13.5-1
檢視網上的資料主要有兩個地方需要修改
vim ./staging/src/k8s.io/client-go/util/cert/cert.go
# 這個方法裡面NotAfter: now.Add(duration365d * 10).UTC()
# 預設有效期就是10年,改成100年（注意：這只影響重新編譯後新建立的 CA；既有叢集的 ca / etcd-ca / front-proxy-ca 不會被 certs renew 更新，下方 check-expiration 顯示的 CA 到期時間仍是 2030 年）
// NewSelfSignedCACert builds a self-signed CA certificate from cfg and key.
//
// The certificate is marked as a CA (IsCA, BasicConstraintsValid) with
// KeyEncipherment, DigitalSignature and CertSign usages, and it is signed
// by its own key (template is both subject and issuer). Validity starts
// now (UTC) and runs for 100 years — this is the site-local change from the
// upstream 10-year default. A longer CA lifetime widens the window in which
// a leaked ca.key remains usable, so access to that file needs to stay
// tightly restricted.
//
// Note (review): SerialNumber is the constant 0. Leaf certificates issued by
// this CA are unaffected, but two CAs created with the same subject cannot be
// told apart by serial alone — confirm against upstream before depending on it.
//
// Returns the parsed certificate, or the error from creation / parsing.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	issuedAt := time.Now().UTC()
	// Same instant as issuedAt plus 100 "years" of 365 days each.
	expiresAt := issuedAt.Add(duration365d * 100)

	subject := pkix.Name{
		CommonName:   cfg.CommonName,
		Organization: cfg.Organization,
	}
	template := x509.Certificate{
		SerialNumber:          big.NewInt(0),
		Subject:               subject,
		NotBefore:             issuedAt,
		NotAfter:              expiresAt,
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	// Self-signed: the template is passed as both subject and parent and
	// key signs its own public half.
	der, err := x509.CreateCertificate(cryptorand.Reader, &template, &template, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
vim ./cmd/kubeadm/app/util/pkiutil/pki_helpers.go
# 這個方法裡面看到NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC()
# 參數裡面是一個常量kubeadmconstants.CertificateValidity
# 是以這裡可以不修改,我去看看源碼能不能找到這個常量的指派位置
// NewSignedCert issues a leaf certificate for cfg, signed by caCert / caKey.
//
// cfg.CommonName and at least one entry in cfg.Usages are required; a missing
// value returns an error before any certificate is built. The serial is drawn
// from crypto/rand in [0, MaxInt64). NotBefore is copied from the CA
// certificate; NotAfter is now + kubeadmconstants.CertificateValidity (UTC),
// so the lifetime of every kubeadm-signed leaf is governed by that single
// constant. NotAfter is not clamped to caCert.NotAfter — a leaf can be issued
// that outlives its CA and will be rejected by verifiers once the CA expires.
// SANs come from cfg.AltNames; key usage is fixed to
// KeyEncipherment|DigitalSignature, with cfg.Usages as extended key usages.
//
// Returns the parsed certificate, or an error from serial generation,
// validation, creation or parsing.
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
	// The serial is drawn before validation, matching the original ordering
	// (the random stream is consumed even when validation then fails).
	serialLimit := new(big.Int).SetInt64(math.MaxInt64)
	serial, err := cryptorand.Int(cryptorand.Reader, serialLimit)
	if err != nil {
		return nil, err
	}

	switch {
	case len(cfg.CommonName) == 0:
		return nil, errors.New("must specify a CommonName")
	case len(cfg.Usages) == 0:
		return nil, errors.New("must specify at least one ExtKeyUsage")
	}

	validUntil := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()
	leaf := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:     cfg.AltNames.DNSNames,
		IPAddresses:  cfg.AltNames.IPs,
		SerialNumber: serial,
		NotBefore:    caCert.NotBefore,
		NotAfter:     validUntil,
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  cfg.Usages,
	}

	// Parent is the CA certificate and the CA key does the signing; key only
	// contributes the public half that goes into the leaf.
	der, err := x509.CreateCertificate(cryptorand.Reader, &leaf, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
結果在這裡找到kubeadmconstants.CertificateValidity的定義
vim ./cmd/kubeadm/app/constants/constants.go
// 就是這個常量定義CertificateValidity,我改成*100年
// Excerpt of the kubeadm constants block; the remainder of the block (and its
// closing parenthesis) is not shown on this page.
const (
// KubernetesDir is the directory Kubernetes owns for storing various configuration files
KubernetesDir = "/etc/kubernetes"
// ManifestsSubDirName defines directory name to store manifests
ManifestsSubDirName = "manifests"
// TempDirForKubeadm defines temporary directory for kubeadm
// should be joined with KubernetesDir.
TempDirForKubeadm = "tmp"
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
// CertificateValidity = time.Hour * 24 * 365
// Site-local change: the upstream value (kept on the line above for reference)
// is one year; 100 years is applied to every leaf certificate kubeadm signs or
// renews. It does not change the lifetime of the CA certificates themselves,
// which is fixed when the CA is created (see NewSelfSignedCACert).
CertificateValidity = time.Hour * 24 * 365 * 100
// CACertAndKeyBaseName defines certificate authority base name
CACertAndKeyBaseName = "ca"
// CACertName defines certificate name
CACertName = "ca.crt"
// CAKeyName defines certificate name
CAKeyName = "ca.key"
源代碼改好了,接下來就是編譯kubeadm了
[root@hs-k8s-master01 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb 02, 2021 07:17 UTC 364d no
apiserver Feb 02, 2021 07:17 UTC 364d ca no
apiserver-etcd-client Feb 02, 2021 07:17 UTC 364d etcd-ca no
apiserver-kubelet-client Feb 02, 2021 07:17 UTC 364d ca no
controller-manager.conf Feb 02, 2021 07:17 UTC 364d no
etcd-healthcheck-client Feb 02, 2021 07:17 UTC 364d etcd-ca no
etcd-peer Feb 02, 2021 07:17 UTC 364d etcd-ca no
etcd-server Feb 02, 2021 07:17 UTC 364d etcd-ca no
front-proxy-client Feb 02, 2021 07:17 UTC 364d front-proxy-ca no
scheduler.conf Feb 02, 2021 07:17 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 31, 2030 07:17 UTC 9y no
etcd-ca Jan 31, 2030 07:17 UTC 9y no
front-proxy-ca Jan 31, 2030 07:17 UTC 9y no
[root@hs-k8s-master01 ~]# cd /data/k8s/
[root@hs-k8s-master01 k8s]# ls
source_code yaml
[root@hs-k8s-master01 k8s]# cd source_code/
[root@hs-k8s-master01 source_code]# ls
kubernetes-1.17.2 kubernetes-1.17.2.tar.gz
[root@hs-k8s-master01 source_code]# cd kubernetes-1.17.2/
[root@hs-k8s-master01 kubernetes-1.17.2]# ls
api cluster Godeps logo OWNERS_ALIASES staging vendor
build cmd go.mod Makefile pkg SUPPORT.md WORKSPACE
BUILD.bazel code-of-conduct.md go.sum Makefile.generated_files plugin test
CHANGELOG-1.17.md CONTRIBUTING.md hack _output README.md third_party
CHANGELOG.md docs LICENSE OWNERS SECURITY_CONTACTS translations
[root@hs-k8s-master01 kubernetes-1.17.2]# cd _output/
[root@hs-k8s-master01 _output]# ls
APIEXTENSIONS_violations.report bin CODEGEN_violations.report KUBE_violations.report local SAMPLEAPISERVER_violations.report
[root@hs-k8s-master01 _output]# ll
總用量 88
-rw-r--r-- 1 root root 3669 2月 3 12:08 APIEXTENSIONS_violations.report
lrwxrwxrwx 1 root root 55 2月 3 12:09 bin -> /go/src/k8s.io/kubernetes/_output/local/bin/linux/amd64
-rw-r--r-- 1 root root 4256 2月 3 12:08 CODEGEN_violations.report
-rw-r--r-- 1 root root 73192 2月 3 12:08 KUBE_violations.report
drwxr-xr-x 4 root root 27 2月 3 12:07 local
-rw-r--r-- 1 root root 3999 2月 3 12:08 SAMPLEAPISERVER_violations.report
[root@hs-k8s-master01 _output]# cd local/
[root@hs-k8s-master01 local]# ls
bin go
[root@hs-k8s-master01 local]# cd bin/
[root@hs-k8s-master01 bin]# ls
linux
[root@hs-k8s-master01 bin]# cd linux/
[root@hs-k8s-master01 linux]# ls
amd64
[root@hs-k8s-master01 linux]# cd amd64/
[root@hs-k8s-master01 amd64]# ls
conversion-gen deepcopy-gen defaulter-gen go2make go-bindata kubeadm openapi-gen
[root@hs-k8s-master01 amd64]#
[root@hs-k8s-master01 amd64]# cd ../../
[root@hs-k8s-master01 bin]# ls
linux
[root@hs-k8s-master01 bin]# cd ../
[root@hs-k8s-master01 local]# ls
bin go
[root@hs-k8s-master01 local]# cd ..
[root@hs-k8s-master01 _output]# ls
APIEXTENSIONS_violations.report bin CODEGEN_violations.report KUBE_violations.report local SAMPLEAPISERVER_violations.report
[root@hs-k8s-master01 _output]# cd ..
[root@hs-k8s-master01 kubernetes-1.17.2]# ls
api cluster Godeps logo OWNERS_ALIASES staging vendor
build cmd go.mod Makefile pkg SUPPORT.md WORKSPACE
BUILD.bazel code-of-conduct.md go.sum Makefile.generated_files plugin test
CHANGELOG-1.17.md CONTRIBUTING.md hack _output README.md third_party
CHANGELOG.md docs LICENSE OWNERS SECURITY_CONTACTS translations
[root@hs-k8s-master01 kubernetes-1.17.2]# cp /usr/bin/kubeadm{,.bak}
[root@hs-k8s-master01 kubernetes-1.17.2]# cp _output/local/bin/linux/amd64/kubeadm
[root@hs-k8s-master01 kubernetes-1.17.2]# cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
cp:是否覆寫"/usr/bin/kubeadm"? y
[root@hs-k8s-master01 kubernetes-1.17.2]# cd /etc/kubernetes/pki/
[root@hs-k8s-master01 pki]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
[root@hs-k8s-master01 pki]# cd ..
[root@hs-k8s-master01 kubernetes]# ls
admin.conf controller-manager.conf gcrcontainer-kube-cross:v1.13.5-1.tar kubelet.conf manifests pki scheduler.conf
[root@hs-k8s-master01 kubernetes]# ll
總用量 1875756
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw-r--r-- 1 root root 1920737792 2月 3 12:20 gcrcontainer-kube-cross:v1.13.5-1.tar
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 3 root root 4096 2月 3 15:17 pki
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]# rm -f gcrcontainer-kube-cross\:v1.13.5-1.tar
[root@hs-k8s-master01 kubernetes]# ls
admin.conf controller-manager.conf kubelet.conf manifests pki scheduler.conf
[root@hs-k8s-master01 kubernetes]#
[root@hs-k8s-master01 kubernetes]# ll
總用量 32
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 3 root root 4096 2月 3 15:17 pki
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]# mkdir pki.bak
[root@hs-k8s-master01 kubernetes]# ll
總用量 32
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 3 root root 4096 2月 3 15:17 pki
drwxr-xr-x 2 root root 6 2月 3 16:57 pki.bak
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]# vm pki/* pki.bak/
-bash: vm: 未找到指令
[root@hs-k8s-master01 kubernetes]# mv pki/* pki.bak/
[root@hs-k8s-master01 kubernetes]# ll
總用量 32
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 2 root root 6 2月 3 16:57 pki
drwxr-xr-x 3 root root 4096 2月 3 16:57 pki.bak
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]#
[root@hs-k8s-master01 kubernetes]# cd pki
[root@hs-k8s-master01 pki]# ls
[root@hs-k8s-master01 pki]# cd ..
[root@hs-k8s-master01 kubernetes]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
Error checking external CA condition for ca certificate authority: failure loading certificate for CA: couldn't load the certificate file /etc/kubernetes/pki/ca.crt: open /etc/kubernetes/pki/ca.crt: no such file or directory
To see the stack trace of this error execute with --v=5 or higher
[root@hs-k8s-master01 kubernetes]# ll
總用量 32
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 2 root root 6 2月 3 16:57 pki
drwxr-xr-x 3 root root 4096 2月 3 16:57 pki.bak
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]# cp pki.bak/* pki/
cp: 略過目錄"pki.bak/etcd"
[root@hs-k8s-master01 kubernetes]# ll
總用量 36
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 2 root root 4096 2月 3 16:58 pki
drwxr-xr-x 3 root root 4096 2月 3 16:57 pki.bak
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]# cd pki
[root@hs-k8s-master01 pki]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.key sa.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-client.crt sa.pub
apiserver-etcd-client.key apiserver-kubelet-client.key front-proxy-ca.crt front-proxy-client.key
[root@hs-k8s-master01 pki]# cd ..
[root@hs-k8s-master01 kubernetes]# ls
admin.conf controller-manager.conf kubelet.conf manifests pki pki.bak scheduler.conf
[root@hs-k8s-master01 kubernetes]# cd pki.bak/
[root@hs-k8s-master01 pki.bak]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
[root@hs-k8s-master01 pki.bak]# cd etcd/
[root@hs-k8s-master01 etcd]# ls
ca.crt ca.key healthcheck-client.crt healthcheck-client.key peer.crt peer.key server.crt server.key
[root@hs-k8s-master01 etcd]# cd ..
[root@hs-k8s-master01 pki.bak]# cd ..
[root@hs-k8s-master01 kubernetes]# cd pki
[root@hs-k8s-master01 pki]# ll
總用量 56
-rw-r--r-- 1 root root 1241 2月 3 16:58 apiserver.crt
-rw-r--r-- 1 root root 1090 2月 3 16:58 apiserver-etcd-client.crt
-rw------- 1 root root 1675 2月 3 16:58 apiserver-etcd-client.key
-rw------- 1 root root 1675 2月 3 16:58 apiserver.key
-rw-r--r-- 1 root root 1099 2月 3 16:58 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 2月 3 16:58 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 2月 3 16:58 ca.crt
-rw------- 1 root root 1675 2月 3 16:58 ca.key
-rw-r--r-- 1 root root 1038 2月 3 16:58 front-proxy-ca.crt
-rw------- 1 root root 1679 2月 3 16:58 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 2月 3 16:58 front-proxy-client.crt
-rw------- 1 root root 1679 2月 3 16:58 front-proxy-client.key
-rw------- 1 root root 1675 2月 3 16:58 sa.key
-rw------- 1 root root 451 2月 3 16:58 sa.pub
[root@hs-k8s-master01 pki]# mkdir etcd
[root@hs-k8s-master01 pki]# cd ..
[root@hs-k8s-master01 kubernetes]# cd pki.bak/
[root@hs-k8s-master01 pki.bak]# mv etcd/* ../pki/etcd/
[root@hs-k8s-master01 pki.bak]# cd ..
[root@hs-k8s-master01 kubernetes]# ll
總用量 36
-rw------- 1 root root 5450 2月 3 15:17 admin.conf
-rw------- 1 root root 5482 2月 3 15:17 controller-manager.conf
-rw------- 1 root root 1894 2月 3 15:17 kubelet.conf
drwxr-xr-x 2 root root 113 2月 3 15:17 manifests
drwxr-xr-x 3 root root 4096 2月 3 16:59 pki
drwxr-xr-x 3 root root 4096 2月 3 16:57 pki.bak
-rw------- 1 root root 5430 2月 3 15:17 scheduler.conf
[root@hs-k8s-master01 kubernetes]# cd pki
[root@hs-k8s-master01 pki]# ll
總用量 56
-rw-r--r-- 1 root root 1241 2月 3 16:58 apiserver.crt
-rw-r--r-- 1 root root 1090 2月 3 16:58 apiserver-etcd-client.crt
-rw------- 1 root root 1675 2月 3 16:58 apiserver-etcd-client.key
-rw------- 1 root root 1675 2月 3 16:58 apiserver.key
-rw-r--r-- 1 root root 1099 2月 3 16:58 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 2月 3 16:58 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 2月 3 16:58 ca.crt
-rw------- 1 root root 1675 2月 3 16:58 ca.key
drwxr-xr-x 2 root root 162 2月 3 16:59 etcd
-rw-r--r-- 1 root root 1038 2月 3 16:58 front-proxy-ca.crt
-rw------- 1 root root 1679 2月 3 16:58 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 2月 3 16:58 front-proxy-client.crt
-rw------- 1 root root 1679 2月 3 16:58 front-proxy-client.key
-rw------- 1 root root 1675 2月 3 16:58 sa.key
-rw------- 1 root root 451 2月 3 16:58 sa.pub
[root@hs-k8s-master01 pki]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@hs-k8s-master01 pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jan 10, 2120 08:59 UTC 99y no
apiserver Jan 10, 2120 08:59 UTC 99y ca no
apiserver-etcd-client Jan 10, 2120 08:59 UTC 99y etcd-ca no
apiserver-kubelet-client Jan 10, 2120 08:59 UTC 99y ca no
controller-manager.conf Jan 10, 2120 08:59 UTC 99y no
etcd-healthcheck-client Jan 10, 2120 08:59 UTC 99y etcd-ca no
etcd-peer Jan 10, 2120 08:59 UTC 99y etcd-ca no
etcd-server Jan 10, 2120 08:59 UTC 99y etcd-ca no
front-proxy-client Jan 10, 2120 08:59 UTC 99y front-proxy-ca no
scheduler.conf Jan 10, 2120 08:59 UTC 99y no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 31, 2030 07:17 UTC 9y no
etcd-ca Jan 31, 2030 07:17 UTC 9y no
front-proxy-ca Jan 31, 2030 07:17 UTC 9y no
[root@bs-k8s-master02 ~]# cp /usr/bin/kubeadm{,.bak}
[root@hs-k8s-master01 pki]# scp /usr/bin/kubeadm 20.0.0.201:/usr/bin/kubeadm
[root@bs-k8s-master02 ~]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@bs-k8s-master02 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jan 10, 2120 09:03 UTC 99y no
apiserver Jan 10, 2120 09:03 UTC 99y ca no
apiserver-etcd-client Jan 10, 2120 09:03 UTC 99y etcd-ca no
apiserver-kubelet-client Jan 10, 2120 09:03 UTC 99y ca no
controller-manager.conf Jan 10, 2120 09:03 UTC 99y no
etcd-healthcheck-client Jan 10, 2120 09:03 UTC 99y etcd-ca no
etcd-peer Jan 10, 2120 09:04 UTC 99y etcd-ca no
etcd-server Jan 10, 2120 09:04 UTC 99y etcd-ca no
front-proxy-client Jan 10, 2120 09:04 UTC 99y front-proxy-ca no
scheduler.conf Jan 10, 2120 09:04 UTC 99y no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 31, 2030 07:17 UTC 9y no
etcd-ca Jan 31, 2030 07:17 UTC 9y no
front-proxy-ca Jan 31, 2030 07:17 UTC 9y no
同理 master03
過手如登山,一步一重天