
How to manage certificates with kubeadm

Managing certificates with kubeadm

Before managing certificates, you need to understand how Kubernetes uses PKI certificates; see the official documentation.

Checking certificate expiration

check-expiration can be used to check when certificates expire:

kubeadm certs check-expiration

The output is as follows:

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 22, 2022 09:34 UTC   364d                                    no      
apiserver                  Nov 22, 2022 09:34 UTC   364d            ca                      no      
apiserver-etcd-client      Nov 22, 2022 09:34 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Nov 22, 2022 09:34 UTC   364d            ca                      no      
controller-manager.conf    Nov 22, 2022 09:34 UTC   364d                                    no      
etcd-healthcheck-client    Nov 22, 2022 09:33 UTC   364d            etcd-ca                 no      
etcd-peer                  Nov 22, 2022 09:33 UTC   364d            etcd-ca                 no      
etcd-server                Nov 22, 2022 09:33 UTC   364d            etcd-ca                 no      
front-proxy-client         Nov 22, 2022 09:34 UTC   364d            front-proxy-ca          no      
scheduler.conf             Nov 22, 2022 09:34 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 17, 2031 09:25 UTC   9y              no      
etcd-ca                 Nov 17, 2031 09:25 UTC   9y              no      
front-proxy-ca          Nov 17, 2031 09:25 UTC   9y              no               

The command shows the expiration/residual time of every certificate, including the client certificates under /etc/kubernetes/pki and the client certificates kubeadm embeds in the KUBECONFIG files (admin.conf, controller-manager.conf and scheduler.conf).

Note:
  1. kubelet.conf is not in the list above, because kubeadm configures it for automatic renewal.
  2. kubeadm cannot manage certificates signed by an external CA.

Automatic certificate renewal

Automatic renewal means that all certificates are renewed automatically when the control plane is upgraded with kubeadm.

If you have no special requirements around certificate renewal and upgrade the Kubernetes version regularly, with less than a year between upgrades, the best practice is to upgrade the cluster frequently to keep it secure.

If you do not want certificates renewed during a cluster upgrade, pass --certificate-renewal=false to kubeadm upgrade apply or kubeadm upgrade node.

Manual certificate renewal

Certificates can be renewed manually at any time with kubeadm certs renew, which uses the CA (or front-proxy-CA) certificate and key stored in /etc/kubernetes/pki to issue the new certificates.

In an HA cluster, run it on every control plane node.

The kubeadm alpha certs command in detail:

Available Commands:
  certificate-key   generate a certificate and key
  check-expiration  check certificate expiration times
  renew             renew certificates for a Kubernetes cluster

renew is the most-used subcommand; here is its help output:

root@k8s-master:~# kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm certs renew [flags]
  kubeadm certs renew [command]

Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm certs renew [command] --help" for more information about a command.           

As shown, naming a certificate renews that certificate, and all renews every certificate.

After the command runs, note:

  1. Regardless of the certificate's expiration time, it is unconditionally renewed for one year.
  2. The SANs and other attributes are taken from the original certificate and do not need to be supplied again.
  3. After renew runs, the control plane components must be restarted for the change to take effect.

The kubeadm certs command is only supported on v1.15 and later.

Example 1: manually renewing the apiserver certificate (apiserver.crt)

From the check above, apiserver.crt currently expires at Nov 22, 2022 09:34 UTC, with 364d remaining.

1. Run renew:

root@k8s-master:~# kubeadm certs renew apiserver
certificate for serving the Kubernetes API renewed

Once renew completes, new apiserver.key and apiserver.crt files are written to /etc/kubernetes/pki, overwriting the originals.

2. Restart the apiserver:

A new certificate file has now been generated for the apiserver, so the kube-apiserver component must be restarted to make it use the new certificate.

Restarting a static Pod:

mv /etc/kubernetes/manifests/kube-apiserver.yaml /tmp/
# after about 30 seconds the kube-apiserver container stops; then move the manifest back:
mv /tmp/kube-apiserver.yaml /etc/kubernetes/manifests/

kubelet detects the manifest immediately and starts kube-apiserver, completing the restart.

3. Verify:

root@k8s-master:~# kubeadm certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver                  Nov 23, 2022 01:45 UTC   364d            ca                      no                 

The apiserver certificate's expiration time has changed, but it is not extended by one year from the old expiry: the new certificate is valid for one year from the moment renew succeeded.

4. Apply the new certificate on the other master nodes:

Copy the newly generated apiserver.key and apiserver.crt to the corresponding certificate directory on the other master nodes, overwriting the original files in the same way, then restart kube-apiserver so that it uses the new certificate files.

Example 2: manually renewing all certificates

renew re-issues the certificate files. To renew every certificate for one year, run:

kubeadm certs renew all

This regenerates the certificate files of all components (/etc/kubernetes/pki/) and the kubeconfig files under /etc/kubernetes/ (admin.conf, controller-manager.conf, scheduler.conf), with the exception of kubelet.conf.

1. Run renew all:

# back up first:
$ cp -r /etc/kubernetes /etc/kubernetes.bak
$ kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.           

2. Inspect the new certificate files:

Which certificate files were regenerated? Compare each file's modification time with the current time:

root@k8s-master:~# date
Tue Nov 23 10:30:13 CST 2021
root@k8s-master:~#
# kubeconfig files
root@k8s-master:~# ls -l /etc/kubernetes
total 40
-rw------- 1 root root 5594 Nov 23 10:21 admin.conf
-rw------- 1 root root 5626 Nov 23 10:21 controller-manager.conf
-rw------- 1 root root 1950 Nov 19 17:26 kubelet.conf  # timestamp unchanged, so it was not regenerated
drwxr-xr-x 2 root root 4096 Nov 23 10:04 manifests
drwxr-xr-x 3 root root 4096 Nov 19 17:25 pki
-rw------- 1 root root 5570 Nov 23 10:21 scheduler.conf
# pki directory: apart from the two CA files, every certificate was regenerated
root@test-node-tmp-1:~# ls -l /etc/kubernetes/pki/ 
total 60
-rw-r--r-- 1 root root 1155 Nov 23 10:21 apiserver-etcd-client.crt
-rw------- 1 root root 1675 Nov 23 10:21 apiserver-etcd-client.key
-rw-r--r-- 1 root root 1164 Nov 23 10:21 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Nov 23 10:21 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1294 Nov 23 10:21 apiserver.crt
-rw------- 1 root root 1679 Nov 23 10:21 apiserver.key
-rw-r--r-- 1 root root 1066 Nov 19 17:25 ca.crt
-rw------- 1 root root 1679 Nov 19 17:25 ca.key
drwxr-xr-x 2 root root 4096 Nov 19 17:25 etcd
-rw-r--r-- 1 root root 1078 Nov 19 17:25 front-proxy-ca.crt
-rw------- 1 root root 1679 Nov 19 17:25 front-proxy-ca.key
-rw-r--r-- 1 root root 1119 Nov 23 10:21 front-proxy-client.crt
-rw------- 1 root root 1675 Nov 23 10:21 front-proxy-client.key
-rw------- 1 root root 1679 Nov 19 17:25 sa.key
-rw------- 1 root root  451 Nov 19 17:25 sa.pub
# the etcd certificates installed by kubeadm were regenerated too, except the CA:
root@test-node-tmp-1:~# ls -l /etc/kubernetes/pki/etcd/
total 32
-rw-r--r-- 1 root root 1058 Nov 19 17:25 ca.crt
-rw------- 1 root root 1679 Nov 19 17:25 ca.key
-rw-r--r-- 1 root root 1159 Nov 23 10:21 healthcheck-client.crt
-rw------- 1 root root 1675 Nov 23 10:21 healthcheck-client.key
-rw-r--r-- 1 root root 1216 Nov 23 10:21 peer.crt
-rw------- 1 root root 1675 Nov 23 10:21 peer.key
-rw-r--r-- 1 root root 1216 Nov 23 10:21 server.crt
-rw------- 1 root root 1675 Nov 23 10:21 server.key           

3. Restart the master components on the current node to apply the new certificate files:

As the output says, kube-apiserver, kube-controller-manager, kube-scheduler and etcd must be restarted, in the same way kube-apiserver was restarted above.

4. Copy the certificate files under /etc/kubernetes on the current node to the other master nodes to update their certificate files.

See also the official documentation: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-certs/

Renewing certificates with an external CA

To have certificates signed by an external CA, kubeadm generates a CSR that is submitted to the CA.

1. Generate the CSR and private key:

kubeadm alpha certs renew apiserver --csr-only --csr-dir /tmp/apiserver.csr
  • --csr-only: generate only the CSR.
  • --csr-dir: where the generated CSR and private key are stored; the default is /etc/kubernetes/pki

2. Inspect the CSR and private key:

root@k8s-master:~# ls /tmp/apiserver.csr/
apiserver.csr  apiserver.key
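The pieces of this workflow can be exercised offline with a small program: what check-expiration computes (residual time and issuing CA), what to verify on a renewed or copied serving certificate before a control plane node relies on it (example 1, step 4), and what an external CA does with the CSR written by --csr-only (this section). The Go program below is an added example, not code from this article or from kubeadm. It builds a throwaway CA in memory, creates a CSR with constructed SANs (kubernetes, k8s-master, 10.0.0.10), signs it for one year from the signing time, then reports the expiry and verifies the chain and SANs. The node names and addresses, the function names, and the demo serial number are assumptions; the CA common name "kubernetes" is the one kubeadm uses for its cluster CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a throwaway in-memory CA standing in for /etc/kubernetes/pki/ca.crt and ca.key.
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"}, // kubeadm's cluster CA CN
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	ca, err := x509.ParseCertificate(der)
	check(err)
	return ca, key
}

// newCSR is the equivalent of `kubeadm certs renew apiserver --csr-only`: a fresh private
// key plus a CSR carrying the serving name and SANs, ready to hand to the external CA.
func newCSR(cn string, dnsNames []string, ips []net.IP) ([]byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames, IPAddresses: ips}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	check(err)
	return der, key
}

// signCSR is the external CA's side: verify the CSR's own signature (proof that the
// requester holds the private key), then issue a serving certificate valid for one year.
func signCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, now time.Time) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), // demo serial; a real CA issues unique random serials
		Subject: csr.Subject, DNSNames: csr.DNSNames, IPAddresses: csr.IPAddresses, // SANs come from the request
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), // one year from signing time, as kubeadm renew does
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkExpiration computes one row of `kubeadm certs check-expiration`: RESIDUAL TIME is
// NotAfter minus now in whole days, and CERTIFICATE AUTHORITY is the issuer's CN.
func checkExpiration(cert *x509.Certificate, now time.Time) (residualDays int, issuer string) {
	return int(cert.NotAfter.Sub(now).Hours() / 24), cert.Issuer.CommonName
}

// verifyForNode is the check to run before relying on a renewed or copied serving certificate
// on a control plane node: it must chain to the cluster CA, be valid now, and name that node.
func verifyForNode(cert, ca *x509.Certificate, nodeAddr string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		DNSName:   nodeAddr, // an IP literal is matched against the IP SANs
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	now := time.Now()
	ca, caKey := newCA(now)
	// Constructed SANs for one control plane node; not values taken from the article.
	csr, _ := newCSR("kube-apiserver", []string{"kubernetes", "k8s-master"}, []net.IP{net.ParseIP("10.0.0.10")})
	cert, err := signCSR(ca, caKey, csr, now)
	check(err)
	fmt.Println(checkExpiration(cert, now)) // residual days and issuing CA, as in check-expiration
	fmt.Println("this node 10.0.0.10:   ", verifyForNode(cert, ca, "10.0.0.10", now))
	fmt.Println("other master 10.0.0.11:", verifyForNode(cert, ca, "10.0.0.11", now))
}
```

Run it with go run. The first line is the residual time and issuer that check-expiration would print for the fresh certificate; the last two lines show the same certificate passing for the node whose address is in its SANs and failing for another node's address. That SAN check, together with the chain check, is the one worth running on each master before a renewed apiserver.crt is put into service there, since each node's serving certificate must name that node's own addresses.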