
How to manage certificates with kubeadm?

Managing certificates with kubeadm

Before managing certificates, you need to understand how Kubernetes uses PKI certificates: see the official documentation.

Checking certificate expiration

check-expiration can be used to check when certificates expire:

kubeadm certs check-expiration           

The output looks like this:

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 22, 2022 09:34 UTC   364d                                    no      
apiserver                  Nov 22, 2022 09:34 UTC   364d            ca                      no      
apiserver-etcd-client      Nov 22, 2022 09:34 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Nov 22, 2022 09:34 UTC   364d            ca                      no      
controller-manager.conf    Nov 22, 2022 09:34 UTC   364d                                    no      
etcd-healthcheck-client    Nov 22, 2022 09:33 UTC   364d            etcd-ca                 no      
etcd-peer                  Nov 22, 2022 09:33 UTC   364d            etcd-ca                 no      
etcd-server                Nov 22, 2022 09:33 UTC   364d            etcd-ca                 no      
front-proxy-client         Nov 22, 2022 09:34 UTC   364d            front-proxy-ca          no      
scheduler.conf             Nov 22, 2022 09:34 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 17, 2031 09:25 UTC   9y              no      
etcd-ca                 Nov 17, 2031 09:25 UTC   9y              no      
front-proxy-ca          Nov 17, 2031 09:25 UTC   9y              no               

The command shows the expiration and residual time of all certificates, including the client certificates under /etc/kubernetes/pki and the client certificates that kubeadm embeds in the KUBECONFIG files (admin.conf, controller-manager.conf and scheduler.conf).

Note:
  1. kubelet.conf is not included in the list above, because kubeadm configures the kubelet to renew it automatically.
  2. kubeadm cannot manage certificates signed by an external CA.
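As an added example (not code from the original post), the following shell script parses the table printed by check-expiration and flags every certificate or CA with fewer than a given number of days left, which is the check a monitoring job on each control-plane node would run. SAMPLE_EXPIRATION is a constructed table in the same layout as the output above, with etcd-peer deliberately set to 12 days remaining; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): flag certificates that
# `kubeadm certs check-expiration` reports as close to expiry.
# SAMPLE_EXPIRATION is a constructed copy of the command's table output with one
# certificate (etcd-peer) set to 12 days remaining. Against a live node, pipe the
# real output instead:  kubeadm certs check-expiration | expiring_within 30
SAMPLE_EXPIRATION='CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 22, 2022 09:34 UTC   364d                                    no
apiserver                  Nov 22, 2022 09:34 UTC   364d            ca                      no
etcd-peer                  Dec 05, 2021 09:33 UTC   12d             etcd-ca                 no
front-proxy-client         Nov 22, 2022 09:34 UTC   364d            front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 17, 2031 09:25 UTC   9y              no
etcd-ca                 Nov 17, 2031 09:25 UTC   9y              no'

# expiring_within DAYS: reads check-expiration output on stdin and prints
# "<name> <residual>" for every row with fewer than DAYS left.
# Residual values in years/days are converted to days; anything else (hours,
# minutes, or an invalid/expired marker) counts as 0 days so it is always flagged.
expiring_within() {
  awk -v limit="$1" '
    /^CERTIFICATE/ || NF == 0 { next }      # skip both table headers and blank lines
    {
      r = ""
      # The residual-time token is the one right after the "UTC" of the EXPIRES column.
      for (i = 1; i <= NF; i++) if ($i == "UTC") { r = $(i + 1); break }
      n = r; unit = substr(r, length(r))
      sub(/[a-z]$/, "", n)
      days = (unit == "y") ? n * 365 : (unit == "d") ? n + 0 : 0
      if (days < limit) print $1, r
    }'
}

# check_sample DAYS: runs the check against the constructed sample above.
check_sample() {
  printf '%s\n' "$SAMPLE_EXPIRATION" | expiring_within "$1"
}

check_sample 30
```

Run on the sample with a 30-day threshold it prints only "etcd-peer 12d"; the CA rows, which the second table reports in years, are converted to days so a CA nearing its end is caught by the same check.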

Automatic certificate renewal

Automatic renewal means that all certificates are renewed automatically when the control plane is upgraded with kubeadm.

If you have no special requirements for certificate renewal and upgrade the Kubernetes version regularly, with less than a year between upgrades, the best practice is simply to upgrade the cluster frequently to keep it secure.

If you do not want certificates renewed during a cluster upgrade, pass --certificate-renewal=false to kubeadm upgrade apply or kubeadm upgrade node.

Manual certificate renewal

The kubeadm certs renew command can be used to renew certificates manually at any time; it uses the CA (or front-proxy-CA) certificate and key stored in /etc/kubernetes/pki to issue the renewed certificates.

On an HA cluster, run it on every control-plane node.

The kubeadm alpha certs command in detail:

Available Commands:
  certificate-key   Generate certificate keys
  check-expiration  Check certificate expiration
  renew             Renew the certificates of a Kubernetes cluster

The most used subcommand is renew; here is its help output:

root@k8s-master:~# kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm certs renew [flags]
  kubeadm certs renew [command]

Available Commands:
  admin.conf               Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                      Renew all available certificates
  apiserver                Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client    Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
  controller-manager.conf  Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client  Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                Renew the certificate for etcd nodes to communicate with each other
  etcd-server              Renew the certificate for serving etcd
  front-proxy-client       Renew the certificate for the front proxy client
  scheduler.conf           Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header           If true, adds the file directory to the header of the log messages
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm certs renew [command] --help" for more information about a command.           

As shown above, naming a certificate renews that certificate, and naming all renews all certificates.

After the command runs, note:

  1. Certificates are unconditionally renewed for one year, regardless of their current expiration time.
  2. Information such as the SANs is taken from the existing certificate and does not need to be supplied again.
  3. After renew, the control-plane components must be restarted for the change to take effect.

The kubeadm certs command is only supported in v1.15 and later.

Example 1: manually renewing the apiserver certificate (apiserver.crt)

From the check above we know that the current apiserver.crt expires on Nov 22, 2022 09:34 UTC, with 364d remaining.

1. Run renew:

root@k8s-master:~# kubeadm certs renew apiserver
certificate for serving the Kubernetes API renewed

After renew completes, new apiserver.key and apiserver.crt files are written to /etc/kubernetes/pki, overwriting the original files.

2. Restart the apiserver:

A new certificate file has been generated for the apiserver, so the kube-apiserver component has to be restarted to make it use the new certificate.

How to restart a static pod:

mv /etc/kubernetes/manifests/kube-apiserver.yaml /tmp/
# After about 30 seconds the kube-apiserver container stops; then move the manifest back:
mv /tmp/kube-apiserver.yaml /etc/kubernetes/manifests/

The kubelet detects the manifest immediately and starts kube-apiserver, which completes the restart.
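The "wait about 30 seconds" step above is a guess at how long the kubelet takes to stop the pod. As an added example (not code from the original post), the shell function below withdraws a static pod manifest, waits until a caller-supplied check reports the container gone, and only then restores the manifest, restoring it unchanged if the pod never stops within a timeout. The argument names, the staging directory and the crictl command suggested in the comments are assumptions of this example, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): restart a static pod by withdrawing
# its manifest and restoring it once the kubelet has actually torn the pod down.
#
# restart_static_pod MANIFEST STAGING_DIR STILL_RUNNING_CMD [TIMEOUT_SECONDS]
#   MANIFEST           e.g. /etc/kubernetes/manifests/kube-apiserver.yaml
#   STAGING_DIR        a directory outside the manifests directory, e.g. /tmp
#   STILL_RUNNING_CMD  a shell command that exits 0 while the pod's container is
#                      still running; what fits depends on the container runtime
#                      (assumed example: 'crictl ps -q --name kube-apiserver | grep -q .')
#   TIMEOUT_SECONDS    how long to wait before giving up and restoring the manifest (default 120)
restart_static_pod() {
  manifest=$1
  staging=$2
  still_running=$3
  timeout=${4:-120}
  name=$(basename "$manifest")
  [ -f "$manifest" ] || { echo "no manifest at $manifest" >&2; return 2; }
  [ -d "$staging" ]  || { echo "staging directory $staging is missing" >&2; return 2; }

  # Moving the file out of the manifests directory makes the kubelet stop the pod.
  mv "$manifest" "$staging/$name"

  waited=0
  while sh -c "$still_running"; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "$name still running after ${timeout}s; manifest restored without a restart" >&2
      mv "$staging/$name" "$manifest"
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done

  # Moving it back makes the kubelet recreate the pod, now reading the renewed certificate files.
  mv "$staging/$name" "$manifest"
}
```

A non-zero return means the manifest is back in place but the pod was not recycled, so the caller knows the new certificate is not yet in use rather than assuming the restart happened.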

3. Verify:

root@k8s-master:~# kubeadm certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver                  Nov 23, 2022 01:45 UTC   364d            ca                      no

The apiserver certificate's expiration time changed, but it is not extended by a year from the old expiry: the new one-year validity starts from the time the renew succeeded.

4. Apply the new certificate on the other master nodes:

Copy the newly generated apiserver.key and apiserver.crt to the corresponding certificate directory on each of the other master nodes, overwriting the original files in the same way, then restart kube-apiserver there so that it picks up the new certificate files.

Example 2: manually renewing all certificates

renew re-signs, that is, regenerates, the certificate files. To renew all certificates for one year, run:

kubeadm certs renew all

This regenerates the certificate files of all components (/etc/kubernetes/pki/) and the kubeconfig files under /etc/kubernetes/ (admin.conf, controller-manager.conf, scheduler.conf), with the exception of kubelet.conf.

1. Run renew all:

# Take a backup before running it:
$ cp -r /etc/kubernetes /etc/kubernetes.bak
$ kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.           

2. Inspect the new certificate files:

Which certificate files were regenerated? Compare each file's modification time with the current time:

root@k8s-master:~# date
Tue Nov 23 10:30:13 CST 2021
root@k8s-master:~#
# kubeconfig files
root@k8s-master:~# ls -l /etc/kubernetes
total 40
-rw------- 1 root root 5594 Nov 23 10:21 admin.conf
-rw------- 1 root root 5626 Nov 23 10:21 controller-manager.conf
-rw------- 1 root root 1950 Nov 19 17:26 kubelet.conf  # timestamp unchanged, so it was not regenerated
drwxr-xr-x 2 root root 4096 Nov 23 10:04 manifests
drwxr-xr-x 3 root root 4096 Nov 19 17:25 pki
-rw------- 1 root root 5570 Nov 23 10:21 scheduler.conf
# pki directory: apart from the two CA files, every other certificate was regenerated
root@test-node-tmp-1:~# ls -l /etc/kubernetes/pki/ 
total 60
-rw-r--r-- 1 root root 1155 Nov 23 10:21 apiserver-etcd-client.crt
-rw------- 1 root root 1675 Nov 23 10:21 apiserver-etcd-client.key
-rw-r--r-- 1 root root 1164 Nov 23 10:21 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Nov 23 10:21 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1294 Nov 23 10:21 apiserver.crt
-rw------- 1 root root 1679 Nov 23 10:21 apiserver.key
-rw-r--r-- 1 root root 1066 Nov 19 17:25 ca.crt
-rw------- 1 root root 1679 Nov 19 17:25 ca.key
drwxr-xr-x 2 root root 4096 Nov 19 17:25 etcd
-rw-r--r-- 1 root root 1078 Nov 19 17:25 front-proxy-ca.crt
-rw------- 1 root root 1679 Nov 19 17:25 front-proxy-ca.key
-rw-r--r-- 1 root root 1119 Nov 23 10:21 front-proxy-client.crt
-rw------- 1 root root 1675 Nov 23 10:21 front-proxy-client.key
-rw------- 1 root root 1679 Nov 19 17:25 sa.key
-rw------- 1 root root  451 Nov 19 17:25 sa.pub
# the etcd certificates that kubeadm installed were regenerated as well, apart from the CA:
root@test-node-tmp-1:~# ls -l /etc/kubernetes/pki/etcd/
total 32
-rw-r--r-- 1 root root 1058 Nov 19 17:25 ca.crt
-rw------- 1 root root 1679 Nov 19 17:25 ca.key
-rw-r--r-- 1 root root 1159 Nov 23 10:21 healthcheck-client.crt
-rw------- 1 root root 1675 Nov 23 10:21 healthcheck-client.key
-rw-r--r-- 1 root root 1216 Nov 23 10:21 peer.crt
-rw------- 1 root root 1675 Nov 23 10:21 peer.key
-rw-r--r-- 1 root root 1216 Nov 23 10:21 server.crt
-rw------- 1 root root 1675 Nov 23 10:21 server.key           
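Rather than comparing ls -l timestamps by eye, the following added script (not code from the original post) records a marker file before renew all and afterwards lists every file under /etc/kubernetes that was rewritten, then checks that none of the files a plain renew must leave alone (the CA certificates and keys, sa.key/sa.pub, kubelet.conf) changed. It covers both the backup step in step 1 and the inspection in step 2; the function names, the marker path and the protected-file pattern are assumptions of this example, and the test tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): list which files under the kubeadm
# directory were rewritten by `kubeadm certs renew all`, using a marker file
# touched just before the renew instead of reading `ls -l` timestamps by eye.
# Typical use on a control-plane node (paths as in the post, marker path assumed):
#   cp -r /etc/kubernetes /etc/kubernetes.bak && touch /tmp/renew-marker
#   kubeadm certs renew all
#   renew_report /tmp/renew-marker /etc/kubernetes

# renewed_since MARKER DIR: paths (relative to DIR) of regular files whose
# modification time is later than MARKER's, sorted for stable output.
renewed_since() {
  find "$2" -type f -newer "$1" | sed "s#^$2/##" | LC_ALL=C sort
}

# Files that `kubeadm certs renew all` must not touch: the CA certificates and
# keys (including etcd/ca.*), the service-account key pair, and kubelet.conf,
# which the kubelet rotates itself. A hit here means something other than a
# plain renew modified key material and deserves investigation.
PROTECTED_PATTERN='(^|/)(ca\.(crt|key)|front-proxy-ca\.(crt|key)|sa\.(key|pub)|kubelet\.conf)$'

# unexpected_changes MARKER DIR: the subset of renewed_since matching PROTECTED_PATTERN.
unexpected_changes() {
  renewed_since "$1" "$2" | grep -E "$PROTECTED_PATTERN" || true
}

# renew_report MARKER DIR: prints what changed; returns 0 when only renewable
# files were rewritten and 1 when a protected file was modified.
renew_report() {
  changed=$(renewed_since "$1" "$2")
  bad=$(unexpected_changes "$1" "$2")
  echo "regenerated:"
  printf '%s\n' "$changed" | sed 's/^/  /'
  if [ -n "$bad" ]; then
    echo "protected files modified:"
    printf '%s\n' "$bad" | sed 's/^/  /'
    return 1
  fi
}
```

The pattern is anchored on the file name, so etcd/ca.crt and pki/ca.crt are both protected while apiserver-etcd-client.crt and etcd/server.crt are expected to change; extend PROTECTED_PATTERN if your cluster keeps extra key material under /etc/kubernetes.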

3. Restart the master components on the current node to apply the new certificate files:

As the output says, kube-apiserver, kube-controller-manager, kube-scheduler and etcd must be restarted, in the same way kube-apiserver was restarted above.

4. Copy the certificate files under /etc/kubernetes on the current node to the other master nodes to update their certificate files.

See also the official documentation: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-certs/

Renewing certificates with an external CA

To have certificates issued by an external CA, kubeadm must generate a CSR that is then submitted to the CA.

1. Generate the CSR and private key:

kubeadm alpha certs renew apiserver --csr-only  --csr-dir /tmp/apiserver.csr           
  • --csr-only: only generate the CSR.
  • --csr-dir: where the generated CSR and private key are saved; defaults to /etc/kubernetes/pki

2. Inspect the CSR and private key:

root@k8s-master:~# ls /tmp/apiserver.csr/
apiserver.csr  apiserver.key