I. Background
The tkestack independent clusters currently run on kubeadm 1.15.1. kubeadm issues its certificates with a one-year validity by default, so they have to be renewed every year, which is a tedious process.
We therefore checked out the release-1.15 branch of the open-source kubeadm and patched the source to issue 100-year certificates (the `CertificateValidity` constant lives in the file below):
$ vim ./cmd/kubeadm/app/constants/constants.go
Then recompile kubeadm.
II. Renewal
Reference: tkestack cluster certificate expiration check and renewal
1. Checking certificate expiration
Because the independent clusters have the short validity period, these notes focus on them.
The global cluster is a special case: SNAT is enabled so it can reach the Internet, and the default route goes through tunnat, which stops the kubeadm commands from working. The following extra steps are needed:
ip r s                            # show the current routing table
ip r delete default dev tunnat    # remove the tunnat default route
ip r add default dev eth1         # make eth1 the default route
Now check and renew the certificates with kubeadm:
kubeadm alpha certs check-expiration --config=/etc/kubernetes/kubeadm-config.yaml
Afterwards put the routing back the way it was:
ip r delete default dev eth1      # remove the eth1 default route
ip r add default dev tunnat       # add the tunnat default route back
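The route swap above is easy to leave half-done: if kubeadm fails or the session is interrupted between the two `ip r` steps, the global master is left without its tunnat default route. The script below is an added example (not part of these notes or of tkestack) that runs one command with eth1 as the temporary default route and restores tunnat in a `finally` block whatever happens. Device names come from the notes; the `run` parameter is an assumption that lets the sequence be exercised without touching real routes.

```python
#!/usr/bin/env python3
"""Run one command with eth1 as the default route, then put tunnat back.

Added example, not part of the original notes. It automates the manual route
swap used on the global cluster and, unlike the hand-typed sequence, restores
the tunnat default route even if the wrapped command fails or raises.
Device names are taken from the notes; the ip(8) invocations are the same.
"""
import subprocess
import sys

TUN_DEV = "tunnat"   # SNAT/outbound default route on the global cluster
OUT_DEV = "eth1"     # interface that must be the default route for kubeadm to work


def _ip(args, run):
    """One `ip` invocation; check=True turns a failed route change into an exception."""
    return run(["ip"] + args, check=True)


def with_external_route(cmd, run=subprocess.run):
    """Swap the default route to OUT_DEV, run cmd, always swap back to TUN_DEV.

    Returns cmd's exit code. `run` is injectable (same call shape as
    subprocess.run) so the sequence can be exercised without real routes.
    """
    run(["ip", "r", "s"])                                   # show the table before changing it
    _ip(["r", "delete", "default", "dev", TUN_DEV], run)    # abort here if the route is not as expected
    try:
        _ip(["r", "add", "default", "dev", OUT_DEV], run)
        return run(cmd).returncode
    finally:
        # Restore the original default route no matter how cmd ended. The delete is
        # unchecked because the add above may have failed; the re-add is checked so a
        # node left without its tunnat route is reported loudly.
        run(["ip", "r", "delete", "default", "dev", OUT_DEV])
        _ip(["r", "add", "default", "dev", TUN_DEV], run)


if __name__ == "__main__":
    # e.g. ./route_swap.py kubeadm alpha certs check-expiration --config=/etc/kubernetes/kubeadm-config.yaml
    sys.exit(with_external_route(sys.argv[1:] or ["kubeadm", "alpha", "certs", "check-expiration"]))
```

Run it as root on the global master with the kubeadm command line as its arguments; the exit code is kubeadm's own, so it can be used from a wrapper script unchanged.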
2. Renewing the certificates
A single kubeadm command renews the cluster certificates:
kubeadm alpha certs renew all --config=/etc/kubernetes/kubeadm-config.yaml
kubeadm only acts on the local machine: both the check and the renewal above cover the certificates of the node they run on. On an HA cluster, run them on every master separately.
After kubeadm has renewed the certificates, the components on that master are still running with the old ones; the services must be restarted to pick up the new certificates (apiserver, scheduler, controller-manager, etcd).
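Two things in this section are worth automating: the expiration check itself (useful on the global cluster, where kubeadm cannot run without the route swap, and for a cron-driven early warning), and the confirmation that a component really was restarted, since a control-plane pod that was not restarted keeps serving the old certificate. The script below is an added example, not part of these notes or of tkestack. It uses only the Python standard library, reads `notAfter` straight out of the DER of every certificate under /etc/kubernetes/pki and of the client certificates embedded in /etc/kubernetes/*.conf, and can compare against what the live apiserver presents. `WARN_DAYS`, the paths and the `--live` flag are assumptions; the certificate-shaped sample built by `sample_cert_pem` is constructed for the self-test and is not a real certificate. One detail matters for the 100-year build: RFC 5280 encodes dates from 2050 onwards as GeneralizedTime rather than UTCTime, and the parser handles both.

```python
#!/usr/bin/env python3
"""Report remaining validity of the kubeadm-managed certificates (stdlib only).

Added example, not part of the original notes. It reads /etc/kubernetes/pki/*.crt
and the certificates embedded in /etc/kubernetes/*.conf, pulls notAfter straight
out of the DER, and exits non-zero when anything expires within WARN_DAYS. With
--live it also prints the certificate the apiserver actually serves, so a stale
component still running on the old certificate shows up as a mismatch.
The DER walker reads only up to tbsCertificate.validity and verifies nothing.
"""
import base64, glob, os, re, ssl, sys, time
from datetime import datetime, timezone

WARN_DAYS = 30                                   # assumption: alert threshold
PKI_DIR = "/etc/kubernetes/pki"
CONF_GLOB = "/etc/kubernetes/*.conf"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
EMBEDDED_RE = re.compile(r"(?:client-certificate|certificate-authority)-data:\s*([A-Za-z0-9+/=]+)")


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def not_after(der):
    """notAfter of a DER X.509 cert; handles UTCTime (0x17) and GeneralizedTime (0x18).

    RFC 5280 requires GeneralizedTime for dates from 2050 on, which is exactly
    what a 100-year kubeadm certificate produces.
    """
    _, cert, _ = _tlv(der, 0)                    # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                    # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                   # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)               # serialNumber
    _, _, pos = _tlv(tbs, pos)                   # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                   # issuer Name
    _, validity, _ = _tlv(tbs, pos)              # validity ::= SEQUENCE { notBefore, notAfter }
    _, _, p = _tlv(validity, 0)                  # skip notBefore
    tag, value, _ = _tlv(validity, p)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def certs_in_text(text):
    """DER blobs for every certificate in a PEM file or a kubeconfig (base64 PEM)."""
    found = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]
    for b64 in EMBEDDED_RE.findall(text):        # kubeconfig: base64 of a PEM block
        found += certs_in_text(base64.b64decode(b64).decode("ascii", "replace"))
    return found


def days_left(der, now_epoch):
    """Whole days until notAfter measured from now_epoch; negative means expired."""
    return int((not_after(der).timestamp() - now_epoch) // 86400)


def scan(paths, now_epoch=None):
    """[(path, index, notAfter ISO, days_left)] for every certificate in paths."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    rows = []
    for path in paths:
        with open(path, errors="replace") as f:
            for i, der in enumerate(certs_in_text(f.read())):
                rows.append((path, i, not_after(der).isoformat(), days_left(der, now_epoch)))
    return rows


def served_not_after(host="127.0.0.1", port=6443):
    """notAfter of the certificate the live apiserver presents (no chain validation)."""
    return not_after(certs_in_text(ssl.get_server_certificate((host, port)))[0])


# --- constructed sample input for the self-test (NOT a real, signed certificate) ---
def _enc(tag, body):
    return bytes([tag, len(body)]) + body        # short-form lengths only (< 128 bytes)


def sample_cert_pem(not_after_str="260603120000Z"):
    """Certificate-shaped DER with only the fields up to validity, wrapped as PEM."""
    tm = lambda s: _enc(0x17 if len(s) == 13 else 0x18, s.encode())
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
               + _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
               + _enc(0x30, b"") + _enc(0x30, tm("240101000000Z") + tm(not_after_str)))
    b64 = base64.b64encode(_enc(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


def sample_kubeconfig_text(pem):
    """Minimal kubeconfig fragment carrying pem the way kubeadm embeds it."""
    return ("users:\n- name: admin\n  user:\n    client-certificate-data: "
            + base64.b64encode(pem.encode()).decode() + "\n")


if __name__ == "__main__":
    paths = sorted(glob.glob(os.path.join(PKI_DIR, "*.crt"))) + sorted(glob.glob(CONF_GLOB))
    bad = 0
    for path, i, exp, days in scan(paths):
        bad += days < WARN_DAYS
        print(f"{'EXPIRING' if days < WARN_DAYS else 'ok':8} {days:6d} days  {exp}  {path}#{i}")
    if "--live" in sys.argv:                     # compare with what the apiserver serves
        print("apiserver serves notAfter", served_not_after().isoformat())
    sys.exit(1 if bad else 0)
```

After `kubeadm alpha certs renew all`, the on-disk apiserver.crt shows the new date while `--live` still reports the old one until the static pod has been restarted; once both agree, the restart took effect. Because the script needs neither kubeadm nor the route swap, it can also run from cron on every master as an early warning.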
- Restart the components so they load the renewed certificates
#!/bin/bash
# Back up the whole /etc/kubernetes tree (certs, manifests, kubeconfigs) before touching anything
tar -zcf /etc/kubernetes-$(date +%Y%m%d%H%M).tar.gz /etc/kubernetes/
mkdir -p /root/royliang && cd /root/royliang
# Fetch the rebuilt kubeadm (100-year validity); executable for root is enough, no need for 777
wget https://mirrors.tencent.com/repository/generic/tkeops/kubeadm
chmod 755 kubeadm
./kubeadm alpha certs renew all #--config=/etc/kubernetes/kubeadm-config.yaml
./kubeadm alpha certs check-expiration #--config=/etc/kubernetes/kubeadm-config.yaml
# Moving a static-pod manifest out of /etc/kubernetes/manifests makes kubelet stop that pod;
# moving it back starts it again, now with the renewed certificates. etcd first, on its own.
mv /etc/kubernetes/manifests/etcd.yaml /etc/kubernetes/
sleep 3s
docker ps | grep etcd | grep -v pause   # should print nothing once the etcd container is gone
mv /etc/kubernetes/etcd.yaml /etc/kubernetes/manifests/
# Then the three control-plane components together
mv /etc/kubernetes/manifests/kube-controller-manager.yaml /etc/kubernetes/
mv /etc/kubernetes/manifests/kube-scheduler.yaml /etc/kubernetes/
mv /etc/kubernetes/manifests/kube-apiserver.yaml /etc/kubernetes/
sleep 3s
docker ps | grep -v pause | grep -E "kube-controller-manager|kube-scheduler|kube-apiserver"   # should print nothing once they are down
mv /etc/kubernetes/kube-controller-manager.yaml /etc/kubernetes/manifests/
mv /etc/kubernetes/kube-scheduler.yaml /etc/kubernetes/manifests/
mv /etc/kubernetes/kube-apiserver.yaml /etc/kubernetes/manifests/
sleep 10s
# All four containers should be running again at this point
docker ps | grep -v pause | grep -E "kube-controller-manager|kube-scheduler|kube-apiserver|etcd"