
重新编译kubeadm,修改默认证书时间后,安装k8s

重新编译kubeadm,修改默认证书时间后,安装k8s

1. 重新编译kubeadm

1.1 下载源码

git clone https://github.com/kubernetes/kubernetes.git

1.2 修改源代码-cert.go

  • 文件:staging/src/k8s.io/client-go/util/cert/cert.go
  • NewSelfSignedCACert 方法,签发以下证书,且默认为10年有效期:
    • front-proxy-ca.crt
    • front-proxy-client.crt
    • ca.crt
    • etcd/ca.crt
    • etcd/peer.crt
# From version 1.14.0 onward this file does not need to be modified
vim staging/src/k8s.io/client-go/util/cert/cert.go

// duration365d is one 365-day year, the unit the CA validity below is expressed in.
const duration365d = 365 * 24 * time.Hour

// Config holds the inputs needed to build a certificate: the subject
// CommonName and Organization, the SubjectAltName values, and the
// extended key usages to set on the certificate.
type Config struct {
	CommonName   string             // subject CN
	Organization []string           // subject O
	AltNames     AltNames           // DNS names and IPs for the SAN extension
	Usages       []x509.ExtKeyUsage // extended key usages
}

// AltNames carries the DNS names and IP addresses placed in the API
// server certificate's SubjectAltName extension. Both slices are handed
// to x509.Certificate unchanged.
type AltNames struct {
	DNSNames []string // SAN dNSName entries
	IPs      []net.IP // SAN iPAddress entries
}

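// NewSelfSignedCACert creates a self-signed CA certificate from cfg, signed
// with key. The subject is cfg.CommonName/cfg.Organization, the certificate is
// valid from now for 10 * duration365d, and it is marked as a CA with the
// KeyEncipherment, DigitalSignature and CertSign key usages. cfg.AltNames and
// cfg.Usages are not used here.
//
// The serial number is drawn from crypto/rand and offset by one so that it is
// strictly positive, as RFC 5280 section 4.1.2.2 requires. The previous fixed
// serial of 0 gave every CA produced by this function the same serial.
//
// It returns an error from serial generation, x509.CreateCertificate or
// x509.ParseCertificate.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	// A 128-bit upper bound keeps the encoded serial well inside the
	// 20-octet limit of RFC 5280.
	serialLimit := new(big.Int).Lsh(big.NewInt(1), 128)
	serial, err := cryptorand.Int(cryptorand.Reader, serialLimit)
	if err != nil {
		return nil, err
	}
	// cryptorand.Int may return 0; shift the range to [1, 2^128].
	serial.Add(serial, big.NewInt(1))

	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore: now.UTC(),
		// Validity is fixed at 10 years here. This only affects the
		// certificates issued by this function, not those produced by
		// other signing helpers.
		NotAfter:              now.Add(duration365d * 10).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	// Self-signed: the template is both the subject and the issuer.
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}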

1.3 修改源代码pki_helpers.go

以下证书由 NewSignedCert 方法签发,但签发的证书默认只有一年有效期:

  • apiserver.crt
  • apiserver-etcd-client.crt
  • etcd/server.crt
  • etcd/healthcheck-client.crt
  • apiserver-kubelet-client.crt

vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go

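// NewSignedCert creates a certificate for cfg signed by caCert/caKey, with key
// as the subject public key. The subject is cfg.CommonName/cfg.Organization,
// the SAN extension is filled from cfg.AltNames (duplicates removed in place),
// ExtKeyUsage from cfg.Usages, and the serial number is random. NotBefore is
// copied from caCert; NotAfter is now + kubeadmconstants.CertificateValidity.
// When isCA is set, CertSign is added to the key usage and the CA flag is set.
//
// It returns an error when cfg, caCert, key or caKey is nil, when
// cfg.CommonName is empty, or when serial generation, certificate creation or
// parsing fails.
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {
	// Validate inputs before consuming randomness: a nil cfg/caCert would be
	// dereferenced below and a nil key/caKey would panic in key.Public() or
	// inside x509.CreateCertificate.
	if cfg == nil || caCert == nil || key == nil || caKey == nil {
		return nil, errors.New("must specify a CertConfig, a CA certificate and both keys")
	}
	if len(cfg.CommonName) == 0 {
		return nil, errors.New("must specify a CommonName")
	}

	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}

	keyUsage := x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
	if isCA {
		keyUsage |= x509.KeyUsageCertSign
	}

	// Mutates cfg.AltNames through the pointer; callers see the deduplicated list.
	RemoveDuplicateAltNames(&cfg.AltNames)

	certTmpl := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:     cfg.AltNames.DNSNames,
		IPAddresses:  cfg.AltNames.IPs,
		SerialNumber: serial,
		NotBefore:    caCert.NotBefore,
		// Leaf validity is controlled by the kubeadm constant, not by the CA's
		// lifetime; NotAfter may therefore differ from caCert.NotAfter.
		NotAfter:              time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
		KeyUsage:              keyUsage,
		ExtKeyUsage:           cfg.Usages,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}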

kubeadmconstants.CertificateValidity 在 cmd/kubeadm/app/constants/constants.go 中被定义

1.4 编译

# The Go toolchain is assumed to be set up already.
# Build kubeadm ("all" is the Makefile's default target, so this matches the
# commented-out kubelet/kubectl invocations below).
make all WHAT=cmd/kubeadm GOFLAGS=-v

# Optional: build kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v

# Optional: build kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v

# The resulting binaries are written to _output/bin/

1.5 更新kubeadm

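# Replace the system kubeadm with the rebuilt binary, keeping a copy of the original.
# Only create the backup when none exists yet: re-running this snippet after the
# replacement would otherwise overwrite kubeadm.origin with the patched binary.
# NOTE: this assumes the kubeadm package is already installed; running the
# "apt-get install -y kubelet kubeadm" step afterwards overwrites /usr/bin/kubeadm.
[ -e /usr/bin/kubeadm.origin ] || cp /usr/bin/kubeadm /usr/bin/kubeadm.origin
cp _output/bin/kubeadm /usr/bin/kubeadm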

安装k8s

登陆所有节点

  • Ubuntu
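# Prerequisites: https transport, CA bundle, curl and gpg (gpg dearmors the repo key).
apt-get update && apt-get install -y apt-transport-https ca-certificates curl gnupg

# Store the repository signing key in a dedicated keyring instead of the deprecated
# apt-key global trust store, and bind the repo to that key with signed-by.
# curl -f fails on an HTTP error instead of piping an error page into gpg.
mkdir -p /etc/apt/keyrings
curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor --batch --yes -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg

# NOTE(review): apt.kubernetes.io is the legacy Google-hosted repository; newer
# releases are published at pkgs.k8s.io -- confirm which one serves the version you need.
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main
EOF
apt-get update

# NOTE: this writes /usr/bin/kubeadm. Run it before copying the rebuilt binary
# over /usr/bin/kubeadm (section 1.5), otherwise the package replaces the custom build.
apt-get install -y kubelet kubeadm

# Hold both packages so an unattended upgrade cannot silently replace the rebuilt kubeadm.
apt-mark hold kubelet kubeadm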

在master节点

# Initialize the control plane on the master node with default settings.
kubeadm init

复制config到.kube/config

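# Install the admin kubeconfig for the current user. Resolve the destination
# against $HOME rather than the working directory, and create .kube first so
# the copy cannot fail on a missing directory. admin.conf carries cluster-admin
# credentials, so keep the copy readable only by its owner.
mkdir -p "$HOME/.kube"
cp /etc/kubernetes/admin.conf "$HOME/.kube/config"
chmod 600 "$HOME/.kube/config"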

安装pod网络

  • 初始化: 为了使Flannel正常工作,执行kubeadm init命令时需要增加 --pod-network-cidr=10.244.0.0/16 参数
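# --pod-network-cidr must match the Network value in the Flannel manifest
# (10.244.0.0/16 is the value the text above calls for). The original line
# spelled the flag with four leading dashes, which is not a valid flag name.
kubeadm init --pod-network-cidr=10.244.0.0/16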
  • flannel
# Applies the Flannel manifest straight from the master branch of the coreos/flannel
# repository. NOTE(review): the URL is unpinned, so the manifest can change between
# runs; pin a release tag for a reproducible install.
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

加入工作节点

在master上创建kubeadm token

# Run on the master: creates a new bootstrap token and prints the complete
# "kubeadm join" command (token and CA cert hash included) for the worker nodes.
kubeadm token create --print-join-command

分别到node上面执行该token

# Run on each worker node. xxx.xxx.xxx.xxx stands for the control-plane endpoint;
# the --token and --discovery-token-ca-cert-hash values are the ones printed by the
# command above and are specific to the cluster (the ones shown here are an example).
kubeadm join xxx.xxx.xxx.xxx:6443 --token uu17pj.lp3qs1ztewge3zok --discovery-token-ca-cert-hash sha256:c191915886503a7f5ec58fe269bf928c222e3b6401edbc3c795c743a01d9d177 

1.6 检查证书

root@master01:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jan 29, 2031 09:13 UTC 9y no
apiserver Jan 29, 2031 09:13 UTC 9y ca no
apiserver-etcd-client Jan 29, 2031 09:13 UTC 9y etcd-ca no
apiserver-kubelet-client Jan 29, 2031 09:13 UTC 9y ca no
controller-manager.conf Jan 29, 2031 09:13 UTC 9y no
etcd-healthcheck-client Jan 29, 2031 09:13 UTC 9y etcd-ca no
etcd-peer Jan 29, 2031 09:13 UTC 9y etcd-ca no
etcd-server Jan 29, 2031 09:13 UTC 9y etcd-ca no
front-proxy-client Jan 29, 2031 09:13 UTC 9y front-proxy-ca no
scheduler.conf Jan 29, 2031 09:13 UTC 9y no

CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 29, 2031 09:13 UTC 9y no
etcd-ca Jan 29, 2031 09:13 UTC 9y no
front-proxy-ca Jan 29, 2031 09:13 UTC 9y no