kubeadm1.15修改证书续期到100年

注意,延长证书有效期期限将降低PKI的安全性,请勿在需要保证生产安全的场合使用该方法。

Git仓库:kubernetes/kubernetes

$ git clone https://github.com/kubernetes/kubernetes.git

$ cd kubernetes
# 编辑源码
$ git checkout release-1.15
$ vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
$ git diff
--- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
+++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
@@ -571,7 +571,7 @@ func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certifi
                IPAddresses:  cfg.AltNames.IPs,
                SerialNumber: serial,
                NotBefore:    caCert.NotBefore,
-               NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
+               NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity * 100).UTC(),
                KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
                ExtKeyUsage:  cfg.Usages,

# 编译二进制
$ go version
go version go1.12.7 linux/amd64
$ go build ./cmd/kubeadm

# 使用二进制更新证书
$ ./kubeadm alpha certs renew all
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

# 检查新证书期限
$ cfssl-certinfo -cert /etc/kubernetes/pki/apiserver.crt|grep not
  "not_before": "2019-08-28T02:04:17Z",
  "not_after": "2119-08-04T03:52:33Z",

文章已创建 23

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注

相关文章

开始在上面输入您的搜索词,然后按回车进行搜索。按ESC取消。

返回顶部