环境
- kubernetes:1.32.7
- kubekey: 3.1.10
git clone https://github.com/kubesphere/kubekey.git -b v3.1.10
cd kubekey
root@ansible23:~/kubekey# make kk
root@ansible23:~/kubekey# ls -l bin/kk
-rwxr-xr-x 1 root root 84802305 Aug 17 23:35 bin/kk
cp bin/kk /usr/local/bin/
查看 KubeKey 支持的 Kubernetes 版本列表
kk version --show-supported-k8s
调整etcd证书100年
kubekey etcd ca证书有效期为10年,这里调整为100年
vim cmd/kk/pkg/utils/certs/certs.go
const (
	// CertificateValidity is the validity period for the signed certificates
	// generated here: 100 years (the comment inherited from kubeadm refers to
	// "all the signed certificates generated by kubeadm").
	// NOTE(review): a lifetime this long removes expiry as a trigger for
	// rotation; an exposed key remains usable until the CA is replaced by hand.
	CertificateValidity = 100 * 365 * 24 * time.Hour
	// CertificateBlockType is a possible value for pem.Block.Type.
	CertificateBlockType = "CERTIFICATE"
	// rsaKeySize — presumably the RSA modulus size in bits used when keys are
	// generated; the call site is not in this listing, verify there.
	rsaKeySize = 2048
)
注: 如 ~/kubekey/pki/etcd 下已有证书,则会直接使用,不会再次生成;编译源码后,需检查并删除该目录下的证书文件:
root@ansible23:~# ls -l kubekey/pki/etcd/
total 32
-rw-r--r-- 1 root root 1675 Aug 17 23:38 admin-k8s-master1-key.pem
-rw-r--r-- 1 root root 1403 Aug 17 23:38 admin-k8s-master1.pem
-rw-r--r-- 1 root root 1675 Aug 17 23:38 ca-key.pem
-rw-r--r-- 1 root root 1090 Aug 17 23:38 ca.pem
-rw-r--r-- 1 root root 1679 Aug 17 23:38 member-k8s-master1-key.pem
-rw-r--r-- 1 root root 1407 Aug 17 23:38 member-k8s-master1.pem
-rw-r--r-- 1 root root 1675 Aug 17 23:38 node-k8s-master1-key.pem
-rw-r--r-- 1 root root 1403 Aug 17 23:38 node-k8s-master1.pem
调整kubernetes证书100年
kubernetes源码证书100年
git clone --depth 1 --branch v1.32.7 https://github.com/kubernetes/kubernetes.git
cd kubernetes
staging/src/k8s.io/client-go/util/cert/cert.go
// NewSelfSignedCACert creates a CA certificate
// NewSelfSignedCACert creates a self-signed CA certificate for cfg, signed with key.
//
// The serial number is random and never zero. NotBefore is cfg.NotBefore when
// it is set and the current time otherwise; NotAfter is always 100 years after
// the current time (it is not derived from NotBefore). The certificate is
// returned re-parsed from the DER bytes produced by x509.CreateCertificate.
//
// NOTE(review): a 100-year CA lifetime removes expiry as a forcing function for
// key rotation; should the CA key ever be exposed, it stays trusted until the CA
// is replaced manually.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()

	// cryptorand.Int draws uniformly from [0, limit); with limit = MaxInt64-1 and
	// the +1 below, the serial is uniform in [1, MaxInt64-1] and never zero.
	limit := new(big.Int).SetInt64(math.MaxInt64 - 1)
	serial, err := cryptorand.Int(cryptorand.Reader, limit)
	if err != nil {
		return nil, err
	}
	serial.Add(serial, big.NewInt(1))

	// An explicit NotBefore in cfg wins over "now"; either way it is stored in UTC.
	var notBefore time.Time
	switch {
	case cfg.NotBefore.IsZero():
		notBefore = now.UTC()
	default:
		notBefore = cfg.NotBefore.UTC()
	}

	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:              []string{cfg.CommonName},
		NotBefore:             notBefore,
		NotAfter:              now.Add(duration365d * 100).UTC(), // patched: 100 years
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	// Self-signed: the template acts as both subject and issuer.
	der, err := x509.CreateCertificate(cryptorand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
cmd/kubeadm/app/constants/constants.go
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDir defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDir = "tmp"
	// CertificateBackdate defines the offset applied to notBefore for CA certificates generated by kubeadm
	CertificateBackdate = time.Minute * 5
	// CertificateValidityPeriod defines the validity period for all the signed certificates generated by kubeadm
	// Patched here to 100 years.
	// NOTE(review): leaf certificates this long-lived are never rotated by expiry; the
	// kk config's autoRenewCerts presumably has nothing left to renew — confirm the intent.
	CertificateValidityPeriod = time.Hour * 24 * 365 * 100 // 100 year
	// CACertificateValidityPeriod defines the validity period for all the signed CA certificates generated by kubeadm
	// Patched here to 100 years; an exposed CA key then stays trusted until the CA is replaced by hand.
	CACertificateValidityPeriod = time.Hour * 24 * 365 * 100 // 100 year
	// (listing truncated here; the const block continues in constants.go)
编译kubeadm并放到kk下载目录
make WHAT=cmd/kubeadm GOFLAGS=-v
mkdir -p ~/kubekey/kube/v1.32.5/amd64/
cp _output/local/bin/linux/amd64/kubeadm ~/kubekey/kube/v1.32.5/amd64/
kubekey kubeadm跳过文件哈希检查
cd ~/kubekey
vim cmd/kk/pkg/binaries/kubernetes.go
// K8sFilesDownloadHTTP makes sure the Kubernetes binaries for version/arch are present
// under path, downloading any that are missing or that fail their SHA256 check.
// (The body is abbreviated with "..." in this listing.)
func K8sFilesDownloadHTTP(kubeConf *common.KubeConf, path, version, arch string, pipelineCache *cache.Cache) error {
	etcd := files.NewKubeBinary("etcd", arch, kubekeyapiv1alpha2.DefaultEtcdVersion, path, kubeConf.Arg.DownloadCommand)
	kubeadm := files.NewKubeBinary("kubeadm", arch, version, path, kubeConf.Arg.DownloadCommand)
	...
	if kubeConf.Cluster.Kubernetes.ContainerManager == kubekeyapiv1alpha2.Docker {
	...
	binariesMap := make(map[string]*files.KubeBinary)
	for _, binary := range binaries {
		if err := binary.CreateBaseDir(); err != nil {
			return errors.Wrapf(errors.WithStack(err), "create file %s base dir failed", binary.FileName)
		}
		logger.Log.Messagef(common.LocalHost, "downloading %s %s %s ...", arch, binary.ID, binary.Version)
		binariesMap[binary.ID] = binary
		// Local patch: kubeadm skips the hash check, so the locally built binary copied
		// into the download directory is kept instead of being re-downloaded.
		// NOTE(review): this trusts *any* pre-existing file named kubeadm at binary.Path(),
		// not only the one built above; the SHA256 check is the sole integrity control here.
		if util.IsExist(binary.Path()) {
			if binary.ID == "kubeadm" {
				continue
			}
			// download it again if it's incorrect
			if err := binary.SHA256Check(); err != nil {
				p := binary.Path()
				// NOTE(review): p is interpolated unquoted into a /bin/sh command line;
				// os.Remove(p) would delete the file without the shell round-trip.
				_ = exec.Command("/bin/sh", "-c", fmt.Sprintf("rm -f %s", p)).Run()
			} else {
				logger.Log.Messagef(common.LocalHost, "%s exists", binary.ID)
				continue
			}
		}
	...
}
// KubernetesArtifactBinariesDownload fetches the Kubernetes binaries listed in manifest
// for k8sVersion/arch into path, re-downloading any existing file that fails its
// SHA256 check. (The body is abbreviated with "..." in this listing.)
func KubernetesArtifactBinariesDownload(manifest *common.ArtifactManifest, path, arch, k8sVersion string) error {
	kubeadm := files.NewKubeBinary("kubeadm", arch, k8sVersion, path, manifest.Arg.DownloadCommand)
	...
	for _, binary := range binaries {
		if err := binary.CreateBaseDir(); err != nil {
			return errors.Wrapf(errors.WithStack(err), "create file %s base dir failed", binary.FileName)
		}
		logger.Log.Messagef(common.LocalHost, "downloading %s %s %s ...", arch, binary.ID, binary.Version)
		if util.IsExist(binary.Path()) {
			// Local patch: kubeadm skips the hash check so the locally built binary is kept.
			// NOTE(review): any pre-existing file named kubeadm at binary.Path() is accepted
			// without integrity verification, not only the one built above.
			if binary.ID == "kubeadm" {
				continue
			}
			// download it again if it's incorrect
			if err := binary.SHA256Check(); err != nil {
				// NOTE(review): os.Remove(binary.Path()) would avoid passing the path through /bin/sh.
				_ = exec.Command("/bin/sh", "-c", fmt.Sprintf("rm -f %s", binary.Path())).Run()
			} else {
				continue
			}
		}
		if err := binary.Download(); err != nil {
			return fmt.Errorf("Failed to download %s binary: %s error: %w ", binary.ID, binary.GetCmd(), err)
		}
	}
	return nil
}
make clean
make kk
cp bin/kk /usr/local/bin/
rm -rf ~/kubekey/pki/etcd/*
生成配置集群文件
kk create config --with-kubernetes v1.32.7
注:密钥不支持sudo,目前只能用password
# KubeKey cluster definition (output of `kk create config`, edited).
apiVersion: kubekey.kubesphere.io/v1alpha2
kind: Cluster
metadata:
  name: sample
spec:
  # NOTE(review): SSH and registry passwords are stored in cleartext in this file;
  # keep it out of version control and restrict its permissions (e.g. chmod 600).
  hosts:
  - {name: k8s-master1, address: 192.168.77.121, internalAddress: 192.168.77.121, user: sunday, password: "sunday"}
  - {name: k8s-node1, address: 192.168.77.122, internalAddress: 192.168.77.122, user: sunday, password: "sunday"}
  roleGroups:
    etcd:
    - k8s-master1
    control-plane:
    - k8s-master1
    worker:
    - k8s-master1
    - k8s-node1
  controlPlaneEndpoint:
    ## Internal loadbalancer for apiservers
    # internalLoadbalancer: haproxy
    domain: apiserver-lb121.sundayhk.com
    address: ""
    port: 6443
  system:
    timezone: "Asia/Shanghai"
    rpms:
    - nfs-utils
    debs:
    - nfs-common
  kubernetes:
    kubeletArgs:
    - --root-dir=/data/kubelet
    # NOTE(review): v1.32.5 here, while the kubeadm built above comes from the v1.32.7
    # source tree and was copied into kube/v1.32.5/amd64 — confirm this is intended.
    version: v1.32.5
    clusterName: cluster.local
    autoRenewCerts: true
    containerManager: containerd
  etcd:
    type: kubekey
    dataDir: "/data/etcd"
  network:
    plugin: calico
    # NOTE(review): 10.121.64.0/16 and 10.121.0.0/16 denote the same /16 network, so the
    # pod and service ranges overlap; they must be disjoint (e.g. a different /16 for pods).
    kubePodsCIDR: 10.121.64.0/16
    kubeServiceCIDR: 10.121.0.0/16
    ## multus support. https://github.com/k8snetworkplumbingwg/multus-cni
    multusCNI:
      enabled: false
  registry:
    privateRegistry: ""
    namespaceOverride: ""
    auths:
      "harbor.sundayhk.com":
        username: "k8s"
        password: "Sundayhk.com"
        # TLS verification stays enabled for the private registry.
        skipTLSVerify: false
    # NOTE(review): images pulled through third-party mirrors are only as trustworthy as
    # the mirror; prefer a mirror you operate, or pin images by digest.
    registryMirrors: ["https://docker.m.daocloud.io","https://docker.1ms.run","https://dockerpull.pw"]
    insecureRegistries: []
    containerdDataDir: /data/containerd
  addons: []
创建集群
export KKZONE=cn
./kk create cluster -f config-sample.yaml
查看证书有效期
root@k8s-master1:/etc/ssl/etcd/ssl# openssl x509 -in ca.pem -noout -dates
notBefore=Aug 17 17:21:58 2025 GMT
notAfter=Jul 24 17:21:58 2125 GMT
root@k8s-master1:~# openssl x509 -in /etc/ssl/etcd/ssl/admin-k8s-master1.pem -noout -dates
notBefore=Aug 17 17:21:58 2025 GMT
notAfter=Jul 24 17:21:58 2125 GMT
root@k8s-master1:/etc/ssl/etcd# kubeadm certs check-expiration
[check-expiration] Reading configuration from the "kubeadm-config" ConfigMap in namespace "kube-system"...
[check-expiration] Use 'kubeadm init phase upload-config --config your-config.yaml' to re-upload it.
W0818 01:43:30.556899 21891 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.121.0.10]; the provided value is: [169.254.25.10]
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jul 24, 2125 17:22 UTC 99y ca no
apiserver Jul 24, 2125 17:22 UTC 99y ca no
apiserver-kubelet-client Jul 24, 2125 17:22 UTC 99y ca no
controller-manager.conf Jul 24, 2125 17:22 UTC 99y ca no
front-proxy-client Jul 24, 2125 17:22 UTC 99y front-proxy-ca no
scheduler.conf Jul 24, 2125 17:22 UTC 99y ca no
super-admin.conf Jul 24, 2125 17:22 UTC 99y ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jul 24, 2125 17:22 UTC 99y no
front-proxy-ca Jul 24, 2125 17:22 UTC 99y no