kubeadm修改证书过期时间
kubeadm搭建的集群证书默认ca是时间,其他组件的证书是一年如果一年没有执行升级的操作就会过期
所以一劳永逸直接修改kubeadm证书时间
修改证书时间
- ca 证书
./staging/src/k8s.io/client-go/util/cert/cert.go
NewSelfSignedCACert这个函数的NotAfter字段
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
CertificateValidity = time.Hour * 24 * 365 //修改为99
- 组件证书
./cmd/kubeadm/app/constants/constants.go
CertificateValidity 这个变量
tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0),
Subject: pkix.Name{
CommonName: cfg.CommonName,
Organization: cfg.Organization,
},
DNSNames: []string{cfg.CommonName},
NotBefore: now.UTC(),
NotAfter: now.Add(duration365d * 10).UTC(), // 修改为99
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,
}
重新编译
make all WHAT=cmd/kubeadm GOFLAGS=-v
编译好的二进制文件中在_output/bin/kubeadm
建议先使用yum等工具安装官方的kubeadm之后进行二进制替换