Changing the certificate expiration time in kubeadm

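In a cluster built with kubeadm, the CA certificate is valid for ten years by default, while the certificates of the other components are valid for one year. If no upgrade is performed within that year, they expire.

So, to settle this once and for all, change the certificate validity in kubeadm itself.

Changing the certificate validity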

  • CA certificate

./staging/src/k8s.io/client-go/util/cert/cert.go

The NotAfter field in the NewSelfSignedCACert function:

tmpl := x509.Certificate{
  SerialNumber: new(big.Int).SetInt64(0),
  Subject: pkix.Name{
    CommonName:   cfg.CommonName,
    Organization: cfg.Organization,
  },
  DNSNames:              []string{cfg.CommonName},
  NotBefore:             now.UTC(),
  NotAfter:              now.Add(duration365d * 10).UTC(), // change to 99 years
  KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
  BasicConstraintsValid: true,
  IsCA:                  true,
}

  • Component certificates

./cmd/kubeadm/app/constants/constants.go

The CertificateValidity variable:

// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
CertificateValidity = time.Hour * 24 * 365 // change to 99 years

Rebuild

make all WHAT=cmd/kubeadm GOFLAGS=-v

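The compiled binary is at _output/bin/kubeadm

It is recommended to first install the official kubeadm with a tool such as yum, and then replace its binary with the rebuilt one.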
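To confirm which validity a certificate really carries once the rebuilt binary has issued it, the NotBefore and NotAfter fields can be read back from the PEM file. The following is an added example, not code from the original post or from Kubernetes: the names sampleCAPEM and lifetimeYears are hypothetical, and the certificate is constructed in memory so the program runs offline. On a real node, pass the bytes of a certificate file from the cluster's PKI directory to lifetimeYears instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// sampleCAPEM builds a constructed self-signed CA valid for `years` (10 = stock, 99 = patched).
func sampleCAPEM(years int, now time.Time) ([]byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(time.Duration(years) * 365 * 24 * time.Hour).UTC(),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// lifetimeYears parses one PEM certificate; returns its span in 365-day years and its NotAfter.
func lifetimeYears(pemBytes []byte) (int, time.Time, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, time.Time{}, fmt.Errorf("no CERTIFICATE PEM block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, time.Time{}, err
	}
	return int(cert.NotAfter.Sub(cert.NotBefore) / (365 * 24 * time.Hour)), cert.NotAfter, nil
}

func main() {
	p, _ := sampleCAPEM(99, time.Now())
	fmt.Println(lifetimeYears(p))
}
```

A result of 1 or 10 for a certificate issued after the swap means it was signed by the stock binary rather than the rebuilt one.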

References

https://blog.51cto.com/legehappy/4895615