Changing kubeadm's certificate validity to 100 years

Posted by 半兽人 on 2024-07-16, last updated 2024-07-16 16:33:30

Get the source

k8s_version="v1.25.15"
git clone --depth=1 -b ${k8s_version} https://github.com/kubernetes/kubernetes.git

Or pick the tag you need and download the source yourself: https://github.com/kubernetes/kubernetes/tags

Modify the source

Two constants control the lifetimes. CertificateValidity in kubeadm's constants.go is the validity of every certificate kubeadm signs with the cluster CA (apiserver, etcd, front-proxy and the client certificates embedded in the kubeconfig files); it is one year upstream. The CA certificate itself is created by NewSelfSignedCACert in the staging copy of client-go, hard-coded to ten years. Change both to 100 years:

# kubeadm: leaf certificates signed by the CA (1 year -> 100 years)
sed -i 's/CertificateValidity = time.Hour \* 24 \* 365$/CertificateValidity = time.Hour \* 24 \* 365 \* 100/' ./cmd/kubeadm/app/constants/constants.go
# client-go: the self-signed CA certificate (10 years -> 100 years)
sed -i 's/now.Add(duration365d \* 10)/now.Add(duration365d \* 100)/g' ./staging/src/k8s.io/client-go/util/cert/cert.go

Check the resulting diff:

[root@kubernetes]# git diff
diff --git a/cmd/kubeadm/app/constants/constants.go b/cmd/kubeadm/app/constants/constants.go
index f316b9db8ce..9cc62f38d21 100644
--- a/cmd/kubeadm/app/constants/constants.go
+++ b/cmd/kubeadm/app/constants/constants.go
@@ -46,7 +46,7 @@ const (
        // CertificateBackdate defines the offset applied to notBefore for CA certificates generated by kubeadm
        CertificateBackdate = time.Minute * 5
        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
-       CertificateValidity = time.Hour * 24 * 365
+       CertificateValidity = time.Hour * 24 * 365 * 100

        // DefaultCertificateDir defines default certificate directory
        DefaultCertificateDir = "pki"
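Review bot: the doc comment above the changed line says the constant covers all certificates kubeadm signs, which includes the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf, not only server certificates, and Kubernetes performs no revocation checks, so a leaked client certificate becomes usable for 100 years instead of one; the comment should say that rotating the CA is the only way to invalidate such a certificate. The arithmetic itself is safe: 100 * 365 days still fits a time.Duration (int64 nanoseconds overflow a little past 292 years).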
diff --git a/staging/src/k8s.io/client-go/util/cert/cert.go b/staging/src/k8s.io/client-go/util/cert/cert.go
index 91e171271af..8c7c914618b 100644
--- a/staging/src/k8s.io/client-go/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/util/cert/cert.go
@@ -77,7 +77,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
                },
                DNSNames:              []string{cfg.CommonName},
                NotBefore:             notBefore,
-               NotAfter:              now.Add(duration365d * 10).UTC(),
+               NotAfter:              now.Add(duration365d * 100).UTC(),
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                BasicConstraintsValid: true,
                IsCA:                  true,
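Review bot: NewSelfSignedCACert only runs when a CA is created (kubeadm init, or init phase certs ca); kubeadm certs renew re-signs leaf certificates with the existing ca.crt and never reaches this code, so on an existing cluster the CA keeps its 10-year NotAfter while the leaf certificates from the other hunk become 100-year ones, and every client verifying the chain will reject them the day the CA expires. Document the change as applying to fresh clusters only, and note that because this is the staging copy of k8s.io/client-go, every in-tree caller of the function gets the 100-year CA, not only kubeadm.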

Pull the build image

docker pull "registry.k8s.io/build-image/kube-cross:$(cat ./build/build-image/cross/VERSION)"

Install buildx

mkdir -p ~/.docker/cli-plugins
wget https://github.com/docker/buildx/releases/download/v0.11.2/buildx-v0.11.2.linux-amd64 -O ~/.docker/cli-plugins/docker-buildx
chmod +x ~/.docker/cli-plugins/docker-buildx

Build

bash build/run.sh make kubeadm

Verify

Check the version string of the freshly built kubeadm:

_output/dockerized/bin/linux/amd64/kubeadm version

Replace the existing kubeadm binary with the compiled one, then renew the leaf certificates:

kubeadm certs renew all

This re-signs the certificates under /etc/kubernetes/pki and the ones embedded in admin.conf, controller-manager.conf and scheduler.conf with the existing ca.crt; it does not regenerate the CA, so on an already-running cluster the CA keeps the 10-year lifetime it was given at kubeadm init, and the client-go change only takes effect on clusters created with the patched binary. Restart the control-plane static pods (kube-apiserver, kube-controller-manager, kube-scheduler and, if kubeadm manages it, etcd) so they load the new files, then confirm the new dates with:

kubeadm certs check-expiration

Two limits are worth stating. Kubelet client certificates are not covered by kubeadm certs renew (the kubelet rotates them itself through the CSR API, with the lifetime set by kube-controller-manager's --cluster-signing-duration). And Kubernetes has no certificate revocation, so a leaked admin.conf or client certificate now stays usable for 100 years unless the CA is rotated.
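To see why both edits matter and what a renew-only run leaves behind, here is an added Go example; it is not kubeadm's or client-go's code, but reproduces the relevant shape of NewSelfSignedCACert and kubeadm's NewSignedCert with the standard library crypto/x509, using hypothetical helper names (newCA, newLeaf, ChainValidAfter, fitsInDuration) of its own. It creates a CA with the pre-patch or post-patch lifetime, signs a 100-year apiserver certificate under it, and asks crypto/x509 whether a client checking the chain 11 years from now would still accept it; it also checks the time.Duration overflow bound for the 100-year constant.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"time"
)

// The constants the sed commands patch, at their post-patch values (names as
// upstream; everything else in this file is the example's own code).
const (
	duration365d        = time.Hour * 24 * 365
	certificateValidity = duration365d * 100 // kubeadm CertificateValidity after the patch
	certificateBackdate = 5 * time.Minute    // kubeadm CertificateBackdate, unchanged
)

// fitsInDuration reports whether `years` of validity is representable as a
// time.Duration (int64 nanoseconds); the type overflows a little past 292
// years, so 100 is safe while, for instance, 300 would wrap negative.
func fitsInDuration(years int) bool {
	return years >= 0 && years <= int(math.MaxInt64/int64(duration365d))
}

// newCA builds a self-signed CA valid for caYears, shaped like client-go's
// NewSelfSignedCACert (10 years before the patch, 100 after it).
func newCA(now time.Time, caYears int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             now.Add(-certificateBackdate).UTC(),
		NotAfter:              now.Add(duration365d * time.Duration(caYears)).UTC(),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// newLeaf signs an apiserver-style serving certificate under ca for the given
// validity, as kubeadm's NewSignedCert does with CertificateValidity.
func newLeaf(now time.Time, ca *x509.Certificate, caKey *ecdsa.PrivateKey, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		DNSNames:     []string{"kubernetes"},
		NotBefore:    now.UTC(),
		NotAfter:     now.Add(validity).UTC(),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ChainValidAfter creates a CA valid for caYears and a leaf valid for leafYears
// under it, then checks the chain as a kubelet or kubectl would afterYears from
// now: both certificates must be within their validity periods.
func ChainValidAfter(caYears, leafYears, afterYears int) (bool, error) {
	now := time.Now()
	ca, caKey, err := newCA(now, caYears)
	if err != nil {
		return false, err
	}
	leaf, err := newLeaf(now, ca, caKey, duration365d*time.Duration(leafYears))
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     "kubernetes",
		CurrentTime: now.Add(duration365d * time.Duration(afterYears)),
	})
	return err == nil, nil
}

func main() {
	leafYears := int(certificateValidity / duration365d) // 100
	fmt.Println("100-year Duration representable:", fitsInDuration(leafYears), " 300-year:", fitsInDuration(300))
	cases := []struct{ ca, after int }{
		{10, 11},  // renew-only on an existing cluster: old 10-year CA, new 100-year leaf
		{100, 11}, // fresh kubeadm init with both patches applied
	}
	for _, c := range cases {
		ok, err := ChainValidAfter(c.ca, leafYears, c.after)
		if err != nil {
			panic(err)
		}
		fmt.Printf("CA %3dy, leaf %dy, verified %dy from now: chain valid=%v\n", c.ca, leafYears, c.after, ok)
	}
}
```

The first case is the state a renew-only run produces: the leaf is valid for 100 years on paper, but verification fails as soon as the 10-year CA is past its NotAfter. The second case is what a fresh kubeadm init with both patches gives.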
