Learning kubelet certificate renewal in one article

有点d伤 2021-09-24 56 reads
PaaS

1. Modify the kube-controller-manager configuration on the master hosts (all three masters must be changed; the kubelet re-creates the static pod once the manifest is saved)

  • Add two parameters (the third line, --experimental-cluster-signing-duration, is the older, deprecated spelling of --cluster-signing-duration)
vi /etc/kubernetes/manifests/kube-controller-manager.yaml
- --cluster-signing-duration=87600h0m0s
- --feature-gates=RotateKubeletServerCertificate=true
- --experimental-cluster-signing-duration=87600h0m0s

2. Modify the kubelet configuration on all hosts

Modify the kubelet configuration on the master hosts (all three masters must be changed), then edit the /etc/sysconfig/kubelet file on the worker nodes in the same way.

vi /etc/sysconfig/kubelet 
KUBELET_EXTRA_ARGS=--fail-swap-on=false --feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletClientCertificate=true --rotate-certificates 

3. Check the validity period of the old certificates

openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text -noout | grep Not 
openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -text -noout | grep Not 

# TLS bootstrapping: https://kubernetes.io/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#bootstrap-tokens

4. Create three ClusterRoles

vi approve-node-client-csr.yaml
# A ClusterRole which instructs the CSR approver to approve a user requesting
# node client credentials.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: approve-node-client-csr
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/nodeclient"]
  verbs: ["create"]

vi approve-node-client-renewal-csr.yaml
# A ClusterRole which instructs the CSR approver to approve a node renewing its
# own client credentials.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: approve-node-client-renewal-csr
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/selfnodeclient"]
  verbs: ["create"]

vi approve-node-server-renewal-csr.yaml
# A ClusterRole which instructs the CSR approver to approve a node requesting a
# serving cert matching its client cert.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: approve-node-server-renewal-csr
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/selfnodeserver"]
  verbs: ["create"]

Run the commands that create the cluster roles

kubectl apply -f approve-node-client-csr.yaml 
kubectl apply -f approve-node-client-renewal-csr.yaml 
kubectl apply -f approve-node-server-renewal-csr.yaml 

5. After the ClusterRoles are created, bind the role permissions

  • Automatically approve the kubelet's first CSR (the certificate used to talk to the apiserver)
kubectl create clusterrolebinding node-client-auto-approve-csr --clusterrole=approve-node-client-csr --group=system:bootstrappers
  • Automatically approve CSRs issued by the kubelet for the port 10250 serving certificate (including later renewals)
kubectl create clusterrolebinding node-server-auto-renew-crt --clusterrole=approve-node-server-renewal-csr --group=system:nodes
  • Automatically approve the kubelet's later renewal CSRs for the certificate used to talk to the apiserver
kubectl create clusterrolebinding node-client-auto-renew-crt --clusterrole=approve-node-client-renewal-csr --group=system:nodes

vi auto-approve-csrs-for-group.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auto-approve-csrs-for-group
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
  apiGroup: rbac.authorization.k8s.io

vi auto-approve-renewals-for-nodes.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auto-approve-renewals-for-nodes
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
  apiGroup: rbac.authorization.k8s.io

vi create-csrs-for-bootstrapping.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: create-csrs-for-bootstrapping
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:node-bootstrapper
  apiGroup: rbac.authorization.k8s.io
  • Run the commands that create the cluster role bindings
kubectl apply -f auto-approve-csrs-for-group.yaml 
kubectl apply -f auto-approve-renewals-for-nodes.yaml 
kubectl apply -f create-csrs-for-bootstrapping.yaml 
  • Verify the cluster roles and bindings that were created
kubectl get ClusterRole 
kubectl get clusterrolebinding 

6. Set up the bootstrap kubeconfig and account authorization used for kubelet certificate issuance

kubectl config --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig set-cluster default-cluster --server='https://k8s.yunlearn.org:6443' --certificate-authority=/etc/kubernetes/pki/ca.crt
kubectl config --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig set-credentials default-auth --token=9cgr05.vl1g1tae2vshltdu
kubectl config --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig set-context default-context --user=default-auth --cluster=default-cluster
kubectl config --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig use-context default-context

7. Log in to the k8s cluster worker node and add the following configuration file

vi /etc/kubernetes/bootstrap-kubelet.conf
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://k8s.yunlearn.org:6443
  name: default-cluster
contexts:
- context:
    cluster: default-cluster
    user: default-auth
  name: default-context
current-context: default-context
preferences: {}
users:
- name: default-auth
  user:
    token: 9cgr05.vl1g1tae2vshltdu

8. Log in to the k8s cluster worker node and change to the directory /var/lib/kubelet/pki

  • Log in to host 192.168.1.13
  • Back up the old certificates, then delete all old certificate files and restart the kubelet
cp -rp /var/lib/kubelet/pki /var/lib/kubelet/pki.old
rm -rf /var/lib/kubelet/pki/*
systemctl daemon-reload
systemctl restart kubelet
  • After the restart succeeds, the certificates are generated automatically
  • Check the certificate validity period
openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text -noout | grep Not
openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -text -noout | grep Not

9. Log in to the k8s cluster master node and enter the directory /var/lib/kubelet/pki

Back up the old certificates, then delete all old certificate files and restart the kubelet

cp -rp /var/lib/kubelet/pki /var/lib/kubelet/pki.old 
rm -rf /var/lib/kubelet/pki/* 
systemctl daemon-reload 
systemctl restart kubelet 
  • After the restart succeeds, the certificates are generated automatically
  • Check the certificate validity period
openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text -noout | grep Not 
openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -text -noout | grep Not