1、修改master主机的kube-controller-manager配置,三个master主机都要修改
- 添加以下参数(--cluster-signing-duration 与 --experimental-cluster-signing-duration 是同一参数的新旧名称,按所用 Kubernetes 版本保留其一即可;87600h 即 10 年,是签发出的 kubelet 证书的有效期上限,应按自身证书策略取值)
vi /etc/kubernetes/manifests/kube-controller-manager.yaml
- --cluster-signing-duration=87600h0m0s
- --feature-gates=RotateKubeletServerCertificate=true
- --experimental-cluster-signing-duration=87600h0m0s
2、修改所有主机的kubelet配置
修改master主机kubelet配置,三个master主机都要修改,同理继续修改node节点/etc/sysconfig/kubelet配置文件
vi /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS=--fail-swap-on=false --feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletClientCertificate=true --rotate-certificates
3、检查旧证书有效期限
openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text -noout | grep Not
openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -text -noout | grep Not
# tls启动引导:https://kubernetes.io/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#bootstrap-tokens
4、创建三个ClusterRole
vi approve-node-client-csr.yaml
# A ClusterRole which instructs the CSR approver to approve a user requesting
# node client credentials.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: approve-node-client-csr
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/nodeclient"]
  verbs: ["create"]
vi approve-node-client-renewal-csr.yaml
# A ClusterRole which instructs the CSR approver to approve a node renewing its
# own client credentials.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: approve-node-client-renewal-csr
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/selfnodeclient"]
  verbs: ["create"]
vi approve-node-server-renewal-csr.yaml
# A ClusterRole which instructs the CSR approver to approve a node requesting a
# serving cert matching its client cert.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: approve-node-server-renewal-csr
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/selfnodeserver"]
  verbs: ["create"]
执行创建集群角色命令
kubectl apply -f approve-node-client-csr.yaml
kubectl apply -f approve-node-client-renewal-csr.yaml
kubectl apply -f approve-node-server-renewal-csr.yaml
5、创建ClusterRole完成后,绑定角色权限
- 自动批准 kubelet 的首次 CSR 请求(用于与 apiserver 通讯的证书)
kubectl create clusterrolebinding node-client-auto-approve-csr --clusterrole=approve-node-client-csr --group=system:bootstrappers
- 自动批准 kubelet 发起的用于 10250 端口鉴权证书的 CSR 请求(包括后续 renew)
kubectl create clusterrolebinding node-server-auto-renew-crt --clusterrole=approve-node-server-renewal-csr --group=system:nodes
- 自动批准 kubelet 后续 renew 用于与 apiserver 通讯证书的 CSR 请求
kubectl create clusterrolebinding node-client-auto-renew-crt --clusterrole=approve-node-client-renewal-csr --group=system:nodes
vi auto-approve-csrs-for-group.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auto-approve-csrs-for-group
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
  apiGroup: rbac.authorization.k8s.io
vi auto-approve-renewals-for-nodes.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auto-approve-renewals-for-nodes
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
  apiGroup: rbac.authorization.k8s.io
vi create-csrs-for-bootstrapping.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: create-csrs-for-bootstrapping
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:node-bootstrapper
  apiGroup: rbac.authorization.k8s.io
- 执行创建集群角色绑定命令
kubectl apply -f auto-approve-csrs-for-group.yaml
kubectl apply -f auto-approve-renewals-for-nodes.yaml
kubectl apply -f create-csrs-for-bootstrapping.yaml
- 验证创建的集群角色和绑定关系
kubectl get ClusterRole
kubectl get clusterrolebinding
6、为 kubelet 生成 bootstrap kubeconfig(kubelet 以 bootstrap token 完成首次认证并申请证书;--token 的值须替换为集群中实际存在且未过期的 bootstrap token)
kubectl config --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig set-cluster default-cluster --server='https://k8s.yunlearn.org:6443' --certificate-authority=/etc/kubernetes/pki/ca.crt
kubectl config --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig set-credentials default-auth --token=9cgr05.vl1g1tae2vshltdu
kubectl config --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig set-context default-context --user=default-auth --cluster=default-cluster
kubectl config --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig use-context default-context
7、登录到k8s集群node节点,添加以下配置文件(内容与第6步生成的 bootstrap kubeconfig 一致,文件路径需与 kubelet 启动参数 --bootstrap-kubeconfig 指向的路径一致)
vi /etc/kubernetes/bootstrap-kubelet.conf
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://k8s.yunlearn.org:6443
  name: default-cluster
contexts:
- context:
    cluster: default-cluster
    user: default-auth
  name: default-context
current-context: default-context
preferences: {}
users:
- name: default-auth
  user:
    token: 9cgr05.vl1g1tae2vshltdu
8、登录到k8s集群node节点,切到目录/var/lib/kubelet/pki
- 登录192.168.1.13主机
- 备份旧证书后,删除所有旧证书文件,重启kubelet(删除前先确认第7步的 bootstrap 配置已就位,否则 kubelet 在没有客户端证书时无法重新向 apiserver 申请证书)
cp -rp /var/lib/kubelet/pki /var/lib/kubelet/pki.old
rm -rf /var/lib/kubelet/pki/*
systemctl daemon-reload
systemctl restart kubelet
- 重启成功后,kubelet 会通过 bootstrap 自动申请并生成新证书
- 检查证书有效期限
openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text -noout | grep Not
openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -text -noout | grep Not
9、登录到k8s集群master节点,进入目录/var/lib/kubelet/pki
备份旧证书后,删除所有旧证书文件,重启kubelet(与第8步相同,删除前先确认该主机上 kubelet 可用的 bootstrap 配置已就位)
cp -rp /var/lib/kubelet/pki /var/lib/kubelet/pki.old
rm -rf /var/lib/kubelet/pki/*
systemctl daemon-reload
systemctl restart kubelet
- 重启成功后,kubelet 会通过 bootstrap 自动申请并生成新证书
- 检查证书有效期限
openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text -noout | grep Not
openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -text -noout | grep Not