一 Back up the existing certificates first

cp -r /etc/kubernetes/ssl /etc/kubernetes/sslbak
二 Re-sign the CA certificate

vi /etc/kubernetes/ssl/ca-csr.json

{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Guangzhou",
      "L": "Guangzhou",
      "O": "k8s",
      "OU": "System"
    }
  ],
  "CA": {"expiry": "876000h"}
}
The "CA": {"expiry": "876000h"} entry was not there before, so the CA certificate got the default validity of 5 years and expired once those 5 years were up.

Run the following command to re-sign the CA:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

After re-signing, the following files are generated:

-rw-r--r-- 1 root root 1005 Nov 20 11:25 ca.csr
-rw------- 1 root root 1675 Nov 20 11:25 ca-key.pem
-rw-r--r-- 1 root root 1371 Nov 20 11:25 ca.pem
二 Re-sign the component certificates

Working directory: /etc/kubernetes/ssl

# Re-sign the apiserver certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
# Re-sign the kube-proxy certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
# Re-sign the metrics-server certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes metrics-server-csr.json | cfssljson -bare metrics-server
# Re-sign the admin certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
ca-config.json is unchanged:

{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "876000h"
      }
    }
  }
}
kubernetes-csr.json is unchanged:

{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "172.17.0.1",
    "10.0.32.18",
    "10.0.32.1",
    "10.0.32.6",
    "10.0.32.7",
    "localhost",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Guangzhou",
      "L": "Guangzhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
kube-proxy-csr.json is unchanged:

{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Guangzhou",
      "L": "Guangzhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
metrics-server-csr.json is unchanged:

{
  "CN": "aggregator",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangZhou",
      "L": "GuangZhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
admin-csr.json is unchanged:

{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Guangzhou",
      "L": "Guangzhou",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
三 Regenerate the kubeconfig files

Because every kubeconfig file is generated from the certificates, they all have to be regenerated.

Working directory: /etc/kubernetes

Regenerate bootstrap.kubeconfig

This file is only needed when a node first joins the cluster; it is not accessed afterwards.

Script:

KUBE_CONFIG="/etc/kubernetes/bootstrap.kubeconfig"
KUBE_APISERVER="https://10.0.32.18:6443" # apiserver IP:PORT
TOKEN="9e7ae615183927051cc3a7b5aa8fb6c8" # must match the token in /etc/kubernetes/token.csv
# Generate the kubelet bootstrap kubeconfig file
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials "kubelet-bootstrap" \
  --token=${TOKEN} \
  --kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
  --cluster=kubernetes \
  --user="kubelet-bootstrap" \
  --kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
Regenerate kube-proxy.kubeconfig

Script:

KUBE_CONFIG="/etc/kubernetes/kube-proxy.kubeconfig"
KUBE_APISERVER="https://10.0.32.18:6443" # apiserver IP:PORT
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials kube-proxy \
  --client-certificate=/etc/kubernetes/ssl/kube-proxy.pem \
  --client-key=/etc/kubernetes/ssl/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
Regenerate /root/.kube/config

This keeps kubectl commands working.

Script:

KUBE_CONFIG="/root/.kube/config"
KUBE_APISERVER="https://10.0.32.18:6443" # apiserver IP:PORT
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials cluster-admin \
  --client-certificate=/etc/kubernetes/ssl/admin.pem \
  --client-key=/etc/kubernetes/ssl/admin-key.pem \
  --embed-certs=true \
  --kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
  --cluster=kubernetes \
  --user=cluster-admin \
  --kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
Regenerate kubelet.kubeconfig

Worker nodes need this file to communicate with the master nodes.

Script:

KUBE_CONFIG="kubelet.kubeconfig"
KUBE_APISERVER="https://10.0.32.18:6443" # apiserver IP:PORT
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials admin \
  --client-certificate=/etc/kubernetes/ssl/admin.pem \
  --client-key=/etc/kubernetes/ssl/admin-key.pem \
  --embed-certs=true \
  --kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
  --cluster=kubernetes \
  --user=admin \
  --kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
四 Master nodes: replace the certificates and kubeconfig files and restart

Copy the certificates generated above into the corresponding directories on all three master nodes, then restart the components.

The directories and files to replace are:

/etc/kubernetes/ssl
/etc/kubernetes/bootstrap.kubeconfig
/etc/kubernetes/kube-proxy.kubeconfig
/root/.kube/config

Once the files have been replaced on all three master nodes (back them up first), run the following restart commands:

systemctl restart kube-apiserver
systemctl restart kube-controller-manager
systemctl restart kube-scheduler
五 Worker nodes: replace the certificates and kubeconfig files and restart

Back up /etc/kubernetes/ssl as it is, recreate the /etc/kubernetes/ssl directory, and then copy the following certificates over from the ones generated earlier:

-rw------- 1 root root 1679 Nov 20 22:46 admin-key.pem
-rw-r--r-- 1 root root 1415 Nov 20 22:46 admin.pem
-rw------- 1 root root 1675 Nov 20 22:46 ca-key.pem
-rw-r--r-- 1 root root 1371 Nov 20 22:46 ca.pem
-rw-r--r-- 1 root root 3243 Nov 20 22:46 etcd-key.pem
-rw-r--r-- 1 root root 1866 Nov 20 22:46 etcd.pem
-rw-r--r-- 1 root root 1679 Nov 20 22:46 etcd-root-ca-key.pem
-rw-r--r-- 1 root root 1090 Nov 20 22:46 etcd-root-ca.pem
-rw------- 1 root root 1679 Nov 20 22:46 kubernetes-key.pem
-rw-r--r-- 1 root root 1663 Nov 20 22:46 kubernetes.pem

In addition, the following three kubeconfig files must be copied as well:

/etc/kubernetes/bootstrap.kubeconfig
/etc/kubernetes/kube-proxy.kubeconfig
/etc/kubernetes/kubelet.kubeconfig

Restart on every node:

systemctl restart kubelet kube-proxy flanneld docker
After all of the above, kubectl get node shows every node as normal again, but other problems remain that keep pages and APIs from being reached.

六 Fixing the remaining problems

Every Kubernetes ServiceAccount must be recreated; otherwise the services that need to call the apiserver keep failing because their credentials no longer match the new certificates.

Use kubectl get ServiceAccounts --all-namespaces to list all ServiceAccounts, find the YAML file for each one, and recreate the ServiceAccounts individually.