K8S的组件kubelet证书,在K8s node节点的/var/lib/kubelet/pki下,默认生成的证书只有1年,如:
[root@gpaasdemo-node1 pki]# curl https://localhost:10250 -vk * About to connect() to localhost port 10250 (#0) * Trying ::1... * Connected to localhost (::1) port 10250 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * skipping SSL peer certificate verification * NSS: client certificate not found (nickname not specified) * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * Server certificate: * subject: CN=gpaasdemo-node1@1672802296 * start date: Jan 04 02:18:16 2023 GMT * expire date: Jan 04 02:18:16 2024 GMT * common name: gpaasdemo-node1@1672802296 * issuer: CN=gpaasdemo-node1-ca@1672802296 [root@gpaasdemo-node1 ~]# cd /var/lib/kubelet/pki [root@gpaasdemo-node1 pki]# ls kubelet-client-2023-01-04-11-18-16.pem kubelet-client-current.pem kubelet.crt kubelet.key [root@gpaasdemo-node1 pki]# openssl x509 -in kubelet.crt -noout -text |grep ' Not ' Not Before: Jan 4 02:18:16 2023 GMT Not After : Jan 4 02:18:16 2024 GMT |
正常来说,kubelet的证书过期,是不影响K8S功能的正常使用,但是在使用安全软件扫描时,会提示证书过期,如下图:
如需更新kubelet证书有效期,参考下面的步骤。
更新kubelet.crt和kubelet.key证书,不需要停止服务,正常也不会对运行的业务产生影响,但应该在业务低峰时进行操作,同时做好旧证书的备份,如果更新异常,可使用旧证书还原。
1. 在k8s master节点为每个node节点生成kubelet证书文件kubelet.crt和kubelet.key。
#将下面红色字体替换成node节点主机名称,一般通过kubectl get node查看到。-days 36500表示有效天数,100年。 #openssl req -new -newkey rsa:4096 -keyout kubelet.key -out kubelet.csr -nodes -subj "/CN=system:node:gpaasdemo-node1/O=system:nodes" -days 36500 #openssl x509 -req -days 36500 -in kubelet.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -out kubelet.crt -CAcreateserial |
master上执行完上述命令后,会在当前目录下生成:kubelet.crt kubelet.csr kubelet.key三个文件。
2. 替换node节点的kubelet证书。
在gpaasdemo-node1节点下,先备份证书:
#cp -rf /var/lib/kubelet/pki /var/lib/kubelet/pki.bak
将master生成的证书文件:kubelet.crt和 kubelet.key传到名为gpaasdemo-node1的node节点目录:/var/lib/kubelet/pki,
最后重启kubelet:systemctl restart kubelet,systemctl status kubelet查看是否正常启动,同时看看/var/log/messages日志是否有异常。
3. 检验kubelet证书是否修改成功。
在node节点上使用命令curl https://localhost:10250 -vk进行检查。
[root@gpaasdemo-node1 pki]# curl https://localhost:10250 -vk * About to connect() to localhost port 10250 (#0) * Trying ::1... * Connected to localhost (::1) port 10250 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * skipping SSL peer certificate verification * NSS: client certificate not found (nickname not specified) * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * Server certificate: * subject: O=system:nodes,CN=system:node:gpaasdemo-node1 * start date: Jun 28 11:51:28 2024 GMT * expire date: Jun 04 11:51:28 2124 GMT * common name: system:node:gpaasdemo-node1 * issuer: CN=kubernetes |
在master上执行kubectl get node,确认节点是Ready状态,即表示修改成功。