修改kubeadm证书有效时长

git clone  https://github.com/kubernetes/kubernetes.git	# 拉取整个kubernetes仓库

# kubeadm v1.14.3
git checkout -b remotes/origin/release-1.14 v1.14.3

git checkout -b remotes/origin/release-1.18 v1.18.19
# 修改 CA 有效期为 100 年(默认为 10 年)
# 注意:CA 有效期越长,ca.key 泄露后可被用来签发证书的时间也越长;改为 100 年后应按根密钥的标准保管 ca.key(严格限制文件权限和访问范围)。

vim ./staging/src/k8s.io/client-go/util/cert/cert.go
// 这个方法里面NotAfter:              now.Add(duration365d * 10).UTC()
// 默认有效期就是10年,改成100年
// 按/NotAfter查找
// NewSelfSignedCACert builds a self-signed CA certificate for key: the same
// template is passed to x509.CreateCertificate as both certificate and parent,
// and the resulting DER bytes are parsed back into an *x509.Certificate.
// The subject CommonName and Organization are taken from cfg.
// An error from x509.CreateCertificate is returned unchanged.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
        now := time.Now()
        tmpl := x509.Certificate{
                // The serial number is fixed at 0 rather than generated per certificate.
                SerialNumber: new(big.Int).SetInt64(0),
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                NotBefore:             now.UTC(),
                // Upstream default (10 years), kept for reference:
                // NotAfter:              now.Add(duration365d * 10).UTC(),
                // Modified value: expiry is 100 * duration365d after creation
                // (duration365d is defined elsewhere in cert.go; presumably 365 days).
                // NOTE(review): with this lifetime the CA is effectively never rotated, so
                // the matching private key has to stay protected for the whole life of the
                // cluster; a copied key remains usable for signing until every component
                // trusts a replacement CA.
                NotAfter:              now.Add(duration365d * 100).UTC(),
                // Usages granted: key encipherment, digital signature and certificate signing.
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                // Basic constraints are valid and mark the certificate as a CA.
                BasicConstraintsValid: true,
                IsCA:                  true,
        }

        // Self-signed: tmpl is both the template and the parent, and key signs its own public key.
        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
        if err != nil {
                return nil, err
        }
        return x509.ParseCertificate(certDERBytes)
vim ./cmd/kubeadm/app/constants/constants.go

// 就是这个常量定义CertificateValidity,改成*100年
const (
        // KubernetesDir is the directory Kubernetes owns for storing various configuration files
        KubernetesDir = "/etc/kubernetes"
        // ManifestsSubDirName defines directory name to store manifests
        ManifestsSubDirName = "manifests"
        // TempDirForKubeadm defines temporary directory for kubeadm
        // should be joined with KubernetesDir.
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        // Upstream default (one year of 365 days), kept for reference:
        // CertificateValidity = time.Hour * 24 * 365
        // Modified value: 100 years of 365 days.
        // NOTE(review): per the comment above, this one constant covers every certificate
        // kubeadm signs, so with this value expiry no longer limits how long a copied
        // certificate and key stay valid; confirm the cluster has another way to retire
        // a credential (for example replacing the CA) before relying on it.
        CertificateValidity = time.Hour * 24 * 365 * 100

        // CACertAndKeyBaseName defines certificate authority base name
        CACertAndKeyBaseName = "ca"
        // CACertName defines the file name of the CA certificate
        CACertName = "ca.crt"
        // CAKeyName defines the file name of the CA private key
        CAKeyName = "ca.key"

# kubeadm v1.19.11
git checkout -b remotes/origin/release-1.19 v1.19.11

# kubeadm v1.21.1
git checkout -b remotes/origin/release-1.21 v1.21.1
#回到kubernetes代码目录
cd kubernetes

#用修改过时间的代码重新编译kubeadm
make WHAT=cmd/kubeadm 

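# 备份旧的 kubeadm 命令,并将新编译的 kubeadm 通过复制或软链接的方式替换原来的 kubeadm
# 注意:软链接会让 /usr/bin/kubeadm 指向源码目录下的 _output,任何能写入该目录的用户都能替换这个通常以 root 运行的命令;复制二进制并保持 root 属主、其他用户不可写更稳妥。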

mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
ln -s /usr/src/kubernetes/_output/bin/kubeadm /usr/bin/kubeadm
