Kubernetes: create a 5-year certificate for kubeapi

Time: 2018-04-08 19:56:37

Tags: kubernetes

When I create a Kubernetes cluster with kubeadm on CentOS 7, it creates a one-year kubeapi certificate. For me that is a short lifetime for a cluster. How can I create a 5-year certificate during cluster setup?

* SSL connection using TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* Server certificate:
*       subject: CN=kube-apiserver
*       start date: Dec 20 14:32:00 2017 GMT
*       expire date: Dec 20 14:32:00 2018 GMT
*       common name: kube-apiserver
*       issuer: CN=kubernetes

I tried this, which does not work:

openssl genrsa -out ca.key 2048
export MASTER_IP=192.168.16.171
openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
kubeadm reset
rm -rf /etc/kubernetes
mkdir -p /etc/kubernetes/ca/pki
cp ca.key ca.crt /etc/kubernetes/ca/pki/
kubeadm init
curl -k -v https://localhost:6443

* Server certificate:
*       subject: CN=kube-apiserver
*       start date: Apr 15 21:07:24 2018 GMT
*       expire date: Apr 15 21:07:25 2019 GMT
*       common name: kube-apiserver
*       issuer: CN=kubernetes

Thanks, SR

2 answers:

Answer 0 (score: 0)

Follow the Kubernetes documentation on certificates to create the CA certificate.

If you choose openssl or easyrsa, use --days=1825; if you choose cfssl, specify .signing.default.expiry as 5y in ca-config.json.

Put the resulting ca.crt and ca.key into /etc/kubernetes/ca/pki. When you run kubeadm init, it will detect these files and will not overwrite them; it will use that CA key & certificate to sign the other certificates it needs.

Answer 1 (score: 0)

After looking at the code, the API certificate expiry date cannot be changed. It is set to 1 year in the code.

https://github.com/kubernetes/client-go/blob/master/util/cert/cert.go

package cert

import (
    cryptorand "crypto/rand"
    "crypto/rsa"
    "crypto/x509"
    "crypto/x509/pkix"
    "math/big"
    "time"
)

const duration365d = time.Hour * 24 * 365

// Config contains the basic fields required for creating a certificate
// (trimmed here to the fields NewSelfSignedCACert uses).
type Config struct {
    CommonName   string
    Organization []string
}

// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key *rsa.PrivateKey) (*x509.Certificate, error) {
    now := time.Now()
    tmpl := x509.Certificate{
        SerialNumber: new(big.Int).SetInt64(0),
        Subject: pkix.Name{
            CommonName:   cfg.CommonName,
            Organization: cfg.Organization,
        },
        NotBefore: now.UTC(),
        // CA lifetime is hard-coded here: ten years from now
        NotAfter:              now.Add(duration365d * 10).UTC(),
        KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
        BasicConstraintsValid: true,
        IsCA:                  true,
    }

    // Self-signed: the template is both subject and issuer, signed with its own key
    certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
    if err != nil {
        return nil, err
    }
    return x509.ParseCertificate(certDERBytes)
}
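An added Go example, not from either answer and not kubeadm or client-go code, that ties the two answers together: it builds a CA with the 1825-day lifetime from answer 0, signs a one-year kube-apiserver leaf with it as answer 1 describes, and reports the days of validity left, the check a certificate-expiry monitor would run on a cluster. The issue/BuildChain/DaysLeft helpers, subject names, serial numbers and dates are all constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey using a freshly generated RSA key for tmpl.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed: the CA is its own issuer, signed with its new key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain reproduces the kubeadm situation with constructed names: a CA valid caDays
// (the answer's --days=1825) signs a kube-apiserver leaf valid leafDays (kubeadm: 365).
func BuildChain(now time.Time, caDays, leafDays int) (ca, leaf *x509.Certificate, err error) {
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"},
		NotBefore: now, NotAfter: now.AddDate(0, 0, caDays), IsCA: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "kube-apiserver"},
		NotBefore: now, NotAfter: now.AddDate(0, 0, leafDays),
	}
	leaf, _, err = issue(leafTmpl, ca, caKey)
	return ca, leaf, err
}

// DaysLeft is the number of whole days until cert expires as seen at time t (negative once expired).
func DaysLeft(cert *x509.Certificate, t time.Time) int { return int(cert.NotAfter.Sub(t).Hours() / 24) }
```

The leaf's NotAfter is whatever the signer puts in its template, so a 5-year (or 10000-day) CA leaves the apiserver certificate at one year; an expiry monitor should alert on DaysLeft of the leaf, not the CA.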