免责声明:延长证书有效期期限将降低PKI的安全性,请勿在需要保证生产安全的场合使用该方法。
长话短说
Git仓库:kubernetes/kubernetes
$ git clone https://github.com/kubernetes/kubernetes.git $ cd kubernetes # 编辑源码 $ git checkout release-1.15 $ vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go $ git diff --- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go +++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go @@ -571,7 +571,7 @@ func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certifi IPAddresses: cfg.AltNames.IPs, SerialNumber: serial, NotBefore: caCert.NotBefore, - NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC(), + NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity * 100).UTC(), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, ExtKeyUsage: cfg.Usages, # 编译二进制 $ go version go version go1.12.7 linux/amd64 $ go build ./cmd/kubeadm # 使用二进制更新证书 $ ./kubeadm alpha certs renew all certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed certificate for serving the Kubernetes API renewed certificate the apiserver uses to access etcd renewed certificate for the API server to connect to kubelet renewed certificate embedded in the kubeconfig file for the controller manager to use renewed certificate for liveness probes to healtcheck etcd renewed certificate for etcd nodes to communicate with each other renewed certificate for serving etcd renewed certificate for the front proxy client renewed certificate embedded in the kubeconfig file for the scheduler manager to use renewed # 检查新证书期限 $ cfssl-certinfo -cert /etc/kubernetes/pki/apiserver.crt|grep not "not_before": "2019-08-28T02:04:17Z", "not_after": "2119-08-04T03:52:33Z",
www#gaodaima.com来源gaodai$ma#com搞$代*码*网搞代码
搞代码网(gaodaima.com)提供的所有资源部分来自互联网,如果有侵犯您的版权或其他权益,请说明详细缘由并提供版权或权益证明然后发送到邮箱[email protected],我们会在看到邮件的第一时间内为您处理,或直接联系QQ:872152909。本网站采用BY-NC-SA协议进行授权
转载请注明原文链接:kubeadm1.15修改证书续期到100年
转载请注明原文链接:kubeadm1.15修改证书续期到100年
