09 k8s ca证书更换文件 - Powered by MinDoc

1、创建ca

创建ca-config.json

vim ca-config.json
i
{
  "signing": {
    "default": {
      "expiry": "43800h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "43800h"
      }
    }
  }
}

创建ca-csr.json

vim ca-csr.json
i
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "Kubernetes",
      "OU": "CA"
    }
  ]
}

2、创建ca证书，私钥，证书请求文件

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

3、替换ca文件，更新证书，重启主服务

替换文件

mv ca.pem ca.crt
mv ca-key.pem ca.key
\cp -ra ca.crt ca.key /etc/kubernetes/pki/
\cp -ra ca.csr /etc/kubernetes/pki/

替换public

cat ca.crt |base64 -w 0
kubectl edit cm/cluster-info -n kube-public
#替换certificate-authority-data下的内容

更新证书

kubeadm certs renew all

重启主服务

cd /etc/kubernetes/manifests/
mv kube-apiserver.yaml kube-controller-manager.yaml kube-scheduler.yaml ..
sleep 5
mv ../kube-* ./
cd ..
cat admin.conf > kubelet.conf
cp admin.conf /root/.kube/config

4、替换kubelet 证书

rm -rf /var/lib/kubelet/pki/* && systemctl daemon-reload && systemctl restart kubelet

附件

cfssl.tgz

文档更新时间: 2023-10-10 13:36 作者：张尚