1、创建ca
创建ca-config.json
vim ca-config.json
i
{
"signing": {
"default": {
"expiry": "43800h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "43800h"
}
}
}
}
创建ca-csr.json
vim ca-csr.json
i
{
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "Kubernetes",
"OU": "CA"
}
]
}
2、创建ca证书,私钥,证书请求文件
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
3、替换ca文件,更新证书,重启主服务
替换文件
mv ca.pem ca.crt
mv ca-key.pem ca.key
\cp -ra ca.crt ca.key /etc/kubernetes/pki/
\cp -ra ca.csr /etc/kubernetes/pki/
替换public
cat ca.crt |base64 -w 0
kubectl edit cm/cluster-info -n kube-public
#替换certificate-authority-data下的内容
更新证书
kubeadm certs renew all
重启主服务
cd /etc/kubernetes/manifests/
mv kube-apiserver.yaml kube-controller-manager.yaml kube-scheduler.yaml ..
sleep 5
mv ../kube-* ./
cd ..
cat admin.conf > kubelet.conf
cp admin.conf /root/.kube/config
4、替换kubelet 证书
rm -rf /var/lib/kubelet/pki/* && systemctl daemon-reload && systemctl restart kubelet
文档更新时间: 2023-10-10 13:36 作者:张尚