Kubernetes v1.19 编译 kubeadmin 修改证书有效期到 100年 提供下载
2021-01-02 17:33
Kubernetes 1.19, August 26, 2020 原有方法继续有效! kubeadm 默认证书为一年,一年过期后,会导致 api service 不可用,使用过程中会出现:x509: certificate has expired or is not yet valid. Google 建议通过不停更新版本来自动更新证书,太坑^_^ 可以在初始化群集之前重新编译 kubeadm,证书有效期自动为 100年 已经修改好的 kubeadm 下载(1.17.0、1.18.0、1.19.0): 链接: https://pan.baidu.com/s/1EabyIm2fO4Rj5HOP_f5e9g 密码: klom
1. 获取源码
# Fetch the v1.19.0 source archive from GitHub and unpack it into ./kubernetes.
K8S_VERSION=v1.19.0
wget "https://github.com/kubernetes/kubernetes/archive/${K8S_VERSION}.tar.gz"
tar -zxvf "${K8S_VERSION}.tar.gz"
# The archive extracts as kubernetes-<version without the leading v>.
mv "kubernetes-${K8S_VERSION#v}" kubernetes
cd kubernetes
2. 修改证书有效期
修改 CA 有效期为 100年(默认为 10年)
// 这个方法里面NotAfter: now.Add(duration365d * 10).UTC()
// 默认有效期就是10年,改成100年
// 输入/NotAfter查找,回车定位
// NewSelfSignedCACert builds a CA certificate for cfg and self-signs it with key.
//
// Patched: the CA is valid for 100 years from "now" instead of the upstream
// 10 years (the replaced line is kept below as a comment). 100 years still fits
// in a time.Duration (its range is roughly ±292 years), so the multiplication
// does not overflow. With expiry this far out, the CA is never rotated by
// aging out: it only changes when an operator regenerates it by hand, and
// leaf certificates only change via explicit renewal (`kubeadm alpha certs renew`).
//
// Returns the parsed certificate, or the error from x509.CreateCertificate or
// x509.ParseCertificate.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	issuedAt := time.Now()
	notBefore := issuedAt.UTC()
	// NotAfter: now.Add(duration365d * 10).UTC(),  // upstream default
	notAfter := issuedAt.Add(duration365d * 100).UTC()

	subject := pkix.Name{
		CommonName:   cfg.CommonName,
		Organization: cfg.Organization,
	}
	template := x509.Certificate{
		SerialNumber:          new(big.Int).SetInt64(0),
		Subject:               subject,
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	// Self-signed: the template serves as both the certificate and its issuer.
	der, err := x509.CreateCertificate(cryptorand.Reader, &template, &template, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
修改证书有效期为 100年(默认为 1年)
// 就是这个常量定义CertificateValidity,改成*100年
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files.
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName is the name of the directory used to store manifests.
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm is kubeadm's temporary directory name; it should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"

	// CertificateValidity is the validity of every certificate kubeadm signs.
	// Patched from the upstream one year (time.Hour * 24 * 365) to 100 years.
	// The product is about 3.15e18 ns, within time.Duration's int64 range.
	// Signed certificates therefore never age out on their own; they change
	// only when renewal is run explicitly.
	CertificateValidity = 100 * 365 * 24 * time.Hour

	// CACertAndKeyBaseName is the base file name shared by the CA certificate and key.
	CACertAndKeyBaseName = "ca"
	// CACertName is the CA certificate file name.
	CACertName = "ca.crt"
	// CAKeyName is the CA private key file name.
	CAKeyName = "ca.key"
)
3. 编译
3.1 Docker 镜像编译
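# The kube-cross image tag used by this tree is recorded in the source:
# cat ./build/build-image/cross/VERSION
# Pulled by tag only; pin by digest (image@sha256:<digest from the registry>)
# if the build must be reproducible.
docker pull k8s.gcr.io/kube-cross:v1.15.0-1
# Template: docker run --rm -v <host source dir>:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross bash
docker run --rm -v /root/kubernetes:/go/src/k8s.io/kubernetes -it k8s.gcr.io/kube-cross:v1.15.0-1 bash
cd /go/src/k8s.io/kubernetes
# Build kubeadm only; that is all this change needs.
make all WHAT=cmd/kubeadm GOFLAGS=-v
# Optional: kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v
# Optional: kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v
# Leave the container (exit). Everything below runs on the host.
# The build output lands under _output/ inside the mounted source tree. Use the
# host path so the copy does not depend on the host shell's current directory.
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp /root/kubernetes/_output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
#chmod +x /usr/bin/kubeadm
# Confirm the replaced binary reports the expected version.
kubeadm version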
3.2 本机编译
3.2.1 软件包准备
# RHEL/CentOS: compiler toolchain, plus rsync and jq (needed by the build).
yum -y install gcc make
yum -y install rsync jq
# Debian/Ubuntu equivalent (build-essential pulls in gcc, make, etc.).
sudo apt install build-essential
sudo apt -y install rsync jq
3.2.2 GoLang 环境
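# The kube-cross tag recorded in the source tree tracks the Go version to use:
# cat ./build/build-image/cross/VERSION
wget https://dl.google.com/go/go1.15.linux-amd64.tar.gz
## Mirror:
# wget https://golang.google.cn/dl/go1.15.linux-amd64.tar.gz
# Compare this digest with the SHA256 published on the Go download page before
# unpacking: this toolchain builds the binary that signs every cluster certificate.
sha256sum go1.15.linux-amd64.tar.gz
tar zxvf go1.15.linux-amd64.tar.gz -C /usr/local
# Add the following lines to /etc/profile:
#go setting
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin
source /etc/profile
go version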
go version go1.15 linux/amd64
# Only kubeadm needs rebuilding for this change.
make all WHAT=cmd/kubeadm GOFLAGS=-v
# Optional: kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v
# Optional: kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v
# The build writes the binary under _output/ (relative to the source tree);
# keep the packaged kubeadm as a backup before replacing it.
KUBEADM_BIN=_output/local/bin/linux/amd64/kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp "${KUBEADM_BIN}" /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm
# Confirm the replaced binary reports the expected version.
kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.0", GitCommit:"e19964183377d0ec2052d1f1fa930c4d7575bd50", GitTreeState:"archive", BuildDate:"2020-09-01T04:36:15Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
# Print the NotAfter date of every kubeadm-managed certificate; with the patched build they show ~99y.
kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
admin.conf Aug 08, 2120 05:35 UTC 99y no
apiserver Aug 08, 2120 05:35 UTC 99y ca no
apiserver-etcd-client Aug 08, 2120 05:35 UTC 99y etcd-ca no
apiserver-kubelet-client Aug 08, 2120 05:35 UTC 99y ca no
controller-manager.conf Aug 08, 2120 05:35 UTC 99y no
etcd-healthcheck-client Aug 08, 2120 05:35 UTC 99y etcd-ca no
etcd-peer Aug 08, 2120 05:35 UTC 99y etcd-ca no
etcd-server Aug 08, 2120 05:35 UTC 99y etcd-ca no
front-proxy-client Aug 08, 2120 05:35 UTC 99y front-proxy-ca no
scheduler.conf Aug 08, 2120 05:35 UTC 99y no
ca Aug 08, 2120 05:35 UTC 99y no
etcd-ca Aug 08, 2120 05:35 UTC 99y no
front-proxy-ca Aug 08, 2120 05:35 UTC 99y no
# List the per-certificate renew subcommands; note the CAs (ca, etcd-ca, front-proxy-ca) are not among them.
kubeadm alpha certs renew --help
Available Commands:
admin.conf Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
all Renew all available certificates
apiserver Renew the certificate for serving the Kubernetes API
apiserver-etcd-client Renew the certificate the apiserver uses to access etcd
apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
controller-manager.conf Renew the certificate embedded in the kubeconfig file for the controller manager to use
etcd-healthcheck-client Renew the certificate for liveness probes to healthcheck etcd
etcd-peer Renew the certificate for etcd nodes to communicate with each other
etcd-server Renew the certificate for serving etcd
front-proxy-client Renew the certificate for the front proxy client
scheduler.conf Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
# Re-sign every listed certificate with the existing CAs (presumably for CertificateValidity).
# The CAs themselves are not renewed by this command, and kubeadm's documentation
# says the control-plane static pods must be restarted to load the renewed files.
kubeadm alpha certs renew all
