k8s证书过期处理 手动生成证书、凭证

前言

证书管理是确保集群安全运行的一个关键环节。下面我将详细解答如何处理过期证书,以及手动生成和替换证书的流程和适用场景。

证书过期处理

如果 Kubernetes 集群中的证书过期,可能会导致集群出现各种异常,例如:

• API Server 停止工作
• kubelet 无法与 API Server 通信
• kube-controller-manager 和 kube-scheduler 停止工作
• etcd 集群出现通信问题

因此,一旦发现证书过期,我们需要尽快对其进行更新。具体的操作步骤如下:

查看过期证书

• 使用kubeadm部署的k8s

  # 检查证书到期时间
  kubeadm certs check-expiration 
  # 更新所有证书
  kubeadm certs renew all 
  # 更新 kubelet 证书 在每个工作节点上使用  更新 kubelet 证书 更新完成后需要重启 
  kubeadm certs renew kubelet-client
  

• 使用mac上docker desktop k8s
  这个略微繁琐

# 检测集群状态
kubectl cluster-info
# 将输入如下内容
# Kubernetes control plane is running at https://kubernetes.docker.internal:6443
# CoreDNS is running at https://kubernetes.docker.internal:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy# To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
# 输出 证书过期时间
echo | openssl s_client -showcerts -connect kubernetes.docker.internal:6443 2>/dev/null | openssl x509 -noout -enddate
# notAfter=May 15 07:17:02 2025 GMT

手动生成证书

在某些特殊情况下,我们可能需要手动生成并替换证书,比如:

Kubernetes 集群中某些特殊组件(如 Ingress Controller)需要使用自定义证书
需要为客户端生成专用的客户端证书
现有证书遗失或损坏,需要重新生成

我们可以使用 openssl 来生成

openssl

openssl can manually generate certificates for your cluster.

• 下载安装

• Generate a ca.key with 2048bit:

  openssl genrsa -out ca.key 2048
  

• According to the ca.key generate a ca.crt (use -days to set the certificate effective time):

  # -subj 参数用于指定证书 Subject 名称
  openssl req -x509 -new -nodes -key ca.key -subj "/CN=kubernetes.docker.internal" -days 10000 -out ca.crt
  

• Generate a server.key with 2048bit:

  openssl genrsa -out server.key 2048
  

• 基于 server.key 生成 server.csr

  openssl req -new -key server.key -out server.csr 
  # You are about to be asked to enter information that will be incorporated
  # into your certificate request.
  # What you are about to enter is what is called a Distinguished Name or a DN.
  # There are quite a few fields but you can leave some blank
  # For some fields there will be a default value,
  # If you enter '.', the field will be left blank.
  -----
  # Country Name (2 letter code) [AU]:CN
  # State or Province Name (full name) [Some-State]:XX
  # Locality Name (eg, city) []:XX
  # Organization Name (eg, company) [Internet Widgits Pty Ltd]:xa
  # Organizational Unit Name (eg, section) []:xa
  # Common Name (e.g. server FQDN or YOUR name) []:CA
  # Email Address []:1@qq.com# Please enter the following 'extra' attributes
  # to be sent with your certificate request
  # A challenge password []:
  # An optional company name []:
  

• Generate the server certificate using the ca.key, ca.crt and server.csr:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000  -sha256

• View the certificate signing request:

openssl req  -noout -text -in ./server.csr

• View the certificate:

openssl x509  -noout -text -in ./server.crt

Finally, add the same parameters into the API server start parameters.

• 分发自签名 CA 证书
  客户端节点可能会拒绝承认自签名 CA 证书有效。 对于非生产部署，您可以将自签名 CA 证书分发给所有客户端并刷新有效证书的本地列表。
  在每个客户端上执行以下操作：

  sudo cp ca.crt /usr/local/share/ca-certificates/kubernetes.crt
  sudo update-ca-certificates
  

官方文档： https://kubernetes.io/docs/tasks/administer-cluster/certificates/

good day ！！！