K8S 证书轮换

发表于 更新于 分类于 阅读次数:

For kubeadm provisioned clusters

1
kubeadm alpha certs check-expiration

For all clusters

1
openssl x509 -noout -dates -in /etc/kubernetes/pki/apiserver.crt

更新过期时间

方法1: 使用 kubeadm 升级集群自动轮换证书

1
kubeadm upgrade apply --certificate-renewal v1.15.0

方法2: 使用 kubeadm 手动生成并替换证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# Step 1): Backup old certs and kubeconfigs
mkdir /etc/kubernetes.bak
cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
cp /etc/kubernetes/*.conf /etc/kubernetes.bak
Kubeadm config view >kubeadm.yaml
# Step 2): Renew all certs
kubeadm alpha certs renew all --config kubeadm.yaml

# Step 3): Renew all kubeconfigs
kubeadm alpha kubeconfig user --client-name=admin
kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin  > /etc/kubernetes/admin.conf
kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf
kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf

# Another way to renew kubeconfigs
# kubeadm init phase kubeconfig all --config kubeadm.yaml

# Step 4): Copy certs/kubeconfigs and restart Kubernetes services etcd 证书排除

方法3: 非 kubeadm 集群

非 kubeadm 集群请参考 配置 CA 并创建 TLS 证书 重新生成证书,并重启各个 Kubernetes 服务。
kubelet 证书自动轮换
Kubelet 从 v1.8.0 开始支持证书轮换,当证书过期时,可以自动生成新的密钥,并从 Kubernetes API 申请新的证书。

证书轮换的开启方法如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

# Step 1): Config kube-controller-manager
kube-controller-manager --experimental-cluster-signing-duration=87600h \
                --feature-gates=RotateKubeletClientCertificate=true \ #新版本已经GA可以不配置
                ...

# Step 2): Config RBAC
# Refer https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#approval

# Step 3): Config Kubelet
kubelet --feature-gates=RotateKubeletClientCertificate=true \ #新版本已经GA可以不配置
                --cert-dir=/var/lib/kubelet/pki \
                --rotate-certificates \
                --rotate-server-certificates \
                ...

撤销证书:
Kubernetes 目前还不支持通过 Certificate Rovocation List (CRL) 来撤销证书。所以,目前撤销证书的唯一方法就是使用新的 CA 重新生成所有证书,然后再重启所有服务。