目前我正在使用一个脚本在Kubernetes证书到期前续订证书。但这是一个手动过程。我必须仔细监控到期日期,并提前运行此脚本。在不更新控制平面的情况下自动更新所有控制平面证书的推荐方法是什么?kubelet的--rotate*标志是旋转所有组件(例如控制器(,还是仅用于kubelet?附言:Kubernetes集群是用kubeadm创建的。
回答以下问题:
在不更新控制平面的情况下自动更新所有控制平面证书的推荐方法是什么
根据k8s文档和最佳实践,最佳实践是使用";"自动证书续订";控制飞机升级:
自动证书续订
此功能是为解决最简单的用例而设计的;如果您对证书续订没有特定要求,并且定期执行Kubernetes版本升级(每次升级间隔不到1年(,kubeadm将负责保持集群的最新性和合理的安全性。
注意:为了保持安全,经常升级集群是最佳做法。
--Kubernetes.io:管理集群:Kubeadm证书:自动证书续订
为什么这是推荐的方式:
从最佳实践的角度来看,您应该升级control-plane以修补漏洞、添加功能并使用当前支持的版本。
每次control-plane升级都会按照说明续订证书(默认为true(:
$ kubeadm upgrade apply --help
--certificate-renewal Perform the renewal of certificates used by component changed during upgrades. (default true)
您还可以通过运行来检查control-plane证书的过期情况
$ kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf May 30, 2022 13:36 UTC 364d no
apiserver May 30, 2022 13:36 UTC 364d ca no
apiserver-etcd-client May 30, 2022 13:36 UTC 364d etcd-ca no
apiserver-kubelet-client May 30, 2022 13:36 UTC 364d ca no
controller-manager.conf May 30, 2022 13:36 UTC 364d no
etcd-healthcheck-client May 30, 2022 13:36 UTC 364d etcd-ca no
etcd-peer May 30, 2022 13:36 UTC 364d etcd-ca no
etcd-server May 30, 2022 13:36 UTC 364d etcd-ca no
front-proxy-client May 30, 2022 13:36 UTC 364d front-proxy-ca no
scheduler.conf May 30, 2022 13:36 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca May 28, 2031 13:36 UTC 9y no
etcd-ca May 28, 2031 13:36 UTC 9y no
front-proxy-ca May 28, 2031 13:36 UTC 9y no
旁注
kubelet.conf不包括在上面的列表中,因为kubeadm配置kubelet用于自动证书续订。
从默认情况下可以看到:
- kubeadm生成的客户端证书将在1年后过期
- kubeadm创建的CA将在10年后到期
还有其他功能允许您在";半自动";方法
您可以使用以下选项选择手动续订证书:
$ kubeadm certs renew
您可以自动(使用命令(续订指定的(或所有(证书:
$ kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
请具体查看输出:
You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
如前所述,您需要重新启动control-plane的组件才能使用新证书,但请记住:
$ kubectl delete pod -n kube-system kube-scheduler-ubuntu将不工作
您需要重新启动负责组件的docker容器:
$ docker ps | grep -i "scheduler"$ docker restart 8c361562701b(示例(
8c361562701b 38f903b54010 "kube-scheduler --au…" 11 minutes ago Up 11 minutes k8s_kube-scheduler_kube-scheduler-ubuntu_kube-system_dbb97c1c9c802fa7cf2ad7d07938bae9_5
b709e8fb5e6c k8s.gcr.io/pause:3.4.1 "/pause" About an hour ago Up About an hour k8s_POD_kube-scheduler-ubuntu_kube-system_dbb97c1c9c802fa7cf2ad7d07938bae9_0
如以下链接所示,kubelet可以自动续订其证书(kubeadm以启用此选项的方式配置集群(:
- Kubernetes.io:为Kubelet配置证书轮换
- Github.com:Kubernetes:Kubeadm:问题:--证书续订true不续订kubelet.conf
根据环境中使用的版本,可以禁用此功能。据我所知,目前在kubeadm管理的最新版本的k8s中,该选项默认启用。
请记住,在您开始使用任何kubernetes节点/控制平面/更新/升级到之前,请阅读";紧急升级说明";特定于您的k8s版本(示例(:
- Github.com:Kubernetes:CHANGELOG:1.21:紧急升级节点
定义证书轮换的自动方式可以采用任何一种方式,但您可以使用前面提到的命令来自动执行此过程。您需要创建一个脚本(您已经有了(,该脚本将被放入cron中,并在一段时间后启动并续订。
从kubernetes 1.8开始,增加了证书轮换。你可以在这里阅读,https://kubernetes.io/docs/tasks/tls/certificate-rotation/