这样安装的集群证书有效期是一年吧?kubeadm源码里面写死的是1年。
Closed this issue · 7 comments
leeningli commented
RT
cookeem commented
是的,快过期之前再用kubeadm重新生成一次证书就可以了。
leeningli commented
证书重新生成有单独的步骤吗?不是在kubeadm init时候生成的吗?中途重新生成的方法是怎么样的?对集群以及集群上的业务会有影响的吧。
salwell commented
还有1年的时效限制啊,是每个master中ca.key和ca.crt要更换,还是使用ca.key和ca.crt签署apiserver证书?
salwell commented
不过1年时间,早就换了N个版本了···
cookeem commented
$ kubeadm alpha phase certs --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha phase certs [command]
Aliases:
certs, certificates
Available Commands:
all Generates all PKI assets necessary to establish the control plane
apiserver Generates an API server serving certificate and key
apiserver-etcd-client Generates a client certificate for the API server to connect to etcd securely
apiserver-kubelet-client Generates a client certificate for the API server to connect to the kubelets securely
ca Generates a self-signed kubernetes CA to provision identities for components of the cluster
etcd-ca Generates a self-signed CA to provision identities for etcd
etcd-healthcheck-client Generates a client certificate for liveness probes to healthcheck etcd
etcd-peer Generates an etcd peer certificate and key
etcd-server Generates an etcd serving certificate and key
front-proxy-ca Generates a front proxy CA certificate and key for a Kubernetes cluster
front-proxy-client Generates a front proxy CA client certificate and key for a Kubernetes cluster
sa Generates a private key for signing service account tokens along with its public keycookeem commented
如果ca证书没有过期,是不需要替换的。v1.13的kubeam开始支持cert renew,官方推荐的方式。
如果你是用v1.11.X版本,建议进行升级,最近爆出来高危漏洞,可获取集群所有节点的root权限,建议进行升级到v1.11.5。 @dotbalo
cookeem commented
还没有,但是据说已经不是alpha了