k8s证书有效期修改为10年

发布时间:2026/6/30 13:29:01

k8s证书有效期修改为10年

> 安全提示：Kubernetes 没有证书吊销机制（API Server 不支持 CRL/OCSP），把叶子证书延长到 10 年意味着一份泄露的 admin.conf 或 apiserver-kubelet-client 证书在整整 10 年内都可用，只能靠轮换 CA 才能作废，请据此评估风险。其次，kubeadm 生成的 CA 自 `kubeadm init` 起只有 10 年有效期，叶子证书的实际可用期不可能超过 CA 的到期时间（CA 过期后整条证书链都失效）。另外，如果集群是 Kubernetes 1.31 及以上（kubeadm 配置 API v1beta4），据我了解无需重新编译：在 ClusterConfiguration 中设置 `certificateValidityPeriod`（以及 `caCertificateValidityPeriod`）后执行 `kubeadm certs renew all` 即可，请以对应版本的 kubeadm 文档为准。

## 1 查看当前有效期

    kubeadm certs check-expiration

## 2 备份证书和 etcd 数据

    # 备份证书
    mkdir /etc/kubernetes.bak
    cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
    cp /etc/kubernetes/*.conf /etc/kubernetes.bak
    # 备份 etcd 数据目录
    cp -r /var/lib/etcd /var/lib/etcd.bak

## 3 重新编译 kubeadm

下载与集群版本一致的源码（kubeadm 与集群的小版本必须匹配，不要把为 1.27 编译的二进制用在其他版本的集群上）：https://github.com/kubernetes/kubernetes/releases/tag/v1.27.4 。建议核对发布包的校验和/签名，并把改动保存为一个 git commit，方便以后审计和升级时重新应用。

    vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go

修改后的 `NewSignedCert`（只改了两处，见注释）：

```go
// NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {
	// Patch 1/2: issue leaf certificates for 10 years instead of the upstream
	// kubeadmconstants.CertificateValidity (1 year). Named by its real value so
	// nobody later reads "365d" and assumes one year.
	const certValidity10y = time.Hour * 24 * 365 * 10

	// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
	if err != nil {
		return nil, err
	}
	serial = new(big.Int).Add(serial, big.NewInt(1))
	if len(cfg.CommonName) == 0 {
		return nil, errors.New("must specify a CommonName")
	}

	keyUsage := x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
	if isCA {
		keyUsage |= x509.KeyUsageCertSign
	}

	RemoveDuplicateAltNames(&cfg.AltNames)

	// Patch 2/2: this line replaces the upstream
	// notAfter := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()
	notAfter := time.Now().Add(certValidity10y).UTC()
	if cfg.NotAfter != nil {
		notAfter = *cfg.NotAfter
	}
	// Optional hardening: never issue a leaf that outlives the signing CA; the
	// chain is rejected after caCert.NotAfter regardless of what is written here.
	if notAfter.After(caCert.NotAfter) {
		notAfter = caCert.NotAfter
	}

	certTmpl := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:              cfg.AltNames.DNSNames,
		IPAddresses:           cfg.AltNames.IPs,
		SerialNumber:          serial,
		NotBefore:             caCert.NotBefore,
		NotAfter:              notAfter,
		KeyUsage:              keyUsage,
		ExtKeyUsage:           cfg.Usages,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
```

编译 kubeadm 并替换原命令（先备份原二进制，出问题可以回滚）：

    $ make WHAT=cmd/kubeadm GOFLAGS=-v
    $ ls _output/bin/kubeadm
    _output/bin/kubeadm

    # 替换
    root@k8s-master02:~# mv /usr/local/bin/kubeadm /usr/local/bin/kubeadm.bak
    root@k8s-master02:~# cp _output/bin/kubeadm /usr/local/bin/kubeadm
    root@k8s-master02:~# chmod +x /usr/local/bin/kubeadm

## 4 更新证书

    # 使用新 kubeadm 更新证书
    kubeadm certs renew all

注意：`kubeadm certs renew all` 不会更新 kubelet.conf（kubelet 自行轮换客户端证书）。静态 Pod 不会自动重载证书，更新后必须重启 api-server、controller-manager、scheduler，例如把清单临时移出 manifests 目录再移回：

    root@k8s-master02:/etc/kubernetes/manifests# ls
    kube-apiserver.yaml  kube-controller-manager.yaml  kube-scheduler.yaml
    root@k8s-master02:~# mkdir -p /tmp/manifests.bak && mv /etc/kubernetes/manifests/*.yaml /tmp/manifests.bak/ && sleep 20 && mv /tmp/manifests.bak/*.yaml /etc/kubernetes/manifests/

多 master 集群需要在每个控制平面节点重复以上步骤；之后用新的 /etc/kubernetes/admin.conf 覆盖 ~/.kube/config，并再次执行 `kubeadm certs check-expiration` 确认新的到期时间。

## 6 补充

我在按照上述办法重新编译 1.33.4 版本的 kubeadm 时发现还是只能最多更新一年。从代码看，新版本的 `NotAfter` 优先取 `cfg.NotAfter`（应该是由 ClusterConfiguration 的 certificateValidityPeriod 推算出来的，默认 1 年），覆盖了我改的常量；把下面的代码注释掉、并把时间改成 9 年后才成功：

```go
const duration365d = time.Hour * 24 * 365 * 9
// ...
notAfter := time.Now().Add(duration365d).UTC()
// notAfter := notBefore.Add(kubeadmconstants.CertificateValidityPeriod)
// if !cfg.NotAfter.IsZero() {
// 	notAfter = cfg.NotAfter
// }
```

10 年不成功的一个可能原因是新证书的 NotAfter 超过了 CA 证书的 NotAfter（CA 自 init 起有效 10 年，集群已经运行了一段时间），可以用 `openssl x509 -noout -enddate -in /etc/kubernetes/pki/ca.crt` 与 apiserver.crt 的输出对比确认。在 1.31 及以上版本，更推荐直接在 ClusterConfiguration 里配置 certificateValidityPeriod 而不是改源码，这样既不用维护私有分支，也能过升级。
