I. Overview
kubeadm is the cluster bootstrapping tool shipped with Kubernetes. It is very convenient to use, but the certificates it creates for the apiserver, controller-manager and the other components are valid for only one year by default, and so is the kubelet certificate; once that year is up, the Kubernetes cluster stops serving.
Kubernetes cluster root certificate:
/etc/kubernetes/pki/ca.crt
/etc/kubernetes/pki/ca.key
......
The CA certificates generated by kubeadm are valid for 10 years by default; every other certificate (the etcd certificates, the apiserver certificate and so on) is valid for 1 year.
II. Preparation
[root@k8s-master etcd]# tree /etc/kubernetes/
/etc/kubernetes/
├── admin.conf
├── controller-manager.conf
├── kubelet.conf
├── manifests
│   ├── etcd.yaml
│   ├── kube-apiserver.yaml
│   ├── kube-controller-manager.yaml
│   └── kube-scheduler.yaml
├── pki
│   ├── apiserver.crt
│   ├── apiserver-etcd-client.crt
│   ├── apiserver-etcd-client.key
│   ├── apiserver.key
│   ├── apiserver-kubelet-client.crt
│   ├── apiserver-kubelet-client.key
│   ├── ca.crt
│   ├── ca.key
│   ├── etcd
│   │   ├── ca.crt
│   │   ├── ca.key
│   │   ├── healthcheck-client.crt
│   │   ├── healthcheck-client.key
│   │   ├── peer.crt
│   │   ├── peer.key
│   │   ├── server.crt
│   │   └── server.key
│   ├── front-proxy-ca.crt
│   ├── front-proxy-ca.key
│   ├── front-proxy-client.crt
│   ├── front-proxy-client.key
│   ├── sa.key
│   └── sa.pub
└── scheduler.conf

3 directories, 30 files
Inspect the certificates:
[root@k8s-master]# cd /etc/kubernetes/pki
[root@k8s-master pki]# openssl x509 -in front-proxy-client.crt -noout -text |grep Not
Not Before: Jul 29 12:07:53 2020 GMT
Not After : Jul 29 12:07:54 2021 GMT
[root@k8s-master pki]# openssl x509 -in apiserver.crt -noout -text |grep Not
Not Before: Jul 29 12:07:52 2020 GMT
Not After : Jul 29 12:07:53 2021 GMT
[root@k8s-master pki]# openssl x509 -in front-proxy-client.crt -noout -text |grep Not
Not Before: Aug 1 08:36:22 2019 GMT
Not After : Jul 31 10:47:04 2021 GMT
[root@k8s-master pki]# openssl x509 -in apiserver.crt -noout -text |grep Not
Not Before: Aug 1 08:36:24 2019 GMT
Not After : Jul 31 10:47:04 2021 GMT
............
[root@k8s-master kubernetes]# find /etc/kubernetes/pki/ -type f -name "*.crt" -print|egrep -v 'ca.crt$'|xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep Not'
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/server.crt|grep Not
Not Before: Aug 1 08:36:23 2019 GMT
Not After : Jul 31 10:47:03 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/healthcheck-client.crt|grep Not
Not Before: Aug 1 08:36:23 2019 GMT
Not After : Jul 31 10:47:03 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/peer.crt|grep Not
Not Before: Aug 1 08:36:23 2019 GMT
Not After : Jul 31 10:47:03 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-etcd-client.crt|grep Not
Not Before: Aug 1 08:36:23 2019 GMT
Not After : Jul 31 10:47:04 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-kubelet-client.crt|grep Not
Not Before: Aug 1 08:36:24 2019 GMT
Not After : Jul 31 10:47:04 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt|grep Not
Not Before: Aug 1 08:36:24 2019 GMT
Not After : Jul 31 10:47:04 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/front-proxy-client.crt|grep Not
Not Before: Aug 1 08:36:22 2019 GMT
Not After : Jul 31 10:47:04 2021 GMT
[root@k8s-master kubernetes]# find /etc/kubernetes/pki/ -type f -name "*.crt" -print|egrep -v 'ca.crt$'|xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep After'
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/server.crt|grep After
Not After : Jul 31 10:47:03 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/healthcheck-client.crt|grep After
Not After : Jul 31 10:47:03 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/peer.crt|grep After
Not After : Jul 31 10:47:03 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-etcd-client.crt|grep After
Not After : Jul 31 10:47:04 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-kubelet-client.crt|grep After
Not After : Jul 31 10:47:04 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt|grep After
Not After : Jul 31 10:47:04 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/front-proxy-client.crt|grep After
Not After : Jul 31 10:47:04 2021 GMT
[root@k8s-master pki]# ls -l
总用量 56
-rw-r--r-- 1 root root 1224 7月 31 18:47 apiserver.crt
-rw-r--r-- 1 root root 1090 7月 31 18:47 apiserver-etcd-client.crt
-rw------- 1 root root 1675 7月 31 18:47 apiserver-etcd-client.key
-rw------- 1 root root 1675 7月 31 18:47 apiserver.key
-rw-r--r-- 1 root root 1099 7月 31 18:47 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 7月 31 18:47 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 8月 1 2019 ca.crt
-rw------- 1 root root 1675 8月 1 2019 ca.key
drwxr-xr-x 2 root root 162 7月 31 18:47 etcd
-rw-r--r-- 1 root root 1038 8月 1 2019 front-proxy-ca.crt
-rw------- 1 root root 1679 8月 1 2019 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 7月 31 18:47 front-proxy-client.crt
-rw------- 1 root root 1675 7月 31 18:47 front-proxy-client.key
-rw------- 1 root root 1679 8月 1 2019 sa.key
-rw------- 1 root root 451 8月 1 2019 sa.pub
[root@k8s-master pki]# openssl x509 -in ca.crt -noout -text |grep Not
Not Before: Aug 1 08:36:24 2019 GMT
Not After : Jul 29 08:36:24 2029 GMT
[root@k8s-master pki]# cd etcd/
[root@k8s-master etcd]# ls -l
总用量 32
-rw-r--r-- 1 root root 1017 8月 1 2019 ca.crt
-rw------- 1 root root 1679 8月 1 2019 ca.key
-rw-r--r-- 1 root root 1094 7月 31 18:47 healthcheck-client.crt
-rw------- 1 root root 1675 7月 31 18:47 healthcheck-client.key
-rw-r--r-- 1 root root 1135 7月 31 18:47 peer.crt
-rw------- 1 root root 1679 7月 31 18:47 peer.key
-rw-r--r-- 1 root root 1127 7月 31 18:47 server.crt
-rw------- 1 root root 1675 7月 31 18:47 server.key
[root@k8s-master etcd]# openssl x509 -in ca.crt -noout -text |grep Not
Not Before: Aug 1 08:36:23 2019 GMT
Not After : Jul 29 08:36:23 2029 GMT
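The one-liners above grep "Not After" out of every leaf certificate, skip the CAs and leave the date arithmetic to the reader. The script below is an added example, not part of the original post: it walks the PKI directory (CAs included, since an expired CA takes every leaf with it), computes the remaining days for each certificate and flags anything inside a warning window. It assumes GNU date (date -d) and openssl on the host; the default path is the kubeadm one shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): report the remaining validity of
# every certificate under a kubeadm PKI directory and flag the ones inside a
# warning window. Assumes GNU date and openssl on the host.

# Print the "Not After" string of a PEM certificate, e.g. "Jul 31 10:47:04 2021 GMT".
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" | cut -d= -f2
}

# Whole days from NOW (default: current UTC time) until NOT_AFTER.
# Negative when already expired; floors so "expired three hours ago" is -1, not 0.
days_until() {
  local not_after=$1 now=${2:-now}
  local end_s now_s diff
  end_s=$(date -u -d "$not_after" +%s)
  now_s=$(date -u -d "$now" +%s)
  diff=$((end_s - now_s))
  if [ "$diff" -lt 0 ]; then
    echo $(( (diff - 86399) / 86400 ))
  else
    echo $(( diff / 86400 ))
  fi
}

# Classify remaining days against a warning threshold (in days).
expiry_status() {
  local days=$1 threshold=$2
  if [ "$days" -lt 0 ]; then
    echo EXPIRED
  elif [ "$days" -lt "$threshold" ]; then
    echo WARN
  else
    echo OK
  fi
}

# Walk the PKI tree (leaf certificates and CAs alike), one line per certificate.
check_pki_dir() {
  local dir=${1:-/etc/kubernetes/pki} threshold=${2:-30}
  local crt not_after days status
  printf '%-8s %5s  %-26s %s\n' STATUS DAYS 'NOT AFTER' FILE
  find "$dir" -type f -name '*.crt' | sort | while read -r crt; do
    not_after=$(cert_not_after "$crt")
    days=$(days_until "$not_after")
    status=$(expiry_status "$days" "$threshold")
    printf '%-8s %5s  %-26s %s\n' "$status" "$days" "$not_after" "$crt"
  done
}

# Scan only when a directory is given, so the file can be sourced for its
# functions without side effects. Usage: ./check-certs.sh /etc/kubernetes/pki 30
if [ -n "${1:-}" ]; then
  check_pki_dir "$1" "${2:-30}"
fi
```

Running it with a threshold of 30 days from cron on each master turns the silent one-year cliff described in the overview into an early warning; the same output makes a reasonable input for a monitoring check.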
Backup (very important):
[root@k8s-master ]# cd /etc/kubernetes
[root@k8s-master kubernetes]# mkdir ./pki_bak
[root@k8s-master kubernetes]# mkdir ./pki_bak/etcd
[root@k8s-master kubernetes]# mkdir ./conf_bak
[root@k8s-master kubernetes]# cp pki/apiserver* ./pki_bak/
[root@k8s-master kubernetes]# cp pki/front-proxy-client.* ./pki_bak/
[root@k8s-master kubernetes]# cp pki/etcd/healthcheck-client.* ./pki_bak/etcd/
[root@k8s-master kubernetes]# cp pki/etcd/peer.* ./pki_bak/etcd/
[root@k8s-master kubernetes]# cp pki/etcd/server.* ./pki_bak/etcd/
[root@k8s-master kubernetes]# cp ./admin.conf ./conf_bak/
[root@k8s-master kubernetes]# cp ./kubelet.conf ./conf_bak/
[root@k8s-master kubernetes]# cp ./controller-manager.conf ./conf_bak/
[root@k8s-master kubernetes]# cp ./scheduler.conf ./conf_bak/
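The copy commands above save a hand-picked subset of files. As an added example (not the post's own procedure), the script below backs up the entire pki tree and every kubeconfig file into a timestamped directory with cp -a, so private keys keep their 0600 mode, and then compares the copy against the source so an incomplete backup is noticed before anything is renewed. The destination /root/kube-backup is an assumed default.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): full, permission-preserving backup
# of the kubeadm PKI tree and kubeconfig files, followed by a verification pass.

# Copy SRC_DIR/pki and SRC_DIR/*.conf into a timestamped directory under
# BACKUP_ROOT and print that directory. cp -a keeps owner, mode and mtime, so
# the 0600 private keys stay unreadable to other users in the backup as well.
backup_kube_pki() {
  local src=${1:-/etc/kubernetes} root=${2:-/root/kube-backup}
  local dest="$root/$(date -u +%Y%m%dT%H%M%SZ)"
  mkdir -p "$dest"
  cp -a "$src/pki" "$dest/"
  # kubeconfig files live directly under /etc/kubernetes
  find "$src" -maxdepth 1 -name '*.conf' -exec cp -a {} "$dest/" \;
  echo "$dest"
}

# Walk the SOURCE (not the backup), so a file missing from the copy counts as a
# mismatch too. Prints the number of mismatching files and returns non-zero
# when that number is not 0.
verify_backup() {
  local src dest bad
  src=$(cd "$1" && pwd)
  dest=$(cd "$2" && pwd)
  bad=$(cd "$src" && { find pki -type f; find . -maxdepth 1 -name '*.conf'; } \
        | while read -r f; do
            cmp -s "$f" "$dest/${f#./}" || { echo "MISMATCH: $f" >&2; echo x; }
          done | wc -l | tr -d ' ')
  echo "$bad"
  [ "$bad" -eq 0 ]
}

# Usage: ./backup-pki.sh  (defaults) or ./backup-pki.sh /etc/kubernetes /root/kube-backup
if [ -n "${1:-}" ]; then
  dest=$(backup_kube_pki "$1" "${2:-/root/kube-backup}")
  verify_backup "$1" "$dest" >/dev/null && echo "backup verified: $dest"
fi
```

Keep the backup directory on the master itself (it holds CA and service-account private keys, so it should not travel further than the node they protect) and remove it once the renewal has been verified.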
III. Certificate categories
1. Cluster root certificate:
[root@k8s-master images]# ll /etc/kubernetes/pki/ca*
-rw-r--r-- 1 root root 1025 8月 1 2019 /etc/kubernetes/pki/ca.crt
-rw------- 1 root root 1675 8月 1 2019 /etc/kubernetes/pki/ca.key
2. Certificates issued by this cluster root CA:
1) Serving certificate held by the kube-apiserver component
[root@k8s-master pki]# ll /etc/kubernetes/pki/apiserver.*
-rw-r--r-- 1 root root 1224 7月 31 18:47 /etc/kubernetes/pki/apiserver.crt
-rw------- 1 root root 1675 7月 31 18:47 /etc/kubernetes/pki/apiserver.key
2) Client certificate for the kubelet (the one the API server uses to connect to the kubelet)
[root@k8s-master pki]# ll /etc/kubernetes/pki/apiserver-kubelet-client.*
-rw-r--r-- 1 root root 1099 7月 31 18:47 /etc/kubernetes/pki/apiserver-kubelet-client.crt
-rw------- 1 root root 1675 7月 31 18:47 /etc/kubernetes/pki/apiserver-kubelet-client.key
Note: the kubelet configuration file /var/lib/kubelet/config.yaml normally does not name a serving certificate explicitly; it only points at the CA root certificate, and the kubelet generates its own serving certificate from the local host information and stores it in the configured cert-dir directory.
[root@k8s-master kubelet]# pwd
/var/lib/kubelet
[root@k8s-master kubelet]# cat config.yaml
address: 0.0.0.0
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
cgroupDriver: cgroupfs
cgroupsPerQOS: true
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
configMapAndSecretChangeDetectionStrategy: Watch
containerLogMaxFiles: 5
containerLogMaxSize: 10Mi
contentType: application/vnd.kubernetes.protobuf
cpuCFSQuota: true
cpuCFSQuotaPeriod: 100ms
cpuManagerPolicy: none
cpuManagerReconcilePeriod: 10s
enableControllerAttachDetach: true
enableDebuggingHandlers: true
enforceNodeAllocatable:
- pods
eventBurst: 10
eventRecordQPS: 5
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
evictionPressureTransitionPeriod: 5m0s
failSwapOn: true
fileCheckFrequency: 20s
hairpinMode: promiscuous-bridge
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 20s
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80
imageMinimumGCAge: 2m0s
iptablesDropBit: 15
iptablesMasqueradeBit: 14
kind: KubeletConfiguration
kubeAPIBurst: 10
kubeAPIQPS: 5
makeIPTablesUtilChains: true
maxOpenFiles: 1000000
maxPods: 110
nodeLeaseDurationSeconds: 40
nodeStatusUpdateFrequency: 10s
oomScoreAdj: -999
podPidsLimit: -1
port: 10250
registryBurst: 10
registryPullQPS: 5
resolvConf: /etc/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 4h0m0s
syncFrequency: 1m0s
volumeStatsAggPeriod: 1m0s
3) Aggregation-layer (front proxy) certificate
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/front-proxy-ca.*
-rw-r--r-- 1 root root 1038 8月 1 2019 /etc/kubernetes/pki/front-proxy-ca.crt
-rw------- 1 root root 1679 8月 1 2019 /etc/kubernetes/pki/front-proxy-ca.key
Certificates issued by this front-proxy root CA:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/front-proxy-client.*
-rw-r--r-- 1 root root 1058 7月 31 18:47 /etc/kubernetes/pki/front-proxy-client.crt
-rw------- 1 root root 1675 7月 31 18:47 /etc/kubernetes/pki/front-proxy-client.key
3. etcd cluster root certificate:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/etcd/ca.*
-rw-r--r-- 1 root root 1017 8月 1 2019 /etc/kubernetes/pki/etcd/ca.crt
-rw------- 1 root root 1679 8月 1 2019 /etc/kubernetes/pki/etcd/ca.key
Certificates issued by this etcd root CA:
etcd server serving certificate:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/etcd/server.*
-rw-r--r-- 1 root root 1127 7月 31 18:47 /etc/kubernetes/pki/etcd/server.crt
-rw------- 1 root root 1675 7月 31 18:47 /etc/kubernetes/pki/etcd/server.key
Client certificate used by the etcd cluster peers to talk to each other:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/etcd/peer.*
-rw-r--r-- 1 root root 1135 7月 31 18:47 /etc/kubernetes/pki/etcd/peer.crt
-rw------- 1 root root 1679 7月 31 18:47 /etc/kubernetes/pki/etcd/peer.key
Client certificate used by the liveness probe defined in the etcd pod:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/etcd/healthcheck-client.*
-rw-r--r-- 1 root root 1094 7月 31 18:47 /etc/kubernetes/pki/etcd/healthcheck-client.crt
-rw------- 1 root root 1675 7月 31 18:47 /etc/kubernetes/pki/etcd/healthcheck-client.key
Client certificate configured in kube-apiserver for mutual authentication with the etcd server:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/apiserver-etcd-client.*
-rw-r--r-- 1 root root 1090 7月 31 18:47 /etc/kubernetes/pki/apiserver-etcd-client.crt
-rw------- 1 root root 1675 7月 31 18:47 /etc/kubernetes/pki/apiserver-etcd-client.key
4. Service Account keys:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/sa.*
-rw------- 1 root root 1679 8月 1 2019 /etc/kubernetes/pki/sa.key
-rw------- 1 root root 451 8月 1 2019 /etc/kubernetes/pki/sa.pub
The Service Account key pair is used only by kube-controller-manager: kube-controller-manager signs tokens with sa.key, and the master node verifies those signatures with the public key sa.pub.
API Server authentication process:
The API Server's authenticating stage supports several identity verification methods: client cert, bearer token, static password auth and so on. As long as one of them passes authentication (the Kubernetes API Server tries each method in turn), the identity check succeeds.
Once the API Server sees that a client request carries a service account token, it automatically verifies the identity with the signed bearer token method, and the service account token carried by the request takes part in that verification. The token was signed when the service account was created, using the value of the API server start-up parameter --service-account-key-file. If no value is passed for --service-account-key-file, the value of --tls-private-key-file, i.e. the API Server's own private key (server.key), is used by default.
After authenticating, the API Server processes the request through the authorization and admission control stages according to the permissions of the groups the Pod's username belongs to: system:serviceaccounts and system:serviceaccounts:(NAMESPACE). In these two stages the cluster administrator can fine-tune the service account's permissions.
In a cluster created by kubeadm, kube-proxy, flannel and CoreDNS run as pods; inside the pod they authenticate to kube-apiserver directly with a service account, so no separate certificate needs to be created for kube-proxy.
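To make the sa.key / sa.pub relationship above concrete, here is an added example (not from the original post) that takes a service account token apart. The token is a JWT of the form header.payload.signature, where the RS256 signature over "header.payload" is produced with sa.key and checked with sa.pub. The decoding helpers run anywhere; jwt_verify_rs256 needs openssl and the sa.pub of the cluster that issued the token. The sample token is constructed with a placeholder signature, so it decodes but will not verify against any key.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): decode a service account JWT and
# verify its RS256 signature with sa.pub. Requires base64 (coreutils) for the
# decoding helpers and openssl for the signature check.

# base64url -> bytes: restore the standard alphabet and padding, then decode.
b64url_decode() {
  local s=$1
  s=$(printf '%s' "$s" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# Print part N of a JWT (1 = header, 2 = payload, 3 = signature), still encoded.
jwt_part() {
  printf '%s' "$1" | cut -d. -f"$2"
}

# Print the decoded payload (JSON) of a token.
jwt_payload() {
  b64url_decode "$(jwt_part "$1" 2)"
}

# Extract a top-level string claim, e.g. "sub" or
# "kubernetes.io/serviceaccount/namespace", from a decoded payload.
# Minimal sed parsing: assumes flat JSON with string values, as SA tokens have.
claim() {
  printf '%s' "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Verify the RS256 signature of TOKEN against PUB (default: the cluster's sa.pub).
# Returns 0 only when the signature over "header.payload" is valid for that key.
jwt_verify_rs256() {
  local token=$1 pub=${2:-/etc/kubernetes/pki/sa.pub} sig rc
  sig=$(mktemp)
  b64url_decode "$(jwt_part "$token" 3)" > "$sig"
  printf '%s' "$(jwt_part "$token" 1).$(jwt_part "$token" 2)" \
    | openssl dgst -sha256 -verify "$pub" -signature "$sig" >/dev/null 2>&1
  rc=$?
  rm -f "$sig"
  return $rc
}

# Constructed sample: the header and payload have the shape kube-controller-manager
# emits for a kube-proxy service account; the signature is the placeholder
# string "placeholder", so jwt_verify_rs256 will reject it.
SAMPLE_TOKEN=$(printf '%s' '{"alg":"RS256","kid":""}' | base64 | tr '+/' '-_' | tr -d '=\n').$(printf '%s' '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"kube-proxy","sub":"system:serviceaccount:kube-system:kube-proxy"}' | base64 | tr '+/' '-_' | tr -d '=\n').cGxhY2Vob2xkZXI

# Usage: ./sa-token.sh <token> [sa.pub]  -- prints the claims and the verdict.
if [ -n "${1:-}" ]; then
  jwt_payload "$1"; echo
  if jwt_verify_rs256 "$1" "${2:-/etc/kubernetes/pki/sa.pub}"; then
    echo "signature: valid for $(claim "$(jwt_payload "$1")" sub)"
  else
    echo "signature: INVALID (not signed by the given sa.pub)"
  fi
fi
```

Because only the holder of sa.key can produce a signature that sa.pub accepts, a token that verifies is proof the controller-manager of this cluster issued it; a token that decodes cleanly but fails the check was minted elsewhere or with a rotated key.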
--------------------------------------------- Procedure for Kubernetes versions below 1.15 ---------------------------------------------
Note: verified working on 1.12.1
1. Inspect the kubeadm-config configuration
Note: the kubeadm configuration differs slightly from one master node to another. When renewing certificates, each master passes after --config the kubeadm configuration file that was used for that master when the cluster was originally created.
[root@k8s-master kubernetes]# kubectl -n kube-system get cm kubeadm-config -oyaml
apiVersion: v1
data:
  ClusterConfiguration: |
    apiServerExtraArgs:
      authorization-mode: Node,RBAC
    apiVersion: kubeadm.k8s.io/v1alpha3
    auditPolicy:
      logDir: /var/log/kubernetes/audit
      logMaxAge: 2
      path: ""
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    controlPlaneEndpoint: ""
    etcd:
      local:
        dataDir: /var/lib/etcd
        image: ""
    imageRepository: k8s.gcr.io
    kind: ClusterConfiguration
    kubernetesVersion: v1.12.1
    networking:
      dnsDomain: cluster.local
      podSubnet: 10.244.0.0/16
      serviceSubnet: 10.96.0.0/12
    unifiedControlPlaneImage: ""
  ClusterStatus: |
    apiEndpoints:
      k8s-master:
        advertiseAddress: 192.101.10.80
        bindPort: 6443
    apiVersion: kubeadm.k8s.io/v1alpha3
    kind: ClusterStatus
kind: ConfigMap
metadata:
  creationTimestamp: 2019-08-01T08:36:48Z
  name: kubeadm-config
  namespace: kube-system
  resourceVersion: "174"
  selfLink: /api/v1/namespaces/kube-system/configmaps/kubeadm-config
  uid: 80959d9d-b437-11e9-8e73-6c92bfa51bf6
2. Create kubeadm-cluster.yaml
# touch kubeadm-cluster.yaml
# vi kubeadm-cluster.yaml
apiServerExtraArgs:
  authorization-mode: Node,RBAC
apiVersion: kubeadm.k8s.io/v1alpha3
auditPolicy:
  logDir: /var/log/kubernetes/audit
  logMaxAge: 2
  path: ""
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: ""
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.12.1
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
unifiedControlPlaneImage: ""
3. Read the help
Note: the certificate renew command differs slightly between kubeadm versions, so check against the kubeadm that is actually installed. kubeadm alpha --help prints output similar to the following:
[root@k8s-master yaml]# kubeadm alpha --help
Experimental sub-commands not yet fully functional.
Usage:
kubeadm alpha [command]
Available Commands:
phase Invoke subsets of kubeadm functions separately for a manual install.
Flags:
-h, --help help for alpha
Global Flags:
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
-v, --v Level log level for V logs
Use "kubeadm alpha [command] --help" for more information about a command.
[root@k8s-master yaml]# kubeadm alpha phase certs --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha phase certs [command]
Aliases:
certs, certificates
Available Commands:
all Generates all PKI assets necessary to establish the control plane
apiserver Generates the certificate for serving the kubernetes API
apiserver-etcd-client Generates the client apiserver uses to access etcd
apiserver-kubelet-client Generates the Client certificate for the API server to connect to kubelet
ca Generates the self-signed kubernetes CA to provision identities for other kuberenets components
etcd-ca Generates the self-signed CA to provision identities for etcd
etcd-healthcheck-client Generates the client certificate for liveness probes to healtcheck etcd
etcd-peer Generates the credentials for etcd nodes to communicate with each other
etcd-server Generates the certificate for serving etcd
front-proxy-ca Generates the self-signed CA to provision identities for front proxy
front-proxy-client Generates the client for the front proxy
renew Renews certificates for a Kubernetes cluster
sa Generates a private key for signing service account tokens along with its public key
Flags:
-h, --help help for certs
Global Flags:
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
-v, --v Level log level for V logs
Use "kubeadm alpha phase certs [command] --help" for more information about a command.
[root@k8s-master yaml]# kubeadm alpha phase certs renew --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha phase certs renew [flags]
kubeadm alpha phase certs renew [command]
Available Commands:
all renew all available certificates
apiserver Generates the certificate for serving the kubernetes API
apiserver-etcd-client Generates the client apiserver uses to access etcd
apiserver-kubelet-client Generates the Client certificate for the API server to connect to kubelet
etcd-healthcheck-client Generates the client certificate for liveness probes to healtcheck etcd
etcd-peer Generates the credentials for etcd nodes to communicate with each other
etcd-server Generates the certificate for serving etcd
front-proxy-client Generates the client for the front proxy
Flags:
-h, --help help for renew
Global Flags:
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
-v, --v Level log level for V logs
Use "kubeadm alpha phase certs renew [command] --help" for more information about a command.
4. Regenerate each of the master's certificates
kubeadm alpha phase certs renew etcd-healthcheck-client --config kubeadm-cluster.yaml
kubeadm alpha phase certs renew etcd-peer --config kubeadm-cluster.yaml
kubeadm alpha phase certs renew etcd-server --config kubeadm-cluster.yaml
kubeadm alpha phase certs renew front-proxy-client --config kubeadm-cluster.yaml
kubeadm alpha phase certs renew apiserver-etcd-client --config kubeadm-cluster.yaml
kubeadm alpha phase certs renew apiserver-kubelet-client --config kubeadm-cluster.yaml
kubeadm alpha phase certs renew apiserver --config kubeadm-cluster.yaml
5. Verify the updated validity periods
[root@k8s-master images]# find /etc/kubernetes/pki/ -type f -name "*.crt" -print|egrep -v 'ca.crt$'|xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep After'
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/server.crt|grep After
Not After : Aug 1 10:20:09 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/healthcheck-client.crt|grep After
Not After : Aug 1 10:19:54 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/peer.crt|grep After
Not After : Aug 1 10:20:02 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-etcd-client.crt|grep After
Not After : Aug 1 10:20:25 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-kubelet-client.crt|grep After
Not After : Aug 1 10:20:32 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt|grep After
Not After : Aug 1 10:20:39 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/front-proxy-client.crt|grep After
Not After : Aug 1 10:20:18 2021 GMT
6. Regenerate the configuration files
1) Read the help:
[root@k8s-master manifests]# kubeadm alpha phase kubeconfig --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha phase kubeconfig [command]
Available Commands:
admin Generates a kubeconfig file for the admin to use and for kubeadm itself
all Generates all kubeconfig files necessary to establish the control plane and the admin kubeconfig file
controller-manager Generates a kubeconfig file for the controller manager to use
kubelet Generates a kubeconfig file for the kubelet to use. Please note that this should be used *only* for bootstrapping purposes
scheduler Generates a kubeconfig file for the scheduler to use
user Outputs a kubeconfig file for an additional user
Flags:
-h, --help help for kubeconfig
Global Flags:
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
-v, --v Level log level for V logs
Use "kubeadm alpha phase kubeconfig [command] --help" for more information about a command.
2) Back up the cluster configuration files and regenerate them:
[root@k8s-master yaml]# find /etc/kubernetes/ -name '*.conf'|xargs -i mv {}{,bak}
[root@k8s-master yaml]# kubeadm alpha phase kubeconfig all --config kubeadm-cluster.yaml
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"
Or run it step by step:
kubeadm alpha phase kubeconfig kubelet --config kubeadm-cluster.yaml
kubeadm alpha phase kubeconfig admin --config kubeadm-cluster.yaml
kubeadm alpha phase kubeconfig scheduler --config kubeadm-cluster.yaml
kubeadm alpha phase kubeconfig controller-manager --config kubeadm-cluster.yaml
3) Reconfigure the kubectl credentials:
mv $HOME/.kube/config $HOME/.kube/config.old
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
7. Verify the updated cluster
Verify the Kubernetes cluster: kubectl cluster-info and kubectl get nodes should return the expected results.
[root@k8s-master images]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 1y v1.12.1
k8s-node1 Ready <none> 1y v1.12.1
k8s-node2 Ready <none> 1y v1.12.1
Confirm that the Kubernetes system services are running normally (the core ones are kube-apiserver, kube-controller-manager, kube-proxy and kube-flannel): kubectl get pods -n kube-system
[root@k8s-master images]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-576cbf47c7-fk7j9 1/1 Running 0 1y
coredns-576cbf47c7-p4f4q 1/1 Running 0 1y
etcd-k8s-master 1/1 Running 2 1y
kube-apiserver-k8s-master 1/1 Running 0 2h
kube-controller-manager-k8s-master 1/1 Running 1 2h
kube-flannel-ds-amd64-f2csl 1/1 Running 0 1y
kube-flannel-ds-amd64-wm2b6 1/1 Running 0 1y
kube-flannel-ds-amd64-wrnnk 1/1 Running 1 1y
kube-proxy-cz5xg 1/1 Running 0 1y
kube-proxy-fnr96 1/1 Running 0 1y
kube-proxy-xbrcb 1/1 Running 0 1y
kube-scheduler-k8s-master 1/1 Running 1 1y
kubernetes-dashboard-77fd78f978-jl98q 1/1 Running 0 218d
Check the running state of the pods: kubectl get pods --all-namespaces
[root@k8s-master images]# kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default bbcx-service-7c4bb5456-bksqb 1/1 Running 0 7h
default bbcx-vue-5569488679-zd75m 1/1 Running 1 7h
default cip-data-service-66ffd668dd-2l4wv 1/1 Running 0 17d
default cip-job-5fb59f9d84-4lrb4 1/1 Running 0 17d
default consul-0 1/1 Running 0 193d
...................
--------------------------------------------- Procedure for Kubernetes 1.15 and above ---------------------------------------------
Note: verified working on Kubernetes 1.16.3 and 1.18.2; does not work on 1.12.1
Option 1:
1. Check the exact expiry times
kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Jul 29, 2021 12:07 UTC   362d            no
apiserver                  Jul 29, 2021 12:07 UTC   362d            no
apiserver-etcd-client      Jul 29, 2021 12:07 UTC   362d            no
apiserver-kubelet-client   Jul 29, 2021 12:07 UTC   362d            no
controller-manager.conf    Jul 29, 2021 12:07 UTC   362d            no
etcd-healthcheck-client    Jul 29, 2021 12:07 UTC   362d            no
etcd-peer                  Jul 29, 2021 12:07 UTC   362d            no
etcd-server                Jul 29, 2021 12:07 UTC   362d            no
front-proxy-client         Jul 29, 2021 12:07 UTC   362d            no
scheduler.conf             Jul 29, 2021 12:07 UTC   362d            no
2. Read the help
[root@hadoop009 images]# kubeadm alpha certs renew --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha certs renew [flags]
kubeadm alpha certs renew [command]
Available Commands:
admin.conf Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
all Renew all available certificates
apiserver Renew the certificate for serving the Kubernetes API
apiserver-etcd-client Renew the certificate the apiserver uses to access etcd
apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
controller-manager.conf Renew the certificate embedded in the kubeconfig file for the controller manager to use
etcd-healthcheck-client Renew the certificate for liveness probes to healthcheck etcd
etcd-peer Renew the certificate for etcd nodes to communicate with each other
etcd-server Renew the certificate for serving etcd
front-proxy-client Renew the certificate for the front proxy client
scheduler.conf Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
Flags:
-h, --help help for renew
Global Flags:
--add-dir-header If true, adds the file directory to the header
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm alpha certs renew [command] --help" for more information about a command.
Note: as the help shows, renewal can also target a single certificate.
3. Renew the certificates
Renew all certificates, extending each of them by one year:
$ kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Note: the renewal must be run on every master node.
4. Verify the renewal
# ls -l
总用量 56
-rw-r--r-- 1 root root 1220 7月 31 22:48 apiserver.crt
-rw-r--r-- 1 root root 1090 7月 31 22:48 apiserver-etcd-client.crt
-rw------- 1 root root 1679 7月 31 22:48 apiserver-etcd-client.key
-rw------- 1 root root 1675 7月 31 22:48 apiserver.key
-rw-r--r-- 1 root root 1099 7月 31 22:48 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 7月 31 22:48 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 7月 29 20:07 ca.crt
-rw------- 1 root root 1679 7月 29 20:07 ca.key
drwxr-xr-x 2 root root 162 7月 29 20:07 etcd
-rw-r--r-- 1 root root 1038 7月 29 20:07 front-proxy-ca.crt
-rw------- 1 root root 1675 7月 29 20:07 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 7月 31 22:48 front-proxy-client.crt
-rw------- 1 root root 1679 7月 31 22:48 front-proxy-client.key
-rw------- 1 root root 1675 7月 29 20:07 sa.key
-rw------- 1 root root 451 7月 29 20:07 sa.pub
# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 01, 2021 07:38 UTC   364d                                    no
apiserver                  Aug 01, 2021 07:38 UTC   364d            ca                      no
apiserver-etcd-client      Aug 01, 2021 07:38 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Aug 01, 2021 07:38 UTC   364d            ca                      no
controller-manager.conf    Aug 01, 2021 07:38 UTC   364d                                    no
etcd-healthcheck-client    Aug 01, 2021 07:38 UTC   364d            etcd-ca                 no
etcd-peer                  Aug 01, 2021 07:38 UTC   364d            etcd-ca                 no
etcd-server                Aug 01, 2021 07:38 UTC   364d            etcd-ca                 no
front-proxy-client         Aug 01, 2021 07:38 UTC   364d            front-proxy-ca          no
scheduler.conf             Aug 01, 2021 07:38 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 27, 2030 13:01 UTC   9y              no
etcd-ca                 Jul 27, 2030 13:01 UTC   9y              no
front-proxy-ca          Jul 27, 2030 13:01 UTC   9y              no
[root@hadoop010 etcd]# kubectl -n kube-system get cm kubeadm-config -oyaml
apiVersion: v1
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        authorization-mode: Node,RBAC
      timeoutForControlPlane: 4m0s
    apiVersion: kubeadm.k8s.io/v1beta2
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    controlPlaneEndpoint: 192.101.11.162:6443
    controllerManager: {}
    dns:
      type: CoreDNS
    etcd:
      local:
        dataDir: /var/lib/etcd
    imageRepository: k8s.gcr.io
    kind: ClusterConfiguration
    kubernetesVersion: v1.18.2
    networking:
      dnsDomain: cluster.local
      podSubnet: 10.244.0.0/16
      serviceSubnet: 10.96.0.0/12
    scheduler: {}
  ClusterStatus: |
    apiEndpoints:
      hadoop010:
        advertiseAddress: 192.101.11.162
        bindPort: 6443
    apiVersion: kubeadm.k8s.io/v1beta2
    kind: ClusterStatus
kind: ConfigMap
metadata:
  creationTimestamp: "2020-07-29T13:02:16Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ClusterConfiguration: {}
        f:ClusterStatus: {}
    manager: kubeadm
    operation: Update
    time: "2020-07-29T13:02:16Z"
  name: kubeadm-config
  namespace: kube-system
  resourceVersion: "157"
  selfLink: /api/v1/namespaces/kube-system/configmaps/kubeadm-config
  uid: 2e049082-fa64-4e2e-ad73-af9fc94a051e
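check-expiration and ls -l confirm that the files were rewritten, but not that each new certificate still chains to the right CA, that its private key was kept in step, or that the kubeconfig files now embed the renewed client certificates. The script below is an added example, not part of the original post, and applies to both procedures (regenerated kubeconfigs on 1.12, in-place renewal on 1.15+). It assumes openssl and base64 on the host and the kubeadm paths shown above; kubelet.conf is skipped because with rotateCertificates: true the kubelet usually points at /var/lib/kubelet/pki/kubelet-client-current.pem instead of embedding a certificate.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): post-renewal consistency checks.
# Requires openssl and base64; paths default to the kubeadm locations.

# Decode the first client-certificate-data entry of a kubeconfig to PEM on stdout.
kubeconfig_client_cert() {
  awk '/client-certificate-data:/ { print $2; exit }' "$1" | base64 -d
}

# Return 0 when CERT was issued by CA_CERT and is currently within its validity period.
cert_chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 when the public key inside CERT equals the public key derived from KEY.
cert_matches_key() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Check every leaf certificate kubeadm renews against the CA that signed it,
# using the "<leaf>:<ca>" pairs from the certificate categories above.
verify_pki() {
  local pki=${1:-/etc/kubernetes/pki} rc=0 pair cert ca
  for pair in apiserver:ca apiserver-kubelet-client:ca front-proxy-client:front-proxy-ca \
              apiserver-etcd-client:etcd/ca etcd/server:etcd/ca etcd/peer:etcd/ca \
              etcd/healthcheck-client:etcd/ca; do
    cert=$pki/${pair%%:*}.crt
    ca=$pki/${pair#*:}.crt
    if cert_chains_to "$ca" "$cert" && cert_matches_key "$cert" "${cert%.crt}.key"; then
      printf 'OK   %-28s %s\n' "${pair%%:*}" "$(openssl x509 -noout -enddate -in "$cert")"
    else
      printf 'FAIL %-28s chain or key mismatch\n' "${pair%%:*}"
      rc=1
    fi
  done
  return $rc
}

# Check the client certificates embedded in the control-plane kubeconfig files.
verify_kubeconfigs() {
  local kube=${1:-/etc/kubernetes} rc=0 conf pem
  for conf in admin.conf controller-manager.conf scheduler.conf; do
    pem=$(kubeconfig_client_cert "$kube/$conf")
    if printf '%s\n' "$pem" | openssl verify -CAfile "$kube/pki/ca.crt" >/dev/null 2>&1; then
      printf 'OK   %-28s %s\n' "$conf" "$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)"
    else
      printf 'FAIL %-28s embedded certificate does not verify against ca.crt\n' "$conf"
      rc=1
    fi
  done
  return $rc
}

# Usage: ./verify-renewal.sh /etc/kubernetes
if [ -n "${1:-}" ]; then
  verify_pki "$1/pki" && verify_kubeconfigs "$1"
fi
```

A FAIL on a kubeconfig after the 1.12 procedure usually means the `kubeadm alpha phase kubeconfig` step was skipped on that master; a FAIL in verify_pki points at a certificate that was renewed against a different CA than the one now on disk, which is exactly the situation the backup above exists for.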
5. Activate the certificates
On every master, restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd so that the new certificates take effect.
# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
or
# docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
Note: the activation step must be run on every master node.
6. Update the configuration file under .kube
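The two one-liners above select containers with a loose grep, so a user workload whose name merely contains "etcd" or "apiserver" would be restarted as well. As an added example (not from the original post), the script below matches the exact kubelet naming prefix k8s_<container>_ for the four control-plane containers, which also excludes the pause containers, and after the restart polls the API server's /healthz on 127.0.0.1:6443 (an assumed address and port) until it answers. The docker ps sample is constructed; its container IDs and image tags are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): restart the control-plane
# static-pod containers precisely and wait for the API server to come back.
# Assumes the docker runtime (as in the post), curl, and the apiserver on 6443.

# Read `docker ps` lines on stdin and print the IDs of the control-plane
# containers. kubelet names pod containers k8s_<container>_<pod>_<namespace>_...,
# so anchoring on k8s_<name>_ skips pause containers (k8s_POD_...) and any
# workload whose name merely contains one of these words.
select_control_plane_containers() {
  awk 'NR > 1 && $NF ~ /^k8s_(kube-apiserver|kube-controller-manager|kube-scheduler|etcd)_/ { print $1 }'
}

# Restart the selected containers, then poll /healthz (up to ~60 s) until the
# API server answers "ok" with its freshly loaded certificate.
restart_control_plane() {
  local ids tries=0
  ids=$(docker ps | select_control_plane_containers)
  [ -n "$ids" ] || { echo "no control-plane containers found" >&2; return 1; }
  echo "$ids" | xargs docker restart
  until curl -sk https://127.0.0.1:6443/healthz | grep -q '^ok$'; do
    tries=$((tries + 1))
    [ "$tries" -lt 30 ] || { echo "apiserver not healthy after restart" >&2; return 1; }
    sleep 2
  done
  echo "control plane healthy"
}

# Constructed `docker ps` output to demonstrate the selection (IDs and tags are made up).
SAMPLE_DOCKER_PS='CONTAINER ID   IMAGE                               COMMAND                  CREATED       STATUS       PORTS   NAMES
a1b2c3d4e5f6   k8s.gcr.io/kube-apiserver:v1.18.2   "kube-apiserver --ad…"   2 hours ago   Up 2 hours           k8s_kube-apiserver_kube-apiserver-hadoop010_kube-system_0000_0
b2c3d4e5f6a1   k8s.gcr.io/etcd:3.4.3-0             "etcd --advertise-cl…"   2 hours ago   Up 2 hours           k8s_etcd_etcd-hadoop010_kube-system_0000_0
c3d4e5f6a1b2   k8s.gcr.io/pause:3.2                "/pause"                 2 hours ago   Up 2 hours           k8s_POD_kube-apiserver-hadoop010_kube-system_0000_0
d4e5f6a1b2c3   example/etcd-backup:1.0             "/backup.sh"             1 day ago     Up 1 day             k8s_etcd-backup_etcd-backup-7d9c_default_0000_0
e5f6a1b2c3d4   k8s.gcr.io/kube-scheduler:v1.18.2   "kube-scheduler --au…"   2 hours ago   Up 2 hours           k8s_kube-scheduler_kube-scheduler-hadoop010_kube-system_0000_0'

# Usage: ./restart-control-plane.sh --restart   (without the flag nothing is restarted)
if [ "${1:-}" = "--restart" ]; then
  restart_control_plane
fi
```

In the sample, the etcd-backup workload and the pause container are left alone and only the three real control-plane containers are selected; on a host where the kubelet names differ, run `docker ps | select_control_plane_containers` first and confirm the list before adding --restart.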
$ mv $HOME/.kube/config $HOME/.kube/config.old
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
$ kubectl get nodes
7. Verify the updated cluster
Verify the Kubernetes cluster: kubectl cluster-info and kubectl get nodes should return the expected results.
[root@k8s-master images]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 1y v1.12.1
k8s-node1 Ready <none> 1y v1.12.1
k8s-node2 Ready <none> 1y v1.12.1
Confirm that the Kubernetes system services are running normally (the core ones are kube-apiserver, kube-controller-manager, kube-proxy and kube-flannel): kubectl get pods -n kube-system
[root@k8s-master images]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-576cbf47c7-fk7j9 1/1 Running 0 1y
coredns-576cbf47c7-p4f4q 1/1 Running 0 1y
etcd-k8s-master 1/1 Running 2 1y
kube-apiserver-k8s-master 1/1 Running 0 2h
kube-controller-manager-k8s-master 1/1 Running 1 2h
kube-flannel-ds-amd64-f2csl 1/1 Running 0 1y
kube-flannel-ds-amd64-wm2b6 1/1 Running 0 1y
kube-flannel-ds-amd64-wrnnk 1/1 Running 1 1y
kube-proxy-cz5xg 1/1 Running 0 1y
kube-proxy-fnr96 1/1 Running 0 1y
kube-proxy-xbrcb 1/1 Running 0 1y
kube-scheduler-k8s-master 1/1 Running 1 1y
kubernetes-dashboard-77fd78f978-jl98q 1/1 Running 0 218d
Check the running state of the pods: kubectl get pods --all-namespaces
[root@k8s-master images]# kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default bbcx-service-7c4bb5456-bksqb 1/1 Running 0 7h
default bbcx-vue-5569488679-zd75m 1/1 Running 1 7h
default cip-data-service-66ffd668dd-2l4wv 1/1 Running 0 17d
default cip-job-5fb59f9d84-4lrb4 1/1 Running 0 17d
default consul-0 1/1 Running 0 193d
...................
Option 2:
1. Back up the kubeadm cluster configuration by exporting it
# kubeadm config view > kubeadm-cluster.yaml
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.16.3
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}
2. Check the exact expiry times
kubeadm alpha certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Jul 29, 2021 12:07 UTC 362d no
apiserver Jul 29, 2021 12:07 UTC 362d no
apiserver-etcd-client Jul 29, 2021 12:07 UTC 362d no
apiserver-kubelet-client Jul 29, 2021 12:07 UTC 362d no
controller-manager.conf Jul 29, 2021 12:07 UTC 362d no
etcd-healthcheck-client Jul 29, 2021 12:07 UTC 362d no
etcd-peer Jul 29, 2021 12:07 UTC 362d no
etcd-server Jul 29, 2021 12:07 UTC 362d no
front-proxy-client Jul 29, 2021 12:07 UTC 362d no
scheduler.conf Jul 29, 2021 12:07 UTC 362d no
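Step 2 leaves you reading the RESIDUAL TIME column by eye. As an added example (not code from the original post or from kubeadm), the POSIX shell script below parses that output format and lists every certificate with a given number of days or less remaining, which is what a cron job or monitoring hook would do to catch expiry before the control plane stops working. The sample output it runs on is constructed; the parser also handles the 1.18 layout, whose second table carries a CERTIFICATE AUTHORITY column, and kubeadm's <invalid> residual-time marker for a certificate that has already expired.

```shell
#!/bin/sh
# Added example (not from the original post or kubeadm): turn the output of
# `kubeadm alpha certs check-expiration` into an expiry report that a cron job
# or monitoring hook can act on before the control plane stops working.

# Constructed sample in the format shown above. The second table (with the
# CERTIFICATE AUTHORITY column) is the 1.18 layout; <invalid> is the value
# kubeadm prints in RESIDUAL TIME for a certificate that has already expired.
SAMPLE_CHECK_EXPIRATION='[check-expiration] Reading configuration from the cluster...
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Jul 29, 2021 12:07 UTC 362d no
apiserver Jul 29, 2021 12:07 UTC 25d no
apiserver-etcd-client Jul 29, 2021 12:07 UTC 362d no
etcd-peer Jul 29, 2021 12:07 UTC 3h no
front-proxy-client Jul 29, 2021 12:07 UTC <invalid> no

CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jul 27, 2030 13:01 UTC 9y no'

# residual_days VALUE -> remaining lifetime in whole days.
#   "362d" -> 362, "9y" -> 9*365, anything under a day ("3h", "45m", "0s") -> 0,
#   "<invalid>" (already expired) or an unrecognised value -> -1.
residual_days() {
    case "$1" in
        *d)        printf '%s\n' "${1%d}" ;;
        *y)        printf '%s\n' "$(( ${1%y} * 365 ))" ;;
        *h|*m|*s)  printf '%s\n' 0 ;;
        *)         printf '%s\n' -1 ;;
    esac
}

# expiring_certs THRESHOLD_DAYS  (reads check-expiration output on stdin)
#   Prints "<name> <days-left>" for every certificate at or below the threshold.
#   The date occupies fields 2-6 on every row, so RESIDUAL TIME is always the
#   7th field regardless of which kubeadm layout produced the table.
expiring_certs() {
    threshold="$1"
    while read -r name _mon _day _year _time _tz residual _rest; do
        case "$name" in
            ''|CERTIFICATE|'['*) continue ;;   # blank, header, or [check-expiration] chatter
        esac
        days=$(residual_days "$residual")
        if [ "$days" -le "$threshold" ]; then
            printf '%s %s\n' "$name" "$days"
        fi
    done
}

# expiring_count THRESHOLD_DAYS -> number of certificates at or below the threshold
expiring_count() {
    expiring_certs "$1" | wc -l | tr -d ' '
}

# Report everything with 30 days or less left; on the sample this prints
# "apiserver 25", "etcd-peer 0" and "front-proxy-client -1".
printf '%s\n' "$SAMPLE_CHECK_EXPIRATION" | expiring_certs 30
```

On a real master the sample is replaced by `kubeadm alpha certs check-expiration | expiring_certs 30`, run on every control-plane node since each holds its own certificates, and an alert fires on a non-zero `expiring_count`. Fields rather than column widths are used because the whitespace-aligned table is not stable across kubeadm versions, whereas the date always occupies fields 2 to 6.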
3. View the help
[root@hadoop009 images]# kubeadm alpha certs renew --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha certs renew [flags]
kubeadm alpha certs renew [command]
Available Commands:
admin.conf Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
all Renew all available certificates
apiserver Renew the certificate for serving the Kubernetes API
apiserver-etcd-client Renew the certificate the apiserver uses to access etcd
apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
controller-manager.conf Renew the certificate embedded in the kubeconfig file for the controller manager to use
etcd-healthcheck-client Renew the certificate for liveness probes to healthcheck etcd
etcd-peer Renew the certificate for etcd nodes to communicate with each other
etcd-server Renew the certificate for serving etcd
front-proxy-client Renew the certificate for the front proxy client
scheduler.conf Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
Flags:
-h, --help help for renew
Global Flags:
--add-dir-header If true, adds the file directory to the header
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm alpha certs renew [command] --help" for more information about a command.
Note: as the help output shows, certificates can also be renewed one at a time.
4. Renew the certificates
# kubeadm alpha certs renew all --config=kubeadm-cluster.yaml # renew all certificates
Note: run this in the directory where kubeadm-cluster.yaml was saved.
Note: the renewal must be run on every master node.
5. Verify the renewal
# kubeadm alpha certs check-expiration
6. Activate the certificates
On every master, restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd so that the renewed certificates take effect.
# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
or
# docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
Note: this restart must be done on every master node.
7. Update the kubeconfig under .kube
$ mv $HOME/.kube/config $HOME/.kube/config.old
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
$ kubectl get nodes
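A stale copy under $HOME/.kube keeps working until the old certificate expires, so it is easy to skip step 7 without noticing. As an added example (not code from the original post), the shell helpers below extract the client certificate embedded in a kubeconfig (assuming inline client-certificate-data, which is how kubeadm writes admin.conf), print its expiry, and compare the user's copy with /etc/kubernetes/admin.conf by SHA-256 fingerprint; make_sample_kubeconfig builds constructed fixtures with throwaway self-signed certificates so the demonstration runs offline. It needs the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original post). After step 7 the user's
# $HOME/.kube/config should embed the same client certificate as
# /etc/kubernetes/admin.conf; a copy that was never refreshed keeps the old,
# soon-to-expire certificate. These helpers read the certificate embedded in a
# kubeconfig and inspect or compare it with the openssl CLI.

# kubeconfig_client_cert FILE
#   Prints, as PEM, the first client-certificate-data entry of FILE
#   (kubeconfig stores it base64-encoded on one line).
kubeconfig_client_cert() {
    awk '/client-certificate-data:/ { print $2; exit }' "$1" | base64 -d
}

# kubeconfig_cert_fingerprint FILE -> SHA-256 fingerprint of that certificate
kubeconfig_cert_fingerprint() {
    kubeconfig_client_cert "$1" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# kubeconfig_cert_enddate FILE -> notAfter date of that certificate
kubeconfig_cert_enddate() {
    kubeconfig_client_cert "$1" | openssl x509 -noout -enddate | cut -d= -f2
}

# kubeconfig_cert_valid_for FILE DAYS
#   Exit 0 if the certificate is still valid DAYS from now, 1 if it expires
#   (or has already expired) within that window.
kubeconfig_cert_valid_for() {
    kubeconfig_client_cert "$1" | openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# kubeconfig_in_sync USER_CONFIG ADMIN_CONFIG
#   Exit 0 if both files embed the same client certificate, 1 if the user's
#   copy still carries a different (stale) one.
kubeconfig_in_sync() {
    [ "$(kubeconfig_cert_fingerprint "$1")" = "$(kubeconfig_cert_fingerprint "$2")" ]
}

# make_sample_kubeconfig OUT DAYS
#   Constructed test fixture: writes a minimal kubeconfig whose client
#   certificate is a throwaway self-signed certificate valid for DAYS days.
#   (A real admin.conf also carries cluster and context entries.)
make_sample_kubeconfig() {
    _kc_tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=kubernetes-admin/O=system:masters" \
        -keyout "$_kc_tmp/key.pem" -out "$_kc_tmp/cert.pem" >/dev/null 2>&1
    {
        printf 'apiVersion: v1\nkind: Config\nusers:\n- name: kubernetes-admin\n  user:\n'
        printf '    client-certificate-data: %s\n' "$(base64 < "$_kc_tmp/cert.pem" | tr -d '\n')"
        printf '    client-key-data: %s\n' "$(base64 < "$_kc_tmp/key.pem" | tr -d '\n')"
    } > "$1"
    rm -rf "$_kc_tmp"
}

# Demonstration on constructed files: a freshly renewed admin.conf next to a
# user copy that was never refreshed.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_sample_kubeconfig "$demo/admin.conf" 365
    make_sample_kubeconfig "$demo/config" 20
    echo "admin.conf client certificate expires: $(kubeconfig_cert_enddate "$demo/admin.conf")"
    if kubeconfig_in_sync "$demo/config" "$demo/admin.conf"; then
        echo "user kubeconfig is up to date"
    else
        echo "user kubeconfig still carries a different client certificate; copy admin.conf over it"
    fi
    rm -rf "$demo"
else
    echo "openssl CLI not found; skipping demonstration" >&2
fi
```

On a real master, `kubeconfig_in_sync "$HOME/.kube/config" /etc/kubernetes/admin.conf` after the cp in step 7 confirms the copy took effect, and `kubeconfig_cert_valid_for "$HOME/.kube/config" 30` is a cheap check to schedule. The copied file is a cluster-admin credential, so it should stay readable only by its owner; the chown in step 7 changes ownership, not the mode.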
8. Verify the cluster after the update
Verify the Kubernetes cluster: kubectl cluster-info and kubectl get nodes should return the expected results.
[root@k8s-master images]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 1y v1.12.1
k8s-node1 Ready <none> 1y v1.12.1
k8s-node2 Ready <none> 1y v1.12.1
Confirm that the Kubernetes system components are running normally (the key ones are kube-apiserver, kube-controller-manager, kube-proxy and kube-flannel): kubectl get pods -n kube-system
[root@k8s-master images]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-576cbf47c7-fk7j9 1/1 Running 0 1y
coredns-576cbf47c7-p4f4q 1/1 Running 0 1y
etcd-k8s-master 1/1 Running 2 1y
kube-apiserver-k8s-master 1/1 Running 0 2h
kube-controller-manager-k8s-master 1/1 Running 1 2h
kube-flannel-ds-amd64-f2csl 1/1 Running 0 1y
kube-flannel-ds-amd64-wm2b6 1/1 Running 0 1y
kube-flannel-ds-amd64-wrnnk 1/1 Running 1 1y
kube-proxy-cz5xg 1/1 Running 0 1y
kube-proxy-fnr96 1/1 Running 0 1y
kube-proxy-xbrcb 1/1 Running 0 1y
kube-scheduler-k8s-master 1/1 Running 1 1y
kubernetes-dashboard-77fd78f978-jl98q 1/1 Running 0 218d
Check the running state of all pods: kubectl get pods --all-namespaces
[root@k8s-master images]# kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default bbcx-service-7c4bb5456-bksqb 1/1 Running 0 7h
default bbcx-vue-5569488679-zd75m 1/1 Running 1 7h
default cip-data-service-66ffd668dd-2l4wv 1/1 Running 0 17d
default cip-job-5fb59f9d84-4lrb4 1/1 Running 0 17d
default consul-0 1/1 Running 0 193d
...................
kubeadm 是 kubernetes 提供的一个初始化集群的工具,使用起来非常方便,但是它创建的 apiserver、controller-manager 等证书默认只有一年的有效期,同时 kubelet 证书也只有一年有效期,一年之后 kubernetes 将停止服务
Kubernetes 集群根证书:
/etc/kubernetes/pki/ca.crt
/etc/kubernetes/pki/ca.key
......
kubeadm 默认生成的ca证书有效期是10年,其他证书(如etcd证书,apiserver证书)有效期均为1年。
二、准备工作
[root@k8s-master etcd]# tree /etc/kubernetes/
/etc/kubernetes/
├── admin.conf
├── controller-manager.conf
├── kubelet.conf
├── manifests
│ ├── etcd.yaml
│ ├── kube-apiserver.yaml
│ ├── kube-controller-manager.yaml
│ └── kube-scheduler.yaml
├── pki
│ ├── apiserver.crt
│ ├── apiserver-etcd-client.crt
│ ├── apiserver-etcd-client.key
│ ├── apiserver.key
│ ├── apiserver-kubelet-client.crt
│ ├── apiserver-kubelet-client.key
│ ├── ca.crt
│ ├── ca.key
│ ├── etcd
│ │ ├── ca.crt
│ │ ├── ca.key
│ │ ├── healthcheck-client.crt
│ │ ├── healthcheck-client.key
│ │ ├── peer.crt
│ │ ├── peer.key
│ │ ├── server.crt
│ │ └── server.key
│ ├── front-proxy-ca.crt
│ ├── front-proxy-ca.key
│ ├── front-proxy-client.crt
│ ├── front-proxy-client.key
│ ├── sa.key
│ └── sa.pub
└── scheduler.conf
3 directories, 30 files
查看证书:
[root@k8s-master]# cd /etc/kubernetes/pki
[root@k8s-master pki]# openssl x509 -in front-proxy-client.crt -noout -text |grep Not
Not Before: Jul 29 12:07:53 2020 GMT
Not After : Jul 29 12:07:54 2021 GMT
[root@k8s-master pki]# openssl x509 -in apiserver.crt -noout -text |grep Not
Not Before: Jul 29 12:07:52 2020 GMT
Not After : Jul 29 12:07:53 2021 GMT
[root@k8s-master pki]# openssl x509 -in front-proxy-client.crt -noout -text |grep Not
Not Before: Aug 1 08:36:22 2019 GMT
Not After : Jul 31 10:47:04 2021 GMT
[root@k8s-master pki]# openssl x509 -in apiserver.crt -noout -text |grep Not
Not Before: Aug 1 08:36:24 2019 GMT
Not After : Jul 31 10:47:04 2021 GMT
............
[root@k8s-master kubernetes]# find /etc/kubernetes/pki/ -type f -name "*.crt" -print|egrep -v 'ca.crt$'|xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep Not'
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/server.crt|grep Not
Not Before: Aug 1 08:36:23 2019 GMT
Not After : Jul 31 10:47:03 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/healthcheck-client.crt|grep Not
Not Before: Aug 1 08:36:23 2019 GMT
Not After : Jul 31 10:47:03 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/peer.crt|grep Not
Not Before: Aug 1 08:36:23 2019 GMT
Not After : Jul 31 10:47:03 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-etcd-client.crt|grep Not
Not Before: Aug 1 08:36:23 2019 GMT
Not After : Jul 31 10:47:04 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-kubelet-client.crt|grep Not
Not Before: Aug 1 08:36:24 2019 GMT
Not After : Jul 31 10:47:04 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt|grep Not
Not Before: Aug 1 08:36:24 2019 GMT
Not After : Jul 31 10:47:04 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/front-proxy-client.crt|grep Not
Not Before: Aug 1 08:36:22 2019 GMT
Not After : Jul 31 10:47:04 2021 GMT
[root@k8s-master kubernetes]# find /etc/kubernetes/pki/ -type f -name "*.crt" -print|egrep -v 'ca.crt$'|xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep After'
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/server.crt|grep After
Not After : Jul 31 10:47:03 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/healthcheck-client.crt|grep After
Not After : Jul 31 10:47:03 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/peer.crt|grep After
Not After : Jul 31 10:47:03 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-etcd-client.crt|grep After
Not After : Jul 31 10:47:04 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-kubelet-client.crt|grep After
Not After : Jul 31 10:47:04 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt|grep After
Not After : Jul 31 10:47:04 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/front-proxy-client.crt|grep After
Not After : Jul 31 10:47:04 2021 GMT
[root@k8s-master pki]# ls -l
总用量 56
-rw-r--r-- 1 root root 1224 7月 31 18:47 apiserver.crt
-rw-r--r-- 1 root root 1090 7月 31 18:47 apiserver-etcd-client.crt
-rw------- 1 root root 1675 7月 31 18:47 apiserver-etcd-client.key
-rw------- 1 root root 1675 7月 31 18:47 apiserver.key
-rw-r--r-- 1 root root 1099 7月 31 18:47 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 7月 31 18:47 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 8月 1 2019 ca.crt
-rw------- 1 root root 1675 8月 1 2019 ca.key
drwxr-xr-x 2 root root 162 7月 31 18:47 etcd
-rw-r--r-- 1 root root 1038 8月 1 2019 front-proxy-ca.crt
-rw------- 1 root root 1679 8月 1 2019 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 7月 31 18:47 front-proxy-client.crt
-rw------- 1 root root 1675 7月 31 18:47 front-proxy-client.key
-rw------- 1 root root 1679 8月 1 2019 sa.key
-rw------- 1 root root 451 8月 1 2019 sa.pub
[root@k8s-master pki]# openssl x509 -in ca.crt -noout -text |grep Not
Not Before: Aug 1 08:36:24 2019 GMT
Not After : Jul 29 08:36:24 2029 GMT
[root@k8s-master pki]# cd etcd/
[root@k8s-master etcd]# ls -l
总用量 32
-rw-r--r-- 1 root root 1017 8月 1 2019 ca.crt
-rw------- 1 root root 1679 8月 1 2019 ca.key
-rw-r--r-- 1 root root 1094 7月 31 18:47 healthcheck-client.crt
-rw------- 1 root root 1675 7月 31 18:47 healthcheck-client.key
-rw-r--r-- 1 root root 1135 7月 31 18:47 peer.crt
-rw------- 1 root root 1679 7月 31 18:47 peer.key
-rw-r--r-- 1 root root 1127 7月 31 18:47 server.crt
-rw------- 1 root root 1675 7月 31 18:47 server.key
[root@k8s-master etcd]# openssl x509 -in ca.crt -noout -text |grep Not
Not Before: Aug 1 08:36:23 2019 GMT
Not After : Jul 29 08:36:23 2029 GMT
备份工作(非常重要):
[root@k8s-master ]# cd /etc/kubernetes
[root@k8s-master kubernetes]# mkdir ./pki_bak
[root@k8s-master kubernetes]# mkdir ./pki_bak/etcd
[root@k8s-master kubernetes]# mkdir ./conf_bak
[root@k8s-master kubernetes]# cp pki/apiserver* ./pki_bak/
[root@k8s-master kubernetes]# cp pki/front-proxy-client.* ./pki_bak/
[root@k8s-master kubernetes]# cp pki/etcd/healthcheck-client.* ./pki_bak/etcd/
[root@k8s-master kubernetes]# cp pki/etcd/peer.* ./pki_bak/etcd/
[root@k8s-master kubernetes]# cp pki/etcd/server.* ./pki_bak/etcd/
[root@k8s-master kubernetes]# cp ./admin.conf ./conf_bak/
[root@k8s-master kubernetes]# cp ./kubelet.conf ./conf_bak/
[root@k8s-master kubernetes]# cp ./controller-manager.conf ./conf_bak/
[root@k8s-master kubernetes]# cp ./scheduler.conf ./conf_bak/
三、证书类别
1、集群根证书:
[root@k8s-master images]# ll /etc/kubernetes/pki/ca*
-rw-r--r-- 1 root root 1025 8月 1 2019 /etc/kubernetes/pki/ca.crt
-rw------- 1 root root 1675 8月 1 2019 /etc/kubernetes/pki/ca.key
2、由此集群根证书签发的证书有:
1)kube-apiserver 组件持有的服务端证书
[root@k8s-master pki]# ll /etc/kubernetes/pki/apiserver.*
-rw-r--r-- 1 root root 1224 7月 31 18:47 /etc/kubernetes/pki/apiserver.crt
-rw------- 1 root root 1675 7月 31 18:47 /etc/kubernetes/pki/apiserver.key
2)kubelet 组件持有的客户端证书
[root@k8s-master pki]# ll /etc/kubernetes/pki/apiserver-kubelet-client.*
-rw-r--r-- 1 root root 1099 7月 31 18:47 /etc/kubernetes/pki/apiserver-kubelet-client.crt
-rw------- 1 root root 1675 7月 31 18:47 /etc/kubernetes/pki/apiserver-kubelet-client.key
提示:kubelet的/var/lib/kubelet/config.yaml配置文件中一般不会明确指定服务端证书,而是只指定 ca 根证书, 让 kubelet 根据本地主机信息自动生成服务端证书并保存到配置的 cert-dir文件夹中。
[root@k8s-master kubelet]# pwd
/var/lib/kubelet
[root@k8s-master kubelet]# cat config.yaml
address: 0.0.0.0
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 2m0s
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 5m0s
cacheUnauthorizedTTL: 30s
cgroupDriver: cgroupfs
cgroupsPerQOS: true
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
configMapAndSecretChangeDetectionStrategy: Watch
containerLogMaxFiles: 5
containerLogMaxSize: 10Mi
contentType: application/vnd.kubernetes.protobuf
cpuCFSQuota: true
cpuCFSQuotaPeriod: 100ms
cpuManagerPolicy: none
cpuManagerReconcilePeriod: 10s
enableControllerAttachDetach: true
enableDebuggingHandlers: true
enforceNodeAllocatable:
- pods
eventBurst: 10
eventRecordQPS: 5
evictionHard:
imagefs.available: 15%
memory.available: 100Mi
nodefs.available: 10%
nodefs.inodesFree: 5%
evictionPressureTransitionPeriod: 5m0s
failSwapOn: true
fileCheckFrequency: 20s
hairpinMode: promiscuous-bridge
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 20s
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80
imageMinimumGCAge: 2m0s
iptablesDropBit: 15
iptablesMasqueradeBit: 14
kind: KubeletConfiguration
kubeAPIBurst: 10
kubeAPIQPS: 5
makeIPTablesUtilChains: true
maxOpenFiles: 1000000
maxPods: 110
nodeLeaseDurationSeconds: 40
nodeStatusUpdateFrequency: 10s
oomScoreAdj: -999
podPidsLimit: -1
port: 10250
registryBurst: 10
registryPullQPS: 5
resolvConf: /etc/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 4h0m0s
syncFrequency: 1m0s
volumeStatsAggPeriod: 1m0s
3)汇聚层证书
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/front-proxy-ca.*
-rw-r--r-- 1 root root 1038 8月 1 2019 /etc/kubernetes/pki/front-proxy-ca.crt
-rw------- 1 root root 1679 8月 1 2019 /etc/kubernetes/pki/front-proxy-ca.key
由此汇聚层根证书签发的证书有:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/front-proxy-client.*
-rw-r--r-- 1 root root 1058 7月 31 18:47 /etc/kubernetes/pki/front-proxy-client.crt
-rw------- 1 root root 1675 7月 31 18:47 /etc/kubernetes/pki/front-proxy-client.key
3、etcd集群根证书:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/etcd/ca.*
-rw-r--r-- 1 root root 1017 8月 1 2019 /etc/kubernetes/pki/etcd/ca.crt
-rw------- 1 root root 1679 8月 1 2019 /etc/kubernetes/pki/etcd/ca.key
由此etcd根证书签发的证书有:
etcd server服务端证书:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/etcd/server.*
-rw-r--r-- 1 root root 1127 7月 31 18:47 /etc/kubernetes/pki/etcd/server.crt
-rw------- 1 root root 1675 7月 31 18:47 /etc/kubernetes/pki/etcd/server.key
etcd 集群中peer节点互相通信使用的客户端证书:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/etcd/peer.*
-rw-r--r-- 1 root root 1135 7月 31 18:47 /etc/kubernetes/pki/etcd/peer.crt
-rw------- 1 root root 1679 7月 31 18:47 /etc/kubernetes/pki/etcd/peer.key
pod 中定义 Liveness 探针使用的客户端证书:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/etcd/healthcheck-client.*
-rw-r--r-- 1 root root 1094 7月 31 18:47 /etc/kubernetes/pki/etcd/healthcheck-client.crt
-rw------- 1 root root 1675 7月 31 18:47 /etc/kubernetes/pki/etcd/healthcheck-client.key
配置在 kube-apiserver 中用来与 etcd server 做双向认证的客户端证书:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/apiserver-etcd-client.*
-rw-r--r-- 1 root root 1090 7月 31 18:47 /etc/kubernetes/pki/apiserver-etcd-client.crt
-rw------- 1 root root 1675 7月 31 18:47 /etc/kubernetes/pki/apiserver-etcd-client.key
4、Serveice Account密钥:
[root@k8s-master kubelet]# ll /etc/kubernetes/pki/sa.*
-rw------- 1 root root 1679 8月 1 2019 /etc/kubernetes/pki/sa.key
-rw------- 1 root root 451 8月 1 2019 /etc/kubernetes/pki/sa.pub
Serveice Account密钥对仅提供给 kube-controller-manager 使用. kube-controller-manager 通过 sa.key 对 token 进行签名, master 节点通过公钥 sa.pub 进行签名的验证。
API Server身份验证过程:
API Server的authenticating环节支持多种身份校验方式:client cert、bearer token、static password auth等,这些方式中只要有一种方式通过authenticating(Kubernetes API Server会逐个方式尝试),那么身份校验就会通过。
一旦API Server发现client发起的request使用的是service account token的方式,API Server就会自动采用signed bearer token方式进行身份校验。而request则使用携带的service account token参与验证。该token是API Server在创建service account时用API server启动参数:–service-account-key-file的值签署(sign)生成的。如果–service-account-key-file未传入任何值,那么将默认使用–tls-private-key-file的值,即API Server的私钥(server.key)。
通过authenticating后,API Server将根据Pod username所在的group:system:serviceaccounts和system:serviceaccounts:(NAMESPACE)的权限对其进行authority 和admission control两个环节的处理。在这两个环节中,cluster管理员可以对service account的权限进行细化设置。
kubeadm 创建的集群,kube-proxy、flannel、coreDNS是以 pod 形式运行的,在 pod 中,直接使用 service account 与 kube-apiserver 进行认证,此时就不需要再单独为 kube-proxy 创建证书。
---------------------------------------------kubernetes 1.15 版本 以下方案---------------------------------------------
提示:1.12.1 使用可用
1、查看kubeadm-config配置
提示:不同的master节点使用的kubeadm配置有细微的差异,执行更新证书是,每个master在--config后面使用原来集群创建时,当前master对应的kubeadm配置文件。
[root@k8s-master kubernetes]# kubectl -n kube-system get cm kubeadm-config -oyaml
apiVersion: v1
data:
ClusterConfiguration: |
apiServerExtraArgs:
authorization-mode: Node,RBAC
apiVersion: kubeadm.k8s.io/v1alpha3
auditPolicy:
logDir: /var/log/kubernetes/audit
logMaxAge: 2
path: ""
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: ""
etcd:
local:
dataDir: /var/lib/etcd
image: ""
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.12.1
networking:
dnsDomain: cluster.local
podSubnet: 10.244.0.0/16
serviceSubnet: 10.96.0.0/12
unifiedControlPlaneImage: ""
ClusterStatus: |
apiEndpoints:
k8s-master:
advertiseAddress: 192.101.10.80
bindPort: 6443
apiVersion: kubeadm.k8s.io/v1alpha3
kind: ClusterStatus
kind: ConfigMap
metadata:
creationTimestamp: 2019-08-01T08:36:48Z
name: kubeadm-config
namespace: kube-system
resourceVersion: "174"
selfLink: /api/v1/namespaces/kube-system/configmaps/kubeadm-config
uid: 80959d9d-b437-11e9-8e73-6c92bfa51bf6
2、创建kubeadm-cluster.yaml
# touch kubeadm-cluster.yaml
# vi kubeadm-cluster.yaml
apiServer:
apiServerExtraArgs:
authorization-mode: Node,RBAC
apiVersion: kubeadm.k8s.io/v1alpha3
auditPolicy:
logDir: /var/log/kubernetes/audit
logMaxAge: 2
path: ""
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: ""
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.12.1
networking:
dnsDomain: cluster.local
podSubnet: 10.244.0.0/16
serviceSubnet: 10.96.0.0/12
unifiedControlPlaneImage: ""
3、查看帮助
提示:不同版本的kubeadm对于证书renew的命令有细微的差异,具体情况需要依据已经安装的kubeadm来判断。通过命令行kubeadm alpha --help输出类似如下信息:
[root@k8s-master yaml]# kubeadm alpha --help
Experimental sub-commands not yet fully functional.
Usage:
kubeadm alpha [command]
Available Commands:
phase Invoke subsets of kubeadm functions separately for a manual install.
Flags:
-h, --help help for alpha
Global Flags:
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
-v, --v Level log level for V logs
Use "kubeadm alpha [command] --help" for more information about a command.
[root@k8s-master yaml]# kubeadm alpha phase certs --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha phase certs [command]
Aliases:
certs, certificates
Available Commands:
all Generates all PKI assets necessary to establish the control plane
apiserver Generates the certificate for serving the kubernetes API
apiserver-etcd-client Generates the client apiserver uses to access etcd
apiserver-kubelet-client Generates the Client certificate for the API server to connect to kubelet
ca Generates the self-signed kubernetes CA to provision identities for other kuberenets components
etcd-ca Generates the self-signed CA to provision identities for etcd
etcd-healthcheck-client Generates the client certificate for liveness probes to healtcheck etcd
etcd-peer Generates the credentials for etcd nodes to communicate with each other
etcd-server Generates the certificate for serving etcd
front-proxy-ca Generates the self-signed CA to provision identities for front proxy
front-proxy-client Generates the client for the front proxy
renew Renews certificates for a Kubernetes cluster
sa Generates a private key for signing service account tokens along with its public key
Flags:
-h, --help help for certs
Global Flags:
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
-v, --v Level log level for V logs
Use "kubeadm alpha phase certs [command] --help" for more information about a command.
[root@k8s-master yaml]# kubeadm alpha phase certs renew --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha phase certs renew [flags]
kubeadm alpha phase certs renew [command]
Available Commands:
all renew all available certificates
apiserver Generates the certificate for serving the kubernetes API
apiserver-etcd-client Generates the client apiserver uses to access etcd
apiserver-kubelet-client Generates the Client certificate for the API server to connect to kubelet
etcd-healthcheck-client Generates the client certificate for liveness probes to healtcheck etcd
etcd-peer Generates the credentials for etcd nodes to communicate with each other
etcd-server Generates the certificate for serving etcd
front-proxy-client Generates the client for the front proxy
Flags:
-h, --help help for renew
Global Flags:
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
-v, --v Level log level for V logs
Use "kubeadm alpha phase certs renew [command] --help" for more information about a command.
4、重新生成master各个证书
kubeadm alpha phase certs renew etcd-healthcheck-client --config kubeadm-cluster.yaml
kubeadm alpha phase certs renew etcd-peer --config kubeadm-cluster.yaml
kubeadm alpha phase certs renew etcd-server --config kubeadm-cluster.yaml
kubeadm alpha phase certs renew front-proxy-client --config kubeadm-cluster.yaml
kubeadm alpha phase certs renew apiserver-etcd-client --config kubeadm-cluster.yaml
kubeadm alpha phase certs renew apiserver-kubelet-client --config kubeadm-cluster.yaml
kubeadm alpha phase certs renew apiserver --config kubeadm-cluster.yaml
5、验证证书有效期更新
[root@k8s-master images]# find /etc/kubernetes/pki/ -type f -name "*.crt" -print|egrep -v 'ca.crt$'|xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep After'
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/server.crt|grep After
Not After : Aug 1 10:20:09 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/healthcheck-client.crt|grep After
Not After : Aug 1 10:19:54 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/peer.crt|grep After
Not After : Aug 1 10:20:02 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-etcd-client.crt|grep After
Not After : Aug 1 10:20:25 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-kubelet-client.crt|grep After
Not After : Aug 1 10:20:32 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt|grep After
Not After : Aug 1 10:20:39 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/front-proxy-client.crt|grep After
Not After : Aug 1 10:20:18 2021 GMT
6、更新各个配置文件
1)查看帮助:
[root@k8s-master manifests]# kubeadm alpha phase kubeconfig --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha phase kubeconfig [command]
Available Commands:
admin Generates a kubeconfig file for the admin to use and for kubeadm itself
all Generates all kubeconfig files necessary to establish the control plane and the admin kubeconfig file
controller-manager Generates a kubeconfig file for the controller manager to use
kubelet Generates a kubeconfig file for the kubelet to use. Please note that this should be used *only* for bootstrapping purposes
scheduler Generates a kubeconfig file for the scheduler to use
user Outputs a kubeconfig file for an additional user
Flags:
-h, --help help for kubeconfig
Global Flags:
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
-v, --v Level log level for V logs
Use "kubeadm alpha phase kubeconfig [command] --help" for more information about a command.
2)备份集群配置文件并重新生成:
[root@k8s-master yaml]# find /etc/kubernetes/ -name '*.conf'|xargs -i mv {}{,bak}
[root@k8s-master yaml]# kubeadm alpha phase kubeconfig all --config kubeadm-cluster.yaml
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"
或者分步执行:
kubeadm alpha phase kubeconfig kubelet --config kubeadm-cluster.yaml
kubeadm alpha phase kubeconfig admin --config kubeadm-cluster.yaml
kubeadm alpha phase kubeconfig scheduler --config kubeadm-cluster.yaml
kubeadm alpha phase kubeconfig controller-manager --config kubeadm-cluster.yaml
3)重新配置kubectl权限信息:
mv $HOME/.kube/config $HOME/.kube/config.old
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
7、更新集群验证
验证kubernetes 集群:运行 kubectl cluster-info 和 kubectl get nodes 符合预期
[root@k8s-master images]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 1y v1.12.1
k8s-node1 Ready <none> 1y v1.12.1
k8s-node2 Ready <none> 1y v1.12.1
确性kubernetes 系统相关的服务运行正常(核心是kube-apiserver,kube-controller-manager,kube-proxy, kube-flannel):kubectl get pods -n kube-system
[root@k8s-master images]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-576cbf47c7-fk7j9 1/1 Running 0 1y
coredns-576cbf47c7-p4f4q 1/1 Running 0 1y
etcd-k8s-master 1/1 Running 2 1y
kube-apiserver-k8s-master 1/1 Running 0 2h
kube-controller-manager-k8s-master 1/1 Running 1 2h
kube-flannel-ds-amd64-f2csl 1/1 Running 0 1y
kube-flannel-ds-amd64-wm2b6 1/1 Running 0 1y
kube-flannel-ds-amd64-wrnnk 1/1 Running 1 1y
kube-proxy-cz5xg 1/1 Running 0 1y
kube-proxy-fnr96 1/1 Running 0 1y
kube-proxy-xbrcb 1/1 Running 0 1y
kube-scheduler-k8s-master 1/1 Running 1 1y
kubernetes-dashboard-77fd78f978-jl98q 1/1 Running 0 218d
检查pod的运行状态:kubectl get pods --all-namespaces
[root@k8s-master images]# kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default bbcx-service-7c4bb5456-bksqb 1/1 Running 0 7h
default bbcx-vue-5569488679-zd75m 1/1 Running 1 7h
default cip-data-service-66ffd668dd-2l4wv 1/1 Running 0 17d
default cip-job-5fb59f9d84-4lrb4 1/1 Running 0 17d
default consul-0 1/1 Running 0 193d
...................
---------------------------------------------kubernetes 1.15 版本 以上方案---------------------------------------------
提示:kubernetes 1.16.3 ;1.18.2 使用可用,1.12.1 使用不可用
第一种方案:
1、查看具体过期时间
kubeadm alpha certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Jul 29, 2021 12:07 UTC 362d no
apiserver Jul 29, 2021 12:07 UTC 362d no
apiserver-etcd-client Jul 29, 2021 12:07 UTC 362d no
apiserver-kubelet-client Jul 29, 2021 12:07 UTC 362d no
controller-manager.conf Jul 29, 2021 12:07 UTC 362d no
etcd-healthcheck-client Jul 29, 2021 12:07 UTC 362d no
etcd-peer Jul 29, 2021 12:07 UTC 362d no
etcd-server Jul 29, 2021 12:07 UTC 362d no
front-proxy-client Jul 29, 2021 12:07 UTC 362d no
scheduler.conf Jul 29, 2021 12:07 UTC 362d no
2、查看帮助
[root@hadoop009 images]# kubeadm alpha certs renew --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha certs renew [flags]
kubeadm alpha certs renew [command]
Available Commands:
admin.conf Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
all Renew all available certificates
apiserver Renew the certificate for serving the Kubernetes API
apiserver-etcd-client Renew the certificate the apiserver uses to access etcd
apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
controller-manager.conf Renew the certificate embedded in the kubeconfig file for the controller manager to use
etcd-healthcheck-client Renew the certificate for liveness probes to healthcheck etcd
etcd-peer Renew the certificate for etcd nodes to communicate with each other
etcd-server Renew the certificate for serving etcd
front-proxy-client Renew the certificate for the front proxy client
scheduler.conf Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
Flags:
-h, --help help for renew
Global Flags:
--add-dir-header If true, adds the file directory to the header
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm alpha certs renew [command] --help" for more information about a command.
提示:由help可知,证书更新可针对单个证书更新
3、更新证书
更新所有证书,对证书进行续期,续期一年:
$ kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
提示:更新操作需要在所有master节点执行
4、验证续期
# ls -l
总用量 56
-rw-r--r-- 1 root root 1220 7月 31 22:48 apiserver.crt
-rw-r--r-- 1 root root 1090 7月 31 22:48 apiserver-etcd-client.crt
-rw------- 1 root root 1679 7月 31 22:48 apiserver-etcd-client.key
-rw------- 1 root root 1675 7月 31 22:48 apiserver.key
-rw-r--r-- 1 root root 1099 7月 31 22:48 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 7月 31 22:48 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 7月 29 20:07 ca.crt
-rw------- 1 root root 1679 7月 29 20:07 ca.key
drwxr-xr-x 2 root root 162 7月 29 20:07 etcd
-rw-r--r-- 1 root root 1038 7月 29 20:07 front-proxy-ca.crt
-rw------- 1 root root 1675 7月 29 20:07 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 7月 31 22:48 front-proxy-client.crt
-rw------- 1 root root 1679 7月 31 22:48 front-proxy-client.key
-rw------- 1 root root 1675 7月 29 20:07 sa.key
-rw------- 1 root root 451 7月 29 20:07 sa.pub
# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Aug 01, 2021 07:38 UTC 364d no
apiserver Aug 01, 2021 07:38 UTC 364d ca no
apiserver-etcd-client Aug 01, 2021 07:38 UTC 364d etcd-ca no
apiserver-kubelet-client Aug 01, 2021 07:38 UTC 364d ca no
controller-manager.conf Aug 01, 2021 07:38 UTC 364d no
etcd-healthcheck-client Aug 01, 2021 07:38 UTC 364d etcd-ca no
etcd-peer Aug 01, 2021 07:38 UTC 364d etcd-ca no
etcd-server Aug 01, 2021 07:38 UTC 364d etcd-ca no
front-proxy-client Aug 01, 2021 07:38 UTC 364d front-proxy-ca no
scheduler.conf Aug 01, 2021 07:38 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jul 27, 2030 13:01 UTC 9y no
etcd-ca Jul 27, 2030 13:01 UTC 9y no
front-proxy-ca Jul 27, 2030 13:01 UTC 9y no
[root@hadoop010 etcd]# kubectl -n kube-system get cm kubeadm-config -oyaml
apiVersion: v1
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        authorization-mode: Node,RBAC
      timeoutForControlPlane: 4m0s
    apiVersion: kubeadm.k8s.io/v1beta2
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    controlPlaneEndpoint: 192.101.11.162:6443
    controllerManager: {}
    dns:
      type: CoreDNS
    etcd:
      local:
        dataDir: /var/lib/etcd
    imageRepository: k8s.gcr.io
    kind: ClusterConfiguration
    kubernetesVersion: v1.18.2
    networking:
      dnsDomain: cluster.local
      podSubnet: 10.244.0.0/16
      serviceSubnet: 10.96.0.0/12
    scheduler: {}
  ClusterStatus: |
    apiEndpoints:
      hadoop010:
        advertiseAddress: 192.101.11.162
        bindPort: 6443
    apiVersion: kubeadm.k8s.io/v1beta2
    kind: ClusterStatus
kind: ConfigMap
metadata:
  creationTimestamp: "2020-07-29T13:02:16Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ClusterConfiguration: {}
        f:ClusterStatus: {}
    manager: kubeadm
    operation: Update
    time: "2020-07-29T13:02:16Z"
  name: kubeadm-config
  namespace: kube-system
  resourceVersion: "157"
  selfLink: /api/v1/namespaces/kube-system/configmaps/kubeadm-config
  uid: 2e049082-fa64-4e2e-ad73-af9fc94a051e
5、Activate the certificates
On every master, restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd so that the renewed certificates take effect.
# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
or
# docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
Note: this restart must be performed on every master node.
6、Update the kubeconfig under .kube
$ mv $HOME/.kube/config $HOME/.kube/config.old
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
$ kubectl get nodes
7、Verify the cluster after the update
Verify the Kubernetes cluster: kubectl cluster-info and kubectl get nodes should return the expected results.
[root@k8s-master images]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 1y v1.12.1
k8s-node1 Ready <none> 1y v1.12.1
k8s-node2 Ready <none> 1y v1.12.1
Confirm that the Kubernetes system services are running normally (chiefly kube-apiserver, kube-controller-manager, kube-proxy and kube-flannel): kubectl get pods -n kube-system
[root@k8s-master images]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-576cbf47c7-fk7j9 1/1 Running 0 1y
coredns-576cbf47c7-p4f4q 1/1 Running 0 1y
etcd-k8s-master 1/1 Running 2 1y
kube-apiserver-k8s-master 1/1 Running 0 2h
kube-controller-manager-k8s-master 1/1 Running 1 2h
kube-flannel-ds-amd64-f2csl 1/1 Running 0 1y
kube-flannel-ds-amd64-wm2b6 1/1 Running 0 1y
kube-flannel-ds-amd64-wrnnk 1/1 Running 1 1y
kube-proxy-cz5xg 1/1 Running 0 1y
kube-proxy-fnr96 1/1 Running 0 1y
kube-proxy-xbrcb 1/1 Running 0 1y
kube-scheduler-k8s-master 1/1 Running 1 1y
kubernetes-dashboard-77fd78f978-jl98q 1/1 Running 0 218d
Check the status of all pods: kubectl get pods --all-namespaces
[root@k8s-master images]# kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default bbcx-service-7c4bb5456-bksqb 1/1 Running 0 7h
default bbcx-vue-5569488679-zd75m 1/1 Running 1 7h
default cip-data-service-66ffd668dd-2l4wv 1/1 Running 0 17d
default cip-job-5fb59f9d84-4lrb4 1/1 Running 0 17d
default consul-0 1/1 Running 0 193d
...................
Second approach:
1、Back up (export) the kubeadm cluster configuration
# kubeadm config view > kubeadm-cluster.yaml
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.16.3
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}
2、Check the exact expiry times
kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Jul 29, 2021 12:07 UTC   362d            no
apiserver                  Jul 29, 2021 12:07 UTC   362d            no
apiserver-etcd-client      Jul 29, 2021 12:07 UTC   362d            no
apiserver-kubelet-client   Jul 29, 2021 12:07 UTC   362d            no
controller-manager.conf    Jul 29, 2021 12:07 UTC   362d            no
etcd-healthcheck-client    Jul 29, 2021 12:07 UTC   362d            no
etcd-peer                  Jul 29, 2021 12:07 UTC   362d            no
etcd-server                Jul 29, 2021 12:07 UTC   362d            no
front-proxy-client         Jul 29, 2021 12:07 UTC   362d            no
scheduler.conf             Jul 29, 2021 12:07 UTC   362d            no
3、View the help
[root@hadoop009 images]# kubeadm alpha certs renew --help
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha certs renew [flags]
kubeadm alpha certs renew [command]
Available Commands:
admin.conf Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
all Renew all available certificates
apiserver Renew the certificate for serving the Kubernetes API
apiserver-etcd-client Renew the certificate the apiserver uses to access etcd
apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
controller-manager.conf Renew the certificate embedded in the kubeconfig file for the controller manager to use
etcd-healthcheck-client Renew the certificate for liveness probes to healthcheck etcd
etcd-peer Renew the certificate for etcd nodes to communicate with each other
etcd-server Renew the certificate for serving etcd
front-proxy-client Renew the certificate for the front proxy client
scheduler.conf Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
Flags:
-h, --help help for renew
Global Flags:
--add-dir-header If true, adds the file directory to the header
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm alpha certs renew [command] --help" for more information about a command.
Note: as the help shows, certificates can also be renewed one at a time.
4、Renew the certificates
# kubeadm alpha certs renew all --config=kubeadm-cluster.yaml # renew all certificates
Note: run this in the directory where kubeadm-cluster.yaml was saved.
Note: the renewal must be performed on every master node.
5、Confirm the result
# kubeadm alpha certs check-expiration
6、Activate the certificates
On every master, restart the four containers kube-apiserver, kube-controller-manager, kube-scheduler and etcd so that the renewed certificates take effect.
# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
or
# docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
Note: this restart must be performed on every master node.
7、Update the kubeconfig under .kube
$ mv $HOME/.kube/config $HOME/.kube/config.old
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
$ kubectl get nodes
8、Verify the cluster after the update
Verify the Kubernetes cluster: kubectl cluster-info and kubectl get nodes should return the expected results.
[root@k8s-master images]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 1y v1.12.1
k8s-node1 Ready <none> 1y v1.12.1
k8s-node2 Ready <none> 1y v1.12.1
Confirm that the Kubernetes system services are running normally (chiefly kube-apiserver, kube-controller-manager, kube-proxy and kube-flannel): kubectl get pods -n kube-system
[root@k8s-master images]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-576cbf47c7-fk7j9 1/1 Running 0 1y
coredns-576cbf47c7-p4f4q 1/1 Running 0 1y
etcd-k8s-master 1/1 Running 2 1y
kube-apiserver-k8s-master 1/1 Running 0 2h
kube-controller-manager-k8s-master 1/1 Running 1 2h
kube-flannel-ds-amd64-f2csl 1/1 Running 0 1y
kube-flannel-ds-amd64-wm2b6 1/1 Running 0 1y
kube-flannel-ds-amd64-wrnnk 1/1 Running 1 1y
kube-proxy-cz5xg 1/1 Running 0 1y
kube-proxy-fnr96 1/1 Running 0 1y
kube-proxy-xbrcb 1/1 Running 0 1y
kube-scheduler-k8s-master 1/1 Running 1 1y
kubernetes-dashboard-77fd78f978-jl98q 1/1 Running 0 218d
Check the status of all pods: kubectl get pods --all-namespaces
[root@k8s-master images]# kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default bbcx-service-7c4bb5456-bksqb 1/1 Running 0 7h
default bbcx-vue-5569488679-zd75m 1/1 Running 1 7h
default cip-data-service-66ffd668dd-2l4wv 1/1 Running 0 17d
default cip-job-5fb59f9d84-4lrb4 1/1 Running 0 17d
default consul-0 1/1 Running 0 193d
...................
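The check-expiration step above only reports residual time when someone remembers to run it. As an added example that is not part of the original post, the POSIX shell script below parses that table (a constructed sample in the post's layout is embedded) and lists every certificate at or below a chosen number of days, so the renewal and restart steps can be scheduled before the one-year certificates run out. The "<invalid>" residual string for an already expired certificate and the fixed field layout are assumptions about kubeadm's output.

```shell
#!/bin/sh
# Added example (not from the original post): turn the table printed by
# `kubeadm alpha certs check-expiration` into a pre-expiry alert. It reads the
# table on stdin and lists every certificate whose RESIDUAL TIME is at or
# below a threshold in days.

# Convert kubeadm's short duration ("9y", "364d", "2h", "35m") to whole days.
# Assumption: kubeadm prints "<invalid>" once a certificate has already
# expired; map it to -1 so it always trips the threshold.
residual_to_days() {
    case "$1" in
        '<invalid>') printf '%s\n' -1 ;;
        *y)          printf '%s\n' $(( ${1%y} * 365 )) ;;
        *d)          printf '%s\n' "${1%d}" ;;
        *h|*m|*s)    printf '%s\n' 0 ;;   # less than a day left
        *)           printf '%s\n' -1 ;;  # unknown format: treat as urgent
    esac
}

# check_expiring THRESHOLD_DAYS < table
# Prints "<name> <residual> <days>" for each certificate or CA at or below the
# threshold. Data rows look like
#   NAME  Mon DD, YYYY HH:MM UTC  RESIDUAL  [CA]  EXTERNALLY-MANAGED
# so after whitespace splitting the residual time is always the 7th field.
check_expiring() {
    threshold="$1"
    while read -r name _mon _day _year _time _tz residual _rest; do
        case "$name" in
            ''|CERTIFICATE|'['*) continue ;;   # blank lines, headers, log lines
        esac
        days=$(residual_to_days "$residual")
        if [ "$days" -le "$threshold" ]; then
            printf '%s %s %s\n' "$name" "$residual" "$days"
        fi
    done
}

# Constructed sample in the layout of the post's output, with a few residual
# times edited to be close to (or past) expiry.
sample_table() {
    cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 01, 2021 07:38 UTC   25d                                     no
apiserver                  Aug 01, 2021 07:38 UTC   25d             ca                      no
apiserver-etcd-client      Aug 01, 2021 07:38 UTC   364d            etcd-ca                 no
etcd-server                Aug 01, 2021 07:38 UTC   2h              etcd-ca                 no
front-proxy-client         Aug 01, 2021 07:38 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 27, 2030 13:01 UTC   9y              no
etcd-ca                 Jul 27, 2030 13:01 UTC   9y              no
EOF
}

sample_table | check_expiring 30
```

On a live master, pipe the real command into it instead of the sample: kubeadm alpha certs check-expiration | check_expiring 30 (newer kubeadm releases expose the same table as kubeadm certs check-expiration).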