• 安装部署
  • 我下载源代码并自行修改、编译,希望 CA 证书在创建时的有效期即为 100 年,但经测试修改并未生效

代码使用 master 分支,我修改的文件为 kubekey/util/secret/certificates.go,修改的函数如下:

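// newSelfSignedCACert creates a self-signed CA certificate for the given RSA
// key. The certificate is valid from five minutes before now (clock-skew
// allowance) until caValidity from now, is marked as a CA with path length
// zero (it may sign leaf certificates only), and carries the Subject taken
// from certs.Config.
//
// The serial number is drawn from crypto/rand: RFC 5280 §4.1.2.2 requires
// serial numbers to be positive integers, and a fixed serial of 0 would be
// shared by every CA this function produces.
//
// NOTE(review): this function only controls certificates created through it.
// If the cluster's ca.crt still shows a different lifetime after changing
// caValidity, it is presumably generated by another code path (for example
// during cluster bootstrap) — confirm against the callers before adjusting
// the value here.
//
// Returns the parsed certificate, or an error if serial generation,
// certificate creation or parsing fails.
func newSelfSignedCACert(key *rsa.PrivateKey) (*x509.Certificate, error) {
	// caValidity is the lifetime of the CA certificate. time.Duration is an
	// int64 nanosecond count, so values up to roughly 292 years fit without
	// overflow.
	const caValidity = time.Hour * 24 * 365 * 100 // 100 years

	cfg := certs.Config{
		CommonName: "kubernetes",
	}

	// 128-bit random serial so that distinct CAs never share a serial number.
	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
	serial, err := rand.Int(rand.Reader, serialNumberLimit)
	if err != nil {
		return nil, errors.Wrap(err, "failed to generate serial number for self signed CA certificate")
	}

	now := time.Now().UTC()

	tmpl := x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		// Backdate NotBefore slightly so hosts with small clock skew accept the
		// certificate immediately.
		NotBefore: now.Add(time.Minute * -5),
		NotAfter:  now.Add(caValidity),
		KeyUsage:  x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		// BasicConstraints: CA=true, pathlen=0 — this CA may sign end-entity
		// certificates only, never intermediate CAs.
		MaxPathLenZero:        true,
		BasicConstraintsValid: true,
		MaxPathLen:            0,
		IsCA:                  true,
	}

	// Self-signed: the template is both subject and issuer, signed by key.
	b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, errors.Wrapf(err, "failed to create self signed CA certificate: %+v", tmpl)
	}

	// Parse the DER back so callers get a fully populated *x509.Certificate.
	c, err := x509.ParseCertificate(b)
	return c, errors.WithStack(err)
}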

修改的内容为:

将:  NotAfter:              now.Add(time.Hour * 24 * 365 * 10), // 10 years 
改为:NotAfter:              now.Add(time.Hour * 24 * 365 * 100), // 100 years 

修改后,我运行了下面的命令:

make clean
make kk

编译成功后,我使用编译得到的 kk 命令安装集群,查看 CA 证书的过期时间,依然是 10 年:

[root@base ~]# kubectl get pods -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
kube-system   calico-kube-controllers-568d4f5458-58wsp   1/1     Running   0          14m
kube-system   calico-node-5h6mh                          1/1     Running   0          14m
kube-system   coredns-745fc8d6b-727x9                    1/1     Running   0          14m
kube-system   coredns-745fc8d6b-sq8kh                    1/1     Running   0          14m
kube-system   kube-apiserver-k8s-master-01               1/1     Running   0          14m
kube-system   kube-controller-manager-k8s-master-01      1/1     Running   0          14m
kube-system   kube-proxy-gjlvg                           1/1     Running   0          14m
kube-system   kube-scheduler-k8s-master-01               1/1     Running   0          14m
kube-system   kube-vip-k8s-master-01                     1/1     Running   0          14m
kube-system   nodelocaldns-dlsrn                         1/1     Running   0          14m
[root@base ~]#

[root@base ~]# kk certs check-expiration -f config-sample.yaml


 _   __      _          _   __
| | / /     | |        | | / /
| |/ / _   _| |__   ___| |/ /  ___ _   _
|    \| | | | '_ \ / _ \    \ / _ \ | | |
| |\  \ |_| | |_) |  __/ |\  \  __/ |_| |
\_| \_/\__,_|_.__/ \___\_| \_/\___|\__, |
                                    __/ |
                                   |___/

14:11:40 CST [GreetingsModule] Greetings
14:11:41 CST message: [k8s-master-01]
Greetings, KubeKey!
14:11:41 CST success: [k8s-master-01]
14:11:41 CST [CheckCertsModule] Check cluster certs
14:11:42 CST success: [k8s-master-01]
14:11:42 CST [PrintClusterCertsModule] Display cluster certs form
CERTIFICATE                    EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   NODE
apiserver.crt                  Mar 19, 2026 06:08 UTC   364d            ca                      k8s-master-01
apiserver-kubelet-client.crt   Mar 19, 2026 06:08 UTC   364d            ca                      k8s-master-01
front-proxy-client.crt         Mar 19, 2026 06:08 UTC   364d            front-proxy-ca          k8s-master-01
admin.conf                     Mar 19, 2026 06:08 UTC   364d                                    k8s-master-01
controller-manager.conf        Mar 19, 2026 06:08 UTC   364d                                    k8s-master-01
scheduler.conf                 Mar 19, 2026 06:08 UTC   364d                                    k8s-master-01

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   NODE
ca.crt                  Mar 17, 2035 06:08 UTC   9y              k8s-master-01
front-proxy-ca.crt      Mar 17, 2035 06:08 UTC   9y              k8s-master-01
14:11:42 CST success: [LocalHost]
14:11:42 CST Pipeline[CheckCertsPipeline] execute successfully
[root@base ~]#

请问我应该如何修改才能生效?