Automatic rotation flow
1. When a certificate is close to expiry (by default, when less than 30% of its validity period remains), the kubelet automatically generates a new CSR.
2. The new CSR is submitted to the API server and waits for approval.
3. Once the CSR is approved, the kubelet fetches the new certificate and replaces the old one.
4. Old and new certificates are used in parallel for a period of time so that service is not interrupted.
Default auto-approval ClusterRoles
ClusterRole / Description
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
  Auto-approves kubelet client certificates (for example, node registration certificates).
system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
  Auto-approves kubelet serving certificates (the kubelet's server-side TLS certificate).
View the default auto-approval ClusterRoles
kubectl get clusterrole | grep -E 'selfnodeclient|selfnodeserver'
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 2023-03-01T16:54:22Z
ClusterRoleBinding for auto-approval
View the ClusterRoleBinding
Auto-approval is normally implemented by binding the ClusterRole to the node group (system:nodes).
kubectl get clusterrolebinding -o custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[0].name | grep -E 'selfnodeclient|selfnodeserver'
kubeadm:node-autoapprove-certificate-rotation system:certificates.k8s.io:certificatesigningrequests:selfnodeclient system:nodes
Verify the exact binding rules
kubectl describe clusterrolebinding kubeadm:node-autoapprove-certificate-rotation
Name: kubeadm:node-autoapprove-certificate-rotation
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:nodes
Serving certificate auto-approval
Enable it
kubectl create clusterrolebinding auto-approve-node-server-csr \
--clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeserver \
--group=system:nodes
Verify the full configuration
Note that the CSR approving controller built into kube-controller-manager does not auto-approve kubelet serving certificate requests (signer kubernetes.io/kubelet-serving), because it cannot verify that the DNS names and IPs requested actually belong to the node. If kubelet-serving CSRs stay Pending after this binding is created, they have to be approved manually (after checking the requested names) or by a dedicated approver.
kubectl get clusterrolebinding -o custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[0].name | grep -E 'selfnodeclient|selfnodeserver'
kubeadm:node-autoapprove-certificate-rotation system:certificates.k8s.io:certificatesigningrequests:selfnodeclient system:nodes
auto-approve-node-server-csr system:certificates.k8s.io:certificatesigningrequests:selfnodeserver system:nodes
kubelet configuration
/var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
rotateCertificates: true # enable automatic certificate rotation
serverTLSBootstrap: true # let the kubelet request its serving certificate via a CSR at startup instead of self-signing it
Check the certificate validity period
sudo openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -noout -dates
Manual approval
Check the status of certificate requests
kubectl get csr -A | grep Pending
Approve pending requests
The command below approves every CSR whose CONDITION column is Pending, regardless of who requested it or which signer it targets, so inspect each request first (kubectl describe csr <name> shows the signer, requestor and requested names) or narrow the filter to a specific signer before running it.
kubectl get csr --no-headers | awk '$NF == "Pending" {print $1}' | xargs -r kubectl certificate approve
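Because the built-in approver cannot tell whether the names in a kubelet serving CSR belong to the requesting node, the following added helper (not part of the original page) decodes a CSR with openssl and checks its subject and SANs against an allow-list the operator builds for that node before approving it. Everything in it is constructed: the node name node-1, the IP 10.0.0.5, the sample CSRs generated locally, and the function names csr_summary, kubelet_serving_csr_ok and make_sample_csr are all assumptions, as is the kubectl command in the header comment for extracting a real CSR's PEM.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: inspect what a kubelet serving CSR
# really asks for before approving it. Assumed usage against a cluster:
#   kubectl get csr <name> -o jsonpath='{.spec.request}' | base64 -d > req.csr
#   kubelet_serving_csr_ok <node-name> req.csr "<node hostname>,<node InternalIP>"
set -eu

# Print "subject=<DN>" and "sans=<list>" for a PEM CSR file. The DN is
# normalised to "K=V, K=V" so OpenSSL 1.x and 3.x output parse the same way.
csr_summary() {
  local txt
  txt=$(openssl req -in "$1" -noout -text) || return 1
  printf 'subject=%s\n' "$(printf '%s\n' "$txt" | sed -n 's/^ *Subject: *//p' | sed 's/ *= */=/g')"
  printf 'sans=%s\n' "$(printf '%s\n' "$txt" | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')"
}

# Return 0 only if the CSR carries the identity a kubelet serving cert must have
# (O=system:nodes, CN=system:node:<node>) and every requested SAN is in the
# comma-separated allow-list built for that node (e.g. from kubectl get node -o wide).
kubelet_serving_csr_ok() {
  local node=$1 csr=$2 allowed=",$3," summary dn sans san
  summary=$(csr_summary "$csr") || return 1
  dn=",$(printf '%s\n' "$summary" | sed -n 's/^subject=//p' | tr -d ' '),"
  sans=$(printf '%s\n' "$summary" | sed -n 's/^sans=//p')
  case "$dn" in *",O=system:nodes,"*) ;; *) echo "reject: O is not system:nodes" >&2; return 1 ;; esac
  case "$dn" in *",CN=system:node:$node,"*) ;; *) echo "reject: CN is not system:node:$node" >&2; return 1 ;; esac
  [ -n "$sans" ] || { echo "reject: no SANs requested" >&2; return 1; }
  # Drop the "DNS:" / "IP Address:" labels and check each value individually.
  for san in $(printf '%s' "$sans" | sed 's/DNS://g; s/IP Address://g; s/,/ /g'); do
    case "$allowed" in *",$san,"*) ;; *) echo "reject: SAN $san is not owned by $node" >&2; return 1 ;; esac
  done
  return 0
}

# Constructed sample CSR for the demo: a throwaway key plus a CSR with the given
# node name and SAN spec (needs OpenSSL 1.1.1+ for -addext).
make_sample_csr() { # out.csr node-name san-spec
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -subj "/O=system:nodes/CN=system:node:$2" -addext "subjectAltName=$3" 2>/dev/null
}

# Demo: one CSR limited to node-1's own name and IP, and one that also asks for
# an in-cluster service name that no node should ever be issued a certificate for.
d=$(mktemp -d)
make_sample_csr "$d/ok.csr"  node-1 "DNS:node-1,IP:10.0.0.5"
make_sample_csr "$d/bad.csr" node-1 "DNS:node-1,DNS:kubernetes.default.svc"
kubelet_serving_csr_ok node-1 "$d/ok.csr"  "node-1,10.0.0.5" && echo "ok.csr: safe to approve"
kubelet_serving_csr_ok node-1 "$d/bad.csr" "node-1,10.0.0.5" || echo "bad.csr: do not approve"
```

Only a CSR that passes this check should be fed to kubectl certificate approve; the rejection reason goes to stderr so it can be kept with the approval record.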