Using kubeadm why would you want to manually gener

2019-07-17 04:41发布

问题:

I'm trying to follow this tutorial.

  1. What would be the advantage of generating the certs yourself instead of depending on kubeadm?
  2. if you create the certs yourself, does the auto-rotation happens after setting up the cluster from kubeadm?

Thanks!

回答1:

  1. No major advantage. kubeadm does the same: generate self-signed certs. The only mini advantage is that you could add some custom values in the CSR, such as a City, Organization, etc.

  2. Not really.

    • There's a kubelet certificate rotation flag --rotate-certificates that needs to be enabled.
    • There's also the certificate rotation from the masters and kubeadm can help with that with these commands:

      mkdir /etc/kubernetes/pkibak
      mv /etc/kubernetes/pki/* /etc/kubernetes/pkibak
      rm /etc/kubernetes/pki/*
      kubeadm init phase certs all --apiserver-advertise-address=0.0.0.0 --apiserver-cert-extra-sans=x.x.x.x,x.x.x.x
      systemctl restart docker
      

If you'd like to regenerate the admin.conf file, you can also use kubeadm:

$ kubeadm init phase kubeconfig admin \
  --cert-dir /etc/kubernetes/pki \
  --kubeconfig-dir /tmp/.


回答2:

I am creating all the certs by myself, the reason behind that is

  1. The kubernetes cluster we use might not be updated every year, so we need certificates with longer expiry. Our applications doesn't support random docker restart and we are not accepting the kubeadm phase command to regenerate the certificates and restart the docker. Hence we created all the certificates with 5 years of expiry and provided it to kubeadm and it is working fine. Now, we don't have to worry about our certificate expiry every year.

  2. No kubeadm doesn't provide the auto rotate facility of certificates, this is the reason we needed longer expiry of certificates in the first place.

Hope this helps.



标签: kubernetes