Posted 2025-06-16Updated 2025-06-1611 minutes read (About 1659 words)

自定义 RKE2/K3s 证书有效期

RKE2/K3s 生成的证书默认有效期为一年，通过 CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS 可以自定义有效期。

检查目前证书情况，可以看到都是一年有效期：

root@rke2-cilium-01:~# kubectl get secret -n kube-system rke2-serving -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text | grep Not
            Not Before: Nov 13 07:09:59 2024 GMT
            Not After : Apr  9 10:44:08 2026 GMT
root@rke2-cilium-01:~# rke2 certificate check
INFO[0000] Server detected, checking agent and server certificates
INFO[0000] Checking certificates for cloud-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-cloud-controller-manager is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for supervisor
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=system:rke2-supervisor,O=system:masters is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for kubelet
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=system:node:rke2-cilium-01,O=system:nodes is ok, expires at 2026-06-13T06:03:07Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-cilium-01 is ok, expires at 2026-06-13T06:03:06Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for etcd
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-client is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for scheduler
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=system:kube-scheduler is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for kube-proxy
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2026-06-13T06:03:07Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for rke2-controller
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2026-06-13T06:03:07Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for api-server
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=system:apiserver,O=system:masters is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=kube-apiserver is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=rke2-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for admin
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=system:admin,O=system:masters is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for auth-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=system:auth-proxy is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=rke2-request-header-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for controller-manager
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=system:kube-controller-manager is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z

在节点上，准备如下配置，随后通过 rke2 certificate rotate 命令，或者在 Rancher 上轮换证书即可：

# Agent 节点则为 /etc/default/rke2-agent
cat << EOF > /etc/default/rke2-server
CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=3650
EOF

轮换后证书情况：

root@rke2-cilium-01:~# kubectl get secret -n kube-system rke2-serving -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text | grep Not
            Not Before: Nov 13 07:09:59 2024 GMT
            Not After : Jun 14 11:48:31 2035 GMT
root@rke2-cilium-01:~# rke2 certificate check
INFO[0000] Server detected, checking agent and server certificates
INFO[0000] Checking certificates for auth-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=system:auth-proxy is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=rke2-request-header-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for scheduler
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=system:kube-scheduler is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for supervisor
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=system:rke2-supervisor,O=system:masters is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for rke2-controller
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2035-06-14T11:48:33Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for api-server
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=system:apiserver,O=system:masters is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=kube-apiserver is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=rke2-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for admin
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=system:admin,O=system:masters is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for cloud-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-cloud-controller-manager is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for controller-manager
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=system:kube-controller-manager is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for etcd
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-client is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for kube-proxy
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2035-06-14T11:48:33Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for kubelet
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=system:node:rke2-cilium-01,O=system:nodes is ok, expires at 2035-06-14T11:48:32Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-cilium-01 is ok, expires at 2035-06-14T11:48:32Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z

但这个配置似乎对 kube-scheduler 和 kube-controller-manager 的证书无效。

自定义 RKE2/K3s 证书有效期

https://warnerchen.github.io/2025/06/16/自定义-RKE2-K3s-证书有效期/

Author

Warner Chen

Posted on

2025-06-16

Updated on

2025-06-16

Licensed under

#suse

You need to set install_url to use ShareThis. Please set it in _config.yml.

自定义 RKE2/K3s 证书有效期

Author

Posted on

Updated on

Licensed under

Like this article? Support the author with

Comments

Links

Recents

Archives

Tags

Subscribe for updates

follow.it