Customizing RKE2/K3s certificate validity

Certificates generated by RKE2/K3s are valid for one year by default; the validity period can be customized with CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS.

First check the current certificates; all of them have a one-year validity:

root@rke2-cilium-01:~# kubectl get secret -n kube-system rke2-serving -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text | grep Not
Not Before: Nov 13 07:09:59 2024 GMT
Not After : Apr 9 10:44:08 2026 GMT
root@rke2-cilium-01:~# rke2 certificate check
INFO[0000] Server detected, checking agent and server certificates
INFO[0000] Checking certificates for cloud-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-cloud-controller-manager is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for supervisor
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=system:rke2-supervisor,O=system:masters is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for kubelet
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=system:node:rke2-cilium-01,O=system:nodes is ok, expires at 2026-06-13T06:03:07Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-cilium-01 is ok, expires at 2026-06-13T06:03:06Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for etcd
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-client is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for scheduler
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=system:kube-scheduler is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for kube-proxy
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2026-06-13T06:03:07Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for rke2-controller
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2026-06-13T06:03:07Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for api-server
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=system:apiserver,O=system:masters is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=kube-apiserver is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=rke2-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for admin
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=system:admin,O=system:masters is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for auth-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=system:auth-proxy is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=rke2-request-header-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for controller-manager
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=system:kube-controller-manager is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z

On the node, prepare the following configuration, then rotate the certificates with the rke2 certificate rotate command or from Rancher:

# On agent nodes the file is /etc/default/rke2-agent instead
cat << EOF > /etc/default/rke2-server
CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=3650
EOF

Certificates after rotation:

root@rke2-cilium-01:~# kubectl get secret -n kube-system rke2-serving -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text | grep Not
Not Before: Nov 13 07:09:59 2024 GMT
Not After : Jun 14 11:48:31 2035 GMT
root@rke2-cilium-01:~# rke2 certificate check
INFO[0000] Server detected, checking agent and server certificates
INFO[0000] Checking certificates for auth-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=system:auth-proxy is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=rke2-request-header-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for scheduler
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=system:kube-scheduler is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for supervisor
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=system:rke2-supervisor,O=system:masters is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for rke2-controller
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2035-06-14T11:48:33Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for api-server
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=system:apiserver,O=system:masters is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=kube-apiserver is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=rke2-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for admin
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=system:admin,O=system:masters is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for cloud-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-cloud-controller-manager is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for controller-manager
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=system:kube-controller-manager is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for etcd
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-client is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer is ok, expires at 2035-06-14T11:48:31Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for kube-proxy
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2035-06-14T11:48:33Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] Checking certificates for kubelet
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=system:node:rke2-cilium-01,O=system:nodes is ok, expires at 2035-06-14T11:48:32Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-cilium-01 is ok, expires at 2035-06-14T11:48:32Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-server-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z

However, this setting seems to have no effect on the kube-scheduler and kube-controller-manager certificates.
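As an added example (not part of the original post), the following POSIX shell script parses the lines printed by rke2 certificate check, as shown above, and lists every certificate that expires within a chosen number of days, so a cron job or monitoring hook can flag the one-year default well before it causes an outage. The sample lines embedded in it are constructed to match the format above, and the fixed "now" epoch is an assumption for running it offline.

```shell
#!/bin/sh
# Added example, not part of the original post: scan the lines printed by
# `rke2 certificate check` (or `k3s certificate check`) and list every
# certificate that expires within a threshold number of days.

# Constructed sample lines in the format shown in the post (not real data).
SAMPLE='INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=system:admin,O=system:masters is ok, expires at 2026-05-22T02:21:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=rke2-client-ca@1731481799 is ok, expires at 2034-11-11T07:09:59Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=kube-apiserver is ok, expires at 2035-06-14T11:48:31Z'

# Convert YYYY-MM-DDTHH:MM:SSZ to Unix epoch seconds using only POSIX
# arithmetic (days-from-civil algorithm), so GNU `date -d` is not required.
iso_to_epoch() {
  y=${1%%-*}; r=${1#*-}; m=${r%%-*}; r=${r#*-}; d=${r%%T*}
  t=${r#*T}; t=${t%Z}; H=${t%%:*}; r=${t#*:}; M=${r%%:*}; S=${r#*:}
  m=${m#0}; d=${d#0}; H=${H#0}; M=${M#0}; S=${S#0}   # avoid octal parsing
  if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  days=$((era * 146097 + doe - 719468))
  echo $((days * 86400 + H * 3600 + M * 60 + S))
}

# expiring_within DAYS NOW_EPOCH  < check-output
# Prints "path CN expiry days-left" for each certificate expiring within DAYS.
expiring_within() {
  limit=$(($2 + $1 * 86400))
  while IFS= read -r line; do
    case $line in *"expires at "*) ;; *) continue ;; esac
    exp=${line##*expires at }
    path=${line#*] }; path=${path%%:*}
    cn=${line#*certificate }; cn=${cn%% is *}
    e=$(iso_to_epoch "$exp")
    if [ "$e" -le "$limit" ]; then
      echo "$path $cn $exp $(( (e - $2) / 86400 ))d"
    fi
  done
}

# Live use on a node (the check logs to stderr):
#   rke2 certificate check 2>&1 | expiring_within 90 "$(date +%s)"
# Offline demo on the constructed sample, with "now" fixed at 2026-01-01T00:00:00Z.
printf '%s\n' "$SAMPLE" | expiring_within 365 1767225600
```

Run against the sample with a 365-day threshold it reports only client-admin.crt (141 days left); with 3650 days all three lines are reported, which mirrors the before/after difference in the post.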

Author

Warner Chen

Posted on

2025-06-16

Updated on

2025-06-16
