Customizing the RKE2/K3s certificate validity period

Certificates generated by RKE2/K3s are valid for one year by default; the validity period can be customized with CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS.

Check the current certificates first; all of them have a one-year validity:

root@docker-test-0:~# kubectl get secret -n kube-system rke2-serving -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text | grep Not
Not Before: Jun 24 03:47:19 2025 GMT
Not After : Jun 24 03:58:22 2026 GMT
root@docker-test-0:~# rke2 certificate check --output table
INFO[0000] Server detected, checking agent and server certificates

CERTIFICATE SUBJECT STATUS EXPIRES
----------- ------- ------ -------
client-kube-proxy.crt CN=system:kube-proxy OK 2026-06-24T03:58:24Z
client-kube-proxy.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-rke2-cloud-controller.crt CN=rke2-cloud-controller-manager OK 2026-06-24T03:58:22Z
client-rke2-cloud-controller.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-controller.crt CN=system:kube-controller-manager OK 2026-06-24T03:58:22Z
client-controller.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client.crt CN=etcd-client OK 2026-06-24T03:58:22Z
client.crt CN=etcd-server-ca@1750736839 OK 2035-06-22T03:47:19Z
server-client.crt CN=etcd-server OK 2026-06-24T03:58:22Z
server-client.crt CN=etcd-server-ca@1750736839 OK 2035-06-22T03:47:19Z
peer-server-client.crt CN=etcd-peer OK 2026-06-24T03:58:22Z
peer-server-client.crt CN=etcd-peer-ca@1750736839 OK 2035-06-22T03:47:19Z
client-scheduler.crt CN=system:kube-scheduler OK 2026-06-24T03:58:22Z
client-scheduler.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-supervisor.crt CN=system:rke2-supervisor,O=system:masters OK 2026-06-24T03:58:22Z
client-supervisor.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-kubelet.crt CN=system:node:docker-test-0,O=system:nodes OK 2026-06-24T03:58:24Z
client-kubelet.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
serving-kubelet.crt CN=docker-test-0 OK 2026-06-24T03:58:23Z
serving-kubelet.crt CN=rke2-server-ca@1750736839 OK 2035-06-22T03:47:19Z
client-rke2-controller.crt CN=system:rke2-controller OK 2026-06-24T03:58:24Z
client-rke2-controller.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-kube-apiserver.crt CN=system:apiserver,O=system:masters OK 2026-06-24T03:58:22Z
client-kube-apiserver.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
serving-kube-apiserver.crt CN=kube-apiserver OK 2026-06-24T03:58:22Z
serving-kube-apiserver.crt CN=rke2-server-ca@1750736839 OK 2035-06-22T03:47:19Z
client-admin.crt CN=system:admin,O=system:masters OK 2026-06-24T03:58:22Z
client-admin.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-auth-proxy.crt CN=system:auth-proxy OK 2026-06-24T03:58:22Z
client-auth-proxy.crt CN=rke2-request-header-ca@1750736839 OK 2035-06-22T03:47:19Z
root@docker-test-1:~# rke2 certificate check --output table
INFO[0000] Agent detected, checking agent certificates

CERTIFICATE SUBJECT STATUS EXPIRES
----------- ------- ------ -------
client-kube-proxy.crt CN=system:kube-proxy OK 2026-06-24T03:58:44Z
client-kube-proxy.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-kubelet.crt CN=system:node:docker-test-1,O=system:nodes OK 2026-06-24T03:58:44Z
client-kubelet.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
serving-kubelet.crt CN=docker-test-1 OK 2026-06-24T03:58:44Z
serving-kubelet.crt CN=rke2-server-ca@1750736839 OK 2035-06-22T03:47:19Z
client-rke2-controller.crt CN=system:rke2-controller OK 2026-06-24T03:58:45Z
client-rke2-controller.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z

On each node, prepare the following configuration, then rotate the certificates with the rke2 certificate rotate command or from Rancher:

cat << EOF > /etc/default/rke2-server
CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=3650
EOF
cat << EOF > /etc/default/rke2-agent
CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=3650
EOF

Certificates after rotation:

root@docker-test-0:~# kubectl get secret -n kube-system rke2-serving -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text | grep Not
Not Before: Jun 24 03:47:19 2025 GMT
Not After : Jun 22 04:00:54 2035 GMT
root@docker-test-0:~# rke2 certificate check --output table
INFO[0000] Server detected, checking agent and server certificates

CERTIFICATE SUBJECT STATUS EXPIRES
----------- ------- ------ -------
client-supervisor.crt CN=system:rke2-supervisor,O=system:masters OK 2035-06-22T04:00:54Z
client-supervisor.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-kube-proxy.crt CN=system:kube-proxy OK 2035-06-22T04:00:56Z
client-kube-proxy.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-kube-apiserver.crt CN=system:apiserver,O=system:masters OK 2035-06-22T04:00:54Z
client-kube-apiserver.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
serving-kube-apiserver.crt CN=kube-apiserver OK 2035-06-22T04:00:54Z
serving-kube-apiserver.crt CN=rke2-server-ca@1750736839 OK 2035-06-22T03:47:19Z
client-rke2-cloud-controller.crt CN=rke2-cloud-controller-manager OK 2035-06-22T04:00:54Z
client-rke2-cloud-controller.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client.crt CN=etcd-client OK 2035-06-22T04:00:54Z
client.crt CN=etcd-server-ca@1750736839 OK 2035-06-22T03:47:19Z
server-client.crt CN=etcd-server OK 2035-06-22T04:00:54Z
server-client.crt CN=etcd-server-ca@1750736839 OK 2035-06-22T03:47:19Z
peer-server-client.crt CN=etcd-peer OK 2035-06-22T04:00:54Z
peer-server-client.crt CN=etcd-peer-ca@1750736839 OK 2035-06-22T03:47:19Z
client-scheduler.crt CN=system:kube-scheduler OK 2035-06-22T04:00:54Z
client-scheduler.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-rke2-controller.crt CN=system:rke2-controller OK 2035-06-22T04:00:56Z
client-rke2-controller.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-admin.crt CN=system:admin,O=system:masters OK 2035-06-22T04:00:54Z
client-admin.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-auth-proxy.crt CN=system:auth-proxy OK 2035-06-22T04:00:54Z
client-auth-proxy.crt CN=rke2-request-header-ca@1750736839 OK 2035-06-22T03:47:19Z
client-controller.crt CN=system:kube-controller-manager OK 2035-06-22T04:00:54Z
client-controller.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-kubelet.crt CN=system:node:docker-test-0,O=system:nodes OK 2035-06-22T04:00:56Z
client-kubelet.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
serving-kubelet.crt CN=docker-test-0 OK 2035-06-22T04:00:55Z
serving-kubelet.crt CN=rke2-server-ca@1750736839 OK 2035-06-22T03:47:19Z
root@docker-test-1:~# rke2 certificate check --output table
INFO[0000] Agent detected, checking agent certificates

CERTIFICATE SUBJECT STATUS EXPIRES
----------- ------- ------ -------
client-kube-proxy.crt CN=system:kube-proxy OK 2035-06-22T04:01:16Z
client-kube-proxy.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
client-kubelet.crt CN=system:node:docker-test-1,O=system:nodes OK 2035-06-22T04:01:16Z
client-kubelet.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
serving-kubelet.crt CN=docker-test-1 OK 2035-06-22T04:01:16Z
serving-kubelet.crt CN=rke2-server-ca@1750736839 OK 2035-06-22T03:47:19Z
client-rke2-controller.crt CN=system:rke2-controller OK 2035-06-22T04:01:16Z
client-rke2-controller.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z

This setting, however, seems to have no effect on the kube-scheduler and kube-controller-manager certificates:

root@docker-test-0:~# openssl x509 -in /var/lib/rancher/rke2/server/tls/kube-controller-manager/kube-controller-manager.crt -text -noout | grep Not
Not Before: Jun 24 03:01:14 2025 GMT
Not After : Jun 24 03:01:14 2026 GMT
root@docker-test-0:~# openssl x509 -in /var/lib/rancher/rke2/server/tls/kube-scheduler/kube-scheduler.crt -text -noout | grep Not
Not Before: Jun 24 03:01:14 2025 GMT
Not After : Jun 24 03:01:14 2026 GMT
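The two checks above (the `rke2 certificate check --output table` listing and the `openssl x509` look at the kube-controller-manager and kube-scheduler files the table does not include) can be combined into one expiry report. The script below is an added example written for this page, not code from the post or from the RKE2 project. It assumes the table layout shown above (a constructed sample with four rows is embedded so it runs offline), that awk is available, that openssl is installed for the file check, and that the server data directory uses the /var/lib/rancher/rke2/server paths from the post; the function names certs_expiring_before and unlisted_cert_not_after are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: report RKE2 certificates that
# expire before a cut-off. Part 1 parses the table printed by
# `rke2 certificate check --output table`; part 2 covers the two certificates
# the post observes are not affected by CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS
# and which the table does not list (kube-controller-manager, kube-scheduler).

# Constructed sample rows in the table layout from the post (not real output).
SAMPLE_TABLE='CERTIFICATE SUBJECT STATUS EXPIRES
----------- ------- ------ -------
client-kube-proxy.crt CN=system:kube-proxy OK 2026-06-24T03:58:24Z
client-kube-proxy.crt CN=rke2-client-ca@1750736839 OK 2035-06-22T03:47:19Z
serving-kube-apiserver.crt CN=kube-apiserver OK 2035-06-22T04:00:54Z
serving-kube-apiserver.crt CN=rke2-server-ca@1750736839 OK 2035-06-22T03:47:19Z'

# certs_expiring_before CUTOFF
# Reads table rows on stdin and prints "<file> <subject> <expires>" for every
# leaf certificate whose EXPIRES column sorts before CUTOFF. Both are ISO 8601
# UTC strings of equal length, so awk's string comparison orders them correctly
# and no `date -d` parsing is needed. CA rows (subject CN=...-ca@<timestamp>)
# are the issuer repeated under each leaf, so they are skipped.
certs_expiring_before() {
    awk -v cutoff="$1" '
        NR <= 2 || NF < 4 { next }      # header and separator rows
        $2 ~ /-ca@/       { next }      # issuer CA rows
        $NF < cutoff      { print $1, $2, $NF }
    '
}

# unlisted_cert_not_after SERVER_DIR
# Prints "<file> <notAfter>" for the kube-controller-manager and kube-scheduler
# certificates under an RKE2 server data directory (paths as shown in the post).
# They do not appear in the `rke2 certificate check` table, so a report that
# only reads the table would miss their one-year expiry.
unlisted_cert_not_after() {
    for f in "$1"/tls/kube-controller-manager/kube-controller-manager.crt \
             "$1"/tls/kube-scheduler/kube-scheduler.crt; do
        [ -r "$f" ] || continue           # agent nodes do not have these files
        printf '%s %s\n' "$f" \
            "$(openssl x509 -noout -enddate -in "$f" | sed 's/^notAfter=//')"
    done
}

# Usage on a real server node:
#   rke2 certificate check --output table | certs_expiring_before "$CUTOFF"
#   unlisted_cert_not_after /var/lib/rancher/rke2/server
# Here the constructed sample is used with a cut-off 90 days from now
# (GNU date; falls back to a fixed date where `date -d` is unavailable).
CUTOFF=$(date -u -d '+90 days' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || echo 2026-12-31T00:00:00Z)
printf '%s\n' "$SAMPLE_TABLE" | certs_expiring_before "$CUTOFF"
```

Run it on a server node after rotation: the table part should report nothing for a ten-year validity, while the unlisted_cert_not_after part still shows the one-year notAfter dates on the two files the post inspects, which is exactly the gap that needs a separate reminder before the next June.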
Author

Warner Chen

Posted on

2025-06-16

Updated on

2025-06-24

Licensed under

