RKE2

Installation


👀 : Official guide : https://docs.rke2.io/install/quickstart

👀 : Ansible Role : https://github.com/lablabs/ansible-role-rke2

TLS certificate validity period

CA certificates are valid for 10 years; all other certificates for 1 year.

👀 : https://kubernetes.io/ja/docs/tasks/tls/certificate-rotation/

👀 : https://docs.rke2.io/security/certificates

RKE2 client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time RKE2 starts.
By default, RKE2 generates self-signed CA certificates during startup of the first server node. These CA certificates are valid for 10 years from date of issuance, and are not automatically renewed.

Checking TLS certificate expiration

  • If kubeadm is installed:

    # kubeadm certs check-expiration
    
    👀 : https://kubernetes.io/ja/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AE%E6%9C%89%E5%8A%B9%E6%9C%9F%E9%99%90%E3%81%AE%E7%A2%BA%E8%AA%8D

  • If kubeadm is not installed, check on the rke2-server node:

    # openssl x509 -in /var/lib/rancher/rke2/server/tls/server-ca.crt -noout -enddate
    # openssl x509 -in /var/lib/rancher/rke2/server/tls/client-ca.crt -noout -enddate
    # openssl x509 -in /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt -noout -enddate
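
Added example (not from the RKE2 docs or the original page): a shell helper that walks the TLS directory used above and classifies every certificate against the 90-day renewal window, using `openssl x509 -checkend`. The function names and status labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify RKE2 certificates against the 90-day renewal window.
TLS_DIR="${TLS_DIR:-/var/lib/rancher/rke2/server/tls}"  # directory used on this page
RENEW_WINDOW_DAYS=90                                     # window quoted from the RKE2 docs

# cert_status FILE: prints one of unreadable | expired | renewal-window | ok
# (status labels are this example's own, not RKE2 output)
cert_status() {
    crt="$1"
    if ! openssl x509 -in "$crt" -noout >/dev/null 2>&1; then
        echo unreadable            # not a parseable PEM certificate
    elif ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$crt" -noout \
            -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null 2>&1; then
        echo renewal-window        # renewed at next RKE2 start, except CA certs
    else
        echo ok
    fi
}

# check_rke2_certs [DIR]: one line per *.crt; returns 1 if any is not "ok".
check_rke2_certs() {
    dir="${1:-$TLS_DIR}"
    rc=0
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue  # glob matched nothing
        status=$(cert_status "$crt")
        end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%-15s %s (notAfter: %s)\n' "$status" "$crt" "${end:-n/a}"
        [ "$status" = ok ] || rc=1
    done
    return "$rc"
}

# Run against the real directory only when it exists (i.e. on an rke2-server node).
if [ -d "$TLS_DIR" ]; then
    check_rke2_certs "$TLS_DIR"
fi
```

A non-zero exit status means at least one certificate needs attention; for the CA files that means manual rotation, since RKE2 does not renew them automatically.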