
Does Kubernetes Actually Have an LTS?

Source: Internet  Date: 2024/1/15 7:14:37

An interesting issue leads into a question that many people are following: Kubernetes LTS.

An interesting issue

In 2019, an issue titled "apiserver LoopbackClient Server cert expired after 1 year"[1] raised an interesting problem: if a kube-apiserver has gone a full year without being restarted, it can no longer work properly.

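The issue's author gave their own diagnosis of the cause: kube-apiserver does not renew its self-signed LoopbackClient certificate. As the code below shows, the certificate's expiry is set to 1 year.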

// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and
// let the server return it when the loopback client connects.
certPem, keyPem, err := certutil.GenerateSelfSignedCertKey(server.LoopbackClientServerNameOverride, nil, nil)
if err != nil {
	return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
}
certProvider, err := dynamiccertificates.NewStaticSNICertKeyContent("self-signed loopback", certPem, keyPem, server.LoopbackClientServerNameOverride)
if err != nil {
	return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
}

---

// GenerateSelfSignedCertKeyWithFixtures creates a self-signed certificate and key for the given host.
// Host may be an IP or a DNS name. You may also specify additional subject alt names (either ip or dns names)
// for the certificate.
//
// If fixtureDirectory is non-empty, it is a directory path which can contain pre-generated certs. The format is:
// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
// Certs/keys not existing in that directory are created.
func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) {
	validFrom := time.Now().Add(-time.Hour) // valid an hour earlier to avoid flakes due to clock skew
	maxAge := time.Hour * 24 * 365          // one year self-signed certs
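
The failure mode described above, reproduced as an added example (not code from Kubernetes or from the original article): a certificate is minted once at process start with the excerpt's one-hour backdating and one-year maxAge, then verified at increasing uptimes. The helper names, the host name loopback.example and the rule NotAfter = validFrom + maxAge are assumptions, since the excerpt ends before the certificate template.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// newStartupCert: hypothetical helper; NotAfter = validFrom+maxAge is assumed.
func newStartupCert(host string, start time.Time, maxAge time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	validFrom := start.Add(-time.Hour) // same clock-skew allowance as the excerpt
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    validFrom,
		NotAfter:     validFrom.Add(maxAge),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// expiredAt verifies cert as a client trusting only it would at time now.
func expiredAt(cert *x509.Certificate, host string, now time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	inv, ok := err.(x509.CertificateInvalidError)
	return ok && inv.Reason == x509.Expired
}

func main() {
	start := time.Now()
	cert, err := newStartupCert("loopback.example", start, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, days := range []int{1, 364, 366} { // constructed uptimes, in days
		fmt.Println(days, expiredAt(cert, "loopback.example", start.Add(time.Duration(days)*24*time.Hour)))
	}
}
```

Because the certificate is minted once at start and never reissued, a restart is the only thing that resets its validity window. A monitor can compare the serving process's start time plus maxAge against the current time to flag instances approaching the deadline.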