k8s-1.9.1-步骤三(创建证书)
----------------------------------------------------------------------------------------------------------------------------
执行主机:192.168.1.15or16or18
创建admin-csr.json
# CSR for the cluster-admin client certificate.
# "hosts" is empty because this is a client certificate, not a server one.
# Kubernetes reads the O field of a client certificate as the user's group,
# so "system:masters" is what gives this identity full cluster-admin rights:
# the resulting admin-key.pem must be protected like a root credential.
cat <<'HERE' >/root/kubernetes/server/bin/ssl/admin-csr.json
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Shenzhen",
"L": "Shenzhen",
"O": "system:masters",
"OU": "System"
}
]
}
HERE
创建k8s-gencert.json
# cfssl signing configuration used for every leaf certificate below.
# The "kubernetes" profile carries both "server auth" and "client auth", so a
# single profile serves the apiserver, admin and kube-proxy certificates.
# Both the default and the profile expire after 87600h (10 years); nothing in
# this guide rotates or revokes them, so that lifetime deserves a second look.
cat <<'HERE' >/root/kubernetes/server/bin/ssl/k8s-gencert.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
HERE
创建k8s-root-ca-csr.json
# CSR for the self-signed root CA (4096-bit key, stronger than the 2048-bit
# leaf keys). NOTE(review): there is no "ca": {"expiry": ...} stanza, so
# cfssl applies its own default CA lifetime rather than the 87600h used for
# the leaf certificates — confirm this is the intended CA lifetime.
cat <<'HERE' >/root/kubernetes/server/bin/ssl/k8s-root-ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 4096
},
"names": [
{
"C": "CN",
"ST": "Shenzhen",
"L": "Shenzhen",
"O": "k8s",
"OU": "System"
}
]
}
HERE
创建kube-proxy-csr.json
# CSR for the kube-proxy client certificate. The CN "system:kube-proxy" is
# the username kube-proxy will authenticate as; "hosts" is empty because
# this is a client certificate.
cat <<'HERE' >/root/kubernetes/server/bin/ssl/kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Shenzhen",
"L": "Shenzhen",
"O": "k8s",
"OU": "System"
}
]
}
HERE
创建kubernetes-csr.json
# NOTE: the "hosts" list must contain the first DNS IP and the IPs of every
# etcd, k8s-master and k8s-node host.
# This is the apiserver's server certificate: every address a client may use
# to reach it must be listed here, or TLS verification fails for that
# address. 127.0.0.1 and the three master IPs are listed; 10.254.0.1 is
# presumably the "kubernetes" service ClusterIP (first address of the service
# CIDR) — confirm it matches the apiserver's --service-cluster-ip-range.
# The kubernetes.default.* names are how in-cluster clients reach the API.
cat <<'HERE' >/root/kubernetes/server/bin/ssl/kubernetes-csr.json
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.1.15",
"192.168.1.16",
"192.168.1.18",
"10.254.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Shenzhen",
"L": "Shenzhen",
"O": "k8s",
"OU": "System"
}
]
}
HERE
----------------------------------------------------------------------------------------------------------------------------
执行主机:192.168.1.15or16or18
生成通用证书以及kubeconfig
进入ssl目录,共创建了五个文件
cd /root/kubernetes/server/bin/ssl/
生成证书
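# Self-sign the root CA. cfssljson --bare writes k8s-root-ca.pem and
# k8s-root-ca-key.pem; the key file is the most sensitive artifact of this
# whole guide — whoever holds it can mint certificates the cluster trusts.
cfssl gencert --initca=true k8s-root-ca-csr.json | cfssljson --bare k8s-root-ca

# Issue the leaf certificates (kubernetes, admin, kube-proxy) from that CA
# using the "kubernetes" profile of k8s-gencert.json.
# The original one-line loop lacked the ";" before "done", so "done" was
# passed to cfssljson as an extra argument and the loop never closed.
# Without pipefail, cfssljson runs even when cfssl fails: check that each
# <name>.pem / <name>-key.pem pair exists afterwards.
for targetName in kubernetes admin kube-proxy; do
  cfssl gencert \
    --ca k8s-root-ca.pem \
    --ca-key k8s-root-ca-key.pem \
    --config k8s-gencert.json \
    --profile kubernetes \
    "${targetName}-csr.json" | cfssljson --bare "${targetName}"
done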
----------------------------------------------------------------------------------------------------------------------------
执行主机:192.168.1.15or16or18
生成kubectl配置
注:此处定义api-server的服务ip,此处用为以后HA模式准备,所以配置127.0.0.1,如果你的master是单节点,请配置成单个apiserver:6443的ip即可
注:我做的3master+node,但是没做ha,这里要每台指定各自的ip
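# Address the generated kubeconfigs will point at. Per the note above there
# is no HA VIP yet, so set this to the master you are generating for.
# (The original exported it twice; once is enough.)
export KUBE_APISERVER="https://192.168.1.15:6443"
cd /root/kubernetes/server/bin/ssl/

# Kubelet bootstrap token: 16 random bytes rendered as 32 hex characters
# (od -t x prints 4-byte groups separated by spaces; tr strips the spaces).
# Assignment and export are separate so the pipeline's exit status is not
# masked by export's own status.
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
export BOOTSTRAP_TOKEN
# This value is a credential: it ends up in token.csv and bootstrap.kubeconfig.
printf 'Token: %s\n' "${BOOTSTRAP_TOKEN}"

# Static token file for the API server, one line: token,user,uid,group.
# The original had the heredoc collapsed onto a single line, which is not
# valid shell; restored with the delimiter on its own line.
cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF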
注:会创建一个token.csv文件
echo "Create kubelet bootstrapping kubeconfig..."
将k8s-root-ca.pem,apiserver地址写入bootstrap.kubeconfig文件
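# Cluster entry for the kubelet bootstrap kubeconfig. --embed-certs inlines
# the root CA so the file stays valid after it is copied to the nodes.
# Fail early if KUBE_APISERVER was not exported: an empty --server would
# otherwise be written silently. The expansion is quoted (the original was
# not) so a malformed value cannot split into extra arguments.
: "${KUBE_APISERVER:?export KUBE_APISERVER first}"
kubectl config set-cluster kubernetes \
  --certificate-authority=k8s-root-ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=bootstrap.kubeconfig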
注:会创建一个bootstrap.kubeconfig文件
bootstrap.kubeconfig文件内容
将token.csv文件内容写入bootstrap.kubeconfig文件
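# Bind the bootstrap token to the kubelet-bootstrap user. The token is stored
# in the kubeconfig in clear text, so bootstrap.kubeconfig needs the same
# protection as token.csv. Abort if the token was never generated; the
# expansion is quoted (the original was not).
: "${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN is not set; generate it first}"
kubectl config set-credentials kubelet-bootstrap \
  --token="${BOOTSTRAP_TOKEN}" \
  --kubeconfig=bootstrap.kubeconfig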
bootstrap.kubeconfig文件内容
设置set-context环境项,kubelet-bootstrap用户
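# Context tying the kubernetes cluster entry to the kubelet-bootstrap user.
# The original had all flags on one physical line with "\ " between them;
# that is an escaped space, so kubectl received " --cluster=kubernetes" and
# friends as single malformed arguments. Restored as real line continuations.
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig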
bootstrap.kubeconfig文件内容
将set-context写入bootstrap.kubeconfig文件
# Make "default" the active context of bootstrap.kubeconfig.
kubectl config use-context default \
  --kubeconfig=bootstrap.kubeconfig
bootstrap.kubeconfig文件内容
echo "Create kube-proxy kubeconfig..."
将k8s-root-ca.pem,apiserver地址写入kube-proxy.kubeconfig文件
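# Cluster entry for the kube-proxy kubeconfig, with the root CA embedded so
# the file is self-contained on the nodes. Fail early if KUBE_APISERVER is
# unset rather than writing an empty --server; the expansion is quoted
# (the original was not).
: "${KUBE_APISERVER:?export KUBE_APISERVER first}"
kubectl config set-cluster kubernetes \
  --certificate-authority=k8s-root-ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=kube-proxy.kubeconfig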
注:会创建一个kube-proxy.kubeconfig文件
kube-proxy.kubeconfig文件内容
将kube-proxy.pem写入kube-proxy.kubeconfig文件
# kube-proxy authenticates with its client certificate (CN system:kube-proxy
# from kube-proxy-csr.json). Embedding both cert and key makes the kubeconfig
# self-contained — and therefore as sensitive as kube-proxy-key.pem itself.
kubectl config set-credentials kube-proxy \
  --client-certificate=kube-proxy.pem \
  --client-key=kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
kube-proxy.kubeconfig文件内容
设置set-context环境项,kube-proxy用户
# Context tying the kubernetes cluster entry to the kube-proxy user.
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
kube-proxy.kubeconfig文件内容
将set-context写入kube-proxy.kubeconfig文件
# Make "default" the active context of kube-proxy.kubeconfig.
kubectl config use-context default \
  --kubeconfig=kube-proxy.kubeconfig
kube-proxy.kubeconfig文件内容
生成高级审计配置
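# API-server audit policy: a single rule that records every request at
# Metadata level (who/what/when, no request or response bodies).
# Written with ">" instead of the original ">>": appending on a re-run would
# stack a second copy of the document into the file and break the policy.
# The delimiter is quoted because nothing here should be expanded.
cat > audit-policy.yaml <<'EOF'
# Log all requests at the Metadata level.
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
- level: Metadata
EOF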
注:会生成一个audit-policy.yaml文件
生成集群管理员admin kubeconfig配置文件供kubectl调用
#admin set-cluster
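# Cluster entry for the cluster-admin kubeconfig (written to ./kubeconfig).
# The original line ended in "k8s-root-ca.pem\" with no space before the
# backslash, so the continuation glued "--embed-certs=true" onto the CA path
# as one broken argument. Also fail early if KUBE_APISERVER is unset and
# quote the expansion.
: "${KUBE_APISERVER:?export KUBE_APISERVER first}"
kubectl config set-cluster kubernetes \
  --certificate-authority=k8s-root-ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=./kubeconfig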
注:会生成一个kubeconfig文件
kubeconfig文件内容
#admin set-credentials
# Embed the admin client certificate and key (O=system:masters, i.e.
# cluster-admin). The resulting ./kubeconfig grants full control of the
# cluster and must be handled as a root credential.
kubectl config set-credentials kubernetes-admin \
  --client-certificate=admin.pem \
  --client-key=admin-key.pem \
  --embed-certs=true \
  --kubeconfig=./kubeconfig
kubeconfig文件内容
#admin set-context
# Context tying the kubernetes cluster entry to the kubernetes-admin user.
kubectl config set-context kubernetes-admin@kubernetes \
  --cluster=kubernetes \
  --user=kubernetes-admin \
  --kubeconfig=./kubeconfig
kubeconfig文件内容
#admin set default context
# Make the admin context the active one in ./kubeconfig.
kubectl config use-context kubernetes-admin@kubernetes \
  --kubeconfig=./kubeconfig
kubeconfig文件内容
#创建ssl文件夹
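# Create the certificate directory on every master. The host name is quoted
# (the original expansion was not) so it can never split into extra ssh
# arguments; the remote command is single-quoted since it needs no expansion.
for node in k8s-master-1 k8s-master-2 k8s-master-3; do
  ssh "${node}" 'mkdir -p /etc/kubernetes/ssl/'
done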
#下发证书文件
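# Push the whole ssl/ directory to each master. Note what travels with it:
# k8s-root-ca-key.pem, token.csv and the cluster-admin kubeconfig — so
# /etc/kubernetes/ssl on the masters must stay root-only (rsync -a preserves
# the source file modes; check them before sending). The destination is
# quoted; the original expansion was not.
for ssl in k8s-master-1 k8s-master-2 k8s-master-3; do
  rsync -avzP /root/kubernetes/server/bin/ssl/ "${ssl}:/etc/kubernetes/ssl/"
done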
注:下发后需要更改kubeconfig的apiserver地址
server:
https://192.168.1.15:6443
server:
https://192.168.1.16:6443
server: https://192.168.1.18:6443
#创建master /root/.kube 目录,复制超级admin授权config
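# Install the cluster-admin kubeconfig as root's default kubectl config on
# each master. "\cp" bypasses any cp alias (such as cp -i) on the remote
# side; inside double quotes bash keeps the backslash, so the remote shell
# still sees "\cp". The host name is quoted (the original was not).
for master in k8s-master-1 k8s-master-2 k8s-master-3; do
  ssh "${master}" "mkdir -p /root/.kube ; \cp -f /etc/kubernetes/ssl/kubeconfig /root/.kube/config"
done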
注:最后注意每台kubelet的配置文件需要更改kube-apiserver地址的有
/lib/systemd/system/kubelet.service
/root/.kube/config
/etc/kubernetes/ssl/bootstrap.kubeconfig
/etc/kubernetes/ssl/kubelet.kubeconfig
/etc/kubernetes/ssl/kube-proxy.kubeconfig