k8s:通过域名生成证书
正确方式："hosts": ["*.etcd"]，完整生成证书的示例见附件。etcd 配置示例（节选，注意 peer/advertise 地址都用证书 SAN 覆盖的域名）：
[root@node1 certs]# cat /root/k8s/cfg/etcd
ETCD_OPTS="--name=etcd-2 \
--listen-peer-urls=https://192.168.56.169:2380 \
--initial-advertise-peer-urls=https://etcd2.etcd:2380 \
…
1. 证书 需要修改地方
etcd证书生成
"hosts": [
"*.etcd"
],
注意：必须写成 "*.etcd"（通配符只能出现在最左侧的一个标签，且要占满整个标签），不能写成 "etcd.*"，也不能写成 "etcd.*.com"——这类写法不会被 Go 的 TLS 主机名校验接受，握手时对端会直接拒绝证书。另外要清楚通配符的代价：这一张证书对 .etcd 下的任意主机名都有效，拿到 server-key.pem 的人可以冒充集群中任一节点，所以私钥应设为 0600，并且只分发到真正需要它的节点。
apiserver证书生成
"hosts": [
"*.apiserver"
],
controller-manager证书生成
"hosts": [
"*.controller-manager"
],
scheduler证书生成
"hosts": [
"*.scheduler"
],
2. 配置文件 需要修改地方
etcd的配置文件
--initial-advertise-peer-urls=https://etcd2.etcd:2380 \
--initial-cluster=etcd-2=https://etcd2.etcd:2380,etcd-3=https://etcd3.etcd:2380 \
apiserver的配置文件
--etcd-servers=https://etcd2.etcd:2379,https://etcd3.etcd:2379
controller-manager 配置
--master=https://69.apiserver:6443
scheduler 配置
--master=https://69.apiserver:6443
注意：所有 .kubeconfig 文件中的 server 都需要写成域名形式（例如 https://69.apiserver:6443）。原因是上面各证书的 SAN 里除 127.0.0.1 外没有任何 IP 地址，若写成 https://192.168.56.169:6443，客户端会因主机名校验失败而拒绝连接。
3. hosts文件 需要修改地方（每个节点的 /etc/hosts 都要保持一致；这些名字现在是 TLS 信任链的一部分，任何改名都必须与证书 SAN 同步，否则会出现下面那种 "tls: bad certificate" 拒绝）
192.168.56.169 etcd2.etcd
192.168.56.170 etcd3.etcd
192.168.56.169 69.apiserver
192.168.56.169 69.controller-manager
192.168.56.169 69.scheduler
[root@node1 certs]#
[root@node1 certs]# ETCDCTL_API=3 /usr/local/bin/etcdctl --cacert=ca.pem --cert=server.pem --key=server-key.pem --endpoints="https://etcd2.etcd:2379,https://etcd3.etcd:2379" endpoint health --write-out=table
+-------------------------+--------+-------------+-------+
| ENDPOINT | HEALTH | TOOK | ERROR |
+-------------------------+--------+-------------+-------+
| https://etcd2.etcd:2379 | true | 24.840193ms | |
| https://etcd3.etcd:2379 | true | 38.965901ms | |
+-------------------------+--------+-------------+-------+
[root@node1 certs]#
etcd域名错误日志（示例：--initial-advertise-peer-urls 被写成了 https://etcd.etcd2:2380）。对端拨号时 SNI 为 "etcd.etcd2"，而证书 SAN 是 "*.etcd"——通配符只替代最左侧一个标签，这里标签顺序反了，所以名字不匹配，对端拒绝证书，本端记录 "remote error: tls: bad certificate"。同时 raft 任期号从 221 一路涨到 7290，说明两个成员始终互相连不上、没有多数派，集群长时间选不出 leader。
[root@node1 certs]# systemctl status etcd
● etcd.service - Kubernetes etcd
Loaded: loaded (/usr/lib/systemd/system/etcd.service; enabled; vendor preset: disabled)
Active: activating (start) since 二 2022-03-29 00:20:22 CST; 1min 21s ago
Main PID: 17099 (etcd)
Tasks: 8
Memory: 18.3M
CGroup: /system.slice/etcd.service
└─17099 /usr/local/bin/etcd --name=etcd-2 --listen-peer-urls=https://192.168.56.169:2380 --initial-advertise-peer-urls=https://etcd.etcd2:2380...
3月 29 00:21:44 node1 etcd[17099]: raft2022/03/29 00:21:44 INFO: 944c57446dfcc81 received MsgVoteResp from 944c57446dfcc81 at term 7290
3月 29 00:21:44 node1 etcd[17099]: raft2022/03/29 00:21:44 INFO: 944c57446dfcc81 [logterm: 1, index: 2] sent MsgVote request to 48dbac03b0d1b25...term 7290
3月 29 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41454" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
3月 29 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41456" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
3月 29 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41458" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
3月 29 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41460" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
3月 29 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41462" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
3月 29 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41464" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
3月 29 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41468" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
3月 29 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41466" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
Hint: Some lines were ellipsized, use -l to show in full.
[root@node1 certs]#
3月 28 22:49:29 node1 etcd[59164]: raft2022/03/28 22:49:29 INFO: 944c57446dfcc81 is starting a new election at term 221
3月 28 22:49:29 node1 etcd[59164]: raft2022/03/28 22:49:29 INFO: 944c57446dfcc81 became candidate at term 222
3月 28 22:49:29 node1 etcd[59164]: raft2022/03/28 22:49:29 INFO: 944c57446dfcc81 received MsgVoteResp from 944c57446dfcc81 at term 222
3月 28 22:49:29 node1 etcd[59164]: raft2022/03/28 22:49:29 INFO: 944c57446dfcc81 [logterm: 1, index: 2] sent MsgVote request to 48dbac03b0d1b253 at term 222
3月 28 22:49:29 node1 etcd[59164]: rejected connection from "192.168.56.170:48132" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
3月 28 22:49:29 node1 etcd[59164]: rejected connection from "192.168.56.170:48134" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
3月 28 22:49:29 node1 etcd[59164]: rejected connection from "192.168.56.170:48138" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
3月 28 22:49:29 node1 etcd[59164]: rejected connection from "192.168.56.170:48136" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
3月 29 00:18:59 node2 etcd[124469]: raft2022/03/29 00:18:59 INFO: 48dbac03b0d1b253 is starting a new election at term 7031
3月 29 00:18:59 node2 etcd[124469]: raft2022/03/29 00:18:59 INFO: 48dbac03b0d1b253 became candidate at term 7032
3月 29 00:18:59 node2 etcd[124469]: raft2022/03/29 00:18:59 INFO: 48dbac03b0d1b253 received MsgVoteResp from 48dbac03b0d1b253 at term 7032
3月 29 00:18:59 node2 etcd[124469]: raft2022/03/29 00:18:59 INFO: 48dbac03b0d1b253 [logterm: 1, index: 2] sent MsgVote request to 944c57446dfcc81 at term 7032
3月 29 00:19:00 node2 etcd[124469]: rejected connection from "192.168.56.169:36922" (error "remote error: tls: bad certificate", ServerName "etcd.etcd3")
3月 29 00:19:00 node2 etcd[124469]: rejected connection from "192.168.56.169:36924" (error "remote error: tls: bad certificate", ServerName "etcd.etcd3")
3月 29 00:19:00 node2 etcd[124469]: rejected connection from "192.168.56.169:36926" (error "remote error: tls: bad certificate", ServerName "etcd.etcd3")
附件
生成证书（以下命令依赖 cfssl、cfssljson 和 openssl；建议在 set -euo pipefail 下执行，避免某一步签发失败后静默继续、留下缺失的证书文件。另外注意两点：ca-config.json 中的 kubernetes profile 同时允许 server auth 和 client auth，这正是上面 etcdctl 能直接拿 server.pem 当客户端证书做健康检查的原因，生产环境建议拆分为独立的服务端/客户端 profile 与证书；87600h 即 10 年有效期，没有任何轮换压力，也应按需缩短。所有 *-key.pem 生成后请设为 0600。）
# CA signing policy consumed by every `cfssl gencert -config=ca-config.json`
# call below. A single "kubernetes" profile is used for every leaf cert.
# NOTE(review): the profile grants both "server auth" and "client auth", so any
# cert issued with it can serve TLS *and* act as a client identity, and the
# 87600h (10 year) lifetime removes all rotation pressure. Both are acceptable
# for a lab; tighten them for anything else.
cat > ca-config.json <<'EOF'
{
  "signing":{
    "default":{
      "expiry":"87600h"
    },
    "profiles":{
      "kubernetes":{
        "expiry":"87600h",
        "usages":[
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
# Cluster root CA. `-initca` self-signs the CSR and writes ca.pem / ca-key.pem.
# ca-key.pem signs every component cert below except the front-proxy and
# service-account material, so it is the most sensitive file this script makes.
cat > ca-csr.json <<'EOF'
{
  "CN":"kubernetes",
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"BeiJing",
      "ST":"BeiJing",
      "O":"k8s",
      "OU":"System"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# etcd serving cert. SAN "*.etcd" covers etcd2.etcd / etcd3.etcd (the names used
# in --initial-cluster and --etcd-servers); 127.0.0.1 covers a local etcdctl.
# The wildcard must be the whole leftmost label: "etcd.*" or "etcd.*.com" does
# not match under Go's hostname verification. Because it matches *any* host
# under .etcd, whoever holds server-key.pem can pose as any member.
# No node IPs are listed, so peers and clients must connect by name, not IP.
# With the shared "kubernetes" profile this cert also carries client auth,
# which is why etcdctl can present it as a client cert.
cat > server-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "*.etcd"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
# Cluster-admin client cert. "hosts" is empty because a pure client cert needs
# no SANs. The subject O=system:masters maps to the system:masters group, which
# default RBAC binds to cluster-admin: this keypair is root on the cluster and
# cannot be revoked short of rotating the CA. Keep admin-key.pem off shared hosts.
cat > admin-csr.json <<'EOF'
{
  "CN":"admin",
  "hosts":[],
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"BeiJing",
      "ST":"BeiJing",
      "O":"system:masters",
      "OU":"System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
# Service-account token keypair. `-initca` is only a convenient way to get a
# self-signed cert plus private key; the cert itself is irrelevant, the key is
# what signs tokens. sa.pub is the matching public key extracted with openssl.
# NOTE(review): presumably sa-key.pem goes to the apiserver/controller-manager
# --service-account-*-file flags and sa.pub to --service-account-key-file;
# those units are not on this page, confirm before relying on that.
cat > sa-csr.json <<'EOF'
{
  "CN":"sa",
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"BeiJing",
      "ST":"BeiJing",
      "O":"k8s",
      "OU":"System"
    }
  ]
}
EOF
cfssl gencert -initca sa-csr.json | cfssljson -bare sa -
openssl x509 -in sa.pem -pubkey -noout > sa.pub
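# kube-apiserver serving cert.
# Two fixes vs. the original listing: the comma after "*.apiserver" was missing,
# so the file was not valid JSON and cfssl would reject the CSR; and
# "kubernetes.default.svc.cluste.local" was misspelled, so in-cluster clients
# using the fully qualified service name would fail hostname verification.
# "*.apiserver" covers 69.apiserver (the --master / kubeconfig server name);
# the kubernetes.default.* names cover in-cluster DNS; 127.0.0.1 covers local use.
# NOTE(review): the ClusterIP of the "kubernetes" service (first address of
# --service-cluster-ip-range) is normally required here as well; it is not
# given on this page, so add it once known.
cat > apiserver-csr.json <<'EOF'
{
  "CN":"kubernetes",
  "hosts":[
    "127.0.0.1",
    "*.apiserver",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"BeiJing",
      "ST":"BeiJing",
      "O":"k8s",
      "OU":"System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes apiserver-csr.json | cfssljson -bare apiserver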
# kube-controller-manager cert. CN system:kube-controller-manager is the user
# name default RBAC binds to the controller-manager role, so this mostly acts
# as a client cert towards the apiserver (--master=https://69.apiserver:6443).
# The "*.controller-manager" SAN matches the 69.controller-manager hosts entry;
# it is only needed if the component also serves TLS on that name.
cat > kube-controller-manager-csr.json <<'EOF'
{
  "CN":"system:kube-controller-manager",
  "hosts":[
    "127.0.0.1",
    "*.controller-manager"
  ],
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"BeiJing",
      "ST":"BeiJing",
      "O":"k8s",
      "OU":"System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
# kube-scheduler cert, same shape as the controller-manager one. CN
# system:kube-scheduler is the user default RBAC binds to the scheduler role;
# "*.scheduler" matches the 69.scheduler hosts entry.
cat > kube-scheduler-csr.json <<'EOF'
{
  "CN":"system:kube-scheduler",
  "hosts":[
    "127.0.0.1",
    "*.scheduler"
  ],
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"BeiJing",
      "ST":"BeiJing",
      "O":"k8s",
      "OU":"System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
# Client cert the apiserver presents to kubelets (exec/logs/metrics). No SANs,
# as for any client cert. O=system:masters follows what kubeadm does, but it
# means this keypair is also cluster-admin if it is ever presented to the
# apiserver itself; a dedicated group bound only to the node-proxy rights the
# kubelet needs would be a tighter choice.
cat > apiserver-kubelet-client-csr.json <<'EOF'
{
  "CN":"kube-apiserver-kubelet-client",
  "hosts":[],
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"BeiJing",
      "ST":"BeiJing",
      "O":"system:masters",
      "OU":"System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes apiserver-kubelet-client-csr.json | cfssljson -bare apiserver-kubelet-client
# kube-proxy client cert. CN system:kube-proxy is the user default RBAC binds
# to the node-proxier role; empty "hosts" because it never serves TLS.
# The same key is usually copied to every node, so compromise of one node
# exposes the identity for all of them.
cat > kube-proxy-csr.json <<'EOF'
{
  "CN":"system:kube-proxy",
  "hosts":[],
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"BeiJing",
      "ST":"BeiJing",
      "O":"k8s",
      "OU":"System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
# Dedicated CA for the aggregation layer (front proxy). It is deliberately a
# separate root from ca.pem: the apiserver trusts this CA for the
# X-Remote-User/X-Remote-Group impersonation headers, so if the cluster CA were
# reused here, every ordinary client cert could forge those headers.
cat > proxy-client-ca-csr.json <<'EOF'
{
  "CN":"front-proxy",
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"BeiJing",
      "ST":"BeiJing",
      "O":"k8s",
      "OU":"System"
    }
  ]
}
EOF
cfssl gencert -initca proxy-client-ca-csr.json | cfssljson -bare proxy-client-ca -
# Front-proxy client cert, signed by proxy-client-ca (not the cluster CA).
# The apiserver presents it to aggregated API servers; its CN "front-proxy"
# is what --requestheader-allowed-names on the other side should list.
# Empty "hosts" as it is purely a client identity.
cat > proxy-client-csr.json <<'EOF'
{
  "CN":"front-proxy",
  "hosts":[],
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"BeiJing",
      "ST":"BeiJing",
      "O":"k8s",
      "OU":"System"
    }
  ]
}
EOF
cfssl gencert -ca=proxy-client-ca.pem -ca-key=proxy-client-ca-key.pem -config=ca-config.json -profile=kubernetes proxy-client-csr.json | cfssljson -bare proxy-client