k8s-01一键生成k8s证书
下面直接写成脚本就行放在/root/ssl下面直接执行就行备注:此为master节点生成的证书都在/opt/kubernetes/ssl下面,如果node节点想用直接scp过去192.168.56.10为master192.168.56.11node01192.168.56.12node02hosts也可以只写master节点的ip地址...
下面直接写成脚本就行 放在/root/ssl下面直接执行就行
备注:此为master节点生成的证书都在/opt/kubernetes/ssl下面,如果node节点想用 直接scp过去
192.168.56.10 为master
192.168.56.11 node01
192.168.56.12 node02
hosts也可以只写master节点的ip地址
mkdir -p /opt/kubernetes/{cfg,bin,ssl}
mkdir -p /root/ssl
yum -y install wget
cd /root/ssl/
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
\mv cfssl_linux-amd64 /opt/kubernetes/bin/cfssl
\mv cfssljson_linux-amd64 /opt/kubernetes/bin/cfssljson
\mv cfssl-certinfo_linux-amd64 /opt/kubernetes/bin/cfssl-certinfo
echo "PATH=\$PATH:/opt/kubernetes/bin" >>/etc/profile
source /etc/profile
cfssl=/opt/kubernetes/bin/cfssl
cfssl-certinfo=/opt/kubernetes/bin/cfssl-certinfo
cfssljson=/opt/kubernetes/bin/cfssljson
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.56.10",
"192.168.56.11",
"192.168.56.12",
"10.10.10.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
#-----------------------
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
#-----------------------
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
rm -f /opt/kubernetes/ssl/*.pem
ls -l|grep pem|awk '{print $9}'|xargs -i mv {} /opt/kubernetes/ssl/
[root@k8s-master ssl]# ll /opt/kubernetes/ssl/
total 32
-rw------- 1 root root 1679 Oct 2 10:57 admin-key.pem
-rw-r--r-- 1 root root 1399 Oct 2 10:57 admin.pem
-rw------- 1 root root 1675 Oct 2 10:57 ca-key.pem
-rw-r--r-- 1 root root 1359 Oct 2 10:57 ca.pem
-rw------- 1 root root 1675 Oct 2 10:57 kube-proxy-key.pem
-rw-r--r-- 1 root root 1403 Oct 2 10:57 kube-proxy.pem
-rw------- 1 root root 1675 Oct 2 10:57 server-key.pem
-rw-r--r-- 1 root root 1627 Oct 2 10:57 server.pem
[root@k8s-master ssl]#
[root@k8s-master ~]# ll /opt/kubernetes/bin/
total 18808
-rwxr-xr-x 1 root root 10376657 Mar 30 2016 cfssl
-rwxr-xr-x 1 root root 6595195 Mar 30 2016 cfssl-certinfo
-rwxr-xr-x 1 root root 2277873 Mar 30 2016 cfssljson
[root@k8s-master ~]#
转载于:https://blog.51cto.com/wsxxsl/2289529
K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容
更多推荐
0
0- 0
已为社区贡献466条内容
所有评论(0)