k8s binary deployment series 03 - Creating certificates

Tip: create the certificates on one server and then distribute them; a server outside the cluster can also be used to generate them. Typically the master01 node or the batch-management (ansible) node is used.

1.1 Download and deploy cfssl

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64

mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

cd /etc/ssl/

1.2 Create the certificates

1.2.1 Create the CA root certificate

cat > /etc/ssl/ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
cat > /etc/ssl/ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
  • Notes:
  • signing: the certificate can be used to sign other certificates; the generated PEM certificate has CA=TRUE
  • server auth: a client can use this certificate to verify the certificate presented by a server
  • client auth: a server can use this certificate to verify the certificate presented by a client
  • CN: Common Name; kube-apiserver extracts this field from the certificate as the requesting user name (User Name); browsers use this field to check whether a website is legitimate
  • O: Organization; kube-apiserver extracts this field from the certificate as the group (Group) the requesting user belongs to
  • kube-apiserver uses the extracted User and Group as the identity for RBAC authorization

1.2.2 Create the kubectl admin certificate

cat > /etc/ssl/admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes admin-csr.json | cfssljson -bare admin
  • Notes:
  • O is system:masters; when kube-apiserver receives this certificate it sets the request's Group to system:masters
  • The predefined ClusterRoleBinding cluster-admin binds Group system:masters to Role cluster-admin, which grants access to all APIs
  • This certificate is only used by kubectl as a client certificate, so the hosts field is empty

1.2.3 Create the etcd certificate

cat > /etc/ssl/etcd-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.10.154",
    "192.168.10.155",
    "192.168.10.156"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
    -ca-key=/etc/ssl/ca-key.pem \
    -config=/etc/ssl/ca-config.json \
    -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
  • Notes:
  • The hosts field lists the IPs or domain names of the etcd nodes authorized to use this certificate; here all three etcd cluster node IPs are listed

1.2.4 Create the flanneld certificate

cat > /etc/ssl/flanneld-csr.json <<EOF
{
  "CN": "flanneld",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes flanneld-csr.json | cfssljson -bare flanneld

1.2.5 Create the k8s master certificates

Tip: to make adding nodes later easier, include a few extra IPs when generating the certificate.
cat > /etc/ssl/kubernetes-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.10.160",
    "192.168.10.161",
    "192.168.10.162",
    "192.168.10.163",
    "192.168.10.164",
    "192.168.10.165",
    "192.168.10.166",
    "192.168.10.167",
    "192.168.10.168",
    "192.168.10.169",
    "192.168.10.154",
    "192.168.10.155",
    "192.168.10.156",
    "10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
  • Notes:
  • The hosts field lists the IPs or domain names authorized to use this certificate; here the VIP, the apiserver node IPs, and the kubernetes service IP and domain names are listed
  • A domain name must not end with "." (for example default.svc.cluster.local. is not allowed), otherwise parsing fails with: x509: cannot parse dnsName "kubernetes.default.svc.cluster.local."
  • If a non-local domain such as opsnull.com is used, the last two entries in the domain list must be changed to kubernetes.default.svc.opsnull and kubernetes.default.svc.opsnull.com
  • The kubernetes service IP is created automatically by the apiserver; it is usually the first IP of the range given by the --service-cluster-ip-range parameter and can be retrieved later with: kubectl get svc kubernetes

Tip: one extra IP (192.168.10.163) is included below so node roles can be changed later. The comment has been kept out of the heredoc because cfssl parses the file as JSON and a # comment would make it invalid.
cat > /etc/ssl/kube-controller-manager-csr.json <<EOF
{
    "CN": "system:kube-controller-manager",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "hosts": [
      "127.0.0.1",
      "192.168.10.161",
      "192.168.10.162",
      "192.168.10.163"
    ],
    "names": [
      {
        "C": "CN",
        "ST": "BeiJing",
        "L": "BeiJing",
        "O": "system:kube-controller-manager",
        "OU": "leonshadow"
      }
    ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
  • Notes:
  • The hosts list contains the IPs of all kube-controller-manager nodes
  • CN is system:kube-controller-manager and O is system:kube-controller-manager; the built-in ClusterRoleBinding system:kube-controller-manager grants kube-controller-manager the permissions it needs

Tip: as above, one extra IP (192.168.10.163) is included so node roles can be changed later; no comment is placed inside the JSON.
cat > /etc/ssl/kube-scheduler-csr.json <<EOF
{
    "CN": "system:kube-scheduler",
    "hosts": [
      "127.0.0.1",
      "192.168.10.161",
      "192.168.10.162",
      "192.168.10.163"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
      {
        "C": "CN",
        "ST": "BeiJing",
        "L": "BeiJing",
        "O": "system:kube-scheduler",
        "OU": "leonshadow"
      }
    ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
  • Notes:
  • The hosts list contains the IPs of all kube-scheduler nodes
  • CN is system:kube-scheduler and O is system:kube-scheduler; the built-in ClusterRoleBinding system:kube-scheduler grants kube-scheduler the permissions it needs
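
The CSR files in sections 1.2.2 to 1.2.6 differ only in CN, O and the hosts list, and every gencert call uses the same CA, config and profile. The wrapper below, an added example that is not part of the original post, folds that repetition into two functions and refuses up front the trailing-dot host names that the notes above say cfssl rejects. It assumes the CA from 1.2.1 already exists in $SSL_DIR (default /etc/ssl) and that cfssl and cfssljson are on PATH; the function names and the SSL_DIR variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): one parameterized wrapper for
# the CSR files and cfssl gencert invocations repeated above. Assumes the CA
# from 1.2.1 exists in $SSL_DIR and that cfssl/cfssljson are on PATH.
SSL_DIR=${SSL_DIR:-/etc/ssl}

# write_csr NAME CN ORG [HOST ...]
# Writes $SSL_DIR/NAME-csr.json. Hosts become the SAN list; a client-only
# cert (admin, kube-proxy, flanneld) simply gets no hosts. Names ending in
# "." are refused because x509 rejects them ("x509: cannot parse dnsName").
write_csr() {
  name=$1; cn=$2; org=$3; shift 3
  hosts=""
  for h in "$@"; do
    case $h in
      *.) printf 'refusing host "%s": a trailing dot is not a valid dnsName\n' "$h" >&2
          return 1 ;;
    esac
    hosts="${hosts:+$hosts, }\"$h\""
  done
  cat > "$SSL_DIR/$name-csr.json" <<EOF
{
  "CN": "$cn",
  "hosts": [$hosts],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "$org", "OU": "leonshadow" }
  ]
}
EOF
}

# issue_cert NAME
# Signs NAME-csr.json with the cluster CA using the "kubernetes" profile from
# ca-config.json, producing NAME.pem and NAME-key.pem in $SSL_DIR.
issue_cert() {
  ( cd "$SSL_DIR" && cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
      -config=ca-config.json -profile=kubernetes "$1-csr.json" |
      cfssljson -bare "$1" )
}

# The certificates from 1.2.2 to 1.2.6 expressed with the wrapper (run on the
# certificate-generation node; the IPs are the ones used in this post):
#   write_csr admin admin system:masters && issue_cert admin
#   write_csr etcd etcd k8s 127.0.0.1 192.168.10.154 192.168.10.155 192.168.10.156 && issue_cert etcd
#   write_csr kube-scheduler system:kube-scheduler system:kube-scheduler \
#     127.0.0.1 192.168.10.161 192.168.10.162 192.168.10.163 && issue_cert kube-scheduler
#   write_csr kube-proxy system:kube-proxy k8s && issue_cert kube-proxy

# Allow direct use: ./mkcsr.sh write_csr etcd etcd k8s 127.0.0.1 ...
case ${1:-} in write_csr|issue_cert) "$@" ;; esac
```

Because the User and Group that kube-apiserver derives come straight from the CN and O arguments, a typo in either silently produces a certificate that RBAC will not recognize, so it is worth reading the generated JSON back before running issue_cert.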

1.2.6 Create the k8s node certificate

cat > /etc/ssl/kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
  • Notes:
  • CN: sets the User of this certificate to system:kube-proxy
  • The predefined RoleBinding system:node-proxier binds User system:kube-proxy to Role system:node-proxier, which grants permission to call the kube-apiserver Proxy-related APIs
  • This certificate is only used by kube-proxy as a client certificate, so the hosts field is empty
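
Before the certificates are copied out in 1.3 it is worth confirming that each one carries the identity the notes above describe (CN becomes the User, O the Group), that the SAN list covers the addresses a server certificate will be reached on, and that every leaf actually chains to ca.pem. The script below is an added example, not code from the original post; it assumes openssl is on PATH and reads only standard X.509 fields, so it works on cfssl output. The sample CA and admin-style leaf certificate it builds at the end are constructed with openssl purely so the checks can run offline; on a real cluster the functions are pointed at the files in /etc/ssl instead.

```shell
#!/bin/sh
# Added example (not from the original post): verify issued certificates
# before distributing them. Assumes openssl is on PATH. The sample certs in
# make_sample_certs are constructed test data, not cluster certificates.

# subject_field CERT FIELD   (FIELD is the long name: commonName, organizationName)
subject_field() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n "s/^ *$2 *= *//p"
}

# cert_sans CERT   -> one SAN per line, normalized to DNS:name / IP:addr
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed 's/^ *//; s/^IP Address:/IP:/; /^$/d'
}

# verify_chain CA CERT   -> 0 when CERT was signed by CA and is within validity
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_cert CA CERT EXPECTED_CN EXPECTED_O [SAN ...]
# Prints every mismatch; returns non-zero if any check failed.
check_cert() {
  ca=$1; cert=$2; want_cn=$3; want_o=$4; shift 4
  rc=0
  verify_chain "$ca" "$cert" || { echo "FAIL: $cert does not chain to $ca"; rc=1; }
  cn=$(subject_field "$cert" commonName)
  [ "$cn" = "$want_cn" ] || { echo "FAIL: CN is '$cn', expected '$want_cn'"; rc=1; }
  o=$(subject_field "$cert" organizationName)
  [ "$o" = "$want_o" ] || { echo "FAIL: O is '$o', expected '$want_o'"; rc=1; }
  sans=$(cert_sans "$cert")
  for san in "$@"; do
    printf '%s\n' "$sans" | grep -qx "$san" || { echo "FAIL: SAN $san missing from $cert"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: $cert (User=$cn Group=$o)"
  return "$rc"
}

# make_sample_certs DIR   -- constructed test data: a throwaway CA with
# CA:TRUE set explicitly, and an admin-style client cert with two SANs.
make_sample_certs() {
  d=$1
  cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=CN/O=k8s/CN=kubernetes" \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" >/dev/null 2>&1
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/C=CN/O=system:masters/CN=admin" \
    -keyout "$d/admin-key.pem" -out "$d/admin.csr" >/dev/null 2>&1
  printf 'subjectAltName = DNS:kubernetes, IP:127.0.0.1\n' > "$d/san.cnf"
  openssl x509 -req -days 1 -in "$d/admin.csr" \
    -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
    -extfile "$d/san.cnf" -out "$d/admin.pem" >/dev/null 2>&1
}

# Demonstration on the constructed certs. On a real cluster run, for example:
#   check_cert /etc/ssl/ca.pem /etc/ssl/admin.pem admin system:masters
#   check_cert /etc/ssl/ca.pem /etc/ssl/etcd.pem etcd k8s IP:192.168.10.154
demo() {
  dir=$(mktemp -d)
  make_sample_certs "$dir"
  check_cert "$dir/ca.pem" "$dir/admin.pem" admin system:masters DNS:kubernetes IP:127.0.0.1
  check_cert "$dir/ca.pem" "$dir/admin.pem" admin k8s || echo "(expected: group mismatch reported)"
  rm -rf "$dir"
}
demo
```

The Group check matters most for admin.pem: cluster-admin is granted to the group system:masters, so a certificate whose O field is anything else will authenticate but be denied by RBAC, while a stray certificate with O=system:masters is a full cluster credential and should never be copied to a node that does not need it.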

1.3 Distribute the certificates and keys

scp ca*.pem admin*.pem kubernetes*.pem flanneld*.pem kube-controller-manager*.pem kube-scheduler*.pem 192.168.10.161:/opt/kubernetes/ssl/
scp ca*.pem admin*.pem kubernetes*.pem flanneld*.pem kube-controller-manager*.pem kube-scheduler*.pem 192.168.10.162:/opt/kubernetes/ssl/
scp ca*.pem admin*.pem flanneld*.pem kube-proxy*.pem 192.168.10.163:/opt/kubernetes/ssl/
scp ca*.pem admin*.pem flanneld*.pem kube-proxy*.pem 192.168.10.164:/opt/kubernetes/ssl/
scp ca*.pem etcd*.pem 192.168.10.154:/etc/ssl/
scp ca*.pem etcd*.pem 192.168.10.155:/etc/ssl/
scp ca*.pem etcd*.pem 192.168.10.156:/etc/ssl/
Note: this article was last updated on 2022-12-20 20:57:47.
Original link: https://blog.leonshadow.cn/763482/1185.html