提示:选择某一台服务器创建证书后进行分发即可,可选择不在集群内的服务器进行部署及制作,通常选择master01节点或批量管理(ansible)节点进行部署。
1.1 下载并部署cfssl
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64 mv cfssl_linux-amd64 /usr/local/bin/cfssl mv cfssljson_linux-amd64 /usr/local/bin/cfssljson mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo cd /etc/ssl/
1.2 创建证书
1.2.1 创建ca根证书
cat > /etc/ssl/ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOFcat > /etc/ssl/ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "leonshadow"
}
]
}
EOFcfssl gencert -initca ca-csr.json | cfssljson -bare ca -
- 说明:
- signing:表示该证书可用于签名其它证书,生成的pem 证书中CA=TRUE
- server auth:表示 client 可以用该该证书对 server 提供的证书进行验证
- client auth:表示 server 可以用该该证书对 client 提供的证书进行验证
- CN:Common Name,kube-apiserver 从证书中提取该字段作为请求的用户名 (User Name),浏览器使用该字段验证网站是否合法
- O:Organization,kube-apiserver 从证书中提取该字段作为请求用户所属的组 (Group)
- kube-apiserver 将提取的 User、Group 作为RBAC 授权的用户标识;
1.2.2 创建kubectl管理证书
cat > /etc/ssl/admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:masters",
"OU": "leonshadow"
}
]
}
EOFcfssl gencert -ca=/etc/ssl/ca.pem \ -ca-key=/etc/ssl/ca-key.pem \ -config=//etc/ssl/ca-config.json \ -profile=kubernetes admin-csr.json | cfssljson -bare admin
- 说明:
- 为system:masters,kube-apiserver 收到该证书后将请求的 Group 设置为 system:masters
- 预定义的 ClusterRoleBinding cluster-admin 将 Group system:masters 与 Role cluster-admin 绑定,该 Role 授予所有 API的权限
- 该证书只会被 kubectl 当做 client 证书使用,所以 hosts 字段为空
1.2.3 创建etcd证书
cat > /etc/ssl/etcd-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.10.154",
"192.168.10.155",
"192.168.10.156"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "leonshadow"
}
]
}
EOFcfssl gencert -ca=/etc/ssl/ca.pem \
-ca-key=/etc/ssl/ca-key.pem \
-config=/etc/ssl/ca-config.json \
-profile=kubernetes etcd-csr.json | cfssljson -bare etcd
- 说明:
- hosts 字段指定授权使用该证书的 etcd 节点 IP 或域名列表,这里将 etcd 集群的三个节点 IP 都列在其中
1.2.4 创建flanneld证书
cat > /etc/ssl/flanneld-csr.json <<EOF
{
"CN": "flanneld",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "leonshadow"
}
]
}
EOFcfssl gencert -ca=/etc/ssl/ca.pem \ -ca-key=/etc/ssl/ca-key.pem \ -config=/etc/ssl/ca-config.json \ -profile=kubernetes flanneld-csr.json | cfssljson -bare flanneld
1.2.5 创建k8s master证书
提示:为了方便后期添加节点,制作证书时可以多添加几个认证IP。
cat > /etc/ssl/kubernetes-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.10.160",
"192.168.10.161",
"192.168.10.162",
"192.168.10.163",
"192.168.10.164",
"192.168.10.165",
"192.168.10.166",
"192.168.10.167",
"192.168.10.168",
"192.168.10.169",
"192.168.10.154",
"192.168.10.155",
"192.168.10.156",
"10.254.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "leonshadow"
}
]
}
EOFcfssl gencert -ca=/etc/ssl/ca.pem \ -ca-key=/etc/ssl/ca-key.pem \ -config=/etc/ssl/ca-config.json \ -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
- 说明:
- hosts 字段指定授权使用该证书的IP 或域名列表,这里列出了 VIP 、apiserver 节点 IP、kubernetes 服务 IP 和域名
- 域名最后字符不能是.(如不能为default.svc.cluster.local.),否则解析时失败,提示: x509: cannot parse dnsName "kubernetes.default.svc.cluster.local."
- 如果使用非local 域名,如opsnull.com,则需要修改域名列表中的最后两个域名为:kubernetes.default.svc.opsnull、kubernetes.default.svc.opsnull.com
- kubernetes 服务 IP 是 apiserver 自动创建的,一般是--service-cluster-ip-range 参数指定的网段的第一个IP,后续可以通过如下命令获取:kubectl get svc kubernetes
cat > /etc/ssl/kube-controller-manager-csr.json <<EOF
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"hosts": [
"127.0.0.1",
"192.168.10.161",
"192.168.10.162",
"192.168.10.163" # 此处为了方便后期修改节点属性,多添加一个认证IP
],
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:kube-controller-manager",
"OU": "leonshadow"
}
]
}
EOFcfssl gencert -ca=/etc/ssl/ca.pem \ -ca-key=/etc/ssl/ca-key.pem \ -config=/etc/ssl/ca-config.json \ -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
- 说明:
- hosts 列表包含所有kube-controller-manager 节点 IP
- CN 为 system:kube-controller-manager、O 为 system:kube-controller-manager,kubernetes 内置的 ClusterRoleBindings system:kube-controller-manager 赋予 kube-controller-manager 工作所需的权限
cat > /etc/ssl/kube-scheduler-csr.json <<EOF
{
"CN": "system:kube-scheduler",
"hosts": [
"127.0.0.1",
"192.168.10.161",
"192.168.10.162",
"192.168.10.163" # 此处为了方便后期修改节点属性,多添加一个认证IP
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:kube-scheduler",
"OU": "leonshadow"
}
]
}
EOFcfssl gencert -ca=/etc/ssl/ca.pem \ -ca-key=/etc/ssl/ca-key.pem \ -config=/etc/ssl/ca-config.json \ -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
- 说明:
- hosts 列表包含所有kube-scheduler 节点 IP
- CN 为 system:kube-scheduler、O 为 system:kube-scheduler,kubernetes 内置的 ClusterRoleBindings system:kube-scheduler 将赋予 kube-scheduler 工作所需的权限
1.2.6 创建k8s node证书
cat > /etc/ssl/kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "leonshadow"
}
]
}
EOFcfssl gencert -ca=/etc/ssl/ca.pem \ -ca-key=/etc/ssl/ca-key.pem \ -config=/etc/ssl/ca-config.json \ -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
- 说明:
- CN:指定该证书的 User 为system:kube-proxy
- 预定义的 RoleBinding system:node-proxier 将User system:kube-proxy 与 Role system:node-proxier 绑定,该 Role 授予了调用kube-apiserver Proxy 相关 API 的权限
- 该证书只会被 kube-proxy 当做 client 证书使用,所以 hosts 字段为空
1.3 统一分发密钥
scp ca*.pem admin*.pem kubernetes*.pem flanneld*.pem kube-controller-manager*.pem kube-scheduler*.pem 192.168.10.161:/opt/kubernetes/ssl/ scp ca*.pem admin*.pem kubernetes*.pem flanneld*.pem kube-controller-manager*.pem kube-scheduler*.pem 192.168.10.162:/opt/kubernetes/ssl/ scp ca*.pem admin*.pem flanneld*.pem kube-proxy*.pem 192.168.10.163:/opt/kubernetes/ssl/ scp ca*.pem admin*.pem flanneld*.pem kube-proxy*.pem 192.168.10.164:/opt/kubernetes/ssl/ scp ca*.pem etcd*.pem 192.168.10.154:/etc/ssl/ scp ca*.pem etcd*.pem 192.168.10.155:/etc/ssl/ scp ca*.pem etcd*.pem 192.168.10.156:/etc/ssl/
我的微信
如果有技术上的问题可以扫一扫我的微信
