Tip: pick one server to create the certificates on, then distribute them. The server does not need to be part of the cluster; usually the master01 node or the batch-management (ansible) node is used.
1.1 Download and deploy cfssl
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
cd /etc/ssl/
1.2 Create the certificates
1.2.1 Create the CA root certificate
cat > /etc/ssl/ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
cat > /etc/ssl/ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
- Notes:
- signing: the certificate can be used to sign other certificates; the generated pem certificate carries CA=TRUE
- server auth: a client can use this certificate to verify the certificate presented by a server
- client auth: a server can use this certificate to verify the certificate presented by a client
- CN: Common Name. kube-apiserver takes this field from the certificate as the requesting user name (User Name); browsers use this field to check whether a website is legitimate
- O: Organization. kube-apiserver takes this field from the certificate as the group (Group) the requesting user belongs to
- kube-apiserver uses the extracted User and Group as the identity for RBAC authorization
1.2.2 Create the kubectl admin certificate
cat > /etc/ssl/admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes admin-csr.json | cfssljson -bare admin
- Notes:
- O is system:masters; when kube-apiserver receives this certificate it sets the request's Group to system:masters
- The predefined ClusterRoleBinding cluster-admin binds the Group system:masters to the Role cluster-admin, which grants access to all APIs
- This certificate is only used by kubectl as a client certificate, so the hosts field is empty
1.2.3 Create the etcd certificate
cat > /etc/ssl/etcd-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.10.154",
    "192.168.10.155",
    "192.168.10.156"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
- Notes:
- The hosts field lists the IPs or domain names of the etcd nodes authorized to use this certificate; all three etcd cluster node IPs are listed here
1.2.4 Create the flanneld certificate
cat > /etc/ssl/flanneld-csr.json <<EOF
{
  "CN": "flanneld",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes flanneld-csr.json | cfssljson -bare flanneld
1.2.5 Create the k8s master certificates
Tip: to make adding nodes later easier, include a few extra IPs in the certificate when creating it.
cat > /etc/ssl/kubernetes-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.10.160",
    "192.168.10.161",
    "192.168.10.162",
    "192.168.10.163",
    "192.168.10.164",
    "192.168.10.165",
    "192.168.10.166",
    "192.168.10.167",
    "192.168.10.168",
    "192.168.10.169",
    "192.168.10.154",
    "192.168.10.155",
    "192.168.10.156",
    "10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
- Notes:
- The hosts field lists the IPs or domain names authorized to use this certificate; here it contains the VIP, the apiserver node IPs, and the kubernetes service IP and domain names
- A domain name must not end with "." (for example default.svc.cluster.local. is not allowed); otherwise parsing fails with: x509: cannot parse dnsName "kubernetes.default.svc.cluster.local."
- If a non-local domain such as opsnull.com is used, the last two domain names in the list must be changed to kubernetes.default.svc.opsnull and kubernetes.default.svc.opsnull.com
- The kubernetes service IP is created automatically by the apiserver; it is normally the first IP of the range given by the --service-cluster-ip-range parameter and can be retrieved later with: kubectl get svc kubernetes
cat > /etc/ssl/kube-controller-manager-csr.json <<EOF
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "hosts": [
    "127.0.0.1",
    "192.168.10.161",
    "192.168.10.162",
    "192.168.10.163"
  ],
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:kube-controller-manager",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
- Notes:
- The hosts list contains all kube-controller-manager node IPs; one extra IP is included here so that a node's role can be changed later. Do not write that remark as a # comment inside the heredoc: it would end up in the JSON file, which cfssl cannot parse
- CN is system:kube-controller-manager and O is system:kube-controller-manager; the built-in ClusterRoleBinding system:kube-controller-manager grants kube-controller-manager the permissions it needs
cat > /etc/ssl/kube-scheduler-csr.json <<EOF
{
  "CN": "system:kube-scheduler",
  "hosts": [
    "127.0.0.1",
    "192.168.10.161",
    "192.168.10.162",
    "192.168.10.163"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:kube-scheduler",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
- Notes:
- The hosts list contains all kube-scheduler node IPs; as above, one extra IP is included so that a node's role can be changed later (keep such remarks out of the heredoc, since the JSON file must stay valid)
- CN is system:kube-scheduler and O is system:kube-scheduler; the built-in ClusterRoleBinding system:kube-scheduler grants kube-scheduler the permissions it needs
1.2.6 Create the k8s node certificate
cat > /etc/ssl/kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "leonshadow"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
- Notes:
- CN sets the User of this certificate to system:kube-proxy
- The predefined RoleBinding system:node-proxier binds the User system:kube-proxy to the Role system:node-proxier, which grants permission to call the kube-apiserver Proxy-related APIs
- This certificate is only used by kube-proxy as a client certificate, so the hosts field is empty
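An added check, not from the original post: a small Python validator (hypothetical helper check_csr, with a sample CSR constructed inline) that applies the rules stated in the notes of 1.2.2 through 1.2.6 to a CSR JSON file before it is handed to cfssl gencert. It assumes the service range is 10.254.0.0/16, which matches the 10.254.0.1 service IP listed above.

```python
import ipaddress
import json

# Constructed sample in the shape of kubernetes-csr.json above (not a file from the page).
SAMPLE_APISERVER_CSR = json.dumps({
    "CN": "kubernetes",
    "hosts": ["127.0.0.1", "192.168.10.161", "10.254.0.1",
              "kubernetes", "kubernetes.default", "kubernetes.default.svc",
              "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local"],
    "key": {"algo": "rsa", "size": 2048},
    "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "leonshadow"}],
})


def check_csr(text, expect_cn=None, expect_o=None, client_only=False,
              service_cidr=None, cluster_domain="cluster.local"):
    """Return a list of problems found in a cfssl CSR JSON document (hypothetical helper).

    Rules come from the notes in 1.2: the file must be valid JSON (a '#' comment
    inside the heredoc breaks it), CN becomes the user and O the group, client-only
    certs keep hosts empty, a DNS SAN must not end in '.', and the apiserver cert
    must cover the first IP of the service CIDR and the kubernetes.default.svc names.
    """
    problems = []
    try:
        csr = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON (stray comment or trailing comma?): %s" % exc]
    if expect_cn and csr.get("CN") != expect_cn:
        problems.append("CN %r != %r (apiserver uses CN as the user name)" % (csr.get("CN"), expect_cn))
    if expect_o and expect_o not in {n.get("O") for n in csr.get("names", [])}:
        problems.append("O %r missing (apiserver uses O as the group)" % expect_o)
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and key.get("size", 0) < 2048:
        problems.append("RSA key smaller than 2048 bits")
    hosts = csr.get("hosts", [])
    if client_only and hosts:
        problems.append("client-only cert should have an empty hosts list")
    for h in hosts:
        if h.endswith("."):
            problems.append('dnsName %r ends with "." and will fail to parse' % h)
    if service_cidr:
        # The kubernetes service IP is the first host of --service-cluster-ip-range.
        svc_ip = str(next(iter(ipaddress.ip_network(service_cidr).hosts())))
        if svc_ip not in hosts:
            problems.append("service IP %s not in hosts" % svc_ip)
        for name in ("kubernetes", "kubernetes.default", "kubernetes.default.svc",
                     "kubernetes.default.svc." + cluster_domain):
            if name not in hosts:
                problems.append("hosts is missing %r" % name)
    return problems
```

Run it against each *-csr.json before signing; an empty list means the CSR satisfies the notes above.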
1.3 Distribute the keys and certificates
scp ca*.pem admin*.pem kubernetes*.pem flanneld*.pem kube-controller-manager*.pem kube-scheduler*.pem 192.168.10.161:/opt/kubernetes/ssl/
scp ca*.pem admin*.pem kubernetes*.pem flanneld*.pem kube-controller-manager*.pem kube-scheduler*.pem 192.168.10.162:/opt/kubernetes/ssl/
scp ca*.pem admin*.pem flanneld*.pem kube-proxy*.pem 192.168.10.163:/opt/kubernetes/ssl/
scp ca*.pem admin*.pem flanneld*.pem kube-proxy*.pem 192.168.10.164:/opt/kubernetes/ssl/
scp ca*.pem etcd*.pem 192.168.10.154:/etc/ssl/
scp ca*.pem etcd*.pem 192.168.10.155:/etc/ssl/
scp ca*.pem etcd*.pem 192.168.10.156:/etc/ssl/
Note that the ca*.pem pattern also matches ca-key.pem, so the CA private key is copied to every node; a node that only needs to verify certificates requires just ca.pem, and the admin*.pem pattern likewise carries the admin private key onto every node.