k8s(4):k8s安装(三)配置证书
1. 下载自签名证书生成工具
#在分发机器Master-1上操作
#建议在 chmod/mv 之前先核对下载文件的校验和是否与上游发布的一致, 再安装到系统路径
[root@master-1 ~]# mkdir /soft && cd /soft
[root@master-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@master-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@master-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@master-1 ~]# chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
[root@master-1 ~]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@master-1 ~]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
[root@master-1 ~]# mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
2. 生成ETCD证书
#创建目录(Master-1)
[root@master-1 ~]# mkdir /root/etcd && cd /root/etcd
2.1 CA 证书配置(Master-1)
[root@master-1 ~]# cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
2.2 创建CA证书请求文件(Master-1)
[root@master-1 ~]# cat << EOF | tee ca-csr.json
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
2.3 创建ETCD证书请求文件
#可以把所有的master IP 加入到csr文件中(Master-1)
[root@master-1 ~]# cat << EOF | tee server-csr.json
{
  "CN": "etcd",
  "hosts": [
    "master-1",
    "master-2",
    "master-3",
    "172.31.7.41",
    "172.31.7.42",
    "172.31.7.43"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
2.4 生成 ETCD CA 证书和ETCD公私钥(Master-1)
[root@master-1 ~]# cd /root/etcd/
#生成ca证书(Master-1)
[root@master-1 ~]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
[root@master-1 etcd]# ll
total 24
-rw-r--r-- 1 root root 287 Apr 5 11:23 ca-config.json    #ca 的配置文件
-rw-r--r-- 1 root root 956 Apr 5 11:26 ca.csr            #ca 证书生成文件
-rw-r--r-- 1 root root 209 Apr 5 11:23 ca-csr.json       #ca 证书请求文件
-rw------- 1 root root 1679 Apr 5 11:26 ca-key.pem       #ca 证书key
-rw-r--r-- 1 root root 1265 Apr 5 11:26 ca.pem           #ca 证书
-rw-r--r-- 1 root root 338 Apr 5 11:26 server-csr.json
#生成etcd证书(Master-1)
[root@master-1 etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
[root@master-1 etcd]# ll
total 36
-rw-r--r-- 1 root root 287 Apr 5 11:23 ca-config.json
-rw-r--r-- 1 root root 956 Apr 5 11:26 ca.csr
-rw-r--r-- 1 root root 209 Apr 5 11:23 ca-csr.json
-rw------- 1 root root 1679 Apr 5 11:26 ca-key.pem
-rw-r--r-- 1 root root 1265 Apr 5 11:26 ca.pem
-rw-r--r-- 1 root root 1054 Apr 5 11:31 server.csr
-rw-r--r-- 1 root root 338 Apr 5 11:26 server-csr.json
-rw------- 1 root root 1675 Apr 5 11:31 server-key.pem   #etcd客户端使用
-rw-r--r-- 1 root root 1379 Apr 5 11:31 server.pem
3. 创建 Kubernetes 相关证书
#此证书用于Kubernetes节点之间的通信, 与之前的ETCD证书不同. (Master-1)
[root@master-1 ~]# mkdir /root/kubernetes/ && cd /root/kubernetes/
3.1 配置ca 文件(Master-1)
[root@master-1 ~]# cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
3.2 创建ca证书申请文件(Master-1)
[root@master-1 ~]# cat << EOF | tee ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
3.3 生成API SERVER证书申请文件(Master-1)
#注意要修改VIP的地址
[root@master-1 ~]# cat << EOF | tee server-csr.json
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "10.0.0.2",
    "172.31.36.36",
    "172.31.37.37",
    "172.31.7.41",
    "172.31.7.42",
    "172.31.7.43",
    "172.31.7.44",
    "172.31.7.45",
    "172.31.7.49",
    "master-1",
    "master-2",
    "master-3",
    "node-1",
    "node-2",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
3.4 创建 Kubernetes Proxy 证书申请文件(Master-1)
[root@master-1 ~]# cat << EOF | tee kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
3.5 生成 kubernetes CA 证书和公私钥
# 生成ca证书(Master-1)
[root@master-1 kubernetes]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# 生成 api-server 证书(Master-1)
[root@master-1 kubernetes]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
# 生成 kube-proxy 证书(Master-1)
[root@master-1 kubernetes]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
[root@master-1 kubernetes]# ll
total 52
-rw-r--r-- 1 root root 294 May 8 18:07 ca-config.json
-rw-r--r-- 1 root root 1001 May 8 18:08 ca.csr
-rw-r--r-- 1 root root 264 May 8 18:07 ca-csr.json
-rw------- 1 root root 1675 May 8 18:08 ca-key.pem
-rw-r--r-- 1 root root 1359 May 8 18:08 ca.pem
-rw-r--r-- 1 root root 1009 May 8 18:09 kube-proxy.csr
-rw-r--r-- 1 root root 230 May 8 18:07 kube-proxy-csr.json
-rw------- 1 root root 1679 May 8 18:09 kube-proxy-key.pem
-rw-r--r-- 1 root root 1403 May 8 18:09 kube-proxy.pem
-rw-r--r-- 1 root root 1375 May 8 18:08 server.csr
-rw-r--r-- 1 root root 762 May 8 18:07 server-csr.json
-rw------- 1 root root 1675 May 8 18:08 server-key.pem
-rw-r--r-- 1 root root 1740 May 8 18:08 server.pem