k8s 三节点签发所需证书
准备三台主机:
192.168.1.71
192.168.1.72
192.168.1.73
Step1:
在第一台 192.168.1.71 签发证书 也可以在其它机器进行签发证书
创建一个保存证书的目录 最好在 /etc/ 下
mkdir -pv /etc/ssl/k8s
cd /etc/ssl/k8s
创建ca.key
openssl genrsa -out ca.key 3072
编辑ca证书签发key给k8s准备的配置文件
vi ca.cnf
[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] keyUsage = critical, cRLSign, keyCertSign, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true, pathlen:2
使用ca配置文件签发 ca 根证书 ca.pem
openssl req -x509 -new -nodes -key ca.key -days 1095 -out ca.pem -subj "/CN=kubernetes/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config ca.cnf -extensions v3_req
签发 API 证书
vim api-server.cnf
[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth #subjectKeyIdentifier = hash #authorityKeyIdentifier = keyid:always,issuer subjectAltName = @alt_names [alt_names] IP.1 = 10.0.0.1 IP.5 = 192.168.1.70 IP.2 = 192.168.1.71 IP.3 = 192.168.1.72 IP.4 = 192.168.1.73 DNS.1 = kubernetes DNS.2 = kubernetes.default DNS.3 = kubernetes.default.svc DNS.4 = kubernetes.default.svc.cluster DNS.5 = kubernetes.default.svc.cluster.local
配置文件简单讲解
10.0.0.1 是集群使用的ip这个ip地址段可以容纳40多万ip
192.168.1.70 是后期集群高可用阶段使用的虚拟vip 配合keepalive进行使用
开始生成api.key
3072指的是长度
openssl genrsa -out apiserver.key 3072
生成api请求证书apiserver.csr
openssl req -new -key apiserver.key -out apiserver.csr -subj "/CN=kubernetes/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config api-server.cnf
签发证书之前 修改 api-server.cnf 配置文件 去掉注释的2行
[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer subjectAltName = @alt_names [alt_names] IP.1 = 10.0.0.1 IP.5 = 192.168.1.70 IP.2 = 192.168.1.71 IP.3 = 192.168.1.72 IP.4 = 192.168.1.73 DNS.1 = kubernetes DNS.2 = kubernetes.default DNS.3 = kubernetes.default.svc DNS.4 = kubernetes.default.svc.cluster DNS.5 = kubernetes.default.svc.cluster.local
开始签发证书 最后 -days 1095 是证书有效期限 如果是企业使用最好 数字设置的大点 避免以后出问题
openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out apiserver.pem -days 1095 -extfile api-server.cnf -extensions v3_req
查看 apiserver.pem 证书信息
openssl x509 -noout -text -in apiserver.pem
Certificate: Data: Version: 3 (0x2) Serial Number: c3:09:20:fd:72:67:da:7a Signature Algorithm: sha256WithRSAEncryption Issuer: CN=kubernetes, OU=System, C=CN, ST=Beijing, L=Beijing, O=k8s Validity Not Before: May 18 05:51:47 2019 GMT Not After : May 17 05:51:47 2022 GMT Subject: CN=kubernetes, OU=System, C=CN, ST=Beijing, L=Beijing, O=k8s Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (3072 bit) Modulus: 00:cc:65:a0:e6:97:64:51:f7:42:c1:c8:bc:43:89: 63:6e:9d:1d:23:9b:a9:0a:e3:e6:a5:0e:7a:1d:a9: 3c:dc:5d:0f:c8:99:f5:1b:39:ad:39:f2:f7:d3:c9: 66:47:33:01:5d:db:53:5a:23:e2:49:75:d7:4a:61: bb:8b:c3:a3:b2:00:9a:01:6f:98:26:4e:cb:16:b3: 38:f7:3b:be:e5:b5:9e:e9:0c:e5:c7:d8:bb:8b:a4: 3d:f8:99:e0:34:93:0c:48:d7:c7:c2:72:63:42:2f: ff:94:c8:d0:47:c2:3a:56:fd:ae:79:b7:cb:8e:72: c6:8b:6a:33:be:34:82:bd:6e:1e:b9:23:1b:01:c8: c5:db:11:3e:5f:c6:66:a2:f6:6a:c0:67:0b:b9:8a: 36:2a:ce:07:54:08:a9:50:1e:bc:52:cc:9b:af:ee: 1d:f4:b8:15:77:a1:4d:75:e4:9d:14:35:8a:58:ed: 77:d6:e3:2f:c8:e2:14:9c:9e:75:ea:82:b9:e4:4f: 3a:7b:88:d2:93:39:37:b9:c5:74:cd:74:5f:47:0c: 4d:fc:a8:c0:af:f5:4c:c9:c5:7f:bb:4e:57:58:36: 12:bc:54:54:db:bd:af:3f:8f:e6:8b:ca:34:50:26: 6f:d2:8c:b6:ee:cf:2d:d2:62:ae:32:26:8d:da:8a: d0:a3:7c:40:60:97:0c:b4:de:4c:77:9d:28:3e:73: 1f:91:23:76:5b:3b:d9:74:85:fd:69:d4:b3:fd:1d: 5a:8b:38:35:51:07:5a:09:c8:53:67:89:f8:e6:d1: 99:63:7d:d9:7f:a9:ca:49:ab:a6:80:14:68:cb:8d: 4c:b5:42:5e:24:f3:2f:54:04:3f:be:a8:9d:65:84: 46:ed:6a:85:7d:6a:b6:62:4a:69:05:0d:da:2f:92: 85:bd:de:18:b4:48:4b:fc:3f:26:49:92:17:47:91: dd:b5:7a:4d:e3:9e:c5:1f:39:58:bd:52:c3:05:65: 0b:4e:f0:2b:2d:b6:af:65:1a:13 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Subject Key Identifier: D8:15:2E:2C:D1:28:59:EC:0C:97:6E:85:5F:3D:8B:90:7F:FD:40:1F X509v3 Authority Key Identifier: keyid:B8:73:3B:D4:66:50:67:B9:3C:E1:3C:31:AD:91:CD:4D:94:6E:CA:A5 X509v3 Subject Alternative Name: IP Address:10.0.0.1, IP Address:192.168.1.70, IP Address:192.168.1.71, IP Address:192.168.1.72, IP Address:192.168.1.73, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local Signature Algorithm: sha256WithRSAEncryption b1:db:2f:81:48:01:83:16:2b:78:0e:ad:25:cd:46:e8:bd:f7: ba:5c:7b:a8:74:a9:d3:9c:1b:0b:48:06:68:84:b6:57:99:2f: c5:33:5f:5e:15:79:de:74:87:15:bc:54:be:a9:cf:a9:5a:cc: b6:3e:61:34:c1:f1:2a:94:c3:89:a1:06:67:4c:d3:84:fa:89: 1c:df:8d:d5:38:d8:5b:d7:0b:7e:da:aa:fb:7c:64:e2:68:21: 15:b8:7f:35:7a:58:48:7d:f6:89:4b:f8:84:44:96:45:9d:e8: 7f:e0:cf:a2:21:ab:29:94:1e:aa:0e:5d:ea:44:69:5c:ff:4a: 5f:f2:f1:bf:0b:1c:f0:95:c6:9b:1a:20:d5:fb:33:42:0a:fc: 17:c5:ba:76:fe:bd:12:ac:9a:8c:c7:2b:0e:ae:b1:f1:30:43: ea:8d:8b:c8:b3:45:98:f6:d8:3d:71:b3:cd:7e:f7:f6:92:1c: 1a:c8:69:5e:67:ad:c5:a6:13:1a:e4:cb:50:ca:a6:96:56:4e: ed:50:4f:6a:0f:de:c8:3b:b6:e5:15:e2:b6:53:48:ab:9a:c6: 68:18:2d:ac:1c:90:a9:f2:4d:c0:44:6c:ed:48:9e:d7:72:1c: e3:49:f5:3d:33:67:6c:24:ed:6c:6e:07:0d:59:dc:59:ec:fa: 76:ae:ff:40:ad:ea:b2:d4:aa:42:19:16:67:06:07:05:59:c0: 1e:e5:5a:b8:03:c5:1c:5c:18:6d:40:41:50:9e:69:fd:90:f4: ab:5e:91:2a:6b:a0:64:c9:39:9d:f8:f2:04:1f:f4:35:fb:58: 08:17:f7:17:4c:41:30:95:98:a7:e3:59:7c:a4:60:56:a0:01: e9:d3:6f:93:76:6f:09:38:35:37:4d:15:02:f8:e6:9b:0f:1d: f7:1b:7b:bc:4a:e8:ed:44:1a:ba:84:e1:13:da:cb:06:6d:b9: 96:43:f3:a2:d8:25:20:01:51:83:99:bd:f7:5f:b1:5d:52:9f: 32:5c:b0:4a:40:1c
从上面可以看出这个证书对哪些ip是有效的
签发 kubelet 证书
配置签发 kubelet 证书文件 一台一台进行添加
vi client.cnf
从下面可以看出证书只对 192.168.1.71 有效
[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] IP.1 = 192.168.1.71
首先设置一个变量 方便点 证书主要以 ip 地址后 2 段记名称
fn=1-71
生成 kubelet-$fn.key
openssl genrsa -out kubelet-$fn.key 3072
生成证书请求
openssl req -new -key kubelet-$fn.key -out kubelet-$fn.csr -subj "/CN=admin/OU=System/C=CN/ST=Beijing/L=Beijing/O=system:masters" -config client.cnf
签发证书
openssl x509 -req -in kubelet-$fn.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kubelet-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req
使用同样的方法给 以下 2 台主机进行签发证书
192.168.1.72
192.168.1.73
修改 client.cnf 配置文件 ip 地址
vi client.cnf
[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] IP.1 = 192.168.1.72
修改 fn 变量标签
fn=1-72
同样执行以下命令
openssl genrsa -out kubelet-$fn.key 3072
openssl req -new -key kubelet-$fn.key -out kubelet-$fn.csr -subj "/CN=admin/OU=System/C=CN/ST=Beijing/L=Beijing/O=system:masters" -config client.cnf
openssl x509 -req -in kubelet-$fn.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kubelet-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req
使用同样的方法修改 client.cnf 配置文件 fn 变量 签发 192.168.1.73 证书
vi client.cnf
[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] IP.1 = 192.168.1.73
fn=1-73
重新执行上面的3条命令 签发证书
查看当前目录 因证书太多 容易整乱 创建相对应目录保存证书文件
pwd
/etc/ssl/k8s
mkdir apiserver
mkdir kubelet
mv api-server.cnf apiserver.* apiserver
mv kubelet-1-7* kubelet
签发kube-proxy证书 基本和上面的操作类似 但是名称变了
重新设置变量 fn
fn=1-71
修改 client.cnf 配置文件
vi client.cnf
[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] IP.1 = 192.168.1.71
生成kube-proxy-$fn.key
openssl genrsa -out kube-proxy-$fn.key 3072
生成证书请求
openssl req -new -key kube-proxy-$fn.key -out kube-proxy-$fn.csr -subj "/CN=system:kube-proxy/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config client.cnf
签发证书
openssl x509 -req -in kube-proxy-$fn.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kube-proxy-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req
同样 修改 client.cnf 配置文件 ip fn 变量 给 72 73 主机签发kube-proxy证书
之后创建 kube-proxy 目录保存刚才创建的 kube-proxy 证书
mkdir kube-proxy
mv kube-proxy-1-7* kube-proxy
签发etcd证书文件
首先签发 192.168.1.71 然后用同样的方法 修改配置文件签发第二台和第三台证书
编辑 client.cnf 文件
[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] IP.1 = 192.168.1.71
设置 fn 变量
fn=1-71
生成etcd-$fn.key
openssl genrsa -out etcd-$fn.key 3072
生成证书请求
openssl req -new -key etcd-$fn.key -out etcd-$fn.csr -subj "/CN=etcd/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config client.cnf
签发证书
openssl x509 -req -in etcd-$fn.csr -out etcd-$fn.pem -CA ca.pem -CAkey ca.key -CAcreateserial -days 1095 -extfile client.cnf -extensions v3_req
切记使用同样的方法签发其他2台主机的etcd证书
创建etcd目录保存证书文件
mkdir etcd
mv etcd-1-7* etcd
签发 flanneld 证书
重新设置变量fn
fn=1-71
修改 client.cnf 配置文件
[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] IP.1 = 192.168.1.71
生成flanneld-$fn.key
openssl genrsa -out flanneld-$fn.key 3072
生成证书flanneld-$fn.csr请求
openssl req -new -key flanneld-$fn.key -out flanneld-$fn.csr -subj "/CN=flanneld/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config client.cnf
签发证书 flanneld-$fn.pem
openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in flanneld-$fn.csr -out flanneld-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req
使用同样的方法 修改 client.cnf 配置文件ip fn变量签发其它2台主机的flanneld证书
最后创建目录保存 flanneld 证书
mkdir flanneld
mv flanneld-1-7* flanneld
到此k8s基本所需的证书都已经签发结束了 请看下节 etcd 安装