1. 基于CA签名的双向数字证书认证方式
1.1 master节点证书设置
#! /bin/bash
# 准备工作目录
cwd=$(cd `dirname $0`;pwd)
workdir="${cwd}/files"
[ -d $workdir ] || mkdir $workdir
rm -rf $workdir/*
cd $workdir
# master ip
master_ip=$(ip a show ens33 | grep -oE "192\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | grep -v 255)
# 创建CA证书及私钥相关文件
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=$(hostname)" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048
# 准备master_ssl.cnf文件
cat > master_ssl.cnf << EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = $(hostname)
IP.1 = 169.169.0.1
IP.2 = ${master_ip}
EOF
# 基于master_ssl.cnf创建server.csr和server.crt文件
openssl req -new -key server.key -subj "/CN=$(hostname)" -config master_ssl.cnf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt
# 复制证书到/etc/kubernetes/run下
[ -d /etc/kubernetes/run ] || mkdir /etc/kubernetes/run
\cp -f ca.crt ca.key ca.srl server.crt server.csr server.key /etc/kubernetes/run/
# 配置kube-apiserver证书
# 添加--client-ca-file --tls-private-key-file --tls-cert-file
# --insecure-port=0 关闭非安全接口
# --secure-port 配置安全接口
cat > /etc/kubernetes/apiserver << EOF
KUBE_API_ARGS="--etcd-servers=http://127.0.0.1:2379 --client-ca-file=/etc/kubernetes/run/ca.crt --tls-private-key-file=/etc/kubernetes/run/server.key --tls-cert-file=/etc/kubernetes/run/server.crt --insecure-port=0 --secure-port=6443 --service-cluster-ip-range=169.169.0.0/16 --service-node-port-range=1-65535 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota --logtostderr=false --log-dir=/var/log/kubernetes --v=0"
EOF
systemctl restart kube-apiserver
# 配置kube-controller-manager的客户端证书、 私钥
openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=$(hostname)" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -out cs_client.crt
\cp -f cs_client.key cs_client.csr cs_client.crt /etc/kubernetes/run
# 生成kubeconfig配置文件,kube-controller-manager和kube-scheduler共用
cat > /etc/kubernetes/kubeconfig << EOF
apiVersion: v1
kind: Config
users:
- name: controllermanager
user:
client-certificate: /etc/kubernetes/run/cs_client.crt
client-key: /etc/kubernetes/run/cs_client.key
clusters:
- name: local
cluster:
certificate-authority: /etc/kubernetes/run/ca.crt
server: https://${master_ip}:6443
contexts:
- context:
cluster: local
user: controllermanager
name: my-context
current-context: my-context
EOF
# 配置kube-controller-manager使用证书
cat > /etc/kubernetes/controller-manager << EOF
KUBE_CONTROLLER_MANAGER_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --service-account-private-key-file=/etc/kubernetes/run/server.key --root-ca-file=/etc/kubernetes/run/ca.crt --logtostderr=false --log-dir=/var/log/kubernetes --v=0"
EOF
systemctl restart kube-controller-manager
# 配置kube-scheduler使用安全证书
cat > /etc/kubernetes/scheduler << EOF
KUBE_SCHEDULER_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=0"
EOF
systemctl restart kube-scheduler
1.2 Node节点证书设置
#! /bin/bash
cwd=$(cd `dirname $0`;pwd)
workdir=${cwd}/files
[ -d $workdir ] || mkdir $workdir
cd $workdir
openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=$(hostname)" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000
# 复制证书到/etc/kubernetes/run下
[ -d /etc/kubernetes/run ] || mkdir /etc/kubernetes/run
\cp -f kubelet_client.key kubelet_client.csr kubelet_client.crt ca.crt /etc/kubernetes/run/
cat > /etc/kubernetes/kubeconfig << EOF
apiVersion: v1
kind: Config
users:
- name: kubelet
user:
client-certificate: /etc/kubernetes/run/kubelet_client.crt
client-key: /etc/kubernetes/run/kubelet_client.key
clusters:
- name: local
cluster:
certificate-authority: /etc/kubernetes/run/ca.crt
server: https://192.168.30.60:6443
contexts:
- context:
cluster: local
user: kubelet
name: my-context
current-context: my-context
EOF
cat > /etc/kubernetes/kubelet << EOF
KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --hostname-override=192.168.30.61 --logtostderr=false --log-dir=/var/log/kubernetes --v=0"
EOF
cat > /etc/kubernetes/proxy << EOF
KUBE_PROXY_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=2"
EOF
systemctl restart kubelet kube-proxy
1.3 kubectl 证书设置
kubectl --server=https://192.168.30.60:6443 --certificate-authority=/etc/kubernetes/run/ca.crt --client-certificate=/etc/kubernetes/run/cs_client.crt --client-key=/etc/kubernetes/run/cs_client.key get nodes
cat /etc/kubernetes/kubeconfig > $HOME/.kube/config
2. 基于HTTP Base认证
#! /bin/bash
cat > /etc/kubernetes/basic_auth_file << EOF
admin,admin,1
system,system,1
EOF
cat > /etc/kubernetes/apiserver << EOF
KUBE_API_ARGS="--etcd-servers=http://127.0.0.1:2379 --secure-port=6443 --basic-auth-file=/etc/kubernetes/basic_auth_file --insecure-bind-address=0.0.0.0 --insecure-port=8080 --service-cluster-ip-range=169.169.0.0/16 --service-node-port-range=1-65535 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota --logtostderr=false --log-dir=/var/log/kubernetes --v=0"
EOF
systemctl restart kube-apiserver
# 配置kubectl
# kubectl --server=https://192.168.30.60:6443 --username=admin --password=admin --insecure-skip-tls-verify=true get nodes
kubectl config set-cluster master --server=https://192.168.30.60:6443 --insecure-skip-tls-verify=true
kubectl config set-credentials master-auth --username=admin --password=admin
3. 基于Token认证
#! /bin/bash
cat > /etc/kubernetes/token_auth_file << EOF
admin,admin,1
system,system,1
EOF
cat > /etc/kubernetes/apiserver << EOF
KUBE_API_ARGS="--etcd-servers=http://127.0.0.1:2379 --secure-port=6443 --token-auth-file=/etc/kubernetes/token_auth_file --insecure-bind-address=0.0.0.0 --insecure-port=8080 --service-cluster-ip-range=169.169.0.0/16 --service-node-port-range=1-65535 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota --logtostderr=false --log-dir=/var/log/kubernetes --v=0"
EOF
systemctl restart kube-apiserver
# 配置kubectl
# curl -k --header "Authorization:Bearer admin" https://192.168.30.60:6443/version
kubectl config set-cluster master --server=https://192.168.30.60:6443 --insecure-skip-tls-verify=true
kubectl confet-credentials master-auth --token=adming set-credentials master-auth --username=admin --password=admin
