Kubernetes Container Cluster Deployment: TLS Certificates (Part 2)
1. Cluster deployment: environment planning
Software | Version |
--- | --- |
Linux OS | CentOS 7.4 x64 |
Kubernetes | 1.9 |
Docker | 18.03-ce |
Etcd | 3.0 |
Role | IP | Components | Recommended configuration |
--- | --- | --- | --- |
master | 192.168.1.101 | kube-apiserver | CPU 2 cores+ |
node01 | 192.168.1.102 | kubelet | |
node02 | 192.168.1.103 | kubelet | |
Disable SELinux on all nodes.
2. Installing Docker
2.1 Install the Docker environment (follow the official CentOS instructions):
https://docs.docker.com/install/linux/docker-ce/centos/
2.2 Configure a domestic (China) registry mirror (note: the JSON must not carry a trailing comma, or the Docker daemon will refuse to start):
[root@master ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"]
}
2.3 Start Docker and enable it at boot:
systemctl start docker
systemctl enable docker
3. Self-signed TLS certificates
Component | Certificates used |
--- | --- |
etcd | ca.pem,server.pem,server-key.pem |
flannel | ca.pem,server.pem,server-key.pem |
kube-apiserver | ca.pem,server.pem,server-key.pem |
kubelet | ca.pem,ca-key.pem |
kube-proxy | ca.pem,kube-proxy.pem,kube-proxy-key.pem |
kubectl | ca.pem,admin.pem,admin-key.pem |
Install the certificate generation tool cfssl:
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
Operations on master:
Create an ssl directory to hold the certificates (the commands that follow are run inside it, as the [root@master ssl]# prompt shows):
[root@master ~]# mkdir ssl
Create the CA signing configuration and the CA CSR. The "kubernetes" profile is valid for 10 years (87600h) and allows both server auth and client auth, so every certificate issued from it below can be used for either role:
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
Generate the CA certificate and key:
[root@master ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2018/08/07 14:34:32 [INFO] generating a new CA key and certificate from CSR
2018/08/07 14:34:32 [INFO] generate received request
2018/08/07 14:34:32 [INFO] received CSR
2018/08/07 14:34:32 [INFO] generating key: rsa-2048
2018/08/07 14:34:34 [INFO] encoded CSR
2018/08/07 14:34:35 [INFO] signed certificate with serial number 498159080348877261724420443841072681591426560777
Create the server certificate, used to encrypt the API server's HTTPS traffic. The "hosts" list becomes the certificate's SANs, so it must contain every IP and name clients will use to reach the API server (the master and node IPs, the cluster service IP 10.10.10.1, and the in-cluster DNS names):
cat > server-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.1.101",
    "192.168.1.102",
    "192.168.1.103",
    "10.10.10.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
Generate the certificate:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
Check the server certificate files:
[root@master ssl]# ls server*
server.csr server-csr.json server-key.pem server.pem
Generate the admin certificate, used mainly by cluster administrators to access the cluster. Its "O" is system:masters, which Kubernetes maps to the group of the same name:
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
Generate the certificate (the "hosts" warning below is expected for a client certificate, which needs no SANs):
[root@master ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2018/08/07 14:42:46 [INFO] generate received request
2018/08/07 14:42:46 [INFO] received CSR
2018/08/07 14:42:46 [INFO] generating key: rsa-2048
2018/08/07 14:42:47 [INFO] encoded CSR
2018/08/07 14:42:48 [INFO] signed certificate with serial number 436030582996154972120537005450617009586756754919
2018/08/07 14:42:48 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Check the certificate files:
[root@master ssl]# ls admin*
admin.csr admin-csr.json admin-key.pem admin.pem
Generate the kube-proxy certificate:
cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
Create the certificate:
[root@master ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
2018/08/07 14:45:43 [INFO] generate received request
2018/08/07 14:45:43 [INFO] received CSR
2018/08/07 14:45:43 [INFO] generating key: rsa-2048
2018/08/07 14:45:44 [INFO] encoded CSR
2018/08/07 14:45:44 [INFO] signed certificate with serial number 652036954114477423286147361925056926414073054049
2018/08/07 14:45:44 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Check the certificate files:
[root@master ssl]# ls kube*
kube-proxy.csr kube-proxy-csr.json kube-proxy-key.pem kube-proxy.pem
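As an added example (not from the original post), the Go program below reproduces with the standard library's crypto/x509, which cfssl, kube-apiserver and kubectl themselves build on, what the components do with the files generated above: Inspect verifies a certificate against ca.pem for one usage and one dialed host and returns its O= values, which Kubernetes maps to groups, so admin.pem's O=system:masters is a cluster-admin credential that cannot be revoked and admin-key.pem must be guarded accordingly. Issue and Inspect are names chosen here; Issue stands in for cfssl gencert (a self-signed CA when no CA is given, otherwise a leaf with the "kubernetes" profile's expiry and usages) and is assumed only so the example runs offline with constructed certificates rather than the real ssl/*.pem files.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Inspect does what kube-apiserver and kubectl do with ca.pem: verify chain, usage (server auth for
// server.pem, client auth for admin.pem) and, if host is set, the SAN dialed; returns O= (the groups).
func Inspect(cert, ca *x509.Certificate, usage x509.ExtKeyUsage, host string) ([]string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return cert.Subject.Organization, err
}

// Issue stands in for cfssl gencert: a self-signed CA when ca is nil (-initca), otherwise a leaf
// with the "kubernetes" profile's 87600h expiry and server+client auth; IPs in hosts become IP SANs.
func Issue(cn, org string, hosts []string, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // "algo": "rsa", "size": 2048 as in the CSR files
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:     pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:   time.Now(), NotAfter: time.Now().Add(87600 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	for _, h := range hosts { // cfssl "hosts": IP literals become IP SANs, the rest DNS SANs
		if ip := net.ParseIP(h); ip != nil {
			t.IPAddresses = append(t.IPAddresses, ip)
		} else {
			t.DNSNames = append(t.DNSNames, h)
		}
	}
	if ca == nil { // self-signed root, as cfssl gencert -initca produces
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		ca, caKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
```

The checks worth running against the real files are the same: server.pem must verify for server auth for every entry of server-csr.json's "hosts" and fail for any other address, admin.pem must verify for client auth with group system:masters, and a certificate signed by any other CA must be rejected by ca.pem.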