The cluster components need to authenticate each other, so all traffic between them runs over HTTPS with certificate-based (mutual TLS) authentication. That means every component needs a certificate, and here we issue them from a CA we create ourselves.

Install the certificate-generation tool

This only needs to be installed on one node; I chose node1. The page uses cfssl 1.2.0 from pkg.cfssl.org; newer releases are published at https://github.com/cloudflare/cfssl/releases. Whatever version you fetch, verify the binary's checksum before placing it in /usr/local/bin, since this tool will hold the CA key.
[root@node1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
[root@node1 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
[root@node1 ~]# chmod +x /usr/local/bin/cfssl
[root@node1 ~]# chmod +x /usr/local/bin/cfssljson
[root@node1 ~]# cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.6
[root@node1 ~]#
Root certificate

The root certificate is shared: create it once, and every other certificate is signed by it. This only needs to be done on one node; I do it on node1.

PS: create a dedicated directory for the certificates, otherwise things get messy. Also note the expiry chosen below (876000h, i.e. 100 years). Kubernetes does not check CRLs or OCSP for client certificates, so a certificate issued with this lifetime can only be retired by rotating the CA itself; keep ca-key.pem off the cluster nodes and back it up offline.
[root@node1 ~]# mkdir pki
[root@node1 ~]# cd pki/
[root@node1 pki]#
# Note the expiry below: we set it very long, so expiry is effectively not a concern
[root@node1 pki]# cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "876000h"
      }
    }
  }
}
EOF
[root@node1 pki]#
[root@node1 pki]# cat > ca-csr.json <<EOF
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "CA",
      "ST": "Oregon"
    }
  ]
}
EOF
[root@node1 pki]#
Generate the certificate and private key:

[root@node1 pki]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@node1 pki]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
[root@node1 pki]#
admin client certificate

The apiserver's client-certificate authenticator takes the username from the CN and the groups from the O fields. Putting this certificate in O=system:masters therefore makes it a member of the group that Kubernetes binds to cluster-admin: it is a break-glass credential that cannot be revoked, so store it accordingly.

[root@node1 pki]# cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "seven"
    }
  ]
}
EOF
[root@node1 pki]#
Generate the admin client certificate and private key:

[root@node1 pki]# cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin
[root@node1 pki]# ls
admin.csr  admin-csr.json  admin-key.pem  admin.pem  ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
[root@node1 pki]#
kubelet client certificate

A certificate has to be generated for every worker node, so in this step fill in your own node names and IP addresses. Two details matter: the CN must be system:node:<nodename> with O=system:nodes, which is the identity the Node authorizer and the system:nodes RBAC binding expect; and the values passed to -hostname become the certificate's SANs, which the kubelet needs because the same certificate serves as its server certificate when the apiserver connects back to it for logs and exec.
# Set your worker node list (the ls output below was produced with node2 and node3;
# the IPs here are placeholders from the RFC 5737 documentation range, replace them with your own)
[root@node1 pki]# WORKERS=(node2 node3)
[root@node1 pki]# WORKER_IPS=(192.0.2.2 192.0.2.3)
[root@node1 pki]# for ((i=0;i<${#WORKERS[@]};i++)); do
cat > ${WORKERS[$i]}-csr.json <<EOF
{
  "CN": "system:node:${WORKERS[$i]}",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "system:nodes",
      "OU": "seven",
      "ST": "Beijing"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=${WORKERS[$i]},${WORKER_IPS[$i]} \
  -profile=kubernetes \
  ${WORKERS[$i]}-csr.json | cfssljson -bare ${WORKERS[$i]}
done
[root@node1 pki]#
List the certificates:

[root@node1 pki]# ls
admin.csr       admin-key.pem  ca-config.json  ca-csr.json  ca.pem     node2-csr.json  node2.pem  node3-csr.json  node3.pem
admin-csr.json  admin.pem      ca.csr          ca-key.pem   node2.csr  node2-key.pem   node3.csr  node3-key.pem
[root@node1 pki]#
kube-controller-manager certificate

The CN system:kube-controller-manager is the username the default ClusterRoleBinding of the same name grants permissions to, so it must be spelled exactly like this.

[root@node1 pki]# cat > kube-controller-manager-csr.json <<EOF
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:kube-controller-manager",
      "OU": "seven"
    }
  ]
}
EOF
[root@node1 pki]#
Generate the certificate:

[root@node1 pki]# cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
[root@node1 pki]#

Check:

[root@node1 pki]# ls
admin.csr       admin.pem       ca-csr.json  kube-controller-manager.csr       kube-controller-manager.pem  node2-key.pem   node3-csr.json
admin-csr.json  ca-config.json  ca-key.pem   kube-controller-manager-csr.json  node2.csr                    node2.pem       node3-key.pem
admin-key.pem   ca.csr          ca.pem       kube-controller-manager-key.pem   node2-csr.json               node3.csr       node3.pem
[root@node1 pki]#
kube-proxy client certificate

The CN system:kube-proxy is the username bound by the default system:node-proxier ClusterRoleBinding; the O field is free-form here.

[root@node1 pki]# cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "seven"
    }
  ]
}
EOF
[root@node1 pki]#
Generate the certificate:

[root@node1 pki]# cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy

Check:

[root@node1 pki]# ls
admin.csr       admin.pem       ca-csr.json  kube-controller-manager.csr       kube-controller-manager.pem  kube-proxy-key.pem  node2-csr.json  node3.csr       node3.pem
admin-csr.json  ca-config.json  ca-key.pem   kube-controller-manager-csr.json  kube-proxy.csr               kube-proxy.pem      node2-key.pem   node3-csr.json
admin-key.pem   ca.csr          ca.pem       kube-controller-manager-key.pem   kube-proxy-csr.json          node2.csr           node2.pem       node3-key.pem
[root@node1 pki]#
kube-scheduler certificate

As with the controller manager, the CN system:kube-scheduler is the username the default system:kube-scheduler ClusterRoleBinding expects.

[root@node1 pki]# cat > kube-scheduler-csr.json <<EOF
{
  "CN": "system:kube-scheduler",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:kube-scheduler",
      "OU": "seven"
    }
  ]
}
EOF
[root@node1 pki]#
Generate the certificate:

[root@node1 pki]# cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-scheduler-csr.json | cfssljson -bare kube-scheduler
[root@node1 pki]#

Check:

[root@node1 pki]# ls
admin.csr       ca-config.json  ca.pem                            kube-controller-manager.pem  kube-proxy.pem           kube-scheduler.pem  node2.pem       node3.pem
admin-csr.json  ca.csr          kube-controller-manager.csr       kube-proxy.csr               kube-scheduler.csr       node2.csr           node3.csr
admin-key.pem   ca-csr.json     kube-controller-manager-csr.json  kube-proxy-csr.json          kube-scheduler-csr.json  node2-csr.json      node3-csr.json
admin.pem       ca-key.pem      kube-controller-manager-key.pem   kube-proxy-key.pem           kube-scheduler-key.pem   node2-key.pem       node3-key.pem
[root@node1 pki]#
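All of the certificates above come out of cfssl as opaque PEM files; what decides whether the cluster works is how kube-apiserver reads them. The Go program below is an added example, not code from the original page or from cfssl: it reproduces the "kubernetes" profile from ca-config.json and the CSR subjects used above with the Go standard library, then applies the two checks Kubernetes applies. The client-certificate authenticator maps CN to the username and each O to a group (so admin lands in system:masters and node2 in system:nodes), and a kubelet's serving certificate must chain to ca.pem and carry the node name and IP given to -hostname as SANs, otherwise the apiserver refuses to connect to the node. The node IP 192.0.2.2 is a placeholder, and the function names NewCA, Issue, Identity, VerifyClient and VerifyServer are chosen here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Lifetime from the page's ca-config.json: 876000h, i.e. 100 years.
const expiry = 876000 * time.Hour

var serial int64 // toy serial counter for this example; cfssl uses random 128-bit serials

// sign generates a 2048-bit RSA key for tmpl and signs the certificate with
// parent/parentKey; with parent == nil the certificate is self-signed (the CA).
func sign(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore = time.Now().Add(-5 * time.Minute)
	tmpl.NotAfter = time.Now().Add(expiry)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA is the equivalent of "cfssl gencert -initca ca-csr.json".
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	return sign(&x509.Certificate{
		Subject: pkix.Name{CommonName: "Kubernetes", Organization: []string{"Kubernetes"},
			OrganizationalUnit: []string{"CA"}, Country: []string{"US"},
			Province: []string{"Oregon"}, Locality: []string{"Portland"}},
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// Issue signs a leaf the way the "kubernetes" profile does: digital signature and
// key encipherment, server auth and client auth, every -hostname entry as a SAN.
func Issue(ca *x509.Certificate, caKey *rsa.PrivateKey, cn string, orgs, hosts []string) (*x509.Certificate, *rsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: cn, Organization: orgs},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	for _, h := range hosts { // cfssl -hostname accepts both DNS names and IPs
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	return sign(tmpl, ca, caKey)
}

// Identity is what kube-apiserver's --client-ca-file authenticator derives from a
// client certificate: username = CN, groups = the O entries.
func Identity(cert *x509.Certificate) (user string, groups []string) {
	return cert.Subject.CommonName, cert.Subject.Organization
}

func verify(ca, cert *x509.Certificate, host string, eku x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// VerifyClient: the apiserver-side check, does the cert chain to ca.pem with client auth?
func VerifyClient(ca, cert *x509.Certificate) error {
	return verify(ca, cert, "", x509.ExtKeyUsageClientAuth)
}

// VerifyServer: the check the apiserver makes on a kubelet's serving cert when it
// dials the node (logs, exec); host must be one of the SANs set via -hostname.
func VerifyServer(ca, cert *x509.Certificate, host string) error {
	return verify(ca, cert, host, x509.ExtKeyUsageServerAuth)
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	// Same subjects as the page's CSRs; 192.0.2.2 is a placeholder node IP.
	node, _, _ := Issue(ca, caKey, "system:node:node2", []string{"system:nodes"}, []string{"node2", "192.0.2.2"})
	admin, _, _ := Issue(ca, caKey, "admin", []string{"system:masters"}, nil)
	for _, c := range []*x509.Certificate{node, admin} {
		u, g := Identity(c)
		fmt.Printf("user=%s groups=%v clientAuthOK=%v\n", u, g, VerifyClient(ca, c) == nil)
	}
	fmt.Println("node2 serving cert for host node2:", VerifyServer(ca, node, "node2"))
	fmt.Println("node2 serving cert for host node3:", VerifyServer(ca, node, "node3"))
}
```

The last line is the failure mode worth remembering: a kubelet certificate whose -hostname list omits the name or IP the apiserver actually dials verifies fine as a client certificate but is rejected as a server certificate, which surfaces later as kubectl logs/exec errors rather than at certificate-generation time.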
kube-apiserver certificate

For the remaining content, go to the WeChat (VX) official account "运维家" and reply "120".