简介
最近在倒腾k8s, 这里记录下k8s的部署记录,以方便后续操作使用
证书准备
etcd | /etc/etcd/ssl/ca.pem /etc/etcd/ssl/server.pem /etc/etcd/ssl/server-key.pem |
kube-apiserver | /etc/kubernetes/ssl/ca.pem /etc/kubernetes/ssl/server.pem /etc/kubernetes/ssl/server-key.pem |
kube-proxy | /etc/kubernetes/ssl/ca.pem /etc/kubernetes/ssl/kube-proxy.pem /etc/kubernetes/ssl/kube-proxy-key.pem |
kubelet | /etc/kubernetes/ssl/ca.pem /etc/kubernetes/ssl/ca-key.pem |
kubectl | /etc/kubernetes/ssl/ca.pem /etc/kubernetes/ssl/admin.pem /etc/kubernetes/ssl/admin-key.pem |
证书准备过程如下:
1. etcd证书准备
2. kubelet证书准备
编辑 /etc/kubernetes/ca-config.json (签发配置, 下文各 gencert 命令通过 -config 引用)
{
"signing": {
"default": {
"expiry": "876000h"
},
"profiles": {
"kubernetes": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
编辑 /etc/kubernetes/ca-csr.json (根证书的 CSR, 注意与上面的 ca-config.json 是两个不同的文件)
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "HeFei",
"ST": "HeFei",
"O": "k8s",
"OU": "System"
}
]
}
执行 cfssl gencert -initca ca-csr.json | cfssljson -bare ca, 生成根证书 ca.csr、ca.pem、ca-key.pem。注意 ca-config.json 中 expiry 为 876000h(约 100 年), 证书基本不会自动过期, 轮换只能靠手动重新签发; ca-key.pem 是整个集群的签发私钥, 泄露后任何人都能签出可信的客户端证书, 应只保留在签发主机上并限制文件权限。
3. kube-proxy证书准备
编辑 /etc/kubernetes/ssl/kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "HeFei",
"ST": "HeFei",
"O": "k8s",
"OU": "System"
}
]
}
执行命令 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
生成证书kube-proxy.csr、kube-proxy.pem、kube-proxy-key.pem
4. kube-apiserver证书准备
生成 server 证书, 编辑 /etc/kubernetes/server-csr.json (下文命令中引用的即为此文件)。hosts 中除各节点 IP、主机名外, 还需要包含 apiserver 的 Service ClusterIP (即 kubernetes.default 服务的 IP), 否则集群内组件通过 Service IP 访问 apiserver 时证书校验会失败。
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.0.1",
"192.168.0.2",
"192.168.0.3",
"kubernetes",
"k8s-node01",
"k8s-master01",
"k8s-node02",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "HeFei",
"ST": "HeFei",
"O": "k8s",
"OU": "System"
}
]
}
执行命令 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server 生成证书 server.csr server-key.pem server.pem
5. kubectl admin证书准备
/etc/kubernetes/ssl/admin-csr.json
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "HeFei",
"ST": "HeFei",
"O": "system:masters"
"OU": "System"
}
]
}
执行命令cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
生成证书 admin.csr、admin-key.pem、admin.pem。该证书的 O 字段为 system:masters (组名区分大小写), 持有者即拥有 cluster-admin 权限, admin-key.pem 需与 ca-key.pem 同等保护, 只在管理机上使用。
6. 同步证书到各服务器。注意下面的 scp * 会把目录内所有文件(包括 ca-key.pem、admin-key.pem)复制到每个节点, 建议按上面表格只分发各组件实际需要的文件, 把 CA 私钥和 admin 凭据留在 master 上。
cd /etc/kubernetes/ssl/
scp * root@192.168.0.2:/etc/kubernetes/ssl/
scp * root@192.168.0.3:/etc/kubernetes/ssl/
部署k8s master
生成token.csv文件
head -c 16 /dev/urandom |od -An -t x |tr -d ' ' > /etc/kubernetes/token.csv
编辑 token.csv, 格式为 token,用户名,UID,"组名", 其中 token 用上一步生成的随机值 (下面的值仅为示例, 不要直接使用):
7624eec3dd645fd059d53ddcbd794eba,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
执行 kubectl config 配置 (BOOTSTRAP_TOKEN 必须与 token.csv 中的 token 一致)
[root@master01 kubernetes]# BOOTSTRAP_TOKEN=7624eec3dd645fd059d53ddcbd794eba
[root@master01 kubernetes]# KUBE_APISERVER="https://192.168.0.1:6443"
设置集群参数 (注意这里写入的是 kube-proxy.kubeconfig; bootstrap.kubeconfig 的集群参数在下文单独设置)
[root@master01 kubernetes]# kubectl config set-cluster kubernetes \
> --certificate-authority=/etc/kubernetes/ssl/ca.pem \
> --embed-certs=true \
> --server=${KUBE_APISERVER} \
> --kubeconfig=kube-proxy.kubeconfig
设置客户端认证参数
[root@master01 kubernetes]# kubectl config set-credentials kubelet-bootstrap \
> --token=${BOOTSTRAP_TOKEN} \
> --kubeconfig=bootstrap.kubeconfig
设置上下文参数
[root@master01 kubernetes]# kubectl config set-context default \
> --cluster=kubernetes \
> --user=kubelet-bootstrap \
> --kubeconfig=bootstrap.kubeconfig
设置默认上下文
[root@master01 kubernetes]# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
创建 kube-proxy.kubeconfig 文件。注意下面的上下文使用了 --user=kube-proxy, 但本文没有给出对应的 set-credentials 步骤; 需要先用第 3 步生成的证书执行 kubectl config set-credentials kube-proxy --client-certificate=/etc/kubernetes/ssl/kube-proxy.pem --client-key=/etc/kubernetes/ssl/kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig, 否则该 kubeconfig 没有凭据, 无法通过 apiserver 认证。
[root@swift01 kubernetes]# kubectl config set-cluster kubernetes \
> --certificate-authority=/etc/kubernetes/ssl/ca.pem \
> --embed-certs=true \
> --server=${KUBE_APISERVER} \
> --kubeconfig=kube-proxy.kubeconfig
Cluster "kubernetes" set.
[root@swift01 kubernetes]#
[root@swift01 kubernetes]#
[root@swift01 kubernetes]# kubectl config set-cluster kubernetes \
> --certificate-authority=/etc/kubernetes/ssl/ca.pem \
> --embed-certs=true \
> --server=${KUBE_APISERVER} \
> --kubeconfig=bootstrap.kubeconfig
Cluster "kubernetes" set.
[root@swift01 kubernetes]#
[root@swift01 kubernetes]#
[root@swift01 kubernetes]# kubectl config set-context default \
> --cluster=kubernetes \
> --user=kube-proxy \
> --kubeconfig=kube-proxy.kubeconfig
Context "default" created.
[root@swift01 kubernetes]#
[root@swift01 kubernetes]#
[root@swift01 kubernetes]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Switched to context "default".
至此配置结束。生成的 bootstrap.kubeconfig、kube-proxy.kubeconfig 中嵌入了 token 和私钥, 分发到节点后应限制为仅 root 可读。