kubernetes容器集群自签TLS证书
集群部署
1、环境规划
2、安装docker
3、自签TLS证书
4、部署Flannel网络
5、部署Etcd集群
6、创建Node节点kubeconfig文件
7、获取K8S二进制包
8、运行Master组件
9、运行Node组件
10、查询集群状态
11、启动一个测试实例
12、部署Web UI(Dashboard)
集群部署环境规划
| 软件 | 版本 |
|---|---|
| Linux操作系统 | CentOS7.2_x64 |
| kubernetes | 1.9 |
| docker | 18.09.7 |
| etcd | 3.0 |
注意:linux关闭selinux。
[root@master ~]# sed -i s#SELINUX=enforcing#SELINUX=disabled#g /etc/selinux/config`
[root@master ~]# getenforce
Enforcing
[root@master ~]# setenforce 0
[root@master ~]# getenforce
Permissive
| 角色 | IP | 组件 |
|---|---|---|
| master | 192.168.238.130 | kube-apiserver、kube-controller-manager、kube-scheduler、etcd |
| node01 | 192.168.238.129 | kubelet、kube-proxy、docker、flannel、etcd |
| node02 | 192.168.238.128 | kubelet、kube-proxy、docker、flannel、etcd |
集群部署安装docker
安装docker依赖包
[root@master ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
安装docker
[root@master ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
[root@master ~]# ls /etc/yum.repos.d/docker-ce.repo
/etc/yum.repos.d/docker-ce.repo
[root@master ~]# yum install -y docker-ce
配置国内镜像
[root@master ~]# cat /etc/docker/daemon.json
{
"registry-mirrors":["https://registry.docker-cn.com"]
}
设置docker开机自启动
[root@master ~]# systemctl enable docker
启动docker
[root@master ~]# systemctl start docker
查看docker信息
[root@master ~]# docker info
集群部署自签TLS证书
| 组件 | 使用的证书 |
|---|---|
| etcd | ca.pem、server.pem、server-key.pem |
| kube-apiserver | ca.pem、server.pem、server-key.pem |
| kubelet | ca.pem、ca-key.pem |
| kube-proxy | ca.pem、kube-proxy.pem、kube-proxy-key.pem |
| kubectl | ca.pem、admin.pem、admin-key.pem |
安装证书生产工具cfssl
[root@master ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@master ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@master ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@master ~]# chmod +x cfssljson_linux-amd64 cfssl-certinfo_linux-amd64 cfssl_linux-amd64
[root@master ~]# mv cfssljson_linux-amd64.1 /usr/local/bin/cfssljson
[root@master ~]# mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
[root@master ~]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@master ~]# ls /usr/local/bin/cfssl*
/usr/local/bin/cfssl /usr/local/bin/cfssl-certinfo /usr/local/bin/cfssljson
[root@master ssl]# cfssl --help
Usage:
Available commands:
serve
gencert
ocspdump
ocspserve
certinfo
ocspsign
info
sign
gencrl
selfsign
print-defaults
bundle
version
genkey
ocsprefresh
scan
revoke
Top-level flags:
-allow_verification_with_non_compliant_keys
Allow a SignatureVerifier to use keys which are technically non-compliant with RFC6962.
-loglevel int
Log level (0 = DEBUG, 5 = FATAL) (default 1)
生成证书
创建保存证书目录
[root@master ~]# mkdir ssl
[root@master ~]# cd ssl
生成证书模板文件
[root@master ssl]# cfssl print-defaults config >config.json
[root@master ssl]# ls
config.json
[root@master ssl]# cat config.json
{
"signing": {
"default": {
"expiry": "168h"
},
"profiles": {
"www": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
}
}
}
}
[root@master ssl]# cfssl print-defaults csr >csr.json
[root@master ssl]# cat csr.json
{
"CN": "example.net",
"hosts": [
"example.net",
"www.example.net"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
[root@master ssl]# cat > ca-config.json <<EOF
> {
> "signing":{
> "default":{
> "expiry":"87600h"
> },
> "profiles":{
> "kubernetes":{
> "expiry":"87600h",
> "usages":[
> "signing",
> "key encipherment",
> "server auth",
> "client auth"
> ]
> }
> }
> }
> }
> EOF
[root@master ssl]# cat ca-config.json
{
"signing":{
"default":{
"expiry":"87600h"
},
"profiles":{
"kubernetes":{
"expiry":"87600h",
"usages":[
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
[root@master ssl]# cat > ca-csr.json <<EOF
> {
> "CN":"kubernetes",
> "key":{
> "algo":"rsa",
> "size":2048
> },
> "name":[
> {
> "C":"CN",
> "L":"Wuhan",
> "ST":"Wuhan",
> "O":"k8s",
> "OU":"System"
> }
> ]
>
> }
> EOF
[root@master ssl]# cat ca-csr.json
{
"CN":"kubernetes",
"key":{
"algo":"rsa",
"size":2048
},
"name":[
{
"C":"CN",
"L":"Wuhan",
"ST":"Wuhan",
"O":"k8s",
"OU":"System"
}
]
}
[root@master ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2019/06/30 11:51:14 [INFO] generating a new CA key and certificate from CSR
2019/06/30 11:51:14 [INFO] generate received request
2019/06/30 11:51:14 [INFO] received CSR
2019/06/30 11:51:14 [INFO] generating key: rsa-2048
2019/06/30 11:51:14 [INFO] encoded CSR
2019/06/30 11:51:14 [INFO] signed certificate with serial number 357684144253379560050468419609693070989434498568
生成证书ca-key.pem、ca.pem
[root@master ssl]# ls ca*
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
[root@master ssl]# cat > server-csr.json <<EOF
> {
> "CN":"kubernetes",
> "hosts":[
> "127.0.0.1",
> "192.168.238.130",
> "192.168.238.129",
> "192.168.238.128",
> "kubernetes.default",
> "kubernetes.default.svc",
> "kubernetes.default.svc.cluster",
> "kubernetes.default.svc.cluster.local"
> ],
> "key":{
> "algo":"rsa",
> "size":2048
> },
> "names":[
> {
> "C":"CN",
> "L":"Wuhan",
> "ST":"Wuhan",
> "O":"k8s",
> "OU":"System"
> }
> ]
> }
> EOF
[root@master ssl]# cat server-csr.json
{
"CN":"kubernetes",
"hosts":[
"127.0.0.1",
"192.168.238.130",
"192.168.238.129",
"192.168.238.128",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key":{
"algo":"rsa",
"size":2048
},
"names":[
{
"C":"CN",
"L":"Wuhan",
"ST":"Wuhan",
"O":"k8s",
"OU":"System"
}
]
}
[root@master ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
2019/06/30 12:26:45 [INFO] generate received request
2019/06/30 12:26:45 [INFO] received CSR
2019/06/30 12:26:45 [INFO] generating key: rsa-2048
2019/06/30 12:26:45 [INFO] encoded CSR
2019/06/30 12:26:45 [INFO] signed certificate with serial number 349804933480633404809478762244384990113466024768
2019/06/30 12:26:45 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@master ssl]# ls server*
server.csr server-csr.json server-key.pem server.pem
[root@master ssl]# cat > admin-csr.json <<EOF
> {
> "CN":"admin",
> "hosts":[],
> "key":{
> "algo":"rsa",
> "size":2048
> },
> "names":[
> {
> "C":"CN",
> "L":"Wuhan",
> "ST":"Wuhan",
> "O":"system:masters",
> "OU":"System"
> }
> ]
>
> }
> EOF
[root@master ssl]# cat admin-csr.json
{
"CN":"admin",
"hosts":[],
"key":{
"algo":"rsa",
"size":2048
},
"names":[
{
"C":"CN",
"L":"Wuhan",
"ST":"Wuhan",
"O":"system:masters",
"OU":"System"
}
]
}
[root@master ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/06/30 12:34:53 [INFO] generate received request
2019/06/30 12:34:53 [INFO] received CSR
2019/06/30 12:34:53 [INFO] generating key: rsa-2048
2019/06/30 12:34:53 [INFO] encoded CSR
2019/06/30 12:34:53 [INFO] signed certificate with serial number 7605307211369238746660755012651019629332863527
2019/06/30 12:34:53 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@master ssl]# ls admin*
admin.csr admin-csr.json admin-key.pem admin.pem
[root@master ssl]# cat > kube-proxy-csr.json <<EOF
> {
> "CN":"system:kube-proxy",
> "hosts":[],
> "key":{
> "algo":"rsa",
> "size":2048
> },
> "names":[
> {
> "C":"CN",
> "L":"Wuhan",
> "ST":"Wuhan",
> "O":"k8s",
> "OU":"System"
> }
>
> ]
> }
> EOF
[root@master ssl]# cat kube-proxy-csr.json
{
"CN":"system:kube-proxy",
"hosts":[],
"key":{
"algo":"rsa",
"size":2048
},
"names":[
{
"C":"CN",
"L":"Wuhan",
"ST":"Wuhan",
"O":"k8s",
"OU":"System"
}
]
}
[root@master ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
2019/06/30 12:42:07 [INFO] generate received request
2019/06/30 12:42:07 [INFO] received CSR
2019/06/30 12:42:07 [INFO] generating key: rsa-2048
2019/06/30 12:42:07 [INFO] encoded CSR
2019/06/30 12:42:07 [INFO] signed certificate with serial number 469894574335691035633190543464468828048263055138
2019/06/30 12:42:07 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@master ssl]# ls kube-proxy*
kube-proxy.csr kube-proxy-csr.json kube-proxy-key.pem kube-proxy.pem
[root@master ssl]# ls *pem
admin-key.pem ca-key.pem kube-proxy-key.pem server-key.pem
admin.pem ca.pem kube-proxy.pem server.pem
kubernetes容器集群自签TLS证书的更多相关文章
- Kubernetes容器集群管理环境 - 完整部署(中篇)
接着Kubernetes容器集群管理环境 - 完整部署(上篇)继续往下部署: 八.部署master节点master节点的kube-apiserver.kube-scheduler 和 kube-con ...
- Kubernetes容器集群管理环境 - Prometheus监控篇
一.Prometheus介绍之前已经详细介绍了Kubernetes集群部署篇,今天这里重点说下Kubernetes监控方案-Prometheus+Grafana.Prometheus(普罗米修斯)是一 ...
- Kubernetes容器集群管理环境 - 完整部署(下篇)
在前一篇文章中详细介绍了Kubernetes容器集群管理环境 - 完整部署(中篇),这里继续记录下Kubernetes集群插件等部署过程: 十一.Kubernetes集群插件 插件是Kubernete ...
- 搭建Kubernetes容器集群管理系统
1.Kubernetes 概述 Kubernetes 是 Google 开源的容器集群管理系统,基于 Docker 构建一个容器的调度服务,提供资源调度.均衡容灾.服务注册.劢态扩缩容等功能套件. 基 ...
- Kubernetes容器集群管理环境 - 完整部署(上篇)
Kubernetes(通常称为"K8S")是Google开源的容器集群管理系统.其设计目标是在主机集群之间提供一个能够自动化部署.可拓展.应用容器可运营的平台.Kubernetes ...
- Kubernetes——容器集群
kuberneteskubernetes(k8s)是google的容器集群管理系统,在docker的基础之上,为容器化的应用提供部署运行.资源调度.服务发现和动态伸缩等一系列完整的功能,提高了大规模容 ...
- 使用docker方式安装etcd集群,带TLS证书
网上文档也多,安装的时候,还是踩了几个坑. 现在作一个安装记录吧. 1,先作自签名的证书ca-csr.json(为了和k8s共用根证书,可能将信息调为k8s). { "CN": & ...
- Kubernetes容器集群管理环境 - Node节点的移除与加入
一.如何从Kubernetes集群中移除Node比如从集群中移除k8s-node03这个Node节点,做法如下: 1)先在master节点查看Node情况 [root@k8s-master01 ~]# ...
- kubernetes容器集群管理创建node节点kubeconfig文件
1.创建TLS Bootstrapping Token 2.创建kubelet kubeconfig 3.创建kube-proxy kubeconfig 安装和设置kubectl [root@mast ...
随机推荐
- centos7 利用mailx发送邮件
当需要服务器定时发送邮件到自己邮箱时,一个邮件服务就很重要了,以下主要是mailx的实现,主要是利用 1.安装mailx 1 yum install mailx -y 2.使用到的配置文件只有一个 ...
- JavaScript中正则使用
字符串是编程时涉及到的最多的一种数据结构,对字符串进行操作的需求几乎无处不在.比如判断一个字符串是否是合法的Email地址,虽然可以编程提取@前后的子串,再分别判断是否是单词和域名,但这样做不但麻烦, ...
- shell变量的声明和使用
- Linux Shell 脚本学习第一天: 使用grep 命令,lsusb, ps -ef, 实现树莓派(Debian OS)时检测到依赖的USB设备启动后,启动终端自动执行shell脚本
1.应用背景: 无人监测的设备,常需要设置应用程序开机启动,程序启动前需要保证调用的设备先启动,运行环境先启动. 2.test.sh部分源码 #!/bin/sh #查看桌面是否启动 while tru ...
- 五 shell 变量与字符串操作
特点:1 shell变量没有数据类型的区分 2 Shell 把任何存储在变量中的值,皆视为以字符组成的“字符串”. 3 设定的变量值只在当前shell环境中有作用 4 不能以数字开头 ...
- [POJ1821]Fence(单调队列优化dp)
[poj1821]Fence 有 N 块木板从左至右排成一行,有 M 个工匠对这些木板进行粉刷,每块木板至多被粉刷一次.第 i 个工匠要么不粉刷,要么粉刷包含木板 Si 的,长度不超过Li 的连续一段 ...
- Altium Designer 19使用
铺铜之后运行DRC检查弹出警告: Design contains shelved or modified (but not repoured)polygons. The result of DRC w ...
- python py文件转换成exe
1.首先学会了最简单的方法 1)pip install pyinstaller 安装pyinstall 2)pyinstaller aaaa.py 转换,会在当前目录下建两个文件夹,其中一个文件夹 ...
- 常用jstl
求list中某一值的和 <c:set var="total" value="${0}" /> <c:forEach var="tLi ...
- jquery自带的排序方法(js也是)
jquery.sort() js.sort() <!DOCTYPE html> <html> <head> <meta charset=&qu ...