kubernetes容器集群自签TLS证书
集群部署
1、环境规划
2、安装docker
3、自签TLS证书
4、部署Flannel网络
5、部署Etcd集群
6、创建Node节点kubeconfig文件
7、获取K8S二进制包
8、运行Master组件
9、运行Node组件
10、查询集群状态
11、启动一个测试实例
12、部署Web UI(Dashboard)
集群部署环境规划
| 软件 | 版本 |
|---|---|
| Linux操作系统 | CentOS7.2_x64 |
| kubernetes | 1.9 |
| docker | 18.09.7 |
| etcd | 3.0 |
注意:linux关闭selinux。
[root@master ~]# sed -i s#SELINUX=enforcing#SELINUX=disabled#g /etc/selinux/config`
[root@master ~]# getenforce
Enforcing
[root@master ~]# setenforce 0
[root@master ~]# getenforce
Permissive
| 角色 | IP | 组件 |
|---|---|---|
| master | 192.168.238.130 | kube-apiserver、kube-controller-manager、kube-scheduler、etcd |
| node01 | 192.168.238.129 | kubelet、kube-proxy、docker、flannel、etcd |
| node02 | 192.168.238.128 | kubelet、kube-proxy、docker、flannel、etcd |
集群部署安装docker
安装docker依赖包
[root@master ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
安装docker
[root@master ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
[root@master ~]# ls /etc/yum.repos.d/docker-ce.repo
/etc/yum.repos.d/docker-ce.repo
[root@master ~]# yum install -y docker-ce
配置国内镜像
[root@master ~]# cat /etc/docker/daemon.json
{
"registry-mirrors":["https://registry.docker-cn.com"]
}
设置docker开机自启动
[root@master ~]# systemctl enable docker
启动docker
[root@master ~]# systemctl start docker
查看docker信息
[root@master ~]# docker info
集群部署自签TLS证书
| 组件 | 使用的证书 |
|---|---|
| etcd | ca.pem、server.pem、server-key.pem |
| kube-apiserver | ca.pem、server.pem、server-key.pem |
| kubelet | ca.pem、ca-key.pem |
| kube-proxy | ca.pem、kube-proxy.pem、kube-proxy-key.pem |
| kubectl | ca.pem、admin.pem、admin-key.pem |
安装证书生产工具cfssl
[root@master ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@master ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@master ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@master ~]# chmod +x cfssljson_linux-amd64 cfssl-certinfo_linux-amd64 cfssl_linux-amd64
[root@master ~]# mv cfssljson_linux-amd64.1 /usr/local/bin/cfssljson
[root@master ~]# mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
[root@master ~]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@master ~]# ls /usr/local/bin/cfssl*
/usr/local/bin/cfssl /usr/local/bin/cfssl-certinfo /usr/local/bin/cfssljson
[root@master ssl]# cfssl --help
Usage:
Available commands:
serve
gencert
ocspdump
ocspserve
certinfo
ocspsign
info
sign
gencrl
selfsign
print-defaults
bundle
version
genkey
ocsprefresh
scan
revoke
Top-level flags:
-allow_verification_with_non_compliant_keys
Allow a SignatureVerifier to use keys which are technically non-compliant with RFC6962.
-loglevel int
Log level (0 = DEBUG, 5 = FATAL) (default 1)
生成证书
创建保存证书目录
[root@master ~]# mkdir ssl
[root@master ~]# cd ssl
生成证书模板文件
[root@master ssl]# cfssl print-defaults config >config.json
[root@master ssl]# ls
config.json
[root@master ssl]# cat config.json
{
"signing": {
"default": {
"expiry": "168h"
},
"profiles": {
"www": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
}
}
}
}
[root@master ssl]# cfssl print-defaults csr >csr.json
[root@master ssl]# cat csr.json
{
"CN": "example.net",
"hosts": [
"example.net",
"www.example.net"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
[root@master ssl]# cat > ca-config.json <<EOF
> {
> "signing":{
> "default":{
> "expiry":"87600h"
> },
> "profiles":{
> "kubernetes":{
> "expiry":"87600h",
> "usages":[
> "signing",
> "key encipherment",
> "server auth",
> "client auth"
> ]
> }
> }
> }
> }
> EOF
[root@master ssl]# cat ca-config.json
{
"signing":{
"default":{
"expiry":"87600h"
},
"profiles":{
"kubernetes":{
"expiry":"87600h",
"usages":[
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
[root@master ssl]# cat > ca-csr.json <<EOF
> {
> "CN":"kubernetes",
> "key":{
> "algo":"rsa",
> "size":2048
> },
> "name":[
> {
> "C":"CN",
> "L":"Wuhan",
> "ST":"Wuhan",
> "O":"k8s",
> "OU":"System"
> }
> ]
>
> }
> EOF
[root@master ssl]# cat ca-csr.json
{
"CN":"kubernetes",
"key":{
"algo":"rsa",
"size":2048
},
"name":[
{
"C":"CN",
"L":"Wuhan",
"ST":"Wuhan",
"O":"k8s",
"OU":"System"
}
]
}
[root@master ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2019/06/30 11:51:14 [INFO] generating a new CA key and certificate from CSR
2019/06/30 11:51:14 [INFO] generate received request
2019/06/30 11:51:14 [INFO] received CSR
2019/06/30 11:51:14 [INFO] generating key: rsa-2048
2019/06/30 11:51:14 [INFO] encoded CSR
2019/06/30 11:51:14 [INFO] signed certificate with serial number 357684144253379560050468419609693070989434498568
生成证书ca-key.pem、ca.pem
[root@master ssl]# ls ca*
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
[root@master ssl]# cat > server-csr.json <<EOF
> {
> "CN":"kubernetes",
> "hosts":[
> "127.0.0.1",
> "192.168.238.130",
> "192.168.238.129",
> "192.168.238.128",
> "kubernetes.default",
> "kubernetes.default.svc",
> "kubernetes.default.svc.cluster",
> "kubernetes.default.svc.cluster.local"
> ],
> "key":{
> "algo":"rsa",
> "size":2048
> },
> "names":[
> {
> "C":"CN",
> "L":"Wuhan",
> "ST":"Wuhan",
> "O":"k8s",
> "OU":"System"
> }
> ]
> }
> EOF
[root@master ssl]# cat server-csr.json
{
"CN":"kubernetes",
"hosts":[
"127.0.0.1",
"192.168.238.130",
"192.168.238.129",
"192.168.238.128",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key":{
"algo":"rsa",
"size":2048
},
"names":[
{
"C":"CN",
"L":"Wuhan",
"ST":"Wuhan",
"O":"k8s",
"OU":"System"
}
]
}
[root@master ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
2019/06/30 12:26:45 [INFO] generate received request
2019/06/30 12:26:45 [INFO] received CSR
2019/06/30 12:26:45 [INFO] generating key: rsa-2048
2019/06/30 12:26:45 [INFO] encoded CSR
2019/06/30 12:26:45 [INFO] signed certificate with serial number 349804933480633404809478762244384990113466024768
2019/06/30 12:26:45 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@master ssl]# ls server*
server.csr server-csr.json server-key.pem server.pem
[root@master ssl]# cat > admin-csr.json <<EOF
> {
> "CN":"admin",
> "hosts":[],
> "key":{
> "algo":"rsa",
> "size":2048
> },
> "names":[
> {
> "C":"CN",
> "L":"Wuhan",
> "ST":"Wuhan",
> "O":"system:masters",
> "OU":"System"
> }
> ]
>
> }
> EOF
[root@master ssl]# cat admin-csr.json
{
"CN":"admin",
"hosts":[],
"key":{
"algo":"rsa",
"size":2048
},
"names":[
{
"C":"CN",
"L":"Wuhan",
"ST":"Wuhan",
"O":"system:masters",
"OU":"System"
}
]
}
[root@master ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/06/30 12:34:53 [INFO] generate received request
2019/06/30 12:34:53 [INFO] received CSR
2019/06/30 12:34:53 [INFO] generating key: rsa-2048
2019/06/30 12:34:53 [INFO] encoded CSR
2019/06/30 12:34:53 [INFO] signed certificate with serial number 7605307211369238746660755012651019629332863527
2019/06/30 12:34:53 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@master ssl]# ls admin*
admin.csr admin-csr.json admin-key.pem admin.pem
[root@master ssl]# cat > kube-proxy-csr.json <<EOF
> {
> "CN":"system:kube-proxy",
> "hosts":[],
> "key":{
> "algo":"rsa",
> "size":2048
> },
> "names":[
> {
> "C":"CN",
> "L":"Wuhan",
> "ST":"Wuhan",
> "O":"k8s",
> "OU":"System"
> }
>
> ]
> }
> EOF
[root@master ssl]# cat kube-proxy-csr.json
{
"CN":"system:kube-proxy",
"hosts":[],
"key":{
"algo":"rsa",
"size":2048
},
"names":[
{
"C":"CN",
"L":"Wuhan",
"ST":"Wuhan",
"O":"k8s",
"OU":"System"
}
]
}
[root@master ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
2019/06/30 12:42:07 [INFO] generate received request
2019/06/30 12:42:07 [INFO] received CSR
2019/06/30 12:42:07 [INFO] generating key: rsa-2048
2019/06/30 12:42:07 [INFO] encoded CSR
2019/06/30 12:42:07 [INFO] signed certificate with serial number 469894574335691035633190543464468828048263055138
2019/06/30 12:42:07 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@master ssl]# ls kube-proxy*
kube-proxy.csr kube-proxy-csr.json kube-proxy-key.pem kube-proxy.pem
[root@master ssl]# ls *pem
admin-key.pem ca-key.pem kube-proxy-key.pem server-key.pem
admin.pem ca.pem kube-proxy.pem server.pem
kubernetes容器集群自签TLS证书的更多相关文章
- Kubernetes容器集群管理环境 - 完整部署(中篇)
接着Kubernetes容器集群管理环境 - 完整部署(上篇)继续往下部署: 八.部署master节点master节点的kube-apiserver.kube-scheduler 和 kube-con ...
- Kubernetes容器集群管理环境 - Prometheus监控篇
一.Prometheus介绍之前已经详细介绍了Kubernetes集群部署篇,今天这里重点说下Kubernetes监控方案-Prometheus+Grafana.Prometheus(普罗米修斯)是一 ...
- Kubernetes容器集群管理环境 - 完整部署(下篇)
在前一篇文章中详细介绍了Kubernetes容器集群管理环境 - 完整部署(中篇),这里继续记录下Kubernetes集群插件等部署过程: 十一.Kubernetes集群插件 插件是Kubernete ...
- 搭建Kubernetes容器集群管理系统
1.Kubernetes 概述 Kubernetes 是 Google 开源的容器集群管理系统,基于 Docker 构建一个容器的调度服务,提供资源调度.均衡容灾.服务注册.劢态扩缩容等功能套件. 基 ...
- Kubernetes容器集群管理环境 - 完整部署(上篇)
Kubernetes(通常称为"K8S")是Google开源的容器集群管理系统.其设计目标是在主机集群之间提供一个能够自动化部署.可拓展.应用容器可运营的平台.Kubernetes ...
- Kubernetes——容器集群
kuberneteskubernetes(k8s)是google的容器集群管理系统,在docker的基础之上,为容器化的应用提供部署运行.资源调度.服务发现和动态伸缩等一系列完整的功能,提高了大规模容 ...
- 使用docker方式安装etcd集群,带TLS证书
网上文档也多,安装的时候,还是踩了几个坑. 现在作一个安装记录吧. 1,先作自签名的证书ca-csr.json(为了和k8s共用根证书,可能将信息调为k8s). { "CN": & ...
- Kubernetes容器集群管理环境 - Node节点的移除与加入
一.如何从Kubernetes集群中移除Node比如从集群中移除k8s-node03这个Node节点,做法如下: 1)先在master节点查看Node情况 [root@k8s-master01 ~]# ...
- kubernetes容器集群管理创建node节点kubeconfig文件
1.创建TLS Bootstrapping Token 2.创建kubelet kubeconfig 3.创建kube-proxy kubeconfig 安装和设置kubectl [root@mast ...
随机推荐
- MySQL语句优化方法(简单版)
基础回顾: sql语句是怎么样运行的? 一般来说,客户端发送sql语句到数据库服务器——数据库服务器进行运算并返回结果——客户端显示sql语句运行结果. 在本地运行时以workbench为例,客户端为 ...
- MySQL--10 日志简介
目录 一.MySQL日志简介 二.错误日志 三.一般查询日志 四.二进制日志 五.慢查询日志 一.MySQL日志简介 二.错误日志 作用: 记录mysql数据库的一般状态信息及报错信息,是我们对于数据 ...
- EBCDIC-1025 Russia
- docker运行redis
查询镜像: zhoumatoMBP:~ zhou$ docker search redis NAME DESCRIPTION STARS OFFICIAL AUTOMATED redis Redis ...
- mongodb 索引基础
一 .索引基础: MongoDB的索引几乎与传统的关系型数据库一模一样,这其中也包括一些基本的优化技巧.下面是创建索引的命令: > db.test.ensureIndex({&quo ...
- vue.js 导出JSON
cnpm install file-saver --save <template> <div class="hello"> <button @clic ...
- vue 生命周期函数详解
beforeCreate( 创建前 ) 在实例初始化之后,数据观测和事件配置之前被调用,此时组件的选项对象还未创建,el 和 data 并未初始化,因此无法访问methods, data, compu ...
- Alex and Number
Alex and Number 时间限制: 1 Sec 内存限制: 128 MB提交: 69 解决: 12[提交][状态] 题目描述 Alex love Number theory. Today ...
- sts bug SpringJUnit4ClassRunner
SpringJUnit4ClassRunner找不到,不会自动修复, 只能复制引用过去 import org.springframework.test.context.junit4.SpringJUn ...
- obj文件中的关键字
obj文件使用的关键字 关键字 含义 v 表示本行指定一个顶点,此关键字后跟着3个单精度浮点数,分别表示该顶点的X.Y.Z坐标值 vt 表示本行指定一个纹理坐标,此关键字后跟着两个单精度浮点数,分别表 ...