Kubernetes(k8s)1.14 离线版集群 - 创建CA证书、秘钥和部署kubectl工具
Kubernetes(k8s)1.14 离线版集群 - 创建CA证书、秘钥和部署kubectl工具
声明: 如果您有更好的技术与作者分享,或者商业合作; 请访问作者个人网站 http://www.esqabc.com/view/message.html 留言给作者。 如果该案例触犯您的专利,请在这里:http://www.esqabc.com/view/message.html 留言给作者说明原由 作者一经查实,马上删除
1、安装CA证书生成工具
前提提条件、服务器,请查看这个地址:https://blog.csdn.net/esqabc/article/details/102726771
a、创建证书文件夹
[root@k8s-01 ~]# mkdir -p /opt/k8s/cert && cd /opt/k8s
b、下载证书工具
[root@k8s-01 k8s]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 [root@k8s-01 k8s]# mv cfssl_linux-amd64 /opt/k8s/bin/cfssl [root@k8s-01 k8s]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 [root@k8s-01 k8s]# mv cfssljson_linux-amd64 /opt/k8s/bin/cfssljson [root@k8s-01 k8s]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 [root@k8s-01 k8s]# mv cfssl-certinfo_linux-amd64 /opt/k8s/bin/cfssl-certinfo
c、工具生效
[root@k8s-01 k8s]# chmod +x /opt/k8s/bin/* [root@k8s-01 k8s]# export PATH=/opt/k8s/bin:$PATH
2、创建CA证书和秘钥
a、创建配置文件
[root@k8s-01 ~]# cd /opt/k8s/work [root@k8s-01 work]# cat > ca-config.json <<EOF 添加下面内容
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF说明一下:
- signing 表示该证书可用于签名其它证书,生成的ca.pem证书找中CA=TRUE
- server auth 表示client可以用该证书对server提供的证书进行验证
- client auth 表示server可以用该证书对client提供的证书进行验证
b、创建证书签名请求文件
[root@k8s-01 ~]# cd /opt/k8s/work [root@k8s-01 work]# cat > ca-csr.json <<EOF 添加下面内容
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "4Paradigm"
}
],
"ca": {
"expiry": "876000h"
}
}
EOF说明一下:
- CN CommonName,kube-apiserver从证书中提取该字段作为请求的用户名(User Name),浏览器使用该字段验证网站是否合法
- O Organization,kube-apiserver 从证书中提取该字段作为请求用户和所属组(Group)
- kube-apiserver将提取的User、Group作为RBAC授权的用户和标识
c、生成CA证书和私钥
[root@k8s-01 ~]# cd /opt/k8s/work [root@k8s-01 work]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca [root@k8s-01 work]# ls ca*
d、分发证书
[root@k8s-01 ~]# cd /opt/k8s/work [root@k8s-01 work]# source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "mkdir -p /etc/kubernetes/cert"
scp ca*.pem ca-config.json root@${node_ip}:/etc/kubernetes/cert
done3、部署kubectl命令行工具
a、上传下载好的kubectl到:cd /opt/k8s/work,解压
[root@k8s-01 work]# tar -xzvf kubernetes-client-linux-amd64.tar.gz
b、分发所有使用kubectl节点
[root@k8s-01 ~]# cd /opt/k8s/work [root@k8s-01 work]# source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
scp kubernetes/client/bin/kubectl root@${node_ip}:/opt/k8s/bin/
ssh root@${node_ip} "chmod +x /opt/k8s/bin/*"
done4、创建需要用到的证书
a、创建admin证书和私钥
[root@k8s-01 ~]# cd /opt/k8s/work [root@k8s-01 work]# cat > admin-csr.json <<EOF 添加下面内容
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:masters",
"OU": "4Paradigm"
}
]
}
EOF说明一下:
- O 为system:masters,kube-apiserver收到该证书后将请求的Group设置为system:masters
- 预定的ClusterRoleBinding cluster-admin将Group system:masters与Role cluster-admin绑定,该Role授予API的权限
- 该证书只有被kubectl当做client证书使用,所以hosts字段为空
b、生成证书和私钥
[root@k8s-01 ~]# cd /opt/k8s/work
cfssl gencert -ca=/opt/k8s/work/ca.pem \
-ca-key=/opt/k8s/work/ca-key.pem \
-config=/opt/k8s/work/ca-config.json \
-profile=kubernetes admin-csr.json | cfssljson -bare admin[root@k8s-01 ~]# ls admin*
c、创建kubeconfig文件
[root@k8s-01 ~]# cd /opt/k8s/work [root@k8s-01 work]# source /opt/k8s/bin/environment.sh 设置集群参数
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/k8s/work/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kubectl.kubeconfig设置客户端认证参数
kubectl config set-credentials admin \
--client-certificate=/opt/k8s/work/admin.pem \
--client-key=/opt/k8s/work/admin-key.pem \
--embed-certs=true \
--kubeconfig=kubectl.kubeconfig设置上下文参数
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin \
--kubeconfig=kubectl.kubeconfig设置默认上下文
kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig说明一下:
- certificate-authority 验证kube-apiserver证书的根证书
- client-certificate、–client-key 刚生成的admin证书和私钥,连接kube-apiserver时使用
- embed-certs=true 将ca.pem和admin.pem证书嵌入到生成的kubectl.kubeconfig文件中 (如果不加入,写入的是证书文件路径,后续拷贝kubeconfig到其它机器时,还需要单独拷贝证书)
d、分发kubeconfig文件
[root@k8s-01 ~]# cd /opt/k8s/work [root@k8s-01 work]# source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "mkdir -p ~/.kube"
scp kubectl.kubeconfig root@${node_ip}:~/.kube/config
done也可以参考这篇文章:https://i4t.com/4253.html