1、创建证书
1.1 安装cfssl工具
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64chmod +x cfssl_linux-amd64 cfssljson_linux-amd64mv cfssl_linux-amd64 /usr/local/bin/cfsslmv cfssljson_linux-amd64 /usr/local/bin/cfssljson
1.2 生成ca证书
创建ca-config.json
{ "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ], "expiry": "87600h" } } }}创建ca-csr.json
{ "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" } ]}生成证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
查看ca证书
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
1.3 生成kubernetes证书
创建kubernetes-csr.json
{ "CN": "kubernetes", "hosts": [ "127.0.0.1", "10.96.0.1", "master_ip1", "master_ip2", "master_ip3", "master_VIP", "localhost", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" } ]}master_IP :就是准备跑master的机器
10.96.0.1 : 是集群ip,根据自己环境去修改
生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
查看证书
kubernetes.csr kubernetes-csr.json kubernetes-key.pem kubernetes.pem
1.4生成admin证书
cat <<EOF > admin-csr.json{ "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:masters", "OU": "System" } ]}EOF生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
1.5 创建kube-controller-manager客户端证书和私钥
创建controller-manager-csr.json
{ "CN": "system:kube-controller-manager", "hosts": [ "master_ip1", "master_ip2", "master_ip3", "master_VIP" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:kube-controller-manager", "OU": "System" } ]}生成证书和私钥:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes controller-manager-csr.json | cfssljson -bare controller-manager
1.6 创建kube-scheduler客户端证书和私钥
创建scheduler-csr.json
{ "CN": "system:kube-scheduler", "hosts": [ "master_ip1", "master_ip2", "master_ip3", "master_VIP" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:kube-scheduler", "OU": "System" } ]}生成证书和私钥:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes scheduler-csr.json | cfssljson -bare scheduler
1.7 创建kube-proxy客户端证书和私钥
cat <<EOF > kube-proxy-csr.json{ "CN": "system:kube-proxy", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" } ]}EOF生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
1.6 密钥分发
将证书分发到各个机器
总的证书概览:
etcd:使用 ca.pem、kubernetes-key.pem、kubernetes.pem;
kube-apiserver:使用 ca.pem、kubernetes-key.pem、kubernetes.pem;
kubelet:使用 ca.pem;
kube-proxy:使用 ca.pem、kube-proxy-key.pem、kube-proxy.pem;
kubectl:使用 ca.pem、admin-key.pem、admin.pem;
证书后缀说明
证书:.crt, .pem
私钥:.key
证书请求:.csr
本文出自 “银狐” 博客,请务必保留此出处http://foxhound.blog.51cto.com/1167932/1977769
kubernetes 1.8 高可用安装(一)
原文地址:http://foxhound.blog.51cto.com/1167932/1977769