Kubernetes 1.8.3 集群部署 二进制安装 TLS

最近在折腾 Kubernetes,同步更新一下配置过程

环境介绍
# centos 7.3 mini
# 10.0.3.221 master 节点
# 10.0.3.222 node 节点
# 10.0.3.223 node 节点
# etcd 集群复用上面节点

一:安装准备

k8s-m1 10.0.3.221

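# Master (k8s-m1) preparation: install docker and put SELinux into
# disabled mode, both persistently (config file) and for the running session.
yum install -y docker
# Edit the config non-interactively (the original step used vi) so the
# procedure can be replayed as a script; only the SELINUX= line is touched.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
setenforce 0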

[k8s-n1 10.0.3.222, k8s-n3 10.0.3.223]

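# Node (k8s-n1 / k8s-n3) preparation: docker, SELinux disabled, the
# certificate directory the master will scp into, and swap turned off.
yum install -y docker
# Non-interactive replacement for the vi edit; only the SELINUX= line changes.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
setenforce 0
mkdir -p /etc/kubernetes/ssl
# Comment out every swap entry in fstab so swap stays off after a reboot.
# The expression is idempotent: lines already starting with '#' are skipped.
sed -i -E '/[[:space:]]swap[[:space:]]/s/^[^#]/#&/' /etc/fstab
# Turn swap off now; the device name below is specific to these hosts
# (a CentOS "cl" volume group) and must be adjusted elsewhere.
/sbin/swapoff /dev/mapper/cl-swap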

二:创建TLS证书和密钥
#k8s-m1 10.0.3.221

安装 CFSSL

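# Install the cfssl toolchain (cfssl, cfssljson, cfssl-certinfo) from the
# R1.2 release into /usr/local/bin.
# The binaries are fetched over HTTPS only; this page lists no checksums, so
# compare each download with the hashes published on the cfssl release page
# before installing it.
for tool in cfssl cfssljson cfssl-certinfo; do
  wget "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64" || exit 1
  # install(1) copies and sets 0755 in one step, replacing chmod +x and mv.
  install -m 0755 "${tool}_linux-amd64" "/usr/local/bin/${tool}" || exit 1
  rm -f "${tool}_linux-amd64"
done
# Make sure the freshly installed tools win over anything else on PATH.
export PATH=/usr/local/bin:$PATH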

创建 CA (Certificate Authority)

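# Working directory for certificate generation, plus the CA signing policy.
# -p makes the step re-runnable; a failed cd must not let the files land in
# whatever directory the shell happens to be in.
mkdir -p /root/ssl
cd /root/ssl || exit 1
# cfssl's reference defaults, kept for inspection; nothing below reads them.
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json
# Signing policy: the "kubernetes" profile issues certificates valid for
# both server and client authentication with an 87600h (ten year) lifetime.
# Every certificate on this page is signed with this single profile.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF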

创建 CA 证书签名请求

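# CA certificate signing request. The CA created from it signs every other
# certificate on this page, so its private key (ca-key.pem) is the most
# sensitive file produced here.
cat > ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
# Generate the self-signed CA. This writes ca.pem, ca-key.pem and ca.csr,
# which the later "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem" steps require;
# without this step those commands have nothing to sign with.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca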

创建 kubernetes 证书

# CSR for the API server certificate. The hosts list is the SAN set: the
# loopback address, the four 10.0.3.x node addresses, the cluster service IP
# 10.254.0.1, and the in-cluster DNS names of the kubernetes service.
cat > kubernetes-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "10.0.3.221",
    "10.0.3.222",
    "10.0.3.223",
    "10.0.3.224",
    "10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
      "algo": "rsa",
      "size": 2048
  },
  "names": [
      {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "System"
      }
  ]
}
EOF
# Sign the request with the CA using the "kubernetes" profile; the output
# files are kubernetes.pem, kubernetes-key.pem and kubernetes.csr.
cfssl gencert \
  -ca ca.pem \
  -ca-key ca-key.pem \
  -config ca-config.json \
  -profile kubernetes \
  kubernetes-csr.json | cfssljson -bare kubernetes

# 下方警告是正常的,它是 cfssl 1.2.0 版本中的一个 bug,已在 master 分支中修复;
# [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
# websites. For more information see the Baseline Requirements for the Issuance and Management
# of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
# specifically, section 10.2.3 ("Information Requirements").

# 检查文件
# [root@k8s-m1 ssl]# ls kubernetes*
# kubernetes.csr  kubernetes-csr.json  kubernetes-key.pem  kubernetes.pem

创建 admin 证书签名请求文件 admin-csr.json:

# CSR for the kubectl admin client certificate. "hosts" is empty because it
# is a client certificate. O is "system:masters": the group the API server
# maps to cluster-admin, so this certificate carries full cluster rights.
cat > admin-csr.json <<'EOF'
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

生成 admin 证书和私钥:

# Issue the admin client certificate from the CA; writes admin.pem,
# admin-key.pem and admin.csr next to the request.
cfssl gencert \
  -ca ca.pem \
  -ca-key ca-key.pem \
  -config ca-config.json \
  -profile kubernetes \
  admin-csr.json | cfssljson -bare admin
# 检查文件
# [root@k8s-m1 ssl]# ls admin*
# admin.csr  admin-csr.json  admin-key.pem  admin.pem

创建 kube-proxy 证书签名请求文件 kube-proxy-csr.json:

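# CSR for the kube-proxy client certificate. CN "system:kube-proxy" is the
# identity the API server sees; "hosts" is empty because it is a client cert.
cat > kube-proxy-csr.json <<'EOF'
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
# Sign it the same way as the admin certificate. This step produces
# kube-proxy.pem and kube-proxy-key.pem, which the kube-proxy kubeconfig
# later references under /etc/kubernetes/ssl/; without it that step fails.
cfssl gencert \
  -ca ca.pem \
  -ca-key ca-key.pem \
  -config ca-config.json \
  -profile kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy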

分发证书

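# Stage the generated certificates and keys (*.pem) under /etc/kubernetes/ssl
# on the master, then distribute them to the nodes.
mkdir -p /etc/kubernetes/ssl
cp *.pem /etc/kubernetes/ssl
# ca-key.pem is the CA signing key. Nothing on the node side uses it (the
# node kubeconfigs reference ca.pem and the kube-proxy cert/key only), so it
# stays on the master; a copy on every node would let any node mint
# certificates trusted by the whole cluster.
for node in 10.0.3.222 10.0.3.223; do
  for pem in /etc/kubernetes/ssl/*.pem; do
    [[ "${pem##*/}" == "ca-key.pem" ]] && continue
    scp "$pem" "root@${node}:/etc/kubernetes/ssl/" || exit 1
  done
done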

三:安装kubectl命令行工具

k8s-m1 10.0.3.221

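# Download the kubernetes client tarball and install its binaries.
# NOTE(review): the page title says 1.8.3 but this fetches v1.9.3 — confirm
# which release is intended. The tarball is not integrity-checked here;
# verify it against the checksum published for the release before unpacking.
cd /tmp || exit 1
wget https://dl.k8s.io/v1.9.3/kubernetes-client-linux-amd64.tar.gz || exit 1
tar -xzf kubernetes-client-linux-amd64.tar.gz || exit 1
# install(1) copies and sets 0755 in one step (replaces cp + chmod a+x).
install -m 0755 kubernetes/client/bin/kube* /usr/bin/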

创建 kubectl kubeconfig 文件

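# Build the kubectl kubeconfig for the admin user. No --kubeconfig is given,
# so kubectl writes to its default location for the current user.
export KUBE_APISERVER="https://10.0.3.221:6443"
# Cluster entry: API server endpoint plus the CA used to verify it;
# --embed-certs inlines ca.pem so the kubeconfig is self-contained.
# Expansions are quoted (SC2086) even though the value has no whitespace.
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}"
# User entry: the admin client certificate and key, also embedded.
kubectl config set-credentials admin \
  --client-certificate=/etc/kubernetes/ssl/admin.pem \
  --embed-certs=true \
  --client-key=/etc/kubernetes/ssl/admin-key.pem
# Context tying cluster and user together, then make it the default.
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=admin
kubectl config use-context kubernetes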

创建 TLS Bootstrapping Token

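# Generate a random 16-byte (32 hex character) bootstrap token and write the
# token file in the form "<token>,<user>,<uid>,<group>".
# Assignment and export are separate so the pipeline's status is not masked.
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
export BOOTSTRAP_TOKEN
# token.csv is a credential: create it readable by its owner only (the umask
# is changed inside a subshell so the caller's umask is untouched). The file
# is written to the current directory — in this walkthrough that is still
# /tmp from the kubectl download step — and the API server's
# --token-auth-file must point at wherever it is finally kept.
(
  umask 077
  cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
)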

创建 kubelet bootstrapping kubeconfig 文件

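# Build the kubelet bootstrap kubeconfig in /etc/kubernetes. It carries the
# bootstrap token generated earlier, which must still be set in this shell;
# otherwise kubectl would silently write a credential with an empty token.
cd /etc/kubernetes || exit 1
: "${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN is not set; generate token.csv first}"
export KUBE_APISERVER="https://10.0.3.221:6443"
# Cluster entry with the CA embedded so the node needs no separate ca.pem
# to trust the API server through this file.
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=bootstrap.kubeconfig
# Token credentials: the value must match the entry in token.csv.
kubectl config set-credentials kubelet-bootstrap \
  --token="${BOOTSTRAP_TOKEN}" \
  --kubeconfig=bootstrap.kubeconfig
# Context binding cluster and bootstrap user, then make it the default.
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig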

创建 kube-proxy kubeconfig 文件

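# Build the kube-proxy kubeconfig (written to the current directory,
# /etc/kubernetes after the bootstrap step) using the kube-proxy client cert.
export KUBE_APISERVER="https://10.0.3.221:6443"
# Fail early with a clear message if the kube-proxy certificate pair has not
# been generated and copied to /etc/kubernetes/ssl yet.
for f in kube-proxy.pem kube-proxy-key.pem; do
  [[ -f "/etc/kubernetes/ssl/${f}" ]] || {
    printf 'missing /etc/kubernetes/ssl/%s: generate the kube-proxy certificate first\n' "$f" >&2
    exit 1
  }
done
# Cluster entry with the CA embedded.
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=kube-proxy.kubeconfig
# Client-certificate credentials for the system:kube-proxy identity, embedded
# so the file is self-contained when copied to the nodes.
kubectl config set-credentials kube-proxy \
  --client-certificate=/etc/kubernetes/ssl/kube-proxy.pem \
  --client-key=/etc/kubernetes/ssl/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
# Context binding cluster and user, then make it the default.
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig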

将两个 kubeconfig 文件分发到所有 Node 机器的 /etc/kubernetes/ 目录

# Push the two node-side kubeconfigs (kubelet bootstrap and kube-proxy) to
# each node, keeping the same path on the destination.
for node in 10.0.3.222 10.0.3.223; do
  for cfg in bootstrap.kubeconfig kube-proxy.kubeconfig; do
    scp "/etc/kubernetes/${cfg}" "root@${node}:/etc/kubernetes/${cfg}"
  done
done

来自HOSTLOC ccnif
