1.規劃
192.168.100.102------>Master[kube-apiserver、kube-controller-manager、kube-scheduler]
Node[kubelet、kube-proxy]
192.168.100.103------>Node1[kubelet、kube-proxy]
192.168.100.104------>Node2[kubelet、kube-proxy]
注:這裏的集羣我們使用 https 來部署。
2.配置互信
# vim /etc/hosts 192.168.100.102 Master 192.168.100.103 Node1 192.168.100.104 Node2 # ssh-keygen -t rsa -P '' # ssh-copy-id -i .ssh/id_rsa.pub [email protected] # ssh-copy-id -i .ssh/id_rsa.pub [email protected]
3.安裝Ansible
# yum -y install ansible # cat /etc/ansible/hosts | grep -v ^# | grep -v ^$ [node] 192.168.100.103 192.168.100.104 # ansible node -m copy -a 'src=/etc/hosts dest=/etc/'
4.關閉 SELinux 和 Firewall
# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config # ansible node -m copy -a 'src=/etc/selinux/config dest=/etc/selinux/' # systemctl stop firewalld # systemctl disable firewalld # ansible node -a 'systemctl stop firewalld' # ansible node -a 'systemctl disable firewalld'
5.安裝 docker
# yum install -y yum-utils device-mapper-persistent-data lvm2 # yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo # yum list docker-ce --showduplicates | sort -r # yum -y install docker-ce # docker --version Docker version 17.06.2-ce, build cec0b72 # systemctl start docker # systemctl status docker # systemctl enable docker # ansible node -m yum -a "state=present name=yum-utils" # ansible node -m yum -a "state=present name=device-mapper-persistent-data" # ansible node -m yum -a "state=present name=lvm2" # ansible node -m copy -a 'src=/etc/yum.repos.d/docker-ce.repo dest=/etc/yum.repos.d/' # ansible node -m yum -a "state=present name=docker-ce" # ansible node -a 'systemctl start docker' # ansible node -a 'systemctl status docker' # ansible node -a 'systemctl enable docker' # ansible node -a 'docker --version' 192.168.100.104 | SUCCESS | rc=0 >> Docker version 17.06.2-ce, build cec0b72 192.168.100.103 | SUCCESS | rc=0 >> Docker version 17.06.2-ce, build cec0b72
6.安裝開源PKI工具箱----CFSSL
# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 # wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 # wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 # chmod u+x cfssl* # mv cfssl_linux-amd64 /usr/local/bin/cfssl # mv cfssljson_linux-amd64 /usr/local/bin/cfssljson # mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo # cfssl version Version: 1.2.0 Revision: dev Runtime: go1.6
7.安裝 Etcd 鍵值存儲系統
# curl -L https://storage.googleapis.com/etcd/v3.2.9/etcd-v3.2.9-linux-amd64.tar.gz -o /root/etcd-v3.2.9-linux-amd64.tar.gz # tar -zxvf etcd-v3.2.9-linux-amd64.tar.gz # cp etcd-v3.2.9-linux-amd64/etcd* /usr/bin/ # etcd --version etcd Version: 3.2.9 Git SHA: f1d7dd8 Go Version: go1.8.4 Go OS/Arch: linux/amd64 # etcdctl --version etcdctl version: 3.2.9 API version: 2 # ansible node -m copy -a 'src=etcd-v3.2.9-linux-amd64/etcd dest=/usr/bin/ mode=755' # ansible node -m copy -a 'src=etcd-v3.2.9-linux-amd64/etcdctl dest=/usr/bin/ mode=755'
8.安裝 Kubernetes 容器集羣管理系統
# wget https://storage.googleapis.com/kubernetes-release/release/v1.8.2/kubernetes-server-linux-amd64.tar.gz # tar -zxvf kubernetes-server-linux-amd64.tar.gz # cd kubernetes/server/bin/ # cp kubectl kube-apiserver kube-controller-manager kube-scheduler kubelet kube-proxy /usr/bin/ # kube-apiserver --version Kubernetes v1.8.2 # ansible node -m copy -a 'src=kubelet dest=/usr/bin/ mode=755' # ansible node -m copy -a 'src=kube-proxy dest=/usr/bin/ mode=755'
9.安裝 flanneld[爲容器提供網絡服務]
# curl -L https://github.com/coreos/flannel/releases/download/v0.9.0/flannel-v0.9.0-linux-amd64.tar.gz -o flannel-v0.9.0-linux-amd64.tar.gz # mkdir flannel # tar -zxvf flannel-v0.9.0-linux-amd64.tar.gz -C flannel # cp flannel/flanneld /usr/bin # mkdir /usr/libexec/flannel/ && cp flannel/mk-docker-opts.sh /usr/libexec/flannel/ # ansible node -m copy -a 'src=flannel/flanneld dest=/usr/bin/ mode=755' # ansible node -m copy -a 'src=flannel/mk-docker-opts.sh dest=/usr/libexec/flannel/ mode=755' # flanneld --version v0.9.0
10.創建 SSL 證書
A. 創建 CA(Certificate Authority)
a. 創建配置文件(注:這裏證書籤名爲10年)
# mkdir ssl && cd ssl
# cat << EOF > ca_config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOFb. 創建 CA 證書籤名請求
# cat << EOF > ca_csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOFc. 生成 CA 證書和私鑰
# cfssl gencert -initca ca_csr.json | cfssljson -bare ca [INFO] generating a new CA key and certificate from CSR [INFO] generate received request [INFO] received CSR [INFO] generating key: rsa-2048 [INFO] encoded CSR [INFO] signed certificate with serial number 364190696737289470871577587903292790301152267546
B. 創建 Kubernetes 證書
a.創建 Kubernetes 證書籤名請求
# cat << EOF > kubernetes_csr.json
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"localhost",
"10.254.0.1",
"192.168.100.102",
"192.168.100.103",
"192.168.100.104",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOFb.生成 Kubernetes 證書和私鑰
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca_config.json -profile=kubernetes kubernetes_csr.json | cfssljson -bare kubernetes [INFO] generate received request [INFO] received CSR [INFO] generating key: rsa-2048 [INFO] encoded CSR [INFO] signed certificate with serial number 562624490776452851974857846236319432028751121504
注:出現的 WARNING 是因爲 hosts 字段未設置域名,這裏我們就是要給kubernetes的IP生成證書,所以可以忽略該警告。
c.查看所生成的證書
# ls kubernetes* kubernetes.csr kubernetes_csr.json kubernetes-key.pem kubernetes.pem
C. 創建 Admin 證書
a.創建 Admin 證書籤名請求
# cat << EOF > admin_csr.json
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF注:OU 指定該證書的 Group 爲 system:masters,kubelet 使用該證書訪問 kube-apiserver 時 ,由於證書被 CA 簽名,所以認證通過,同時由於證書用戶組爲經過預授權的 system:masters,所以被授予訪問所有 API 的權限。
b.生成 Admin 證書和私鑰
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca_config.json -profile=kubernetes admin_csr.json | cfssljson -bare admin [INFO] generate received request [INFO] received CSR [INFO] generating key: rsa-2048 [INFO] encoded CSR [INFO] signed certificate with serial number 98602736507310427106587925783522327459817057634
c.查看所生成的證書
# ls admin* admin.csr admin_csr.json admin-key.pem admin.pem
D. 創建 Kube-Proxy 證書
a.創建 kube-proxy 證書籤名請求
# cat << EOF > kube-proxy_csr.json
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOFb.生成 kube-proxy 客戶端證書和私鑰
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca_config.json -profile=kubernetes kube-proxy_csr.json | cfssljson -bare kube-proxy [INFO] generate received request [INFO] received CSR [INFO] generating key: rsa-2048 [INFO] encoded CSR [INFO] signed certificate with serial number 15961203695365328046366272691608837430729281180
c.查看所生成的證書
# ls kube-proxy* kube-proxy.csr kube-proxy_csr.json kube-proxy-key.pem kube-proxy.pem
E. 創建 etcd 證書
a. 創建 etcd 證書籤名請求
# cat << EOF > etcd_csr.json
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"localhost",
"192.168.100.102",
"192.168.100.103",
"192.168.100.104"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOFb.生成 etcd 客戶端證書和私鑰
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca_config.json -profile=kubernetes etcd_csr.json | cfssljson -bare etcd [INFO] generate received request [INFO] received CSR [INFO] generating key: rsa-2048 [INFO] encoded CSR [INFO] signed certificate with serial number 168388022915225919243296361863710051151902347190
c.查看所生成的證書
# ls etcd* etcd.csr etcd_csr.json etcd-key.pem etcd.pem
F.查看、驗證並分發證書
a.查看所生成的證書
# ls *.pem admin-key.pem admin.pem ca-key.pem ca.pem etcd-key.pem etcd.pem kube-proxy-key.pem kube-proxy.pem kubernetes-key.pem kubernetes.pem
b.校驗證書
# openssl x509 -noout -text -in kubernetes.pem # cfssl-certinfo -cert kubernetes.pem
c.驗證證書是否該CA簽發
# openssl verify -CAfile ca.pem kubernetes.pem kubernetes: OK
d.分發證書至所有 Node
# mkdir -p /etc/kubernetes/ssl # cp *.pem /etc/kubernetes/ssl # ansible node -m file -a 'path=/etc/kubernetes/ssl state=directory' # ansible node -m copy -a 'src=/etc/kubernetes/ssl dest=/etc/kubernetes/'
e.配置使系統信任自簽名證書
# yum -y install ca-certificates # update-ca-trust force-enable # cp ca.pem /etc/pki/ca-trust/source/anchors/ # update-ca-trust extract # ansible node -m yum -a "state=present name=ca-certificates" # ansible node -a "update-ca-trust force-enable" # ansible node -m copy -a 'src=ca.pem dest=/etc/pki/ca-trust/source/anchors/' # ansible node -a "update-ca-trust extract"
11.創建 kubeconfig 文件
A. 創建 TLS Bootstrapping Token
Token auth file:Token可以是任意的包涵128 bit的字符串,可使用安全的隨機數發生器生成。
kubelet 首次啓動時向 kube-apiserver 發送 TLS Bootstrapping 請求,kube-apiserver 驗證 kubelet 請求中的 token 是否與它配置的 token 一致,如果一致則自動爲 kubelet生成證書和祕鑰。
# cd /etc/kubernetes/
# export BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
# cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOFB. 將token.csv分發至所有 Node 的 /etc/kubernetes/ 目錄
# ansible node -m copy -a 'src=token.csv dest=/etc/kubernetes/'
C. 創建 kubectl kubeconfig 文件
# pwd
/root
# export KUBE_APISERVER="https://192.168.100.102:6443"
## 設置集羣參數
# kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER}
Cluster "kubernetes" set.
## 設置客戶端認證參數
# kubectl config set-credentials admin \
--client-certificate=/etc/kubernetes/ssl/admin.pem \
--embed-certs=true \
--client-key=/etc/kubernetes/ssl/admin-key.pem
User "admin" set.
## 設置關聯參數
# kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin
Context "kubernetes" created.
## 設置默認關聯
# kubectl config use-context kubernetes
Switched to context "kubernetes".該kubeconfig 文件在如下位置:
# ls /root/.kube/config /root/.kube/config
D.創建 kubelet kubeconfig 文件
# cd /etc/kubernetes
### 設置集羣參數
# kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=bootstrap.kubeconfig
Cluster "kubernetes" set.
### 設置客戶端認證參數
# kubectl config set-credentials kubelet-bootstrap \
--token=${BOOTSTRAP_TOKEN} \
--kubeconfig=bootstrap.kubeconfig
User "kubelet-bootstrap" set.
### 設置關聯參數
# kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=bootstrap.kubeconfig
Context "default" created.
### 設置默認關聯
# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
Switched to context "default".E.創建 kube-proxy kubeconfig 文件
## 設置集羣參數
# kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kube-proxy.kubeconfig
Cluster "kubernetes" set.
## 設置客戶端認證參數
# kubectl config set-credentials kube-proxy \
--client-certificate=/etc/kubernetes/ssl/kube-proxy.pem \
--client-key=/etc/kubernetes/ssl/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
User "kube-proxy" set.
## 設置上下文參數
# kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
Context "default" created.
## 設置默認上下文
# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Switched to context "default".F.分發至所有 node 節點
# ansible node -m copy -a 'src=bootstrap.kubeconfig dest=/etc/kubernetes/' # ansible node -m copy -a 'src=kube-proxy.kubeconfig dest=/etc/kubernetes/'
注:對看這篇文章的朋友表示抱歉,寫得有點長,我又分篇了。