Notice:
If you have a better technique to share with the author, or wish to discuss business cooperation,
please leave a message for the author on the author's personal website: http://www.esqabc.com/view/message.html
If this case infringes your patent, please leave a message explaining the reason here: http://www.esqabc.com/view/message.html
Once verified, the author will remove it immediately.
1. Install the CA certificate generation tool
For the prerequisites (servers), see: https://blog.csdn.net/esqabc/article/details/102726771
a. Create the certificate directory
[root@k8s-01 ~]# mkdir -p /opt/k8s/cert && cd /opt/k8s
b. Download the certificate tools
[root@k8s-01 k8s]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@k8s-01 k8s]# mv cfssl_linux-amd64 /opt/k8s/bin/cfssl
[root@k8s-01 k8s]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@k8s-01 k8s]# mv cfssljson_linux-amd64 /opt/k8s/bin/cfssljson
[root@k8s-01 k8s]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@k8s-01 k8s]# mv cfssl-certinfo_linux-amd64 /opt/k8s/bin/cfssl-certinfo
c. Make the tools executable and put them on the PATH
[root@k8s-01 k8s]# chmod +x /opt/k8s/bin/*
[root@k8s-01 k8s]# export PATH=/opt/k8s/bin:$PATH
2. Create the CA certificate and private key
a. Create the configuration file
[root@k8s-01 ~]# cd /opt/k8s/work
Write the following content into ca-config.json:
[root@k8s-01 work]# cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
Explanation:
- signing: the certificate can be used to sign other certificates; the generated ca.pem has CA=TRUE
- server auth: a client can use this certificate to verify the certificate presented by a server
- client auth: a server can use this certificate to verify the certificate presented by a client
b. Create the certificate signing request file
[root@k8s-01 ~]# cd /opt/k8s/work
Write the following content into ca-csr.json:
[root@k8s-01 work]# cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "4Paradigm"
    }
  ],
  "ca": {
    "expiry": "876000h"
  }
}
EOF
Explanation:
- CN (Common Name): kube-apiserver extracts this field from the certificate as the requesting user name (User Name); browsers use this field to verify whether a website is legitimate
- O (Organization): kube-apiserver extracts this field from the certificate as the group (Group) the requesting user belongs to
- kube-apiserver uses the extracted User and Group as the user and group identity for RBAC authorization
c. Generate the CA certificate and private key
[root@k8s-01 ~]# cd /opt/k8s/work
[root@k8s-01 work]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@k8s-01 work]# ls ca*
d. Distribute the certificates
[root@k8s-01 ~]# cd /opt/k8s/work
[root@k8s-01 work]# source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
  echo ">>> ${node_ip}"
  ssh root@${node_ip} "mkdir -p /etc/kubernetes/cert"
  scp ca*.pem ca-config.json root@${node_ip}:/etc/kubernetes/cert
done
3. Deploy the kubectl command-line tool
a. Upload the downloaded kubectl archive to /opt/k8s/work and extract it
[root@k8s-01 work]# tar -xzvf kubernetes-client-linux-amd64.tar.gz
b. Distribute it to all nodes that use kubectl
[root@k8s-01 ~]# cd /opt/k8s/work
[root@k8s-01 work]# source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
  echo ">>> ${node_ip}"
  scp kubernetes/client/bin/kubectl root@${node_ip}:/opt/k8s/bin/
  ssh root@${node_ip} "chmod +x /opt/k8s/bin/*"
done
4. Create the certificates that will be needed
a. Create the admin certificate and private key
[root@k8s-01 ~]# cd /opt/k8s/work
Write the following content into admin-csr.json:
[root@k8s-01 work]# cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "4Paradigm"
    }
  ]
}
EOF
Explanation:
- O is system:masters; when kube-apiserver receives this certificate it sets the request's Group to system:masters
- The predefined ClusterRoleBinding cluster-admin binds Group system:masters to Role cluster-admin, and that Role grants the API permissions
- This certificate is only used by kubectl as a client certificate, so the hosts field is empty
b. Generate the certificate and private key
[root@k8s-01 ~]# cd /opt/k8s/work
[root@k8s-01 work]# cfssl gencert -ca=/opt/k8s/work/ca.pem \
  -ca-key=/opt/k8s/work/ca-key.pem \
  -config=/opt/k8s/work/ca-config.json \
  -profile=kubernetes admin-csr.json | cfssljson -bare admin
[root@k8s-01 work]# ls admin*
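The following is an added example, not code from the original post: it reproduces the relationship between the CA of step 2 and the admin client certificate of this step with openssl instead of cfssl, and then checks the properties the explanations above rely on (CA=TRUE on the CA, the "kubernetes" profile usages on the leaf, the chain to the CA, and the CN/O fields that kube-apiserver turns into User and Group). It assumes openssl 1.1.1 or newer is on the PATH; the file names and the output directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a CA and an admin client
# certificate with the same subjects as ca-csr.json and admin-csr.json, using
# openssl instead of cfssl, and exposes small checks over the result.
# Assumption: openssl >= 1.1.1 on PATH. All paths are demo-constructed.

# Usage: make_demo_pki /some/dir  -> writes ca.pem, ca-key.pem, admin.pem, admin-key.pem
make_demo_pki() {
  dir="$1"
  mkdir -p "$dir"

  # CA key and CSR, then self-sign it. CA:TRUE plus keyCertSign is what the
  # "signing" usage in ca-config.json produces for ca.pem.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=CN/ST=BeiJing/L=BeiJing/O=k8s/OU=4Paradigm/CN=kubernetes" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.csr" 2>/dev/null
  printf '%s\n' \
    'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca-key.pem" -days 3650 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null

  # admin CSR: CN=admin becomes the User, O=system:masters becomes the Group.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=CN/ST=BeiJing/L=BeiJing/O=system:masters/OU=4Paradigm/CN=admin" \
    -keyout "$dir/admin-key.pem" -out "$dir/admin.csr" 2>/dev/null
  # Extensions equivalent to the "kubernetes" profile: signing, key
  # encipherment, server auth, client auth. No SAN, matching "hosts": [].
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth,clientAuth' > "$dir/admin.ext"
  openssl x509 -req -in "$dir/admin.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/admin.ext" \
    -out "$dir/admin.pem" 2>/dev/null
}

# True if the certificate carries the CA:TRUE basic constraint.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# True if the textual dump of the certificate lists the given key purpose,
# e.g. "TLS Web Client Authentication" (the "client auth" usage).
cert_has_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# True if the leaf chains to the given CA; kube-apiserver performs this
# check against its client CA before it reads the subject at all.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the identity kube-apiserver derives from a client certificate:
# CN -> user, O -> group(s).
k8s_identity() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  user=$(printf '%s\n' "$subj" | tr ',' '\n' | sed -n 's/^CN=//p')
  group=$(printf '%s\n' "$subj" | tr ',' '\n' | sed -n 's/^O=//p')
  printf 'user=%s groups=%s\n' "$user" "$group"
}
```

Running `make_demo_pki /tmp/demo && k8s_identity /tmp/demo/admin.pem` prints `user=admin groups=system:masters`, which is exactly why the hosts field can stay empty and why the O value is the security-relevant part of admin-csr.json: anyone holding a certificate chained to ca.pem with O=system:masters is cluster-admin. With the post's own toolchain, `cfssl-certinfo -cert admin.pem` shows the same subject and usage information.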
c. Create the kubeconfig file
[root@k8s-01 ~]# cd /opt/k8s/work
[root@k8s-01 work]# source /opt/k8s/bin/environment.sh
Set the cluster parameters
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/k8s/work/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kubectl.kubeconfig
Set the client authentication parameters
kubectl config set-credentials admin \
--client-certificate=/opt/k8s/work/admin.pem \
--client-key=/opt/k8s/work/admin-key.pem \
--embed-certs=true \
--kubeconfig=kubectl.kubeconfig
Set the context parameters
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin \
--kubeconfig=kubectl.kubeconfig
Set the default context
kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig
Explanation:
- --certificate-authority: the root certificate used to verify the kube-apiserver certificate
- --client-certificate, --client-key: the admin certificate and private key just generated, used when connecting to kube-apiserver
- --embed-certs=true: embeds the ca.pem and admin.pem certificates into the generated kubectl.kubeconfig file
  (if omitted, the file records the certificate file paths instead, so when the kubeconfig is later copied to other machines the certificates must be copied separately as well)
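The following is an added example, not part of the original post: a check to run on kubectl.kubeconfig before distributing it, which confirms that the credentials were embedded with --embed-certs=true (the `*-data` keys) rather than recorded as file paths, and that the embedded CA value really decodes to a PEM certificate. It assumes GNU coreutils `base64`; the two sample kubeconfigs, including their placeholder certificate bodies and the server address, are constructed here and are not real output of the commands above.

```shell
#!/bin/sh
# Added example (not from the original post): pre-distribution check for a
# kubeconfig. Assumes GNU base64 (-d). Sample files are constructed below.

# Return 0 if the kubeconfig carries its CA and client credentials inline and
# can therefore be copied to another machine on its own.
kubeconfig_is_portable() {
  f="$1"
  for key in certificate-authority client-certificate client-key; do
    # A bare "<key>: /path" line means --embed-certs=true was not used.
    if grep -Eq "^[[:space:]]*${key}:[[:space:]]" "$f"; then
      echo "$f: $key is a file path; regenerate with --embed-certs=true" >&2
      return 1
    fi
    grep -Eq "^[[:space:]]*${key}-data:[[:space:]]*[A-Za-z0-9+/=]+" "$f" || {
      echo "$f: $key-data is missing" >&2
      return 1
    }
  done
  # The embedded CA must be base64 of a PEM certificate block.
  sed -n 's/^[[:space:]]*certificate-authority-data:[[:space:]]*//p' "$f" | head -n 1 \
    | base64 -d 2>/dev/null | head -n 1 | grep -q '^-----BEGIN CERTIFICATE-----'
}

# Constructed sample of what the set-cluster/set-credentials commands with
# --embed-certs=true produce. The PEM bodies are placeholders, not real
# certificates or keys, and the server address is made up.
write_embedded_sample() {
  blob=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
    | base64 | tr -d '\n')
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    certificate-authority-data: $blob
    server: https://127.0.0.1:6443
users:
- name: admin
  user:
    client-certificate-data: $blob
    client-key-data: $blob
contexts:
- name: kubernetes
  context:
    cluster: kubernetes
    user: admin
current-context: kubernetes
EOF
}

# Constructed sample of the same file generated without --embed-certs=true:
# only paths are stored, so the file is useless on a machine without them.
write_path_sample() {
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    certificate-authority: /opt/k8s/work/ca.pem
    server: https://127.0.0.1:6443
users:
- name: admin
  user:
    client-certificate: /opt/k8s/work/admin.pem
    client-key: /opt/k8s/work/admin-key.pem
EOF
}
```

Run `kubeconfig_is_portable kubectl.kubeconfig` on the real file before the scp loop in step d; a non-zero exit with the printed reason means the file would not work on the other nodes, or would force a separate copy of the certificate and key files. Note that an embedded kubeconfig also contains the admin private key, so it should be handled with the same care as admin-key.pem itself.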
d. Distribute the kubeconfig file
[root@k8s-01 ~]# cd /opt/k8s/work
[root@k8s-01 work]# source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
  echo ">>> ${node_ip}"
  ssh root@${node_ip} "mkdir -p ~/.kube"
  scp kubectl.kubeconfig root@${node_ip}:~/.kube/config
done
You can also refer to this article: https://i4t.com/4253.html