1. Download the PKI certificate management tools
wget -O cfssl https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl_1.6.3_linux_amd64
chmod +x cfssl
mv cfssl /usr/local/bin/
wget -O cfssljson https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssljson_1.6.3_linux_amd64
chmod +x cfssljson
mv cfssljson /usr/local/bin/
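The two wget lines above install whatever GitHub returned without checking it. As an added example (not part of the original page), the helper below downloads each binary, checks it against the release's SHA-256 checksum list, and only then installs it, so a truncated or substituted download never reaches /usr/local/bin. It assumes the release publishes a cfssl_1.6.3_checksums.txt asset in the usual "<sha256>  <filename>" format; the function names and the CFSSL_INSTALL switch are my own.

```shell
#!/bin/sh
# Added example: verify cfssl/cfssljson downloads against the release checksum
# list before installing. Assumption: the release ships a
# "cfssl_<version>_checksums.txt" asset with "<sha256>  <filename>" lines.
set -u

CFSSL_VERSION="${CFSSL_VERSION:-1.6.3}"
CFSSL_BASE="https://github.com/cloudflare/cfssl/releases/download/v${CFSSL_VERSION}"
CFSSL_SUMS="cfssl_${CFSSL_VERSION}_checksums.txt"   # assumed asset name

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils sha256sum or shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | awk '{ print $1 }'
}

# verify_checksum FILE SUMS: look up FILE's basename in SUMS and compare it
# with the locally computed digest. Returns 1 on mismatch or missing entry.
verify_checksum() {
  file=$1
  sums=$2
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "verify_checksum: no entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "verify_checksum: $name: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# install_cfssl_tool NAME: download NAME_<version>_linux_amd64, verify it
# against the checksum list in the current directory, then install it.
install_cfssl_tool() {
  tool=$1
  asset="${tool}_${CFSSL_VERSION}_linux_amd64"
  wget -q -O "$asset" "${CFSSL_BASE}/${asset}" || return 1
  if ! verify_checksum "$asset" "$CFSSL_SUMS"; then
    rm -f "$asset"          # never leave an unverified binary lying around
    return 1
  fi
  install -m 0755 "$asset" "/usr/local/bin/$tool"
}

# Usage: CFSSL_INSTALL=1 sh install-cfssl.sh   (needs network access and root)
if [ "${CFSSL_INSTALL:-0}" = 1 ]; then
  wget -q -O "$CFSSL_SUMS" "${CFSSL_BASE}/${CFSSL_SUMS}"
  install_cfssl_tool cfssl
  install_cfssl_tool cfssljson
fi
```

The checksum list is fetched over the same channel as the binaries, so this protects against corrupted or swapped downloads, not against a compromised release; for that, compare the checksums against a copy you obtained independently.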
2. Create the CA root certificate
- Create the ca-config.json file. signing.default.expiry is the default validity of issued certificates (87600h is ten years). The kubernetes profile, selected with -profile=kubernetes in the commands below, adds the key usages that let one certificate be used both as a TLS server certificate (server auth) and as a TLS client certificate (client auth).
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
- Create the ca-csr.json file. CN and names form the CA's subject; ca.expiry sets the validity of the root certificate itself (again ten years).
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "kubernetes",
      "OU": "system"
    }
  ],
  "ca": {
    "expiry": "87600h"
  }
}
- Generate the root certificate
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
This produces the following three files (ca-key.pem is the CA private key; everything below is signed with it, so it must never leave the machine that does the signing):
* ca.csr
* ca-key.pem
* ca.pem
3. Generate the certificate for kube-apiserver
- Create the kube-apiserver-csr.json file
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.0.200",
    "192.168.0.233",
    "192.168.0.145",
    "192.168.0.110",
    "10.0.0.1",
    "10.255.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "kubernetes",
      "OU": "system"
    }
  ]
}
The hosts list in this step is critical. Its entries become the certificate's Subject Alternative Names (SANs), and every TLS client checks that the address it connected to is among them: a node, load balancer or kubectl that reaches the apiserver through an IP or name missing from this list will refuse the connection with a certificate validation error. So include the loopback address, every master node IP, any VIP or load-balancer address, the ClusterIP of the kubernetes service (the first address of the service CIDR; 10.0.0.1 and 10.255.0.1 above are this cluster's values, keep whichever matches your --service-cluster-ip-range) and the kubernetes.default.svc.cluster.local names. DNS entries may be wildcards (for example *.k8s.internal), but IP addresses must be listed one by one. Adding an address later means reissuing the certificate and restarting kube-apiserver.
- Generate the certificate for kube-apiserver
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-apiserver-csr.json | cfssljson -bare kube-apiserver
The generated files are:
* kube-apiserver.csr
* kube-apiserver-key.pem
* kube-apiserver.pem
4. Generate the certificate for kube-controller-manager
- Create the kube-controller-manager-csr.json file. The CN system:kube-controller-manager is the username kube-apiserver will see when this certificate is presented as a client certificate; it matches the built-in ClusterRoleBinding system:kube-controller-manager, so no extra RBAC configuration is needed.
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "hosts": [
    "127.0.0.1",
    "192.168.0.200",
    "192.168.0.233",
    "192.168.0.110",
    "192.168.0.145"
  ],
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "system:kube-controller-manager",
      "OU": "system"
    }
  ]
}
- Generate the certificate for kube-controller-manager
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
The generated files are:
* kube-controller-manager.csr
* kube-controller-manager-key.pem
* kube-controller-manager.pem
5. Generate the certificate for kube-scheduler
- Create the kube-scheduler-csr.json file. As with the controller manager, the CN system:kube-scheduler is matched by the built-in ClusterRoleBinding system:kube-scheduler.
{
  "CN": "system:kube-scheduler",
  "hosts": [
    "127.0.0.1",
    "192.168.0.110",
    "192.168.0.200",
    "192.168.0.233",
    "192.168.0.145"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "system:kube-scheduler",
      "OU": "system"
    }
  ]
}
- Generate the certificate for kube-scheduler
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
The generated files are:
* kube-scheduler.csr
* kube-scheduler-key.pem
* kube-scheduler.pem
6. Generate the certificate for kube-proxy
- Create the kube-proxy-csr.json file. This is a pure client certificate, so it needs no hosts list; the CN system:kube-proxy is the username bound to the node-proxier role by the built-in ClusterRoleBinding system:node-proxier.
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "kubernetes",
      "OU": "system"
    }
  ]
}
- Generate the certificate for kube-proxy
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
The generated files are:
* kube-proxy-key.pem
* kube-proxy.pem
* kube-proxy.csr
7. Generate the certificate for etcd
- Create the etcd-csr.json file. hosts must contain 127.0.0.1 and the IP of every etcd member, because etcd presents this certificate both to clients and to its peers.
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.0.200",
    "192.168.0.233",
    "192.168.0.145",
    "192.168.0.110"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "kubernetes",
      "OU": "system"
    }
  ]
}
- Generate the certificate for etcd
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
The generated files are:
* etcd-key.pem
* etcd.pem
* etcd.csr
8. Generate the admin certificate
- Create the admin-csr.json file. hosts is empty because this is a client-only certificate. O is system:masters, a group the bootstrap ClusterRoleBinding cluster-admin gives unrestricted rights; kube-apiserver does not check certificate revocation, so a leaked admin-key.pem can only be neutralised by replacing the CA. Keep this key on the operator's workstation, not on cluster nodes.
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "system:masters",
      "OU": "system"
    }
  ]
}
- Generate the admin certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
The generated files are:
* admin.csr
* admin.pem
* admin-key.pem
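Before distributing anything, it is worth checking what was actually issued. The following is an added example, not part of the original page, covering the two properties the steps above rely on: that kube-apiserver.pem really carries every address from its hosts list (section 3), and that each client certificate maps to the Kubernetes identity you expect (section 8: the CN becomes the username and each O becomes a group). It uses openssl rather than cfssl because openssl is present on every node; cfssl certinfo -cert <file> shows the same fields. File names follow the ones generated above; the function names, the audit_cert wrapper and its 30-day expiry threshold are my own.

```shell
#!/bin/sh
# Added example: audit the certificates issued by the cfssl steps above with
# openssl. Assumes the ca.pem / <name>.pem / <name>-key.pem naming used here.
set -u

# cert_user CERT: the subject CN, which kube-apiserver uses as the username.
cert_user() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# cert_groups CERT: the subject O values, which become the user's groups.
cert_groups() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^O=//p' \
    | tr '\n' ' ' | sed 's/ $//'
}

# cert_sans CERT: one Subject Alternative Name per line, prefixes stripped.
cert_sans() {
  openssl x509 -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^ *//; s/^DNS://; s/^IP Address://'
}

# require_sans CERT HOST...: fail unless every HOST is a SAN of CERT.
# Run this on kube-apiserver.pem with every address clients will use.
require_sans() {
  cert=$1; shift
  sans=$(cert_sans "$cert")
  rc=0
  for h in "$@"; do
    if ! printf '%s\n' "$sans" | grep -Fqx -- "$h"; then
      echo "require_sans: $cert lacks SAN $h" >&2
      rc=1
    fi
  done
  return $rc
}

# chains_to_ca CA CERT: CERT was issued by CA. The output is checked instead
# of the exit status because old openssl versions always exit 0 from verify.
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# key_matches_cert CERT KEY: the key's public half equals the certificate's.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# audit_cert CA CERT KEY: chain, key pairing and more than 30 days left.
audit_cert() {
  ca=$1; cert=$2; key=$3
  chains_to_ca "$ca" "$cert" \
    || { echo "audit_cert: $cert does not chain to $ca" >&2; return 1; }
  key_matches_cert "$cert" "$key" \
    || { echo "audit_cert: $key does not match $cert" >&2; return 1; }
  openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null \
    || { echo "audit_cert: $cert expires within 30 days" >&2; return 1; }
  echo "audit_cert: $cert OK (user=$(cert_user "$cert") groups=$(cert_groups "$cert"))"
}

# Usage against the files produced above (skipped when they are not present).
if [ -f ca.pem ] && [ -f kube-apiserver.pem ]; then
  require_sans kube-apiserver.pem 127.0.0.1 10.255.0.1 kubernetes \
    kubernetes.default.svc.cluster.local
  for c in kube-apiserver kube-controller-manager kube-scheduler kube-proxy etcd admin; do
    audit_cert ca.pem "$c.pem" "$c-key.pem"
  done
fi
```

Run it in the directory where cfssljson wrote the files. A missing SAN on the apiserver certificate shows up here as a failed require_sans rather than as an "x509: certificate is valid for ..." error from kubectl after the cluster is up.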
9. Distribute the certificates to each node
The whole Kubernetes cluster uses the certificates generated in the steps above. First save them into the /etc/kubernetes/ssl directory:
mkdir -pv /etc/kubernetes/ssl
cp ./*.pem /etc/kubernetes/ssl
Copy the certificates generated on this node to the other nodes with the commands below. Note that cp ./*.pem also picked up ca-key.pem and admin-key.pem: ca-key.pem is needed only where kube-controller-manager runs (it signs certificate requests with it) and admin-key.pem belongs on the operator's workstation, so leave both out when copying to worker nodes, and make sure every *-key.pem ends up owned by root with mode 0600.
ssh root@<other-node-IP-or-internal-hostname> "mkdir -pv /etc/kubernetes/ssl"
scp /etc/kubernetes/ssl/* root@<other-node-IP-or-internal-hostname>:/etc/kubernetes/ssl
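As an added example (not from the original page), here is a role-aware version of that copy step. files_for_role encodes which of the files generated above each kind of node actually needs; the role names control-plane, etcd and worker, and the choice to keep ca-key.pem and admin-key.pem off worker nodes, are my recommendation layered on this page. stage_role copies the files with 0600 on private keys and 0644 on certificates, and push_role ships the staged directory with scp -p so those modes survive the transfer. Node addresses are passed in rather than hard-coded.

```shell
#!/bin/sh
# Added example: distribute the certificates generated above per node role,
# instead of copying every *.pem (including ca-key.pem) to every node.
# The role names and file sets are an assumption layered on this page.
set -u

SSL_DIR="${SSL_DIR:-/etc/kubernetes/ssl}"

# files_for_role ROLE: print the files a node of that role needs. ca-key.pem
# goes only where kube-controller-manager runs (it signs CSRs with it);
# admin.pem / admin-key.pem stay on the operator's workstation.
files_for_role() {
  case $1 in
    control-plane)
      echo "ca.pem ca-key.pem kube-apiserver.pem kube-apiserver-key.pem" \
           "kube-controller-manager.pem kube-controller-manager-key.pem" \
           "kube-scheduler.pem kube-scheduler-key.pem etcd.pem etcd-key.pem" ;;
    etcd)   echo "ca.pem etcd.pem etcd-key.pem" ;;
    worker) echo "ca.pem kube-proxy.pem kube-proxy-key.pem" ;;
    *)      echo "files_for_role: unknown role '$1'" >&2; return 1 ;;
  esac
}

# stage_role ROLE SRC DEST: copy ROLE's files from SRC into DEST with private
# keys 0600 and certificates 0644. Fails if any required file is missing.
stage_role() {
  role=$1; src=$2; dest=$3
  files=$(files_for_role "$role") || return 1
  mkdir -p "$dest"
  for f in $files; do
    if [ ! -f "$src/$f" ]; then
      echo "stage_role: missing $src/$f" >&2
      return 1
    fi
    cp "$src/$f" "$dest/$f"
    case $f in
      *-key.pem) chmod 0600 "$dest/$f" ;;
      *)         chmod 0644 "$dest/$f" ;;
    esac
  done
}

# push_role ROLE HOST [SRC]: stage ROLE's files locally, then copy them to
# HOST:$SSL_DIR with scp -p so the modes set above are preserved.
push_role() {
  role=$1; host=$2; src=${3:-.}
  stage=$(mktemp -d) || return 1
  rc=1
  if stage_role "$role" "$src" "$stage" \
     && ssh "root@$host" "mkdir -p '$SSL_DIR' && chmod 0755 '$SSL_DIR'" \
     && scp -p "$stage"/* "root@$host:$SSL_DIR/"; then
    rc=0
  fi
  rm -rf "$stage"
  return $rc
}

# Usage: K8S_ROLE=worker K8S_HOST=192.168.0.233 sh distribute.sh
if [ -n "${K8S_ROLE:-}" ] && [ -n "${K8S_HOST:-}" ]; then
  push_role "$K8S_ROLE" "$K8S_HOST"
fi
```

If control-plane nodes also run kube-proxy, add kube-proxy.pem and kube-proxy-key.pem to the control-plane entry; the point of the table is that each node receives only the keys its own components use.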