Z.S.K.'s Records

Kubernetes学习(手动创建Kubernetes集群所需证书)

多数情况下,在搭建kubernetes集群时都会选择使用工具,常用的比如官方的kubeadm, kubespray, minikube等,简单到一条命令就能完成一个kubernetes集群的搭建, 但同时,我们也忽略了k8s里面的一些原理性的东西, 刚好最近在准备CKA考试,准备手工尝试一下证书的使用.

大部分命令都是在学习这个 kubernetes-the-hard-way项目用到的,大家可以完整地走一遍,收益颇丰.

  1. 安装cfssl证书签发工具

    1
    2
    3
    curl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
    curl https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
    chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
  2. 创建根证书 ca, 后续所有使用到的证书都由根证书签发:

    apt-get install cfssl

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    cat > ca-config.json <<EOF
    {
    "signing": {
    "default": {
    "expiry": "8760h"
    },
    "profiles": {
    "kubernetes": {
    "usages": ["signing", "key encipherment", "server auth", "client auth"],
    "expiry": "8760h"
    }
    }
    }
    }
    EOF

    cat > ca-csr.json <<EOF
    {
    "CN": "Kubernetes",
    "key": {
    "algo": "rsa",
    "size": 2048
    },
    "names": [
    {
    "C": "US",
    "L": "Portland",
    "O": "Kubernetes",
    "OU": "CA",
    "ST": "Oregon"
    }
    ]
    }
    EOF

    #“CN”:Common Name,kube-apiserver 从证书中提取该字段作为请求的用户名 (User Name);浏览器使用该字段验证网站是否合法;
    #“O”:Organization,kube-apiserver 从证书中提取该字段作为请求用户所属的组 (Group);

    cfssl gencert -initca ca-csr.json | cfssljson -bare ca
    #生成以下文件
    ca.csr
    ca-key.pem
    ca.pem
  3. 创建kubernetes集群admin用户 的证书, 该证书使用上面的根证书签发

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    cat > admin-csr.json <<EOF
    {
    "CN": "admin",
    "key": {
    "algo": "rsa",
    "size": 2048
    },
    "names": [
    {
    "C": "US",
    "L": "Portland",
    "O": "system:masters",
    "OU": "Kubernetes The Hard Way",
    "ST": "Oregon"
    }
    ]
    }
    EOF

    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
    -profile=kubernetes admin-csr.json | cfssljson -bare admin

    #生成
    admin.csr
    admin-key.pem
    admin.pem
  1. 创建kubelet证书(只有在手工引导node节点时才需要, 在使用bootstrap token引导时不需要这一步骤)

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    cat > kubelet-csr.json <<EOF
    {
    "CN": "system:node:${instance}",
    "key": {
    "algo": "rsa",
    "size": 2048
    },
    "names": [
    {
    "C": "US",
    "L": "Portland",
    "O": "system:nodes",
    "OU": "Kubernetes The Hard Way",
    "ST": "Oregon"
    }
    ]
    }
    EOF

    #instance为节点的主机名

    cfssl gencert \
    -ca=ca.pem \
    -ca-key=ca-key.pem \
    -config=ca-config.json \
    -hostname=${instance},${EXTERNAL_IP},${INTERNAL_IP} \
    -profile=kubernetes \
    ${instance}-csr.json | cfssljson -bare ${instance}

    #instance为节点的主机名
    #EXTERNAL_IP为公网ip, 可以不设置
    #INTERNAL_IP为私网ip
    #生成
    {instance}.csr
    {instance}-key.pem
    instance.pem
  1. 创建kube-controllermanager

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    cat > kube-controller-manager-csr.json <<EOF
    {
    "CN": "system:kube-controller-manager",
    "key": {
    "algo": "rsa",
    "size": 2048
    },
    "names": [
    {
    "C": "US",
    "L": "Portland",
    "O": "system:kube-controller-manager",
    "OU": "Kubernetes The Hard Way",
    "ST": "Oregon"
    }
    ]
    }
    EOF

    cfssl gencert \
    -ca=ca.pem \
    -ca-key=ca-key.pem \
    -config=ca-config.json \
    -profile=kubernetes \
    kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager

    #生成
    kube-controller-manager.csr
    kube-controller-manager-key.pem
    kube-controller-manager.pem
  2. 创建kube-proxy证书

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    cat > kube-proxy-csr.json <<EOF
    {
    "CN": "system:kube-proxy",
    "key": {
    "algo": "rsa",
    "size": 2048
    },
    "names": [
    {
    "C": "US",
    "L": "Portland",
    "O": "system:node-proxier",
    "OU": "Kubernetes The Hard Way",
    "ST": "Oregon"
    }
    ]
    }
    EOF

    cfssl gencert \
    -ca=ca.pem \
    -ca-key=ca-key.pem \
    -config=ca-config.json \
    -profile=kubernetes \
    kube-proxy-csr.json | cfssljson -bare kube-proxy

    #生成
    kube-proxy.csr
    kube-proxy-key.pem
    kube-proxy.pem
  3. 创建kube-scheduler证书

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    cat > kube-scheduler-csr.json <<EOF
    {
    "CN": "system:kube-scheduler",
    "key": {
    "algo": "rsa",
    "size": 2048
    },
    "names": [
    {
    "C": "US",
    "L": "Portland",
    "O": "system:kube-scheduler",
    "OU": "Kubernetes The Hard Way",
    "ST": "Oregon"
    }
    ]
    }
    EOF

    cfssl gencert \
    -ca=ca.pem \
    -ca-key=ca-key.pem \
    -config=ca-config.json \
    -profile=kubernetes \
    kube-scheduler-csr.json | cfssljson -bare kube-scheduler

    #生成
    kube-scheduler-key.csr
    kube-scheduler-key.pem
    kube-scheduler.pem
  4. 创建kube-api证书

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    cat > kubernetes-csr.json <<EOF
    {
    "CN": "kubernetes",
    "hosts": [
    "127.0.0.1",
    "10.170.0.2",
    "10.170.0.3",
    "10.170.0.4",
    "10.96.0.1",
    "senserealty.sensetime.com",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
    ],
    "key": {
    "algo": "rsa",
    "size": 2048
    },
    "names": [
    {
    "C": "US",
    "L": "Portland",
    "O": "Kubernetes",
    "OU": "Kubernetes The Hard Way",
    "ST": "Oregon"
    }
    ]
    }
    EOF

    #host中需要指定3个master节点ip,3个etcd节点的ip(一般情况下master 跟etcd部署在一起) service-cluster-ip-range的第一个ip(在apiserver启动时指定), 最好再加一个业务域名

    cfssl gencert \
    -ca=ca.pem \
    -ca-key=ca-key.pem \
    -config=ca-config.json \
    -profile=kubernetes \
    kubernetes-csr.json | cfssljson -bare kubernetes

    #生成
    kubernetes.csr
    kubernetes-key.pem
    kubernetes.pem
  5. 创建serviceaccount证书

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    cat > service-account-csr.json <<EOF
    {
    "CN": "service-accounts",
    "key": {
    "algo": "rsa",
    "size": 2048
    },
    "names": [
    {
    "C": "US",
    "L": "Portland",
    "O": "Kubernetes",
    "OU": "Kubernetes The Hard Way",
    "ST": "Oregon"
    }
    ]
    }
    EOF

    cfssl gencert \
    -ca=ca.pem \
    -ca-key=ca-key.pem \
    -config=ca-config.json \
    -profile=kubernetes \
    service-account-csr.json | cfssljson -bare service-account

    #生成
    service-account-key.csr
    service-account-key.pem
    service-account.pem
  6. 证书分发

    1
    2
    #将 ca.pem 分发到worker instance
    #将 ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem service-account-key.pem service-account.pem 分发到controller instance

到此,一个集群所需要的证书就全部创建好了.

参考文章:

转载请注明出处https://izsk.me

Z.S.K. wechat
Scan Me To Read on Phone
I know you won't do this,but what if you did?