Kubernetes (K8s)安装部署过程(一)之证书安装

一、安装前主题环境准备

  1、docker安装

  建议使用官网yum源安装,添加yum源之后,直接yum install docker即可

  2、关闭所有节点的selinux

  最好修改配置文件为disabled,而不是临时更改,避免以后重启引起不必要的麻烦

  3、安装私有仓库环境Harbor

  具体安装过程参考我的博客:https://blog.csdn.net/baidu_38432732/article/details/106430307

  4、基本架构

IP节点备注 
192.168.0.221masteretcd复用此节点 
192.168.0.222node1etcd复用此节点 
192.168.0.223node2etcd复用此节点 

 二、安装预览

安装过程参考https://jimmysong.io/kubernetes-handbook/practice/install-kubernetes-on-centos.html,自己进行实践安装  

1、创建 TLS 证书和秘钥
2、创建kubeconfig 文件
3、创建高可用etcd集群
4、部署master节点
5、安装flannel网络插件
6、部署node节点
7、安装kubedns插件
8、安装dashboard(后面教程已经更换为coredns)插件
9、安装heapster插件
10、安装EFK插件

三、部署步骤

  1、创建TLS证书和秘钥

  1)安装CFSSL工具

  复制全部粘贴的命令行执行,一步到位,操作节点master

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson

wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

export PATH=/usr/local/bin:$PATH

         2)创建CA

mkdir /root/ssl
cd /root/ssl
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json
# 根据config.json文件的格式创建如下的ca-config.json文件
# 过期时间设置成了 87600h
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
字段说明

ca-config.json:可以定义多个 profiles,分别指定不同的过期时间、使用场景等参数;后续在签名证书时使用某个 profile;
signing:表示该证书可用于签名其它证书;生成的 ca.pem 证书中 CA=TRUE;
server auth:表示client可以用该 CA 对server提供的证书进行验证;
client auth:表示server可以用该CA对client提供的证书进行验证;

          3)创建CA证书签名请求

创建 CA 证书签名请求

创建 ca-csr.json 文件:
cat >ca-csr.json << EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}EOF

目前为止4个文件了。

  4)生成CA证书私钥

# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2020/08/14 01:02:21 [INFO] generating a new CA key and certificate from CSR
2020/08/14 01:02:21 [INFO] generate received request
2020/08/14 01:02:21 [INFO] received CSR
2020/08/14 01:02:21 [INFO] generating key: rsa-2048
2020/08/14 01:02:21 [INFO] encoded CSR
2020/08/14 01:02:21 [INFO] signed certificate with serial number 270042469811423271743782413859714243682212941146

# ls ca*
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem

目前为止7个文件了,ca开头的5个文件

       5)创建kubernetes证书

  hosts字段填写上所有你要用到的节点ip,创建 kubernetes 证书签名请求文件 kubernetes-csr.json:

# cat kubernetes-csr.json
{
    "CN": "kubernetes",
    "hosts": [
      "127.0.0.1",
      "192.168.0.221",
      "192.168.0.222",
      "192.168.0.223",    "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

     6)生成kubernetes证书和私钥

# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
2020/08/14 01:12:03 [INFO] generate received request
2020/08/14 01:12:03 [INFO] received CSR
2020/08/14 01:12:03 [INFO] generating key: rsa-2048
2020/08/14 01:12:03 [INFO] encoded CSR
2020/08/14 01:12:03 [INFO] signed certificate with serial number 612429958540327645676998182896534144132873819380
2020/08/14 01:12:03 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").


# ls kubernetes*
kubernetes.csr  kubernetes-csr.json  kubernetes-key.pem  kubernetes.pem

截止到目前11个文件了,kuber开头的4个

以上2步可以合并成一个步骤,少生成1个kubernetes-csr.json文件,直接在命令行中输入参数代理了文件输入。

echo '{"CN":"kubernetes","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes -hostname="127.0.0.1,192.168.0.221,192.168.0.222,192.168.0.223,kubernetes,kubernetes.default" - | cfssljson -bare kubernetes

       7)创建admin证书

  vim  admin-csr.json

{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}

    8)生成admin证书和私钥

# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2020/08/14 01:15:45 [INFO] generate received request
2020/08/14 01:15:45 [INFO] received CSR
2020/08/14 01:15:45 [INFO] generating key: rsa-2048
2020/08/14 01:15:45 [INFO] encoded CSR
2020/08/14 01:15:45 [INFO] signed certificate with serial number 39738051440333382124800615701424857189471887255
2020/08/14 01:15:45 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

# ls admin*
admin.csr  admin-csr.json  admin-key.pem  admin.pem

截止目前15个文件,admin开头的4个

  9)创建kuber-proxy证书

  vim kube-proxy-csr.json

{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

  10)生成相关证书和私钥

# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes  kube-proxy-csr.json | cfssljson -bare kube-proxy
2020/08/14 01:17:25 [INFO] generate received request
2020/08/14 01:17:25 [INFO] received CSR
2020/08/14 01:17:25 [INFO] generating key: rsa-2048
2020/08/14 01:17:25 [INFO] encoded CSR
2020/08/14 01:17:25 [INFO] signed certificate with serial number 164915231628933918948800980424004596645806038266
2020/08/14 01:17:25 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

# ls kube-proxy*
kube-proxy.csr  kube-proxy-csr.json  kube-proxy-key.pem  kube-proxy.pem

截止到目前19个文件,kube-proxy开头的4个

  11)校验证书,举例校验kubernetes.pem证书,2个方法都可以,看输出内容可json定义是否一致。

# openssl x509  -noout -text -in  kubernetes.pem
# cfssl-certinfo -cert kubernetes.pem
# openssl x509  -noout -text -in  kubernetes.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6b:46:4f:23:58:a1:09:c6:3f:81:22:2c:a9:4d:b5:a7:ec:8d:94:f4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = BeiJing, L = BeiJing, O = k8s, OU = System, CN = kubernetes
        Validity
            Not Before: Aug 13 17:07:00 2020 GMT
            Not After : Aug 11 17:07:00 2030 GMT
        Subject: C = CN, ST = BeiJing, L = BeiJing, O = k8s, OU = System, CN = kubernetes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ed:6d:7a:af:c1:40:94:a0:d5:b5:23:44:3f:f4:
                    83:95:f0:9f:f9:4e:4c:85:a0:34:97:06:c9:1b:5d:
                    b8:03:f4:14:f9:9d:3c:fa:7c:a1:76:9b:d5:50:b3:
                    74:22:d1:f7:c8:40:93:35:46:15:a2:a0:fa:9e:24:
                    d0:ec:b2:b6:3e:1d:44:2a:c5:28:37:33:79:16:90:
                    d0:e4:a6:a9:ed:dc:61:0d:b1:a8:03:c2:b4:57:2b:
                    9f:36:3a:99:51:67:30:2e:20:9d:de:9b:0a:00:58:
                    66:6c:05:73:1f:6a:cd:5d:03:87:05:23:3c:5d:42:
                    68:75:7a:3a:8c:e5:62:6e:ab:02:15:a6:b5:58:5d:
                    31:fb:76:50:72:db:aa:76:03:19:32:5e:59:46:d1:
                    7b:81:fa:56:3a:8f:eb:44:95:34:8e:3a:cf:45:ed:
                    62:bb:e3:b5:3a:81:37:af:ae:9f:40:06:ea:14:b5:
                    f5:56:22:0f:b3:be:3a:ff:c7:fe:90:df:15:f8:72:
                    2e:26:ae:d0:f2:f9:d1:5f:53:c5:68:6f:46:97:8d:
                    96:bd:d3:5e:2c:e3:d1:17:03:3f:61:f2:d1:71:1a:
                    17:e0:08:30:fe:07:52:04:c8:9d:6f:74:49:8a:c3:
                    29:e7:60:91:b5:40:ca:e2:ec:3a:e7:60:67:75:0e:
                    a0:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                64:8A:55:E8:B9:54:D7:7F:87:12:C1:86:51:16:AF:A8:53:39:CC:19
            X509v3 Authority Key Identifier: 
                keyid:4A:7A:4A:78:4E:04:20:7B:FB:FD:E5:28:2B:AC:01:A1:74:0D:37:34

            X509v3 Subject Alternative Name: 
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:192.168.0.221, IP Address:192.168.0.222, IP Address:192.168.0.223
    Signature Algorithm: sha256WithRSAEncryption
         50:8c:6f:25:88:5b:10:92:9d:db:b1:27:cb:d6:5c:4a:1d:70:
         9d:30:05:bc:a5:00:f8:c8:91:bf:b4:fa:66:2f:c7:13:25:79:
         ad:1e:39:12:df:7a:a6:96:43:5a:2d:3a:2a:5b:38:cd:39:26:
         04:cd:f3:ee:f0:ba:70:25:52:99:1c:1a:25:e6:41:83:47:11:
         00:4b:6c:af:74:b7:ab:e4:af:47:f5:c4:9c:76:e7:d9:19:a9:
         b0:82:9c:2b:c6:75:92:a7:6b:5a:f7:4d:02:9b:80:74:46:9c:
         06:1a:f2:12:39:c0:0e:85:d2:69:0d:b7:72:7a:ad:aa:4f:69:
         56:67:d2:83:b5:5a:ef:8c:e8:e9:1e:a1:93:f3:e9:30:5d:98:
         c6:04:47:ee:c4:fb:8a:0a:0f:ad:7d:16:4f:10:ea:55:45:97:
         b7:61:4c:ba:0d:38:0e:0a:cf:5c:4c:ec:34:db:c4:67:44:1f:
         59:30:a5:82:3f:6e:30:98:aa:2f:fd:1f:a4:7c:46:76:b9:8b:
         ad:7f:a1:e4:68:dd:48:a9:94:b8:0b:7e:c1:16:a3:52:d3:77:
         8a:0e:4b:30:51:e0:4a:38:f3:07:e5:5d:40:84:33:1d:4b:7a:
         63:ed:c0:61:ef:23:03:ad:74:3b:c9:d1:8d:c7:d2:a4:c8:e4:
         69:95:6d:c6
# cfssl-certinfo -cert kubernetes.pem
{
  "subject": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "issuer": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "serial_number": "612429958540327645676998182896534144132873819380",
  "sans": [
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "127.0.0.1",
    "192.168.0.221",
    "192.168.0.222",
    "192.168.0.223"
  ],
  "not_before": "2020-08-13T17:07:00Z",
  "not_after": "2030-08-11T17:07:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "4A:7A:4A:78:4E:4:20:7B:FB:FD:E5:28:2B:AC:1:A1:74:D:37:34",
  "subject_key_id": "64:8A:55:E8:B9:54:D7:7F:87:12:C1:86:51:16:AF:A8:53:39:CC:19",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIEfzCCA2egAwIBAgIUa0ZPI1ihCcY/gSIsqU21p+yNlPQwDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl\naUppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTIwMDgxMzE3MDcwMFoXDTMwMDgxMTE3MDcwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7W16r8FAlKDVtSNEP/SD\nlfCf+U5MhaA0lwbJG124A/QU+Z08+nyhdpvVULN0ItH3yECTNUYVoqD6niTQ7LK2\nPh1EKsUoNzN5FpDQ5Kap7dxhDbGoA8K0VyufNjqZUWcwLiCd3psKAFhmbAVzH2rN\nXQOHBSM8XUJodXo6jOVibqsCFaa1WF0x+3ZQctuqdgMZMl5ZRtF7gfpWOo/rRJU0\njjrPRe1iu+O1OoE3r66fQAbqFLX1ViIPs746/8f+kN8V+HIuJq7Q8vnRX1PFaG9G\nl42WvdNeLOPRFwM/YfLRcRoX4Agw/gdSBMidb3RJisMp52CRtUDK4uw652BndQ6g\n8wIDAQABo4IBJTCCASEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF\nBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRkilXouVTXf4cS\nwYZRFq+oUznMGTAfBgNVHSMEGDAWgBRKekp4TgQge/v95SgrrAGhdA03NDCBoQYD\nVR0RBIGZMIGWggprdWJlcm5ldGVzghJrdWJlcm5ldGVzLmRlZmF1bHSCFmt1YmVy\nbmV0ZXMuZGVmYXVsdC5zdmOCHmt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rl\ncoIka3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FshwR/AAABhwTA\nqADdhwTAqADehwTAqADfMA0GCSqGSIb3DQEBCwUAA4IBAQBQjG8liFsQkp3bsSfL\n1lxKHXCdMAW8pQD4yJG/tPpmL8cTJXmtHjkS33qmlkNaLToqWzjNOSYEzfPu8Lpw\nJVKZHBol5kGDRxEAS2yvdLer5K9H9cScdufZGamwgpwrxnWSp2ta900Cm4B0RpwG\nGvISOcAOhdJpDbdyeq2qT2lWZ9KDtVrvjOjpHqGT8+kwXZjGBEfuxPuKCg+tfRZP\nEOpVRZe3YUy6DTgOCs9cTOw028RnRB9ZMKWCP24wmKov/R+kfEZ2uYutf6HkaN1I\nqZS4C37BFqNS03eKDkswUeBKOPMH5V1AhDMdS3pj7cBh7yMDrXQ7ydGNx9KkyORp\nlW3G\n-----END CERTIFICATE-----\n"
}

  12)分发证书

  将生成的证书cp到指定目录备用,除了master,2个node节点也需要拷贝到这个这些文件,为了方便copy文件,建议2个node节点针对master做免密码登录

# mkdir -p /etc/kubernetes/ssl
# cp *.pem /etc/kubernetes/ssl
# ls /etc/kubernetes/ssl/
admin-key.pem  admin.pem  ca-key.pem  ca.pem  kube-proxy-key.pem  kube-proxy.pem  kubernetes-key.pem  kubernetes.pem
[root@k8s_Master ssl]# scp *.pem 192.168.0.222:/etc/kubernetes/ssl
The authenticity of host '192.168.0.222 (192.168.0.222)' can't be established.
ECDSA key fingerprint is SHA256:gu9WNvUSMp+CjKu9Cm8vC6dQ6e6WWjjzRISSvsQ5dow.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.222' (ECDSA) to the list of known hosts.
root@192.168.0.222's password: 
admin-key.pem                                                                                                                                                                                                                               100% 1675     1.1MB/s   00:00    
admin.pem                                                                                                                                                                                                                                   100% 1399     1.6MB/s   00:00    
ca-key.pem                                                                                                                                                                                                                                  100% 1675     2.4MB/s   00:00    
ca.pem                                                                                                                                                                                                                                      100% 1359     2.3MB/s   00:00    
kube-proxy-key.pem                                                                                                                                                                                                                          100% 1679     2.0MB/s   00:00    
kube-proxy.pem                                                                                                                                                                                                                              100% 1403     2.0MB/s   00:00    
kubernetes-key.pem                                                                                                                                                                                                                          100% 1679     2.7MB/s   00:00    
kubernetes.pem                                                                                                                                                                                                                              100% 1619     1.5MB/s   00:00    
[root@k8s_Master ssl]# scp *.pem 192.168.0.223:/etc/kubernetes/ssl
The authenticity of host '192.168.0.223 (192.168.0.223)' can't be established.
ECDSA key fingerprint is SHA256:gu9WNvUSMp+CjKu9Cm8vC6dQ6e6WWjjzRISSvsQ5dow.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.223' (ECDSA) to the list of known hosts.
root@192.168.0.223's password: 
admin-key.pem                                                                                                                                                                                                                               100% 1675     1.0MB/s   00:00    
admin.pem                                                                                                                                                                                                                                   100% 1399     1.9MB/s   00:00    
ca-key.pem                                                                                                                                                                                                                                  100% 1675     2.6MB/s   00:00    
ca.pem                                                                                                                                                                                                                                      100% 1359     2.2MB/s   00:00    
kube-proxy-key.pem                                                                                                                                                                                                                          100% 1679     2.7MB/s   00:00    
kube-proxy.pem                                                                                                                                                                                                                              100% 1403     1.9MB/s   00:00    
kubernetes-key.pem                                                                                                                                                                                                                          100% 1679     2.7MB/s   00:00    
kubernetes.pem                                                                                                                                                                                                                              100% 1619     2.4MB/s   00:00

从上面的顺序可以看出pem文件的创建都是以一个json文件为输入进行创建的,json文件最后对我们并不重要,只需要把pem文件分别scp拷贝的所有node的/etc/kubernetes/ssl文件夹即可。

已标记关键词 清除标记
相关推荐
©️2020 CSDN 皮肤主题: 1024 设计师:白松林 返回首页