声明:
如果您有更好的技术与作者分享,或者商业合作;
请访问作者个人网站 http://www.esqabc.com/view/message.html 留言给作者。
如果该案例触犯您的专利,请在这里:http://www.esqabc.com/view/message.html 留言给作者说明原由
作者一经查实,马上删除。
1、搭建前说明
a、kubernetes - master节点运行组件如下:
- kube-apiserver
- kube-scheduler
- kube-controller-manager
如没有特殊说明,一般都在k8s-01服务器操作
前提条件、服务器规划,请查看这个地址:https://blog.csdn.net/esqabc/article/details/102726771
2、部署master节点
a、下载kubernetes二进制包
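cd /opt/k8s/work
# The mirror below serves the release archive over plain HTTP with no signature,
# so what lands on disk is only as trustworthy as the mirror and the network path.
# Pin the digest published with the upstream Kubernetes release for this exact
# tarball (the placeholder must be filled in) and extract only when it matches;
# if the check prints FAILED, nothing is unpacked and the following "cd" fails.
wget http://down.i4t.com/k8s1.14/kubernetes-server-linux-amd64.tar.gz
expected_sha512='<sha512 of kubernetes-server-linux-amd64.tar.gz from the upstream release>'
printf '%s  %s\n' "${expected_sha512}" kubernetes-server-linux-amd64.tar.gz | sha512sum -c - \
  && tar -xzvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes
tar -xzvf kubernetes-src.tar.gz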
b、分发到所有master节点
[root@k8s-01 ~]# cd /opt/k8s/work
[root@k8s-01 ~]# source /opt/k8s/bin/environment.sh
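# Copy the master-node binaries to every master listed in MASTER_IPS (populated
# by /opt/k8s/bin/environment.sh, sourced just before this loop) and mark them
# executable. The brace list is deliberately left unquoted so the shell expands
# it into one source path per binary; every other expansion is quoted so an
# address containing unexpected characters cannot be split into extra arguments.
# Note the remote "chmod +x /opt/k8s/bin/*" touches everything in that directory,
# not only the files copied here.
for node_ip in "${MASTER_IPS[@]}"; do
  printf '>>> %s\n' "${node_ip}"
  scp kubernetes/server/bin/{apiextensions-apiserver,cloud-controller-manager,kube-apiserver,kube-controller-manager,kube-proxy,kube-scheduler,kubeadm,kubectl,kubelet,mounter} \
    "root@${node_ip}:/opt/k8s/bin/"
  ssh "root@${node_ip}" "chmod +x /opt/k8s/bin/*"
done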
c、创建Kubernetes 证书和私钥
[root@k8s-01 ~]# cd /opt/k8s/work
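# Write the CSR for the kube-apiserver serving certificate. Everything between
# the "<<EOF" line and the closing "EOF" is copied into the file verbatim, so no
# explanatory text may sit inside the here-document (it would end up in the JSON
# and cfssl would reject the file). "hosts" is the SAN list: every address a
# client may use to reach the apiserver (each master IP, the cluster service IP,
# the in-cluster DNS names) must be listed, or TLS verification fails for it.
cat > kubernetes-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "172.26.16.249",
    "172.26.16.250",
    "172.26.16.251",
    "172.26.16.252",
    "10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local."
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "4Paradigm"
    }
  ]
}
EOF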
注意:hosts 中需要包含集群所有 master 节点的 IP,以及客户端访问 kube-apiserver 时会使用的地址(例如上面列出的 service IP 10.254.0.1);未列入的地址在 TLS 校验时会被拒绝。
d、生成证书和私钥
[root@k8s-01 ~]# cd /opt/k8s/work
# Issue the kube-apiserver serving certificate: sign kubernetes-csr.json with the
# cluster CA (ca.pem / ca-key.pem) using the "kubernetes" profile from
# ca-config.json. cfssljson -bare writes the result as kubernetes*.pem in the
# current directory (see the ls that follows); the *-key.pem file is the
# apiserver's private key and must only be copied to master nodes.
# This step needs the CA private key on this host, so run it only where that
# key is meant to live.
cfssl gencert -ca=/opt/k8s/work/ca.pem \
-ca-key=/opt/k8s/work/ca-key.pem \
-config=/opt/k8s/work/ca-config.json \
-profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
[root@k8s-01 ~]# ls kubernetes*pem
e、分发到所有master节点
[root@k8s-01 ~]# cd /opt/k8s/work
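# Install the apiserver certificate and key on every master in MASTER_IPS.
# The glob "kubernetes*.pem" is deliberately unquoted: it picks up both the
# certificate and the private key written by cfssljson, and the private key
# must reach master nodes only. Every other expansion is quoted so an address
# cannot be split into extra arguments.
for node_ip in "${MASTER_IPS[@]}"; do
  printf '>>> %s\n' "${node_ip}"
  ssh "root@${node_ip}" "mkdir -p /etc/kubernetes/cert"
  scp kubernetes*.pem "root@${node_ip}:/etc/kubernetes/cert/"
done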
f、创建加密配置文件
[root@k8s-01 ~]# cd /opt/k8s/work
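# Write the at-rest encryption config that kube-apiserver loads via
# --encryption-provider-config. ENCRYPTION_KEY must already be set (it comes
# from /opt/k8s/bin/environment.sh); the guard below stops here instead of
# writing a config whose aescbc key is empty. Nothing but the YAML may sit
# inside the here-document, since it is copied into the file verbatim.
# The file holds the key material itself, so its mode is tightened right
# after it is written.
: "${ENCRYPTION_KEY:?ENCRYPTION_KEY is empty; source /opt/k8s/bin/environment.sh first}"
cat > encryption-config.yaml <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
EOF
chmod 600 encryption-config.yaml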
g、将加密配置文件拷贝到master节点的/etc/kubernetes目录下
[root@k8s-01 ~]# cd /opt/k8s/work
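# Copy the encryption config to every master in MASTER_IPS. The file contains
# the at-rest encryption key, so it must land on master nodes only and keep a
# restrictive mode. NOTE(review): scp normally carries the source file's mode
# across; confirm the copy is 0600 on each master rather than assuming it.
# Expansions are quoted so an address cannot be split into extra arguments.
for node_ip in "${MASTER_IPS[@]}"; do
  printf '>>> %s\n' "${node_ip}"
  scp encryption-config.yaml "root@${node_ip}:/etc/kubernetes/"
done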
h、创建审计策略文件
[root@k8s-01 ~]# cd /opt/k8s/work
[root@k8s-01 ~]# cat > audit-policy.yaml <<EOF
添加下面内容:
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
# The following requests were manually identified as high-volume and low-risk, so drop them.
- level: None
resources:
- group: ""
resources:
- endpoints
- services
- services/status
users:
- 'system:kube-proxy'
verbs:
- watch
- level: None
resources:
- group: ""
resources:
- nodes
- nodes/status
userGroups:
- 'system:nodes'
verbs:
- get
- level: None
namespaces:
- kube-system
resources:
- group: ""
resources:
- endpoints
users:
- 'system:kube-controller-manager'
- 'system:kube-scheduler'
- 'system:serviceaccount:kube-system:endpoint-controller'
verbs:
- get
- update
- level: None
resources:
- group: ""
resources:
- namespaces
- namespaces/status
- namespaces/finalize
users:
- 'system:apiserver'
verbs:
- get
# Don't log HPA fetching metrics.
- level: None
resources:
- group: metrics.k8s.io
users:
- 'system:kube-controller-manager'
verbs:
- get
- list
# Don't log these read-only URLs.
- level: None
nonResourceURLs:
- '/healthz*'
- /version
- '/swagger*'
# Don't log events requests.
- level: None
resources:
- group: ""
resources:
- events
# node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes
- level: Request
omitStages:
- RequestReceived
resources:
- group: ""
resources:
- nodes/status
- pods/status
users:
- kubelet
- 'system:node-problem-detector'
- 'system:serviceaccount:kube-system:node-problem-detector'
verbs:
- update
- patch
- level: Request
omitStages:
- RequestReceived
resources:
- group: ""
resources:
- nodes/status
- pods/status
userGroups:
- 'system:nodes'
verbs:
- update
- patch
# deletecollection calls can be large, don't log responses for expected namespace deletions
- level: Request
omitStages:
- RequestReceived
users:
- 'system:serviceaccount:kube-system:namespace-controller'
verbs:
- deletecollection
# Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
# so only log at the Metadata level.
- level: Metadata
omitStages:
- RequestReceived
resources:
- group: ""
resources:
- secrets
- configmaps
- group: authentication.k8s.io
resources:
- tokenreviews
# Get repsonses can be large; skip them.
- level: Request
omitStages:
- RequestReceived
resources:
- group: ""
- group: admissionregistration.k8s.io
- group: apiextensions.k8s.io
- group: apiregistration.k8s.io
- group: apps
- group: authentication.k8s.io
- group: authorization.k8s.io
- group: autoscaling
- group: batch
- group: certificates.k8s.io
- group