创建openssl配置文件
其中 ansible 变量部分会被替换为 master 节点的 IP 和主机名，以及 kubernetes svc 的 VIP。
# OpenSSL configuration for the cluster PKI (used below as kube-openssl.cnf via
# -config / -extfile). Lines written as {% ... %} / {{ ... }} are Ansible (Jinja2)
# template directives and are rendered before OpenSSL ever reads the file.
[ req ]
distinguished_name = req_distinguished_name
# Deliberately empty DN section: nothing is prompted for, the subject comes
# from -subj on the command line.
[req_distinguished_name]
# Extensions for the self-signed roots (kubernetes-ca and front-proxy-ca).
# keyCertSign is the one that matters here; keyEncipherment is not required
# for a CA that only signs certificates.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
# Server leaf (kube-apiserver): serverAuth plus the SAN list alt_names_cluster,
# which must contain every name and IP that clients use to reach the API server.
[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names_cluster
# Client leaf (controller-manager, scheduler, admin, apiserver-kubelet-client,
# front-proxy-client). No SAN: the identity is the subject CN / O.
[ v3_req_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
# Dual-purpose leaf (serverAuth + clientAuth); the name suggests etcd peers.
# Defined here but not referenced by any command in this document.
[ v3_req_peer ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names_cluster
# subjectAltName entries for the API server certificate.
# DNS.1-DNS.4: in-cluster service names of the API server; DNS.5: local access.
[ alt_names_cluster ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = localhost
# DNS.6 onwards: the hostname of every node in the kube-master inventory group.
{% for host in groups['kube-master'] %}
DNS.{{ 5 + loop.index }} = {{ host }}
{% endfor %}
# IP.1..N: the address of every master. Taken from the k8s_interface NIC when
# that variable is set, otherwise from the 'ip' hostvar, otherwise from the
# default IPv4 address.
{% for host in groups['kube-master'] %}
IP.{{ loop.index }} = {% if k8s_interface is defined %}{{ hostvars[host]['ansible_'+k8s_interface].ipv4.address }}{% else %}{{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{% endif %}
{% endfor %}
# idx = (number of masters) + 1 -- filters bind tighter than arithmetic, so the
# "* 1" has no effect. IP.idx is the API server VIP (kube_apiserver_ip) and the
# slot after it is loopback.
{% set idx = groups['kube-master'] | length | int * 1 + 1 %}
IP.{{ idx }} = {{ kube_apiserver_ip }}
IP.{{ idx + 1 }} = 127.0.0.1
生成证书
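# Cluster PKI generation. Every file is written to the current directory and the
# extension sections (v3_ca, v3_req_server, v3_req_client) come from the
# kube-openssl.cnf rendered above. The private keys (*.key) are the trust roots
# of the cluster: ca.key and front-proxy-ca.key can issue any identity and
# sa.key can mint service-account tokens, so keep them mode 0600 and only on
# the control-plane nodes that need them.
# Validity in days for the two CAs and for every leaf certificate. Ten years on
# a leaf is long; lower CERT_DAYS if rotation should be enforced by expiry.
CA_DAYS=3650
CERT_DAYS=3650
# RSA modulus size for every key below.
KEY_BITS=2048
# CA private key
openssl genrsa -out ca.key ${KEY_BITS}
# kubernetes-ca root certificate (self-signed, v3_ca extensions)
openssl req -x509 -new -nodes \
-days ${CA_DAYS} \
-key ca.key \
-config kube-openssl.cnf \
-subj "/CN=kubernetes" \
-extensions v3_ca \
-out ca.crt
# kube-apiserver key, CSR and certificate (serverAuth + SAN list alt_names_cluster).
# -CAcreateserial creates ca.srl on first use and reuses it afterwards.
openssl genrsa -out apiserver.key ${KEY_BITS}
openssl req -new -key apiserver.key -subj "/CN=kube-apiserver" -out apiserver.csr
openssl x509 -req -CA ca.crt -CAkey ca.key -days ${CERT_DAYS} -in apiserver.csr -CAcreateserial -extensions v3_req_server -extfile kube-openssl.cnf -out apiserver.crt
# apiserver-kubelet-client: the credential the API server presents to kubelets.
# O=system:masters makes it cluster-admin; it is not meant to be used by any
# other component.
openssl genrsa -out apiserver-kubelet-client.key ${KEY_BITS}
openssl req -new -key apiserver-kubelet-client.key -subj "/CN=kube-apiserver-kubelet-client/O=system:masters" -out apiserver-kubelet-client.csr
# Note the space before each trailing backslash: "csr\" would glue the next
# line onto the file name and openssl would look for a non-existent CSR.
openssl x509 -req \
-CA ca.crt \
-CAkey ca.key \
-days ${CERT_DAYS} \
-in apiserver-kubelet-client.csr \
-CAcreateserial \
-extensions v3_req_client \
-extfile kube-openssl.cnf \
-out apiserver-kubelet-client.crt
# Service-account key pair: the private key signs service-account tokens
# (kube-controller-manager), the public key verifies them (kube-apiserver).
openssl genrsa -out sa.key ${KEY_BITS}
openssl rsa -in sa.key -pubout -out sa.pub
# kube-controller-manager client certificate.
# NOTE(review): the CSR is made from sa.key, so the token-signing key doubles
# as the controller-manager's TLS client key (controller-manager.conf below
# relies on this with --client-key=sa.key). A dedicated
# kube-controller-manager.key would separate the two purposes; if you change
# it, change the kubeconfig step as well.
openssl req -new -key sa.key \
-subj "/CN=system:kube-controller-manager" \
-out kube-controller-manager.csr
openssl x509 -req -CA ca.crt -CAkey ca.key \
-days ${CERT_DAYS} \
-in kube-controller-manager.csr \
-CAcreateserial \
-extensions v3_req_client \
-extfile kube-openssl.cnf \
-out kube-controller-manager.crt
# kube-scheduler key, CSR and client certificate
openssl genrsa -out kube-scheduler.key ${KEY_BITS}
openssl req -new -key kube-scheduler.key \
-subj "/CN=system:kube-scheduler" \
-out kube-scheduler.csr
openssl x509 -req -CA ca.crt -CAkey ca.key \
-days ${CERT_DAYS} \
-in kube-scheduler.csr \
-CAcreateserial \
-extensions v3_req_client \
-extfile kube-openssl.cnf \
-out kube-scheduler.crt
# front-proxy-ca: a separate root for the aggregation layer, so that
# front-proxy-client is not trusted as a client of the main cluster CA.
openssl genrsa -out front-proxy-ca.key ${KEY_BITS}
openssl req -x509 -new -nodes \
-days ${CA_DAYS} \
-key front-proxy-ca.key \
-config kube-openssl.cnf \
-subj "/CN=front-proxy-ca" \
-extensions v3_ca \
-out front-proxy-ca.crt
# front-proxy-client key, CSR and certificate (signed by front-proxy-ca,
# which gets its own front-proxy-ca.srl)
openssl genrsa -out front-proxy-client.key ${KEY_BITS}
openssl req -new -key front-proxy-client.key \
-subj "/CN=front-proxy-client" \
-out front-proxy-client.csr
openssl x509 -req \
-CA front-proxy-ca.crt \
-CAkey front-proxy-ca.key \
-days ${CERT_DAYS} \
-in front-proxy-client.csr \
-CAcreateserial \
-extensions v3_req_client \
-extfile kube-openssl.cnf \
-out front-proxy-client.crt
# Cluster admin key, CSR and certificate. O=system:masters grants unrestricted
# access, so admin.key (and the admin.conf built from it) is a root credential.
openssl genrsa -out admin.key ${KEY_BITS}
openssl req -new -key admin.key \
-subj "/CN=kubernetes-admin/O=system:masters" \
-out admin.csr
openssl x509 -req \
-CA ca.crt \
-CAkey ca.key \
-days ${CERT_DAYS} \
-in admin.csr \
-CAcreateserial \
-extensions v3_req_client \
-extfile kube-openssl.cnf \
-out admin.crt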
创建配置文件
--server 的地址为当前 master 的 API Server 地址；kubelet.conf 中的节点名称需改为当前 master 的节点名称。
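# Values shared by every kubeconfig below. Set API_SERVER to the API server
# address of the current master and NODE_NAME to this master's node name.
API_SERVER=https://10.7.6.109:6443
NODE_NAME=drzdztvpra19
KUBE_DIR=/etc/kubernetes
# --embed-certs=true copies the PEM data into the kubeconfig, so each *.conf
# contains a private key and must be kept mode 0600.
# admin.conf: cluster-admin credentials (admin.crt carries O=system:masters)
kubectl config set-cluster kubernetes \
--certificate-authority=ca.crt \
--embed-certs=true \
--server=${API_SERVER} \
--kubeconfig=${KUBE_DIR}/admin.conf
kubectl config set-credentials kubernetes-admin \
--client-certificate=admin.crt \
--client-key=admin.key \
--embed-certs=true \
--kubeconfig=${KUBE_DIR}/admin.conf
kubectl config set-context kubernetes-admin@kubernetes \
--cluster=kubernetes \
--user=kubernetes-admin \
--kubeconfig=${KUBE_DIR}/admin.conf
kubectl config use-context kubernetes-admin@kubernetes \
--kubeconfig=${KUBE_DIR}/admin.conf
# controller-manager.conf. The client key is sa.key because the
# kube-controller-manager CSR above was created from sa.key; certificate and
# key must belong together, so change both places if a dedicated key is used.
kubectl config set-cluster kubernetes \
--certificate-authority=ca.crt \
--embed-certs=true \
--server=${API_SERVER} \
--kubeconfig=${KUBE_DIR}/controller-manager.conf
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=kube-controller-manager.crt \
--client-key=sa.key \
--embed-certs=true \
--kubeconfig=${KUBE_DIR}/controller-manager.conf
kubectl config set-context system:kube-controller-manager@kubernetes \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=${KUBE_DIR}/controller-manager.conf
kubectl config use-context system:kube-controller-manager@kubernetes \
--kubeconfig=${KUBE_DIR}/controller-manager.conf
# scheduler.conf
kubectl config set-cluster kubernetes \
--certificate-authority=ca.crt \
--embed-certs=true \
--server=${API_SERVER} \
--kubeconfig=${KUBE_DIR}/scheduler.conf
kubectl config set-credentials system:kube-scheduler \
--client-certificate=kube-scheduler.crt \
--client-key=kube-scheduler.key \
--embed-certs=true \
--kubeconfig=${KUBE_DIR}/scheduler.conf
kubectl config set-context system:kube-scheduler@kubernetes \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=${KUBE_DIR}/scheduler.conf
kubectl config use-context system:kube-scheduler@kubernetes \
--kubeconfig=${KUBE_DIR}/scheduler.conf
# kubelet.conf.
# NOTE(review): the credential embedded here is apiserver-kubelet-client.crt
# (CN=kube-apiserver-kubelet-client, O=system:masters). The API server
# identifies the caller by the certificate, not by the kubeconfig user name, so
# this kubelet authenticates as a cluster admin rather than as
# system:node:${NODE_NAME}, and the Node authorizer / NodeRestriction do not
# constrain it. A per-node certificate with CN=system:node:<name>,
# O=system:nodes issued from ca.crt is the least-privilege choice.
kubectl config set-cluster kubernetes \
--certificate-authority=ca.crt \
--embed-certs=true \
--server=${API_SERVER} \
--kubeconfig=${KUBE_DIR}/kubelet.conf
kubectl config set-credentials system:node:${NODE_NAME} \
--client-certificate=apiserver-kubelet-client.crt \
--client-key=apiserver-kubelet-client.key \
--embed-certs=true \
--kubeconfig=${KUBE_DIR}/kubelet.conf
kubectl config set-context system:node:${NODE_NAME}@kubernetes \
--cluster=kubernetes --user=system:node:${NODE_NAME} \
--kubeconfig=${KUBE_DIR}/kubelet.conf
kubectl config use-context system:node:${NODE_NAME}@kubernetes \
--kubeconfig=${KUBE_DIR}/kubelet.conf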
重启生效
# Run on every master node: restart the kubelet and then the container runtime
# so the new certificates and kubeconfigs are picked up (original order kept).
for unit in kubelet docker; do
  systemctl restart "${unit}"
done