Kubernetes binary installation: CA authentication
Source: original
Date: 2019-05-31
Author: 脚本小站
Category: Cloud native
Preliminary settings
Set local name resolution (add these to /etc/hosts on every machine; the etcd alias that the API server uses below resolves to the master):
192.168.1.127 k8s-master etcd
192.168.1.128 k8s-node01
192.168.1.129 k8s-node02
Permanently disable swap on the node machines (the kubelet refuses to start while swap is on unless --fail-swap-on=false is given):
swapoff -a
vim /etc/fstab    # comment out or delete the swap entry so it stays off after a reboot
Install flannel
It is easiest to install etcd + docker + flannel first, get the overlay network working, and only then install k8s.
See: https://www.scriptjc.com/article/1002
Create the CA certificate
# CA private key:
openssl genrsa -out ca.key 2048
# self-signed CA certificate:
openssl req -x509 -new -nodes -key ca.key -subj "/CN=k8s-master" -days 5000 -out ca.crt
Everything in the cluster trusts whatever this key signs, so ca.key is the most sensitive file in the build: keep it on the master (or offline), owned by root with mode 0600, and never copy it to the nodes, which only need ca.crt plus their own certificate and key. Note also that this CN is reused for the API server certificate below; giving the CA its own name (for example /CN=kubernetes-ca) avoids a leaf certificate whose subject equals its issuer's, which confuses some tooling.
etcd certificates
Create the etcd certificates and private keys:
etcd_server, the certificate etcd serves:
openssl genrsa -out etcd_server.key 2048
openssl req -new -key etcd_server.key -subj "/CN=etcd" -out etcd_server.csr
openssl x509 -req -in etcd_server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out etcd_server.crt -days 5000
etcd_client, the certificate used to connect to etcd:
openssl genrsa -out etcd_client.key 2048
openssl req -new -key etcd_client.key -subj "/CN=etcd" -out etcd_client.csr
openssl x509 -req -in etcd_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out etcd_client.crt -days 5000
Both certificates are issued with the same subject and without a subjectAltName. The API server connects to https://etcd:2379 and verifies that host name against etcd_server.crt; Go before 1.15 (Kubernetes releases up to 1.18) falls back to the CN for that check, but Go 1.15 and later reject a certificate that relies on the CN ("x509: certificate relies on legacy Common Name field"). On anything newer than a 2019-era build, give etcd_server.crt a SAN (DNS:etcd and IP:192.168.1.127) through an extension file like master_ssl.cnf below. The client certificate needs no SAN: etcd checks only that it chains to ca.crt.
apiserver
Create the server certificate:
# server private key:
openssl genrsa -out server.key 2048
# certificate signing request (reads the SAN list from master_ssl.cnf):
openssl req -new -key server.key -subj "/CN=k8s-master" -config master_ssl.cnf -out server.csr
# CA signs the server certificate; x509 -req ignores the CSR's extensions, so the same file is passed again:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt
master_ssl.cnf (write this before running the two commands above; 169.169.0.1 is the first address of the service range, i.e. the ClusterIP of the kubernetes service, and every name a client may use for the API server must appear here):
cat > master_ssl.cnf <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = k8s-master
IP.1 = 169.169.0.1
IP.2 = 192.168.1.127
EOF
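The certificate steps above (CA, etcd, API server; the same pattern issues the cs_client and kubelet_client certificates later in the post) collapsed into one script. This is an added example, not code from the original post: it writes the SAN into the same extension file that the signing step reads, so the two cannot drift apart, and then checks each result the way a Go TLS client will, i.e. chains to ca.crt, is not itself a CA, and carries the exact name in its SAN. The CA name kubernetes-ca and the etcd SAN entries are this example's assumptions; host names and addresses are the post's sample values, and openssl 1.1.1 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): issue a CA and leaf
# certificates with the SAN written by the same step that signs, then verify.
# Assumptions: openssl 1.1.1+ in PATH; "kubernetes-ca" is this example's CA
# name so that no leaf shares its subject with its issuer; host names and
# addresses are the post's sample values.
set -eu

# make_ca DIR: self-signed CA key and certificate in DIR.
make_ca() {
    local dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    chmod 600 "$dir/ca.key"
    openssl req -x509 -new -nodes -key "$dir/ca.key" \
        -subj "/CN=kubernetes-ca" -days 5000 -out "$dir/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME SUBJECT [SANS]
# SANS is an openssl list such as "DNS:etcd,IP:192.168.1.127"; leave it out
# for pure client certificates, which are matched by subject, not by name.
issue_cert() {
    local dir=$1 name=$2 subject=$3 sans=${4:-}
    local ext="$dir/$name.ext"
    printf 'basicConstraints = CA:FALSE\n' > "$ext"
    printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n' >> "$ext"
    if [ -n "$sans" ]; then
        printf 'subjectAltName = %s\n' "$sans" >> "$ext"
    fi
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    chmod 600 "$dir/$name.key"
    openssl req -new -key "$dir/$name.key" -subj "$subject" -out "$dir/$name.csr" 2>/dev/null
    # -extfile without -extensions takes the unnamed default section, i.e. the whole file
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 5000 -extfile "$ext" -out "$dir/$name.crt" 2>/dev/null
}

# check_cert CA CERT NAME: 0 if CERT chains to CA, is not itself a CA and
# lists NAME (DNS name or IP) in its SAN, which is what a Go TLS client checks.
check_cert() {
    local ca=$1 cert=$2 name=$3 text
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    # The SAN line reads "DNS:a, DNS:b, IP Address:1.2.3.4"; split it and match exactly.
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF -e "DNS:$name" -e "IP Address:$name"
}

# Stand-alone use: ./gen-certs.sh /etc/kubernetes/cert
if [ "$#" -gt 0 ]; then
    out=$1
    mkdir -p "$out"
    make_ca "$out"
    issue_cert "$out" etcd_server "/CN=etcd" "DNS:etcd,IP:192.168.1.127"
    issue_cert "$out" etcd_client "/CN=etcd"
    issue_cert "$out" server "/CN=k8s-master" \
        "DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local,DNS:k8s-master,IP:169.169.0.1,IP:192.168.1.127"
    issue_cert "$out" cs_client "/CN=k8s-master"
    check_cert "$out/ca.crt" "$out/etcd_server.crt" etcd
    check_cert "$out/ca.crt" "$out/server.crt" kubernetes.default.svc
    echo "certificates in $out verified"
fi
```

Run check_cert against every name a client will actually dial (the etcd alias, the ClusterIP, the master's IP) before copying the files into /etc/kubernetes/cert; a failure here shows up later only as an opaque TLS handshake error in the API server log.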
kube-apiserver.service (the doubled backslashes are required because the heredoc is unquoted; a single backslash before a newline is consumed by the shell):
cat > /usr/lib/systemd/system/kube-apiserver.service <<EOF
[Unit]
Description=Kubernetes API Server
After=etcd.service
Wants=etcd.service

[Service]
#EnvironmentFile=/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver \\
  --etcd-servers=https://etcd:2379 \\
  --etcd-cafile=/etc/kubernetes/cert/ca.crt \\
  --etcd-certfile=/etc/kubernetes/cert/etcd_client.crt \\
  --etcd-keyfile=/etc/kubernetes/cert/etcd_client.key \\
  --insecure-bind-address=0.0.0.0 \\
  --insecure-port=0 \\
  --secure-port=6443 \\
  --service-cluster-ip-range=169.169.0.0/16 \\
  --service-node-port-range=1-65535 \\
  --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \\
  --client-ca-file=/etc/kubernetes/cert/ca.crt \\
  --tls-private-key-file=/etc/kubernetes/cert/server.key \\
  --tls-cert-file=/etc/kubernetes/cert/server.crt \\
  --logtostderr=false \\
  --log-dir=/var/log/kubernetes \\
  --v=0
Restart=on-failure
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
Three things to know about these flags. --insecure-port=0 turns the plain-HTTP listener off, which is what you want; --insecure-bind-address then has no effect and can be dropped. --client-ca-file makes the API server accept any client certificate signed by ca.crt and turns that certificate's CN into the user name, but no --authorization-mode is set, so this version's default of AlwaysAllow applies: every such certificate, and with the default --anonymous-auth=true every unauthenticated request on port 6443 as well, is allowed to do anything. Once the cluster is up, add --authorization-mode=Node,RBAC and --anonymous-auth=false (the Node authorizer expects kubelet identities of the form /CN=system:node:<name>/O=system:nodes). Finally, --service-node-port-range=1-65535 lets a NodePort service be assigned a port that etcd (2379), the API server (6443) or the kubelet (10250) already listens on; the default 30000-32767 avoids that.
controller-manager
cs_client certificate (the identity the controller manager, scheduler and kubectl use against the API server):
openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=k8s-master" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cs_client.crt -days 5000
kubeconfig-ca.yml:
cat > /etc/kubernetes/kubeconfig-ca.yml <<EOF
apiVersion: v1
kind: Config
users:
- name: client
  user:
    client-certificate: /etc/kubernetes/cert/cs_client.crt
    client-key: /etc/kubernetes/cert/cs_client.key
clusters:
- name: default
  cluster:
    certificate-authority: /etc/kubernetes/cert/ca.crt
    server: https://192.168.1.127:6443
contexts:
- context:
    cluster: default
    user: client
  name: default
current-context: default
EOF
kube-controller-manager.service:
cat > /usr/lib/systemd/system/kube-controller-manager.service <<EOF
[Unit]
Description=Kubernetes Controller Manager
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
#EnvironmentFile=/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-controller-manager \\
  --kubeconfig=/etc/kubernetes/kubeconfig-ca.yml \\
  --service-account-private-key-file=/etc/kubernetes/cert/server.key \\
  --root-ca-file=/etc/kubernetes/cert/ca.crt \\
  --logtostderr=false \\
  --log-dir=/var/log/kubernetes \\
  --v=0
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
--service-account-private-key-file reuses the API server's TLS key to sign service-account tokens. That works because the API server, given no --service-account-key-file, verifies tokens with its --tls-private-key-file, but a dedicated key pair for tokens (passed to both components) keeps a leak of the TLS key from also forging every service account in the cluster.
scheduler
kube-scheduler.service:
cat > /usr/lib/systemd/system/kube-scheduler.service <<EOF
[Unit]
Description=Kubernetes scheduler
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
ExecStart=/usr/bin/kube-scheduler \\
  --kubeconfig=/etc/kubernetes/kubeconfig-ca.yml \\
  --logtostderr=false \\
  --log-dir=/var/log/kubernetes \\
  --v=0
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
On each node:
kubelet
kubelet_client certificate (sign it on the master, where ca.key lives, and copy only the .crt and .key to the node; use the node's own name in the CN on each node; if the Node authorizer is enabled later the subject has to be /CN=system:node:k8s-node01/O=system:nodes instead):
openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=k8s-node01" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000
kubeconfig-ca.yml:
cat > /etc/kubernetes/kubeconfig-ca.yml <<EOF
apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: /etc/kubernetes/cert/kubelet_client.crt
    client-key: /etc/kubernetes/cert/kubelet_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /etc/kubernetes/cert/ca.crt
    server: https://192.168.1.127:6443
contexts:
- context:
    cluster: local
    user: kubelet
  name: my-context
current-context: my-context
EOF
kubelet.service (create /var/lib/kubelet and /var/log/kubernetes first, or systemd will refuse to start the unit):
cat > /usr/lib/systemd/system/kubelet.service <<EOF
[Unit]
Description=Kubernetes kubelet Server
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/usr/bin/kubelet \\
  --kubeconfig=/etc/kubernetes/kubeconfig-ca.yml \\
  --hostname-override=k8s-node01 \\
  --runtime-cgroups=/systemd/system.slice \\
  --kubelet-cgroups=/systemd/system.slice \\
  --logtostderr=false \\
  --log-dir=/var/log/kubernetes \\
  --v=0
ExecStartPost=/usr/sbin/iptables -P FORWARD ACCEPT
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
The iptables line sets the FORWARD chain policy back to ACCEPT because Docker sets it to DROP, and Pod traffic between nodes is forwarded through the host. Nothing here configures authentication on the kubelet's own port 10250: with the defaults of this era (--anonymous-auth=true and --authorization-mode=AlwaysAllow on the kubelet) anyone who can reach a node can run exec, logs and port-forward against its Pods. Add --client-ca-file=/etc/kubernetes/cert/ca.crt and --anonymous-auth=false so that only holders of a certificate signed by ca.crt (which is what the API server presents) get through.
kube-proxy
kube-proxy.service (it reuses the kubelet's kubeconfig and therefore the node's certificate identity):
cat > /usr/lib/systemd/system/kube-proxy.service <<EOF
[Unit]
Description=Kubernetes Kube-Proxy Server
After=network.target
Requires=network.service

[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/usr/bin/kube-proxy \\
  --kubeconfig=/etc/kubernetes/kubeconfig-ca.yml \\
  --logtostderr=false \\
  --log-dir=/var/log/kubernetes \\
  --v=2
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
Accessing the k8s cluster:
kubectl
kubectl, passing the CA and the cs_client identity explicitly:
kubectl --server=https://192.168.1.127:6443 \
  --certificate-authority=/etc/kubernetes/cert/ca.crt \
  --client-certificate=/etc/kubernetes/cert/cs_client.crt \
  --client-key=/etc/kubernetes/cert/cs_client.key get nodes
Or, as an alias (note the >>: a single > would overwrite the whole of ~/.bashrc):
cat >> ~/.bashrc <<EOF
alias kubectl='kubectl --server=https://192.168.1.127:6443 --certificate-authority=/etc/kubernetes/cert/ca.crt --client-certificate=/etc/kubernetes/cert/cs_client.crt --client-key=/etc/kubernetes/cert/cs_client.key'
EOF
source ~/.bashrc
Either way this is the same certificate the controller manager uses, and under the AlwaysAllow default above it is an unrestricted identity: keep cs_client.key readable by root only, and issue a separate client certificate per person once RBAC is on so that audit logs name the user rather than the shared CN.
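Instead of an alias, kubectl reads the same Config format already used for the controller manager above; pointing KUBECONFIG at such a file is what the flags do by hand. The script below is an added example, not code from the original post: it writes that file with the CA, client certificate and key embedded as base64 data, so the whole identity travels as one owner-only file (this is what kubectl config set-cluster/set-credentials --embed-certs=true produce; writing it without kubectl is this example's choice). The cluster, user and context names are the post's; GNU or BSD base64 and sed are assumed.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): build a kubeconfig with the
# certificates embedded, so one 0600 file carries server, CA and client identity.
# Assumptions: GNU/BSD base64 and sed; names match the post's controller-manager
# kubeconfig (cluster "default", user "client", context "default").
set -eu

# base64 on a single line (GNU and BSD base64 differ on -w, so wrap with tr).
b64() { base64 < "$1" | tr -d '\n'; }

# pem_has FILE TYPE: 0 if FILE contains a PEM block of the given type.
pem_has() { grep -q -- "-----BEGIN $2" "$1"; }

# write_kubeconfig OUT SERVER CA_CRT CLIENT_CRT CLIENT_KEY
write_kubeconfig() {
    local out=$1 server=$2 ca=$3 crt=$4 key=$5
    # Refuse to embed the wrong kind of file: a swapped argument would otherwise
    # produce a config that fails only at connect time, with an unhelpful error.
    pem_has "$ca" CERTIFICATE  || { echo "not a certificate: $ca" >&2; return 1; }
    pem_has "$crt" CERTIFICATE || { echo "not a certificate: $crt" >&2; return 1; }
    grep -q 'PRIVATE KEY-----' "$key" || { echo "not a private key: $key" >&2; return 1; }
    (
        umask 077          # the file will contain the private key: owner-only
        rm -f "$out"       # umask does not change the mode of an existing file
        {
            printf 'apiVersion: v1\nkind: Config\n'
            printf 'clusters:\n- name: default\n  cluster:\n'
            printf '    server: %s\n' "$server"
            printf '    certificate-authority-data: %s\n' "$(b64 "$ca")"
            printf 'users:\n- name: client\n  user:\n'
            printf '    client-certificate-data: %s\n' "$(b64 "$crt")"
            printf '    client-key-data: %s\n' "$(b64 "$key")"
            printf 'contexts:\n- name: default\n  context:\n    cluster: default\n    user: client\n'
            printf 'current-context: default\n'
        } > "$out"
    )
}

# kubeconfig_field FILE KEY: value of the "KEY: value" line, for checking the result.
kubeconfig_field() { sed -n "s/^ *$2: //p" "$1"; }

# Stand-alone use: ./mk-kubeconfig.sh ~/.kube/config
if [ "$#" -gt 0 ]; then
    write_kubeconfig "$1" https://192.168.1.127:6443 \
        /etc/kubernetes/cert/ca.crt /etc/kubernetes/cert/cs_client.crt /etc/kubernetes/cert/cs_client.key
    echo "wrote $1; use it with: KUBECONFIG=$1 kubectl get nodes"
fi
```

Because the key is inside the file, treat the result like cs_client.key itself: copy it to an administrator's workstation over scp, not into a shared home directory, and rotate it by reissuing the client certificate rather than by editing the file.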
Pod infrastructure image:
Add the following parameter to the kubelet start parameters on every node. The Pod is the basic unit in a k8s cluster, and the k8s.gcr.io/pause:3.1 image is needed to implement it (it holds the namespaces that every container in the Pod joins). docker-registry here is the address of the private registry holding a copy of that image; since this container is the parent of every Pod on the node, name only a registry you control.
--pod-infra-container-image=docker-registry:5000/pause:3.1