简介

最近在倒腾k8s, 这里记录下k8s的部署记录,以方便后续操作使用

证书准备

etcd

/etc/etcd/ssl/ca.pem

/etc/etcd/ssl/server.pem

/etc/etcd/ssl/server-key.pem

kube-apiserver

/etc/kubernetes/ssl/ca.pem

/etc/kubernetes/ssl/server.pem

/etc/kubernetes/ssl/server-key.pem

kube-proxy

/etc/kubernetes/ssl/ca.pem

/etc/kubernetes/ssl/kube-proxy.pem

/etc/kubernetes/ssl/kube-proxy-key.pem

kubelet

/etc/kubernetes/ssl/ca.pem

/etc/kubernetes/ssl/ca-key.pem（注意：kubelet 本身并不需要 CA 私钥。使用下文的 bootstrap token 方式时，节点上只需 ca.pem，kubelet 会自行向 apiserver 申请证书；ca-key.pem 是整个集群的信任根，不应分发到各节点）

kubectl

/etc/kubernetes/ssl/ca.pem

/etc/kubernetes/ssl/admin.pem

/etc/kubernetes/ssl/admin-key.pem

证书准备过程如下:

1. etcd证书准备（本文未展开，生成方式与下文相同，CN 和 hosts 按 etcd 节点填写）

2. kubelet证书准备（这一步实际生成的是集群根 CA：kubelet 只需要 ca.pem，并通过下文的 bootstrap token 申请自身证书）

/etc/kubernetes/ssl/ca-config.json（注意：expiry 设为 876000h 即 100 年。Kubernetes 不支持 CRL/OCSP 吊销证书，泄露的证书只能通过更换整个 CA 来作废，生产环境建议缩短有效期并规划轮换）

{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}

/etc/kubernetes/ssl/ca-csr.json

{    "CN": "kubernetes",    "key": {           "algo": "rsa",           "size": 2048     },     "names": [         {             "C": "CN",             "L": "HeFei",             "ST": "HeFei",             "O": "k8s",             "OU": "System"         }       ]}

执行 cfssl gencert -initca ca-csr.json | cfssljson -bare ca，生成根证书 ca.csr、ca.pem、ca-key.pem。其中 ca-key.pem 是整个集群的信任根：应设置为 0600 权限，只保留在签发证书的机器上，不要随其它证书一起分发到节点。

3. kube-proxy证书准备

编辑 /etc/kubernetes/ssl/kube-proxy-csr.json

{    "CN": "system:kube-proxy",    "hosts": [],    "key": {        "algo": "rsa",        "size": 2048    },    "names": [        {            "C": "CN",            "L": "HeFei",            "ST": "HeFei",            "O": "k8s",            "OU": "System"        }    ]}

执行命令 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

生成证书kube-proxy.csr、kube-proxy.pem、kube-proxy-key.pem

4. kube-apiserver证书准备

生成server证书, 编辑 /etc/kubernetes/ssl/server-csr.json（hosts 必须包含所有用来访问 apiserver 的 IP 和域名；通常还需要加入 apiserver 的 Service ClusterIP，即 --service-cluster-ip-range 中的第一个地址，否则 Pod 内通过 kubernetes.default 访问时证书校验会失败）

{     "CN": "kubernetes",     "hosts": [     "127.0.0.1",     "192.168.0.1",     "192.168.0.2",     "192.168.0.3",     "kubernetes",     "k8s-node01",     "k8s-master01",     "k8s-node02",     "kubernetes.default",     "kubernetes.default.svc",     "kubernetes.default.svc.cluster",     "kubernetes.default.svc.cluster.local"     ],     "key": {         "algo": "rsa",         "size": 2048     },     "names": [         {             "C": "CN",             "L": "HeFei",             "ST": "HeFei",             "O": "k8s",             "OU": "System"         }      ]     }

执行命令 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server，生成证书 server.csr、server-key.pem、server.pem

5. kubectl admin证书准备

/etc/kubernetes/ssl/admin-csr.json

{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "HeFei",
      "ST": "HeFei",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}

执行命令cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

生成证书admin.csr、admin-key.pem、admin.pem。注意 O 必须严格写成小写的 system:masters（组名区分大小写，写成 System:masters 会导致 kubectl 无权限）；该组绕过 RBAC 拥有集群最高权限，且证书无法吊销，admin-key.pem 只应保存在管理员机器上并设为 0600，不要复制到节点。

6. 同步证书到各服务器

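# Distribute certificates to the other hosts (192.168.0.2 / 192.168.0.3 —
# presumably the worker nodes k8s-node01/02; confirm against the inventory).
#
# Do NOT `scp *` from this directory: it also holds ca-key.pem (the cluster's
# CA private key) and admin-key.pem (the system:masters credential). Any host
# that gets those can mint arbitrary identities for the cluster.
# A node only needs the CA certificate plus its own kube-proxy client
# cert/key; the kubelet obtains its own certificate through the bootstrap
# token configured below. If a host also runs kube-apiserver, add server.pem
# and server-key.pem for that host only.
cd /etc/kubernetes/ssl/ || exit 1

for node in 192.168.0.2 192.168.0.3; do
  scp ca.pem kube-proxy.pem kube-proxy-key.pem "root@${node}:/etc/kubernetes/ssl/"
done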

部署k8s master生成token.csv文件

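# Generate the kubelet bootstrap token: 16 random bytes rendered as 32 hex
# characters (od -t x prints four zero-padded 8-digit words; tr strips the
# separating spaces). The token is a credential for the kubelet-bootstrap
# identity, so the file is created 0600 (umask applied in a subshell so the
# caller's umask is untouched).
# The original line used typographic quotes around the tr argument and the
# path /etc/kubenerets, both of which made it fail outright.
( umask 077 && head -c 16 /dev/urandom | od -An -t x | tr -d ' ' > /etc/kubernetes/token.csv )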

编辑token.csv

7624eec3dd645fd059d53ddcbd794eba,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

（格式为 token,用户名,uid,"组名"。token 取上一步生成的值；本文中的 token 仅为示例，切勿照抄，文件权限保持 0600）

执行kubectl config配置

[root@master01 kubernetes]# BOOTSTRAP_TOKEN=$(cut -d, -f1 /etc/kubernetes/token.csv)   # 必须与 token.csv 第一列一致，例如 7624eec3dd645fd059d53ddcbd794eba
[root@master01 kubernetes]# KUBE_APISERVER="https://192.168.0.1:6443"

设置集群参数（这里写入的是 bootstrap.kubeconfig；原文误写为 kube-proxy.kubeconfig，会导致 bootstrap.kubeconfig 中没有 cluster 信息）

[root@master01 kubernetes]# kubectl config set-cluster kubernetes \
    --certificate-authority=/etc/kubernetes/ssl/ca.pem \
    --embed-certs=true \
    --server=${KUBE_APISERVER} \
    --kubeconfig=bootstrap.kubeconfig

设置客户端认证参数

[root@master01 kubernetes]# kubectl config set-credentials kubelet-bootstrap \
    --token=${BOOTSTRAP_TOKEN} \
    --kubeconfig=bootstrap.kubeconfig

设置上下文参数

[root@master01 kubernetes]# kubectl config set-context default \
    --cluster=kubernetes \
    --user=kubelet-bootstrap \
    --kubeconfig=bootstrap.kubeconfig

设置默认上下文

[root@master01 kubernetes]# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

创建kube-proxy.kubeconfig文件

[root@swift01 kubernetes]# kubectl config set-cluster kubernetes \
    --certificate-authority=/etc/kubernetes/ssl/ca.pem \
    --embed-certs=true \
    --server=${KUBE_APISERVER} \
    --kubeconfig=kube-proxy.kubeconfig
Cluster "kubernetes" set.

[root@swift01 kubernetes]# kubectl config set-cluster kubernetes \
    --certificate-authority=/etc/kubernetes/ssl/ca.pem \
    --embed-certs=true \
    --server=${KUBE_APISERVER} \
    --kubeconfig=bootstrap.kubeconfig
Cluster "kubernetes" set.

（原文缺少为 kube-proxy 用户绑定客户端证书这一步：下面的 set-context 引用了 kube-proxy 用户，但该用户从未创建，前面生成的 kube-proxy.pem / kube-proxy-key.pem 也没有用到，kube-proxy 连接 apiserver 时会因没有凭据而被拒绝）

[root@swift01 kubernetes]# kubectl config set-credentials kube-proxy \
    --client-certificate=/etc/kubernetes/ssl/kube-proxy.pem \
    --client-key=/etc/kubernetes/ssl/kube-proxy-key.pem \
    --embed-certs=true \
    --kubeconfig=kube-proxy.kubeconfig
User "kube-proxy" set.

[root@swift01 kubernetes]# kubectl config set-context default \
    --cluster=kubernetes \
    --user=kube-proxy \
    --kubeconfig=kube-proxy.kubeconfig
Context "default" created.

[root@swift01 kubernetes]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Switched to context "default".

至此配置结束。注意 bootstrap.kubeconfig 内含 bootstrap token、kube-proxy.kubeconfig 内含 kube-proxy 私钥（--embed-certs=true），两者都是凭据：分发到节点后应设为 0600，只发给需要它们的节点；节点完成注册后应及时更换 bootstrap token。

部署apiserver