最是人间留不住,朱颜辞镜花辞树。这篇文章主要讲述Kubernetes 1.15&1.19 安装及组件关系(证书安装篇)相关的知识,希望能为你提供帮助。
文章图片
接着上一篇文档今天继续更新第二部分:证书部分也是K8S重点中的重点
上一篇文档路径:??https://blog.51cto.com/linhuchong/5201329??
开始正题,本次证书基本都是在master节点进行安装
1配置证书
1.1 下载自签名证书生成工具
#在分发机器Master-1上操作
[root@master-1 ~]# mkdir /soft & & cd /soft
[root@master-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@master-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@master-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@master-1 ~]# chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
[root@master-1 ~]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@master-1 ~]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
[root@master-1 ~]# mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
1.2 生成ETCD证书
【Kubernetes 1.15&1.19 安装及组件关系(证书安装篇)】#创建目录(Master-1)
[root@master-1 ~]# mkdir /root/etcd & & cd /root/etcd
1.2.1 CA 证书配置(Master-1)
[root@master-1 ~]# cat < < EOF | tee ca-config.json
"signing":
"default":
"expiry": "87600h"
,
"profiles":
"www":
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
EOF
1.2.2 创建CA证书请求文件(Master-1)
[root@master-1 ~]# cat < < EOF | tee ca-csr.json
"CN": "etcd CA",
"key":
"algo": "rsa",
"size": 2048
,
"names": [
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
]
EOF
1.2.3 创建ETCD证书请求文件
#可以把所有的master IP 加入到csr文件中(Master-1)
[root@master-1 ~]# cat < < EOF | tee server-csr.json
"CN": "etcd",
"hosts": [
"master-1",
"master-2",
"master-3",
"192.168.91.18",
"192.168.91.19",
"192.168.91.20"
],
"key":
"algo": "rsa",
"size": 2048
,
"names": [
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
]
EOF
1.2.4 生成 ETCD CA 证书和ETCD公私钥(Master-1)
[root@master-1 ~]# cd /root/etcd/
#生成ca证书(Master-1)
[root@master-1 ~]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca –
[root@master-1 etcd]# ll
total 24
-rw-r--r-- 1 root root287 Apr5 11:23 ca-config.json#ca 的配置文件
-rw-r--r-- 1 root root956 Apr5 11:26 ca.csr#ca 证书生成文件
-rw-r--r-- 1 root root209 Apr5 11:23 ca-csr.json#ca 证书请求文件
-rw------- 1 root root 1679 Apr5 11:26 ca-key.pem#ca 证书key
-rw-r--r-- 1 root root 1265 Apr5 11:26 ca.pem#ca 证书
-rw-r--r-- 1 root root338 Apr5 11:26 server-csr.json
#生成etcd证书(Master-1)
[root@master-1 etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
[root@master-1 etcd]# ll
total 36
-rw-r--r-- 1 root root287 Apr5 11:23 ca-config.json
-rw-r--r-- 1 root root956 Apr5 11:26 ca.csr
-rw-r--r-- 1 root root209 Apr5 11:23 ca-csr.json
-rw------- 1 root root 1679 Apr5 11:26 ca-key.pem
-rw-r--r-- 1 root root 1265 Apr5 11:26 ca.pem
-rw-r--r-- 1 root root 1054 Apr5 11:31 server.csr
-rw-r--r-- 1 root root338 Apr5 11:26 server-csr.json
-rw------- 1 root root 1675 Apr5 11:31 server-key.pem #etcd客户端使用
-rw-r--r-- 1 root root 1379 Apr5 11:31 server.pem
1.3 创建 Kubernetes 相关证书
#此证书用于Kubernetes节点直接的通信, 与之前的ETCD证书不同. (Master-1)
[root@master-1 ~]# mkdir /root/kubernetes/ & & cd /root/kubernetes/
1.3.1 配置ca 文件(Master-1)
[root@master-1 ~]# cat < < EOF | tee ca-config.json
"signing":
"default":
"expiry": "87600h"
,
"profiles":
"kubernetes":
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
EOF
1.3.2 创建ca证书申请文件(Master-1)
[root@master-1 ~]#cat < < EOF | tee ca-csr.json
"CN": "kubernetes",
"key":
"algo": "rsa",
"size": 2048
,
"names": [
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
]
EOF
1.3.3 生成API SERVER证书申请文件(Master-1)
#注意要修改VIP的地址(阿里云配置SLB地址如果没有SLB配置任意一个master节点最好是mater-1节点)
[root@master-1 ~]#cat < < EOF | tee server-csr.json
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"10.0.0.2",
"192.168.91.18",
"192.168.91.19",
"192.168.91.20",
"192.168.91.21",
"192.168.91.22",
"192.168.91.254",
"master-1",
"master-2",
"master-3",
"node-1",
"node-2",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key":
"algo": "rsa",
"size": 2048
,
"names": [
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
]
EOF
1.3.4 创建 Kubernetes Proxy 证书申请文件(Master-1)
[root@master-1 ~]#cat < < EOF | tee kube-proxy-csr.json
"CN": "system:kube-proxy",
"hosts": [],
"key":
"algo": "rsa",
"size": 2048
,
"names": [
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
]
EOF
1.3.5 生成 kubernetes CA 证书和公私钥
# 生成ca证书(Master-1)
[root@master-1 ~]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca –
# 生成 api-server 证书(Master-1)
[root@master-1 ~]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
# 生成 kube-proxy 证书(Master-1)
[root@master-1 ~]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \\
-profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
2 部署ETCD
#下载etcd二进制安装文件(所有master)
[root@master-1 ~]# mkdir -p /soft & & cd /soft
[root@master-1 ~]# wget https://github.com/etcd-io/etcd/releases/download/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
[root@master-1 ~]# tar -xvf etcd-v3.3.10-linux-amd64.tar.gz
[root@master-1 ~]# cd etcd-v3.3.10-linux-amd64/
[root@master-1 ~]# cp etcd etcdctl /usr/local/bin/
2.1 编辑etcd配置文件(所有master)
#注意修改每个节点的ETCD_NAME
#注意修改每个节点的监听地址
[root@master-1 ~]# mkdir -p /etc/etcd/cfg,ssl
[root@master-1 ~]# cat> /etc/etcd/cfg/etcd.conf< < EOFL
#[Member]
ETCD_NAME="master-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.91.18:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.91.18:2379,http://192.168.91.18:2390"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.91.18:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.91.18:2379"
ETCD_INITIAL_CLUSTER="master-1=https://192.168.91.18:2380,master-2=https://192.168.91.19:2380,master-3=https://192.168.91.20:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOFL
2.2创建ETCD的系统启动服务(所有master)
[root@master-1 ~]#cat > /usr/lib/systemd/system/etcd.service< < EOFL
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/etc/etcd/cfg/etcd.conf
ExecStart=/usr/local/bin/etcd \\
--name=\\$ETCD_NAME \\
--data-dir=\\$ETCD_DATA_DIR \\
--listen-peer-urls=\\$ETCD_LISTEN_PEER_URLS \\
--listen-client-urls=\\$ETCD_LISTEN_CLIENT_URLS,http://127.0.0.1:2379 \\
--advertise-client-urls=\\$ETCD_ADVERTISE_CLIENT_URLS \\
--initial-advertise-peer-urls=\\$ETCD_INITIAL_ADVERTISE_PEER_URLS \\
--initial-cluster=\\$ETCD_INITIAL_CLUSTER \\
--initial-cluster-token=\\$ETCD_INITIAL_CLUSTER_TOKEN \\
--initial-cluster-state=new \\
--cert-file=/etc/etcd/ssl/server.pem \\
--key-file=/etc/etcd/ssl/server-key.pem \\
--peer-cert-file=/etc/etcd/ssl/server.pem \\
--peer-key-file=/etc/etcd/ssl/server-key.pem \\
--trusted-ca-file=/etc/etcd/ssl/ca.pem \\
--peer-trusted-ca-file=/etc/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOFL
2.3 复制etcd证书到指定目录
[root@master-1 ~]# mkdir -p /etc/etcd/ssl/
[root@master-1 ~]# \\cp /root/etcd/*pem /etc/etcd/ssl/ -rf
#复制etcd证书到每个节点
[root@master-1 ~]# for i in master-2 master-3 node-1 node-2; do ssh $i mkdir -p /etc/etcd/cfg,ssl; done
[root@master-1 ~]# for i in master-2 master-3 node-1 node-2; do scp /etc/etcd/ssl/* $i:/etc/etcd/ssl/; done
[root@master-1 ~]# for i in master-2 master-3 node-1 node-2; do echo $i "------> "; ssh $i ls /etc/etcd/ssl; done
2.4 启动etcd (所有节点)
[root@master-1 ~]# chkconfig etcd on
[root@master-1 ~]# service etcd start
[root@master-1 ~]# service etcd status
2.5 检查etcd 集群是否运行正常
[root@master-1 ~]#etcdctl --ca-file=/etc/etcd/ssl/ca.pem --cert-file=/etc/etcd/ssl/server.pem \\
--key-file=/etc/etcd/ssl/server-key.pem --endpoints="https://192.168.91.18:2379"cluster-health
member bcef4c3b581e1d2e is healthy: got healthy result from https://192.168.91.18:2379
member d99a26304cec5ace is healthy: got healthy result from https://192.168.91.19:2379
member fc4e801f28271758 is healthy: got healthy result from https://192.168.91.20:2379
cluster is healthy
到此证书安装以及etcd已安装完毕。回顾一下证书需要安装什么首先是etcd的ca证书安装安装创建etcd证书 然后呢第二步创建kubernetes的ca证书生成api server证书后创建 Kubernetes Proxy证书去生成kubernetes证书。然后部署etcd服务配置到所有节点上,同步etcd证书到所有节点,启动服务后查看所有master服务的etcd集群的服务状态。
本篇到此结束,接下来我们会安装docker后配置k8s网络。这是重点的重点。
推荐阅读
- RocketMQ提升性能的几种方式(锁,压缩算法)
- MySQL事务并发带来的问题以及其解决方案分析
- Samaba文件共享服务
- zabbix-邮件报警及nginx自治愈
- 这个 Spring Boot 项目真的强,强大的代码生成器让前端和后台代码一键生成!
- Windows安全认证是如何进行的([NTLM篇])
- 如何利用Python随机从list中挑选一个元素
- Centos 把yum源软件包迁移到内网安装的方法
- matlab/simulink可变阻尼座椅悬架振动自适应控制设计与分析