我的书签
添加书签
移除书签准备证书
声明:本文使用的证书为自签名,不能用于商用环境
部署集群前,需要生成集群各组件之间通信所需的证书。本文使用开源 CFSSL 作为验证部署工具,以便用户了解证书的配置和集群组件之间证书的关联关系。用户可以根据实际情况选择合适的工具,例如 OpenSSL 。
编译安装 CFSSL
编译安装 CFSSL 的参考命令如下(需要互联网下载权限,需要配置代理的请先完成配置),
$ wget --no-check-certificate https://github.com/cloudflare/cfssl/archive/v1.5.0.tar.gz$ tar -zxf v1.5.0.tar.gz$ cd cfssl-1.5.0/$ make -j6$ cp bin/* /usr/local/bin/
生成根证书
编写 CA 配置文件,例如 ca-config.json:
$ cat ca-config.json | jq{"signing": {"default": {"expiry": "8760h"},"profiles": {"kubernetes": {"usages": ["signing","key encipherment","server auth","client auth"],"expiry": "8760h"}}}}
编写 CA CSR 文件,例如 ca-csr.json:
$ cat ca-csr.json | jq{"CN": "Kubernetes","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "HangZhou","O": "openEuler","OU": "WWW","ST": "BinJiang"}]}
生成 CA 证书和密钥:
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
得到如下证书:
ca.csr ca-key.pem ca.pem
生成 admin 账户证书
admin 是 K8S 用于系统管理的一个账户,编写 admin 账户的 CSR 配置,例如 admin-csr.json:
cat admin-csr.json | jq{"CN": "admin","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "HangZhou","O": "system:masters","OU": "Containerum","ST": "BinJiang"}]}
生成证书:
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
结果如下:
admin.csr admin-key.pem admin.pem
生成 service-account 账户证书
编写 service-account 账户的 CSR 配置文件,例如 service-account-csr.json:
cat service-account-csr.json | jq{"CN": "service-accounts","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "HangZhou","O": "Kubernetes","OU": "openEuler k8s install","ST": "BinJiang"}]}
生成证书:
$ cfssl gencert -ca=../ca/ca.pem -ca-key=../ca/ca-key.pem -config=../ca/ca-config.json -profile=kubernetes service-account-csr.json | cfssljson -bare service-account
结果如下:
service-account.csr service-account-key.pem service-account.pem
生成 kube-controller-manager 组件证书
编写 kube-controller-manager 的 CSR 配置:
{"CN": "system:kube-controller-manager","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "HangZhou","O": "system:kube-controller-manager","OU": "openEuler k8s kcm","ST": "BinJiang"}]}
生成证书:
$ cfssl gencert -ca=../ca/ca.pem -ca-key=../ca/ca-key.pem -config=../ca/ca-config.json-profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
结果如下:
kube-controller-manager.csr kube-controller-manager-key.pem kube-controller-manager.pem
生成 kube-proxy 证书
编写 kube-proxy 的 CSR 配置:
{"CN": "system:kube-proxy","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "HangZhou","O": "system:node-proxier","OU": "openEuler k8s kube proxy","ST": "BinJiang"}]}
生成证书:
$ cfssl gencert -ca=../ca/ca.pem -ca-key=../ca/ca-key.pem -config=../ca/ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
结果如下:
kube-proxy.csr kube-proxy-key.pem kube-proxy.pem
生成 kube-scheduler 证书
编写 kube-scheduler 的 CSR 配置:
{"CN": "system:kube-scheduler","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "HangZhou","O": "system:kube-scheduler","OU": "openEuler k8s kube scheduler","ST": "BinJiang"}]}
生成证书:
$ cfssl gencert -ca=../ca/ca.pem -ca-key=../ca/ca-key.pem -config=../ca/ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
结果如下:
kube-scheduler.csr kube-scheduler-key.pem kube-scheduler.pem
生成 kubelet 证书
由于证书涉及到 kubelet 所在机器的 hostname 和 IP 地址信息,因此每个 node 节点配置不尽相同,所以编写脚本完成,生成脚本如下:
$ cat node_csr_gen.bash#!/bin/bashnodes=(k8snode1 k8snode2 k8snode3)IPs=("192.168.122.157" "192.168.122.158" "192.168.122.159")for i in "${!nodes[@]}"; docat > "${nodes[$i]}-csr.json" <<EOF{"CN": "system:node:${nodes[$i]}","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "HangZhou","O": "system:nodes","OU": "openEuler k8s kubelet","ST": "BinJiang"}]}EOF# generate caecho "generate: ${nodes[$i]} ${IPs[$i]}"cfssl gencert -ca=../ca/ca.pem -ca-key=../ca/ca-key.pem -config=../ca/ca-config.json -hostname=${nodes[$i]},${IPs[$i]}-profile=kubernetes ${nodes[$i]}-csr.json | cfssljson -bare ${nodes[$i]}done
说明:如果节点存在多个 IP 或者其他别名,-hostname 可以增加其他的 IP 或者 hostname
结果如下:
k8snode1.csr k8snode1.pem k8snode2-key.pem k8snode3-csr.jsonk8snode1-csr.json k8snode2.csr k8snode2.pem k8snode3-key.pemk8snode1-key.pem k8snode2-csr.json k8snode3.csr k8snode3.pem
CSR 配置信息,以 k8snode1 为例如下:
$ cat k8snode1-csr.json{"CN": "system:node:k8snode1","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "HangZhou","O": "system:nodes","OU": "openEuler k8s kubelet","ST": "BinJiang"}]}
注意:由于每个 node 所属的账户组为 system:node,因此 CSR 的 CN 字段都为 system:node 加上hostname。
生成 kube-apiserver 证书
编写 kube api server 的 CSR 配置文件:
$ cat kubernetes-csr.json | jq{"CN": "kubernetes","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "HangZhou","O": "Kubernetes","OU": "openEuler k8s kube api server","ST": "BinJiang"}]}
生成证书和密钥:
cfssl gencert -ca=../ca/ca.pem -ca-key=../ca/ca-key.pem -config=../ca/ca-config.json -hostname=10.32.0.1,192.168.122.154,192.168.122.155,192.168.122.156,127.0.0.1,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
结果如下:
kubernetes.csr kubernetes-key.pem kubernetes.pem
说明:10.32.0.1 是内部 services 使用的 IP 地址区间,可以设置为其他值,后面启动 apiserver 服务时,会设置该参数。
生成 etcd 证书(可选)
部署 etcd 有两种方式: - 在每个 api-server 对应的机器都启动一个 etcd 服务 - 独立部署一个 etcd 集群服务
如果是和 api-server 一起部署,那么直接使用上面生成的 kubernetes-key.pem 和 kubernetes.pem 证书即可。
如果是独立的etcd集群,那么需要创建证书如下:
编写 etcd 的 CSR 配置:
cat etcd-csr.json | jq{"CN": "ETCD","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "HangZhou","O": "ETCD","OU": "openEuler k8s etcd","ST": "BinJiang"}]}
生成证书:
$ cfssl gencert -ca=../ca/ca.pem -ca-key=../ca/ca-key.pem -config=../ca/ca-config.json -hostname=192.168.122.154,192.168.122.155,192.168.122.156,127.0.0.1 -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
说明:假设 etcd 集群的 IP地址是 192.168.122.154,192.168.122.155,192.168.122.156
结果如下:
etcd.csr etcd-key.pem etcd.pem
