一、集群部署-自签TLS证书
如果不需要加密或者可以官方授权跳过
1.1、下载安装证书工具
[root@10.21.214.221 k8s]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 [root@10.21.214.221 k8s]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 [root@10.21.214.221 k8s]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 [root@10.21.214.221 ssl]# chmod +x cfssl-certinfo_linux-amd64 cfssljson_linux-amd64 cfssl_linux-amd64 [root@10.21.214.221 ssl]# mv cfssl_linux-amd64 /usr/local/bin/cfssl [root@10.21.214.221 ssl]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson [root@10.21.214.221 ssl]# mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
1.2、配置证书
生成模板
[root@10.21.214.221 ssl]# cfssl print-defaults config > config.json
[root@10.21.214.221 ssl]# cat config.json
{
"signing": {
"default": {
"expiry": "168h"
},
"profiles": {
"www": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
}
}
}
}
还有其他:
cfssl print-defaults csr > csr.json
----最后的配置文件----
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json << EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
[root@10.21.214.221 ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2021/03/16 11:36:32 [INFO] generating a new CA key and certificate from CSR
2021/03/16 11:36:32 [INFO] generate received request
2021/03/16 11:36:32 [INFO] received CSR
2021/03/16 11:36:32 [INFO] generating key: rsa-2048
2021/03/16 11:36:33 [INFO] encoded CSR
2021/03/16 11:36:33 [INFO] signed certificate with serial number 301433857907773217345135087080053284990504896374
[root@10.21.214.221 ssl]# ls *.pem
ca-key.pem ca.pem
[root@10.21.214.221 ssl]# cat > server-csr.json << EOF
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"10.21.214.221",
"10.21.214.222",
"10.21.214.223",
"kubernetes,default",
"kubernetes,default.svc",
"kubernetes,default.svc.cluster",
"kubernetes,default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
[root@10.21.214.221 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
2021/03/16 11:53:06 [INFO] generate received request
2021/03/16 11:53:06 [INFO] received CSR
2021/03/16 11:53:06 [INFO] generating key: rsa-2048
2021/03/16 11:53:07 [INFO] encoded CSR
2021/03/16 11:53:07 [INFO] signed certificate with serial number 599275410242837538787517552477543824480371693634
2021/03/16 11:53:07 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@10.21.214.221 ssl]# ls server*
server.csr server-csr.json server-key.pem server.pem
[root@10.21.214.221 ssl]# cat > admin-csr.json << EOF
> {
> "CN": "admin",
> "hosts": [],
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "Beijing",
> "ST": "Beijing",
> "O": "k8s",
> "OU": "System"
> }
> ]
> }
> EOF
[root@10.21.214.221 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2021/03/16 12:06:52 [INFO] generate received request
2021/03/16 12:06:52 [INFO] received CSR
2021/03/16 12:06:52 [INFO] generating key: rsa-2048
2021/03/16 12:06:52 [INFO] encoded CSR
2021/03/16 12:06:52 [INFO] signed certificate with serial number 461167282503270603738318847609163072447275940030
2021/03/16 12:06:52 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@10.21.214.221 ssl]# cat > kube-proxy-csr.json << EOF
> {
> "CN": "system:kube-proxy",
> "hosts": [],
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "Beijing",
> "ST": "Beijing",
> "O": "k8s",
> "OU": "System"
> }
> ]
> }
> EOF
[root@10.21.214.221 ssl]#
[root@10.21.214.221 ssl]#
[root@10.21.214.221 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
2021/03/16 12:09:31 [INFO] generate received request
2021/03/16 12:09:31 [INFO] received CSR
2021/03/16 12:09:31 [INFO] generating key: rsa-2048
2021/03/16 12:09:31 [INFO] encoded CSR
2021/03/16 12:09:31 [INFO] signed certificate with serial number 115085029732711433734601571021110964190336344379
2021/03/16 12:09:31 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@10.21.214.221 ssl]# ls kube-proxy*
kube-proxy.csr kube-proxy-csr.json kube-proxy-key.pem kube-proxy.pem
所有的证书:
[root@10.21.214.221 ssl]# ls *pem
admin-key.pem admin.pem ca-key.pem ca.pem kube-proxy-key.pem kube-proxy.pem server-key.pem server.pem
##删除除了证书之外的文件
[root@10.21.214.221 ssl]#ls | grep -v pem | xargs -i rm {}
1.3、下载etcd,并添加systemctl启动
curl -L https://github.com/etcd-io/etcd/releases/download/v3.2.12/etcd-v3.2.12-linux-amd64.tar.gz
tar -xf etcd-v3.2.12-linux-amd64.tar.gz
[root@10.21.214.221 k8s]# mkdir {bin,cfg}
[root@10.21.214.221 k8s]# ls
bin cfg etcd-v3.2.12-linux-amd64 etcd-v3.2.12-linux-amd64.tar.gz ssl
[root@10.21.214.221 k8s]# mv etcd-v3.2.12-linux-amd64/etcd bin/
[root@10.21.214.221 k8s]# mv etcd-v3.2.12-linux-amd64/etcdctl bin/
[root@10.21.214.221 k8s]# ./bin/etcd --version
etcd Version: 3.2.12
Git SHA: b19dae0
Go Version: go1.8.5
Go OS/Arch: linux/amd64
##添加systemctl启动,如果需要,则不需要做下面的步奏
[root@10.21.214.221 k8s]# vim cfg/etcd
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://10.21.214.221:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.21.214.221:2379"
#[clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.21.214.221:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.21.214.221:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://10.21.214.221:2380,etcd02=https://10.21.214.222:2380,etcd03=https://10.21.214.223:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
[root@10.21.214.221 k8s]# vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=-/data/kubernetes/cfg/etcd
ExecStart=/data/kubernetes/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS} \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
--cert-file=/data/kubernetes/ssl/server.pem \
--key-file=/data/kubernetes/ssl/server-key.pem \
--peer-cert-file=/data/kubernetes/ssl/server.pem \
--peer-key-file=/data/kubernetes/ssl/server-key.pem \
--trusted-ca-file=/data/kubernetes/ssl/ca.pem \
--peer-trusted-ca-file=/data/kubernetes/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[root@10.21.214.221 kubernetes]# systemctl start etcd
1.4、复制etcd配置到两台node节点
master
[root@10.21.214.221 kubernetes]# ssh-keygen [root@10.21.214.221 kubernetes]# ssh-copy-id root@10.21.213.222 -p1022 [root@10.21.214.221 kubernetes]# ssh-copy-id root@10.21.213.223 -p1022
node01,node02执行
[root@10.21.214.222 ~]# mkdir -p /data/kubernetes/{bin,cfg,ssl}
master执行
[root@10.21.214.221 kubernetes]# scp -r -P1022 bin/ root@10.21.214.222:/data/kubernetes/ etcd 100% 17MB 62.9MB/s 00:00 etcdctl 100% 15MB 116.9MB/s 00:00 [root@10.21.214.221 kubernetes]# scp -r -P1022 . root@10.21.214.223:/data/kubernetes/ [root@10.21.214.221 kubernetes]# scp -r -P1022 /usr/lib/systemd/system/etcd.service root@10.21.214.222:/usr/lib/systemd/system/ etcd.service 100% 976 1.2MB/s 00:00 [root@10.21.214.221 kubernetes]# scp -r -P1022 /usr/lib/systemd/system/etcd.service root@10.21.214.223:/usr/lib/systemd/system/
node01,node02修改配置文件,然后启动
node01 [root@10.21.214.222 kubernetes]# vim cfg/etcd #[Member] ETCD_NAME="etcd02" ETCD_DATA_DIR="/var/lib/etcd/default.etcd" ETCD_LISTEN_PEER_URLS="https://10.21.214.222:2380" ETCD_LISTEN_CLIENT_URLS="https://10.21.214.222:2379" #[clustering] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.21.214.222:2380" ETCD_ADVERTISE_CLIENT_URLS="https://10.21.214.222:2379" ETCD_INITIAL_CLUSTER="etcd01=https://10.21.214.221:2380,etcd02=https://10.21.214.222:2380,etcd03=https://10.21.214.223:2380" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_INITIAL_CLUSTER_STATE="new" [root@10.21.214.222 kubernetes]# systemctl start etcd ----- node02 [root@10.21.214.223 kubernetes]# vim cfg/etcd #[Member] ETCD_NAME="etcd03" ETCD_DATA_DIR="/var/lib/etcd/default.etcd" ETCD_LISTEN_PEER_URLS="https://10.21.214.223:2380" ETCD_LISTEN_CLIENT_URLS="https://10.21.214.223:2379" #[clustering] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.21.214.223:2380" ETCD_ADVERTISE_CLIENT_URLS="https://10.21.214.223:2379" ETCD_INITIAL_CLUSTER="etcd01=https://10.21.214.221:2380,etcd02=https://10.21.214.222:2380,etcd03=https://10.21.214.223:2380" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_INITIAL_CLUSTER_STATE="new" [root@10.21.214.223 kubernetes]# systemctl start etcd
1.5、检查集群有没有问题
如果想添加etcd的快捷方式,执行下面命令
[root@10.21.214.221 kubernetes]# echo 'PATH=$PATH:/data/kubernetes/bin' >> /etc/profile [root@10.21.214.221 kubernetes]# source /etc/profile
执行命令检查健康
[root@10.21.214.221 kubernetes]# cd ssl/ [root@10.21.214.221 ssl]# et etcd etcdctl ether-wake ethtool [root@10.21.214.221 ssl]# etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem \ --endpoints="https://10.21.214.221:2379,https://10.21.214.222:2379,https://10.21.214.223:2379" \ cluster-health member 44bde3d6451bac47 is healthy: got healthy result from https://10.21.214.221:2379 member 6ae548213a7994ac is healthy: got healthy result from https://10.21.214.223:2379 member f4c8b14eec6eba9b is healthy: got healthy result from https://10.21.214.222:2379
