K8S k8s(10)__Master加证书部署 发表于 2022-09-02 浏览量 602 没有评论

# K8S证书位置

mkdir -pv /usr/local/ssl/k8s
cd /usr/local/ssl/k8s

该目录用于存放 apiserver 证书、kube-proxy 证书。

# K8S CA证书

```
cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
```

```
cat << EOF | tee ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Hangzhou",
      "ST": "Hangzhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
```

# K8S ApiServer证书配置

```
cat << EOF | tee server-csr.json
{
  "CN": "kubernetes",
  "hosts": [
    "192.168.237.50",
    "127.0.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Hangzhou",
      "ST": "Hangzhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
```

# K8S proxy证书

```
cat << EOF | tee kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Hangzhou",
      "ST": "Hangzhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
```

# 生成证书

```
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
```

生成的 ca-key.pem、server-key.pem、kube-proxy-key.pem 是私钥，注意限制文件权限，只允许 root 读取。

# 安全部署

http（8080）只监听在 127.0.0.1，不对外开放；注意这只是挡住了远程访问，本机上的任何进程仍然可以不经认证访问该端口。

https（6443）可以监听在所有网卡，使用上面配置的证书，客户端需要证书才能访问。

# kubernetes配置文件

```
cat /usr/local/kubernetes/conf/kubernetes
KUBE_MASTER="--master=127.0.0.1:8080"
KUBE_LOG_LEVEL="--v=2"
KUBE_LOGTOSTDERR="--logtostderr=false"
KUBE_LOG_DIR="--log-dir=/usr/local/kubernetes/logs/"
```

# Kube-apiserver参数配置

```
cat /usr/local/kubernetes/conf/kube-apiserver
KUBE_API_ADDRESS="--insecure-bind-address=127.0.0.1 --bind-address=0.0.0.0"
KUBE_API_PORT="--insecure-port=8080 --secure-port=6443"
KUBE_ETCD_SERVERS="--etcd-servers=https://172.19.152.37:2379,https://172.19.152.38:2379,https://172.19.152.39:2379"
KUBE_ALLOW_PRIV="--allow-privileged=true"
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ResourceQuota"
```

# 生成token

```
head -c 16 /dev/urandom | od -An -t x | tr -d ' '
cat /usr/local/ssl/k8s/token.csv
ab92cbc669d79d9fb856ba222c376443,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
```

token.csv 里的 token 就是凭据，文件权限要和私钥一样只允许 root 读取。

# Kube-apiserver启动

```
cat /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=kube-apiserver
After=network.target

[Service]
EnvironmentFile=-/usr/local/kubernetes/conf/kubernetes
EnvironmentFile=-/usr/local/kubernetes/conf/kube-apiserver
ExecStart=/usr/local/kubernetes/bin/kube-apiserver \
  $KUBE_API_ADDRESS \
  $KUBE_API_PORT \
  $KUBE_ETCD_SERVERS \
  --etcd-cafile=/usr/local/ssl/etcd/ca.pem --etcd-certfile=/usr/local/ssl/etcd/server.pem --etcd-keyfile=/usr/local/ssl/etcd/server-key.pem \
  $KUBE_LOG_LEVEL \
  $KUBE_LOGTOSTDERR \
  $KUBE_LOG_DIR \
  $KUBE_ALLOW_PRIV \
  $KUBE_ADMISSION_CONTROL \
  --tls-cert-file=/usr/local/ssl/k8s/server.pem --tls-private-key-file=/usr/local/ssl/k8s/server-key.pem --client-ca-file=/usr/local/ssl/k8s/ca.pem --service-account-key-file=/usr/local/ssl/k8s/ca-key.pem --authorization-mode=RBAC,Node --enable-bootstrap-token-auth --token-auth-file=/usr/local/ssl/k8s/token.csv

[Install]
WantedBy=multi-user.target
```

注：这里 --service-account-key-file 直接指向 CA 私钥 ca-key.pem，即 CA 签发证书的密钥同时被用来校验 service account 令牌；更稳妥的做法是为 service account 单独生成一对密钥，避免一处泄露同时危及两者。

# scheduler配置文件

```
cat /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=kube-scheduler
After=network.target

[Service]
EnvironmentFile=-/usr/local/kubernetes/conf/kubernetes
ExecStart=/usr/local/kubernetes/bin/kube-scheduler \
  $KUBE_MASTER \
  $KUBE_LOG_LEVEL \
  $KUBE_LOGTOSTDERR \
  $KUBE_LOG_DIR

[Install]
WantedBy=multi-user.target
```

# controller-manager配置

```
cat /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=kube-controller-manager
After=network.target

[Service]
EnvironmentFile=-/usr/local/kubernetes/conf/kubernetes
ExecStart=/usr/local/kubernetes/bin/kube-controller-manager \
  $KUBE_MASTER \
  $KUBE_LOG_LEVEL \
  $KUBE_LOGTOSTDERR \
  $KUBE_LOG_DIR \
  --cluster-name=kubernetes --cluster-signing-cert-file=/usr/local/ssl/k8s/ca.pem --cluster-signing-key-file=/usr/local/ssl/k8s/ca-key.pem --root-ca-file=/usr/local/ssl/k8s/ca.pem --service-account-private-key-file=/usr/local/ssl/k8s/ca-key.pem

[Install]
WantedBy=multi-user.target
```

注：--service-account-private-key-file 必须与 apiserver 的 --service-account-key-file 是同一对密钥；这里两处都用的是 CA 私钥 ca-key.pem，建议改为单独生成的 service account 密钥，CA 私钥只用于签发证书。