k8s踩坑記錄——證書一年有效期

kubernetes集羣證書重籤

依照https://github.com/strongit/kubeadm-ha/ 安裝步驟，kubeadm init安裝後的集羣存在證書過期問題。現修復如下：
思路如下，
1、保留ca.crt ca.key front-proxy-ca.crt front-proxy-ca.key，根證書有效期十年
2、openssl重新簽註
3、kubeadm alpha phase 生成config

 [root@k8s-master01 pki]# cat csr.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = BeiJing
L = BeiJing
O = k8s
OU = System
CN = kubernetes

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = k8s-master01
DNS.7 = k8s-master02
DNS.8 = k8s-master03
IP.1 = IP
IP.2 = IP

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names

 openssl genrsa -out apiserver.key 2048 
 openssl req -new -key apiserver.key -out apiserver.csr -config csr.conf
 openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days 10000 -extensions v3_ext -extfile csr.conf
 openssl x509  -noout -text -in ./apiserver.crt  |grep "Not"

 openssl genrsa -out apiserver-kubelet-client.key 2048
 openssl req -new -key apiserver-kubelet-client.key -out apiserver-kubelet-client.csr -config csr.conf
 openssl x509 -req -in apiserver-kubelet-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver-kubelet-client.crt -days 10000 -extensions v3_ext -extfile csr.conf
 openssl x509  -noout -text -in ./apiserver-kubelet-client.crt  |grep "Not"

 openssl genrsa -out front-proxy-client.key 2048
 openssl req -new -key front-proxy-client.key -out front-proxy-client.csr -config csr.conf
 openssl x509 -req -in front-proxy-client.csr -CA front-proxy-ca.crt -CAkey front-proxy-ca.key -CAcreateserial -out front-proxy-client.crt -days 10000 -extensions v3_ext -extfile csr.conf
 openssl x509  -noout -text -in ./front-proxy-client.crt  |grep "Not"

kubeadm alpha phase certs all --config kubeadm-config.yaml

kubeadm alpha phase kubelet config write-to-disk --config kubeadm-config.yaml
kubeadm alpha phase kubelet write-env-file --config kubeadm-config.yaml
kubeadm alpha phase kubeconfig kubelet --config kubeadm-config.yaml

kubeadm alpha phase kubeconfig all --config kubeadm-config.yaml

kubeadm alpha phase controlplane all --config kubeadm-config.yaml

systemctl restart kubelet
kubeadm alpha phase mark-master --config kubeadm-config.yaml
cp /etc/kubernetes/admin.conf ~/.kube/config

重啓集羣后，執行kubelet logs pods XXXX -n kube-system報錯如下：Error from server (Forbidden): Forbidden (user=kubernetes, verb=get, resource=nodes, subresource=proxy) ( pods/log kube-scheduler-k8s-master01)
解決方案：kubectl create clusterrolebinding system:kubernetes --clusterrole=cluster-admin --user=system:kubernetes

ingress的tls設置

對ingress中的域名進行tls安全證書的設置步驟如下：

創建自簽名的祕鑰與ssl證書；
將證書保存到kubernetes集羣的1個Secret資源對象上；
設置Secret資源對象到ingress中。
根據網站域名是1個還是多個，前兩步的操作稍有不同，第3步操作相同，下面以多域名的操作爲例：

1. 生成ca證書
   [root@kubenode1 ~]# mkdir -p /etc/kubernetes/ingress
   [root@kubenode1 ~]# cd /etc/kubernetes/ingress/
   [root@kubenode1 ingress]# openssl genrsa -out ca.key 2048
   [root@kubenode1 ingress]# openssl req -x509 -new -nodes -key ca.key -days 3560 -out ca.crt -subj "/CN=ingress-ca"

2. 修改openssl.cnf文件
   #對於多域名，生成ssl證書需要使用額外的x509v3配置文件輔助；
   #在[alt_names]字段中設置多域名
   [root@kubenode1 ingress]# cp /etc/pki/tls/openssl.cnf .
   [root@kubenode1 ingress]# vim openssl.cnf

[ req ]
#第126行，取消註釋
req_extensions = v3_req # The extensions to add to a certificate request

[ v3_req ]
#Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#第224行之後，新增部分
subjectAltName = @alt_names
[alt_names]
DNS.1 = nginx01-svc-tls.me
DNS.2 = nginx02-svc-tls.me

3. 生成ingress ssl證書

#基於修改的openssl.cnf與ca證書生成ingress ssl證書
#生成祕鑰
[root@kubenode1 ingress]# openssl genrsa -out ingress.key 2048

#生成csr文件
[root@kubenode1 ingress]# openssl req -new -key ingress.key -out ingress.csr -subj "/CN=nginx-svc-tls" -config openssl.cnf

#生成證書
[root@kubenode1 ingress]# openssl x509 -req -in ingress.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ingress.crt -days 3650 -extensions v3_req -extfile openssl.cnf

4. 生成Secret資源對象
   Secret對象的主要作用是保管私密數據，如：密碼，OAuth Tokens，ssh Keys等信息。將私密信息存放在Secret對象中，比直接放在Pod或者Docker image中更安全，更便於使用與分發。

Secret對象創建完成之後，可通過3種方式調用：

在創建Pod時，通過爲Pod指定Service Account來自動使用；
通過掛載Secret到Pod來使用；
Docker image下載時使用，通過指定Pod的spc.ImagePullSecrets來引用。
#編輯secret-ingress.yaml文件，將ingress.key與ingress.crt的內容複製到yaml文件中；
#注意1：Secret的”data”域的各子域的值必須爲BASE64編碼；
#注意2：複製key與crt的內容時去掉換行符，變成一行
[root@kubenode1 ingress]# cd /usr/local/src/yaml/ingress/
[root@kubenode1 ingress]# touch secret-ingress.yaml
[root@kubenode1 ingress]# vim secret-ingress.yaml
apiVersion: v1
kind: Secret
metadata:
name: secret-ingress
#1.8.x之後使用kubernetes.io/tls替換Opaque
type: kubernetes.io/tls
data:
tls.crt: MIIC/TCCAeWgAwIBAgIJALGRacBg2fWIMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNVBAMMCmluZ3Jlc3MtY2EwHhcNMTgwMjI4MDM0NDI1WhcNMjgwMjI2MDM0NDI1WjAYMRYwFAYDVQQDDA1uZ2lueC1zdmMtdGxzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuZvMBYF104JPtMZFFUxCpGGODFG4rGffN1FFC98CGt99QAwVMfABGDMU8zfa21twxON1v3WK8HdJH5KRdLOIRQnhuMHsC174sb/+FuOa0GhStgmNX0f2jGETuImPQ82faXACnUkUYuvYG5odbY+tS+LQBtIormpxWRlNNTVzT3jFD6JECVZzpMyCJutkwxJC083PS1VE9ki+7mgpPWbb9BqT0Tn672x4cHI8LZ5snr1fpR8I0sqADXY+KpFQeh7UJsWZjfr00wDBsg76aF3TNK+pecXnBNYPZ6o7sOGXvagAxU58xjjz75TwMQ7NnqF584fshvQLnzeTGhDbXx4GHQIDAQABo00wSzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAxBgNVHREEKjAoghJuZ2lueDAxLXN2Yy10bHMubWWCEm5naW54MDItc3ZjLXRscy5tZTANBgkqhkiG9w0BAQsFAAOCAQEAaUQH21wct78wW1tAz1+3j9SGLLk7kd06PcnYH1pBGW3wlMFiusMOUdVfm2aPwkX7VFOfeo6LYtILisQ9+wJraQcGd31H5M/ILSH2bhd739CcySqm3aEYHplQCfepsRRcINp82N3GLjcT6sCeuvoC4l+rUDIKMEPt7Skwj1HjCj/NSpHguzmtmRG4PCvv/3nCrcntGLKxsKBD85llpRlT9/Q+9eMmQz7YRUjUEr/3cSmBfRjcBQhB7yXZyDLRbObAc1BMgxBRX/oexNIHCMNdRFSP6wAtlyajytOhcixBMu3RQ1g0lrFaT9vQWPXs6HV8xC6VvfhdSQN8B1T65klNNg==
tls.key: MIIEpAIBAAKCAQEAuZvMBYF104JPtMZFFUxCpGGODFG4rGffN1FFC98CGt99QAwVMfABGDMU8zfa21twxON1v3WK8HdJH5KRdLOIRQnhuMHsC174sb/+FuOa0GhStgmNX0f2jGETuImPQ82faXACnUkUYuvYG5odbY+tS+LQBtIormpxWRlNNTVzT3jFD6JECVZzpMyCJutkwxJC083PS1VE9ki+7mgpPWbb9BqT0Tn672x4cHI8LZ5snr1fpR8I0sqADXY+KpFQeh7UJsWZjfr00wDBsg76aF3TNK+pecXnBNYPZ6o7sOGXvagAxU58xjjz75TwMQ7NnqF584fshvQLnzeTGhDbXx4GHQIDAQABAoIBAFMGCI3R6eWRXZvsMEyljw2+gW6rQ2MDF4rD9JGp0GQ64ei7PuPWinbLqqxcqK4ESf4YDLx2lI6ZnQDda+j6wZK4J9qgC7jOY4oG6l5MsxxT/eNlhHJBW1xRtCOQjJ/0o0DjlJfMb60L99/o4Q73/Ll8HDdg3EegX1FOiwWpAgpipA+WyosAtrfR8DjOAVMavlhkCejmgupWU7syuVmVQ0Dz/z9zPESI1b6pHO0Js4Keb8vnUHPLNcq1HCdCMK+wrdUaW2YmuAr9uoF7Wqvp7MCog//cQX93mijJzW8GFPrSt2y4NHN6AnUw6PE3aoMgF1my7O1xLwOjCQz+eW8voyECgYEA8luy6iEDYkfq+tkxA9kl3CgXVk5WgiE/4mVaEjOIT2llgM+8K3TAn8EGATk5s79phn/MRfqi8YQ13Z9dzhp3R/ARynD+/TVRzMHe5830ysBScHaW4vxvPXEn2uBtB8TC8goxmoIu9My5H746ceyY2xBEn8HA0XZ7pQTrCRimcmUCgYEAxA5a3g/Ni/uwTUAsQJNUPyvjcYxq+E3S2VNsYZiOiogKqXeE0QtasNMh1L7Wv9aan5Xca7eKbHP4fZFxLif/YrwwcmktIX3u5vkGyq2VCAw5V8iGD3vdbDJvAc2+YVBoeWf4w4eDST2Ir6xrM3WCtXR35EM0Jhw+8PAdytIKrVkCgYAqEK5yIr7CnTb0ySPPxi3jE3ZRfZFYTssW0X6bsCQVnHaIsAW6CS6xy7/uEG+qeiuns6DR+Jm1j7wFtnaComdXrhx4ZbpsWofTIUc+NqopUs48ROkVhrkMEgrX26Iw+f7YIdrQNY5O4QW0s8DTKzywsRcoH2oHMShu0Pa2gnfJXQKBgQClzLn9t4GNk0EKY23JAo8piTUkbqp76Fyam5k5g+lvsBLMNB4nJyIADd07bFRyEcvbj8HDeolepEiN8HS1ou+wERQrfVTEURq7S/f5aQhysNvBp/vvlkGv4YrNDLCm3Xgsy8etm6lkQ9yXLAnQj90FFUTazhaI8DQuT/Hx9uU+qQKBgQCBEpc98YikgYmZk/6kyzUP3l+MIj5i3UK/7ZG3QOpTAeTbzBQQX0s31b2Lf9M+SN2+2XJb/0OUr3RKKkuf5KgedMll7hNaEaFu9z5qPepFUlKWZz2MkIRSljecbSJ8ZfGz2wCUhQoW8KLQY9ftEaz+27eEJ0FxHhuhe5+yQMpkKA==

#生成Secret資源對象
[root@kubenode1 ingress]# kubectl create -f secret-ingress.yaml

#以上編輯yaml文件，使用”kubectl create”命令生成Secret對象在步驟上更清晰；
#但可以利用”kubectl create secret tls”命令直接創建Secret對象
[root@kubenode1 ingress]# kubectl create secret tls secret-ingress --key /etc/kubernetes/ingress/ingress.key --cert /etc/kubernetes/ingress/ingress.crt

5. 創建後端服務
   #編輯後端服務nginx01-svc-tls.yaml
   [root@kubenode1 ingress]# touch nginx01-svc-tls.yaml
   [root@kubenode1 ingress]# vim nginx01-svc-tls.yaml
   apiVersion: extensions/v1beta1
   kind: Deployment
   metadata:
   name: nginx01-tls
   spec:
   replicas: 1
   template:
   metadata:
   labels:
   name: nginx01-tls
   spec:
   containers:
   • name: nginx01-tls
     image: nginx:latest
     ports:

     • containerPort: 80

       apiVersion: v1
       kind: Service
       metadata:
       name: nginx01-svc-tls
       spec:
       ports:
       #Service服務監聽的端口號

     • port: 443
       #後端提供真實服務的Pod提供的端口號
       targetPort: 80
       name: https
       selector:
       name: nginx01-tls

#編輯後端服務nginx02-svc-tls.yaml
[root@kubenode1 ingress]# cp nginx01-svc-tls.yaml nginx02-svc-tls.yaml
[root@kubenode1 ingress]# sed -i 's|nginx01|nginx02|g' nginx02-svc-tls.yaml

#生成後端服務
[root@kubenode1 ingress]# kubectl create -f nginx01-svc-tls.yaml
[root@kubenode1 ingress]# kubectl create -f nginx02-svc-tls.yaml

#修改提供後端服務的nginx容器的html文件；
#通過”kubectl exec -ti <pod-name> -c <container-name> /bin/bash”進入容器修改；pod-name可通過命令”kubectl get pods -o wide”獲取；container-name即yaml文件中定義的名字
[root@kubenode1 ingress]# kubectl get pods -o wide

#nginx官方容器的index.html文件在/usr/share/nginx/html/目錄下
[root@kubenode1 ingress]# kubectl exec -ti nginx01-tls-59fbf6696c-qfq4k -c nginx01-tls /bin/bash
root@nginx01-tls-59fbf6696c-qfq4k:/# echo "<h1>Welcome to test site nginx01-svc-tls</h1>" > /usr/share/nginx/html/index.html
root@nginx01-tls-59fbf6696c-qfq4k:/# cat /usr/share/nginx/html/index.html
root@nginx01-tls-59fbf6696c-qfq4k:/# exit
[root@kubenode1 ingress]# kubectl exec -ti nginx02-tls-5559fd9bc7-dfbrp -c nginx02-tls /bin/bash
root@nginx02-tls-5559fd9bc7-dfbrp:/# echo "<h1>Welcome to test site nginx02-svc-tls</h1>" > /usr/share/nginx/html/index.html
root@nginx02-tls-5559fd9bc7-dfbrp:/# cat /usr/share/nginx/html/index.html
root@nginx02-tls-5559fd9bc7-dfbrp:/# exit

6. 創建ingress對象
   複製代碼
   #編輯ingress對象yaml文件；
   #在”spec”域下新增“tls”子域，”hosts”字段加入多域名，“secretName”字段調用對應的Secret資源；
   #1個ingress對象只能使用1個Secret對象（“secretName”字段value唯一），即只能使用1個證書，該正式需要支持”hosts”字段下所有域名；
   #“secretName”字段一定要置於域名列表最後的位置；
   #”hosts”字段的域名需要匹配”rules”字段域名；
   #ingress默認情況下，當不配置證書或者證書配置錯誤時，會默認給出一個tls證書；如“secretName”字段配置了2個值，則所有域名採用默認證書；如”hosts”字段少配置一個域名，缺失的域名會採用默認證書；
   #更新ingress證書可能需要等待一段時間才能生效
   [root@kubenode1 ingress]# touch nginx-svc-tls-ingress.yaml
   [root@kubenode1 ingress]# vim nginx-svc-tls-ingress.yaml
   apiVersion: extensions/v1beta1
   kind: Ingress
   metadata:
   name: ingress-tls
   spec:
   tls:
   • hosts:
   • nginx01-svc-tls.me
   • nginx02-svc-tls.me
     secretName: secret-ingress
     rules:
   • host: nginx01-svc-tls.me
     http:
     paths:
     • backend:
       serviceName: nginx01-svc-tls
       #後端服務監聽端口，區別於提供真實服務的容器監聽端口
       servicePort: 443
   • host: nginx02-svc-tls.me
     http:
     paths:
     • backend:
       serviceName: nginx02-svc-tls
       servicePort: 443

#生成ingress對象
[root@kubenode1 ingress]# kubectl create -f nginx-svc-tls-ingress.yaml
[root@kubenode1 ingress]# kubectl get ingress

7. 驗證
   #採用--resolve參數模擬dns解析，目標地址爲域名；
   #http訪問時被重定向，採用https訪問正常
   [root@kubenode1 ingress]# curl --resolve nginx01-svc-tls.me:80:172.30.200.21 http://nginx01-svc-tls.me
   [root@kubenode1 ingress]# curl --resolve nginx01-svc-tls.me:443:172.30.200.21 -k https://nginx01-svc-tls.me

#或者採用-H參數設置http頭中需要訪問的域名，目標地址爲ip地址
[root@kubenode1 ingress]# curl -H 'Host:nginx01-svc-tls.me' -k https://172.30.200.23
[root@kubenode1 ingress]# curl -H 'Host:nginx02-svc-tls.me' -k https://172.30.200.23

在本地瀏覽器訪問host主機（注意提前綁定域名）：http://nginx01-svc-tls.me

採用http訪問，重定向自動跳轉爲https訪問