創建openssl配置文件
其中 Ansible 模板變量會被替換成 master 節點的 IP 和名稱，以及 kubernetes svc 的 VIP；渲染後的文件即下文命令使用的 kube-openssl.cnf。
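# kube-openssl.cnf (Jinja2 template rendered by Ansible).
# Extension sections for the openssl commands that follow; the API server
# subjectAltName list is built in [alt_names_cluster].
[req]
distinguished_name = req_distinguished_name
# Intentionally empty: every subject is passed on the command line with -subj.
[req_distinguished_name]
# Self-signed CA certificates (kubernetes-ca, front-proxy-ca).
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
# Serving certificate (kube-apiserver); SANs taken from alt_names_cluster.
[v3_req_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names_cluster
# Client certificates (controller-manager, scheduler, admin, front-proxy-client).
[v3_req_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
# Combined serving+client certificate; not used by the commands below.
[v3_req_peer]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names_cluster
[alt_names_cluster]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = localhost
# DNS.6 onward: one entry per host in the kube-master group.
{% for host in groups['kube-master'] %}
DNS.{{ 5 + loop.index }} = {{ host }}
{% endfor %}
# IP.1..N: one entry per master. The address is selected inside a single
# expression tag on purpose: with trim_blocks enabled (Ansible's default) a
# line that ends in a block tag such as endif loses its newline, and the
# IP.n entries would be run together on one line.
{% for host in groups['kube-master'] %}
IP.{{ loop.index }} = {{ hostvars[host]['ansible_' + k8s_interface].ipv4.address if k8s_interface is defined else (hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address'])) }}
{% endfor %}
# After the masters: the API server service VIP, then loopback.
{% set idx = (groups['kube-master'] | length) + 1 %}
IP.{{ idx }} = {{ kube_apiserver_ip }}
IP.{{ idx + 1 }} = 127.0.0.1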
生成證書
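# Generate the control-plane PKI with openssl.
# Expects kube-openssl.cnf (the rendered template above) in the current
# directory; all keys, CSRs and certificates are written there as well.
# Abort on the first failing command so a missing key or CSR is not
# silently carried into the next signing step.
set -euo pipefail

# Extension definitions shared by every certificate.
CNF=kube-openssl.cnf
# Validity in days. 3650 (10 years) is the original value for both the CAs
# and the leaf certificates; leaf certificates are usually rotated on a much
# shorter cycle, so lower CERT_DAYS once rotation is in place.
CA_DAYS=3650
CERT_DAYS=3650

# kubernetes-ca private key
openssl genrsa -out ca.key 2048
# kubernetes-ca root certificate (self-signed, v3_ca extensions)
openssl req -x509 -new -nodes \
  -days "$CA_DAYS" \
  -key ca.key \
  -config "$CNF" \
  -subj "/CN=kubernetes" \
  -extensions v3_ca \
  -out ca.crt

# kube-apiserver serving key and certificate (v3_req_server, SANs from the cnf)
openssl genrsa -out apiserver.key 2048
openssl req -new -key apiserver.key -subj "/CN=kube-apiserver" -out apiserver.csr
openssl x509 -req \
  -CA ca.crt \
  -CAkey ca.key \
  -days "$CERT_DAYS" \
  -in apiserver.csr \
  -CAcreateserial \
  -extensions v3_req_server \
  -extfile "$CNF" \
  -out apiserver.crt

# apiserver-kubelet-client: the identity the API server presents to kubelets.
# O=system:masters makes it cluster-admin, so it is for the API server only
# and must not be handed to a kubelet as that node's own identity.
openssl genrsa -out apiserver-kubelet-client.key 2048
openssl req -new -key apiserver-kubelet-client.key -subj "/CN=kube-apiserver-kubelet-client/O=system:masters" -out apiserver-kubelet-client.csr
# A space before each trailing backslash is required; "csr\" with no space
# glues the following option onto the file name.
openssl x509 -req \
  -CA ca.crt \
  -CAkey ca.key \
  -days "$CERT_DAYS" \
  -in apiserver-kubelet-client.csr \
  -CAcreateserial \
  -extensions v3_req_client \
  -extfile "$CNF" \
  -out apiserver-kubelet-client.crt

# Service-account key pair: private key plus its public half.
openssl genrsa -out sa.key 2048
# (was "penssl rsa", which does not exist)
openssl rsa -in sa.key -pubout -out sa.pub

# kube-controller-manager client certificate. The original steps reuse sa.key
# as the controller-manager's client key and the kubeconfig step later passes
# sa.key as --client-key, so that pairing is kept here. A dedicated key would
# stop a leaked controller-manager credential from also exposing the
# service-account signing key.
openssl req -new -key sa.key \
  -subj "/CN=system:kube-controller-manager" \
  -out kube-controller-manager.csr
openssl x509 -req \
  -CA ca.crt \
  -CAkey ca.key \
  -days "$CERT_DAYS" \
  -in kube-controller-manager.csr \
  -CAcreateserial \
  -extensions v3_req_client \
  -extfile "$CNF" \
  -out kube-controller-manager.crt

# kube-scheduler client key and certificate
openssl genrsa -out kube-scheduler.key 2048
openssl req -new -key kube-scheduler.key \
  -subj "/CN=system:kube-scheduler" \
  -out kube-scheduler.csr
openssl x509 -req \
  -CA ca.crt \
  -CAkey ca.key \
  -days "$CERT_DAYS" \
  -in kube-scheduler.csr \
  -CAcreateserial \
  -extensions v3_req_client \
  -extfile "$CNF" \
  -out kube-scheduler.crt

# front-proxy-ca private key and self-signed root certificate
openssl genrsa -out front-proxy-ca.key 2048
openssl req -x509 -new -nodes \
  -days "$CA_DAYS" \
  -key front-proxy-ca.key \
  -config "$CNF" \
  -subj "/CN=front-proxy-ca" \
  -extensions v3_ca \
  -out front-proxy-ca.crt

# front-proxy-client key and certificate, signed by front-proxy-ca
openssl genrsa -out front-proxy-client.key 2048
openssl req -new -key front-proxy-client.key \
  -subj "/CN=front-proxy-client" \
  -out front-proxy-client.csr
openssl x509 -req \
  -CA front-proxy-ca.crt \
  -CAkey front-proxy-ca.key \
  -days "$CERT_DAYS" \
  -in front-proxy-client.csr \
  -CAcreateserial \
  -extensions v3_req_client \
  -extfile "$CNF" \
  -out front-proxy-client.crt

# cluster admin key and certificate (O=system:masters grants cluster-admin)
openssl genrsa -out admin.key 2048
openssl req -new -key admin.key \
  -subj "/CN=kubernetes-admin/O=system:masters" \
  -out admin.csr
openssl x509 -req \
  -CA ca.crt \
  -CAkey ca.key \
  -days "$CERT_DAYS" \
  -in admin.csr \
  -CAcreateserial \
  -extensions v3_req_client \
  -extfile "$CNF" \
  -out admin.crt

# Private keys must not be readable by other users; make the mode explicit
# regardless of what the installed openssl version does on its own.
chmod 600 ./*.key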
創建配置文件
server 的地址爲當前 master 的 API Server 地址；kubelet.conf 配置中需將節點名稱改爲當前 master 的節點名稱。
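# Build the kubeconfig files for admin, controller-manager, scheduler and
# kubelet under /etc/kubernetes, with the CA and client credentials embedded.
# Abort on the first failing kubectl call so a half-written file is noticed.
set -euo pipefail

# API server endpoint of the master this runs on; adjust per master.
APISERVER=https://10.7.6.109:6443
# Node name of the master this runs on; used for the kubelet identity.
NODE_NAME=drzdztvpra19
KUBE_DIR=/etc/kubernetes

# write_kubeconfig FILE USER CERT KEY: write one kubeconfig holding the
# "kubernetes" cluster, the user USER with the given client cert/key, and the
# context "USER@kubernetes", which is also selected as the current context.
write_kubeconfig() {
  local file=$1 user=$2 cert=$3 key=$4
  kubectl config set-cluster kubernetes \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server="$APISERVER" \
    --kubeconfig="$file"
  kubectl config set-credentials "$user" \
    --client-certificate="$cert" \
    --client-key="$key" \
    --embed-certs=true \
    --kubeconfig="$file"
  kubectl config set-context "$user@kubernetes" \
    --cluster=kubernetes \
    --user="$user" \
    --kubeconfig="$file"
  kubectl config use-context "$user@kubernetes" \
    --kubeconfig="$file"
}

# admin.conf
write_kubeconfig "$KUBE_DIR/admin.conf" kubernetes-admin admin.crt admin.key

# controller-manager.conf (sa.key is the key its certificate was issued for)
write_kubeconfig "$KUBE_DIR/controller-manager.conf" system:kube-controller-manager kube-controller-manager.crt sa.key

# scheduler.conf
write_kubeconfig "$KUBE_DIR/scheduler.conf" system:kube-scheduler kube-scheduler.crt kube-scheduler.key

# kubelet.conf. The user name in a kubeconfig is only a local label: the API
# server authenticates the certificate's CN/O, and apiserver-kubelet-client
# carries O=system:masters, so with this file the kubelet acts with
# cluster-admin rights rather than as system:node:NODE_NAME. Issue the kubelet
# its own certificate (CN=system:node:NODE_NAME, O=system:nodes) signed by
# ca.crt and reference that pair here instead.
write_kubeconfig "$KUBE_DIR/kubelet.conf" "system:node:$NODE_NAME" apiserver-kubelet-client.crt apiserver-kubelet-client.key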
重啓生效
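# Run on every master node so the new certificates and kubeconfigs take effect.
# Restart the container runtime first: the kubelet depends on it, and restarting
# docker after the kubelet would interrupt the freshly started kubelet again.
systemctl restart docker
systemctl restart kubelet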