kubeadm證書生成示例

創建openssl配置文件

其中 ansible 部分的變量會替換成 master 節點的 IP 和 name，以及 kubernetes svc 的 VIP。

# kube-openssl.cnf: OpenSSL configuration consumed by the openssl commands below
# (-config for the self-signed CAs, -extfile for every leaf certificate).
# The {% ... %} / {{ ... }} parts are Jinja2 and are rendered by Ansible first.

# Settings for `openssl req`. The subject is always given with -subj on the
# command line, so the distinguished_name section stays empty.
[ req ]
distinguished_name = req_distinguished_name
[req_distinguished_name]
# Extensions for the self-signed root certificates (ca.crt, front-proxy-ca.crt).
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
# Leaf extensions for the kube-apiserver serving certificate: TLS server only,
# subjectAltName taken from [ alt_names_cluster ].
[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names_cluster
# Leaf extensions for client certificates (apiserver-kubelet-client,
# kube-controller-manager, kube-scheduler, front-proxy-client, admin).
[ v3_req_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
# Leaf extensions usable for both server and client auth with cluster SANs.
# Not referenced by any command on this page; kept for other callers.
[ v3_req_peer ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names_cluster
# SANs for the apiserver certificate. TLS clients verify the name or IP they
# dial against this list, so every address used to reach the apiserver must be here.
[ alt_names_cluster ]
# In-cluster service names plus localhost (DNS.1 .. DNS.5).
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = localhost
# DNS.6 .. DNS.(5+N): inventory hostname of each master (loop.index is 1-based).
{% for host in groups['kube-master'] %}
DNS.{{ 5 + loop.index }} = {{ host }}
{% endfor %}
# IP.1 .. IP.N: address of each master, taken from the interface named by
# k8s_interface when that variable is set, otherwise from the host's `ip`
# variable and falling back to ansible_default_ipv4.
{% for host in groups['kube-master'] %}
IP.{{ loop.index }} = {% if k8s_interface is defined %}{{ hostvars[host]['ansible_'+k8s_interface].ipv4.address }}{% else %}{{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{% endif %} 
{% endfor %}
# IP.(N+1): apiserver VIP (kube_apiserver_ip); IP.(N+2): loopback.
{% set idx =  groups['kube-master'] | length | int * 1 + 1 %}
IP.{{ idx }} = {{ kube_apiserver_ip }} 
IP.{{ idx + 1 }} = 127.0.0.1

生成證書

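# Generates the kubeadm-style PKI with openssl, using the rendered kube-openssl.cnf
# for -config / -extfile. Outputs (all in the current directory):
#   ca.{key,crt}, apiserver.{key,csr,crt}, apiserver-kubelet-client.{key,csr,crt},
#   sa.{key,pub}, kube-controller-manager.{csr,crt}, kube-scheduler.{key,csr,crt},
#   front-proxy-ca.{key,crt}, front-proxy-client.{key,csr,crt}, admin.{key,csr,crt}
#
# Private keys are written unencrypted (genrsa without a cipher, req -nodes), so make
# every file created here owner-only; later steps run as the same user and embed them.
umask 077

# NOTE: every certificate below is issued with -days 3650 (10 years). kubeadm uses that
# lifetime only for the CAs and issues leaf certificates for one year; a shorter -days on
# the leaves limits the window in which a leaked key stays usable.

# CA private key
openssl genrsa -out ca.key 2048
# kubernetes-ca self-signed root certificate (extensions from [ v3_ca ])
openssl req -x509 -new -nodes \
      -days 3650 \
      -key ca.key \
      -config kube-openssl.cnf \
      -subj "/CN=kubernetes" \
      -extensions v3_ca \
      -out ca.crt

# kube-apiserver serving key and certificate; SANs come from [ alt_names_cluster ]
openssl genrsa -out apiserver.key 2048

openssl req -new -key apiserver.key -subj "/CN=kube-apiserver" -out apiserver.csr

openssl x509 -req -CA ca.crt -CAkey ca.key -days 3650 -in apiserver.csr -CAcreateserial -extensions v3_req_server -extfile kube-openssl.cnf -out apiserver.crt

# Client certificate the apiserver presents to kubelets.
# O=system:masters maps to cluster-admin, so this certificate must only be used by the
# apiserver itself, never handed to a kubelet as its own identity (the kubeadm layout
# gives kubelets CN=system:node:<name>, O=system:nodes).
openssl genrsa -out apiserver-kubelet-client.key 2048

openssl req -new -key apiserver-kubelet-client.key -subj "/CN=kube-apiserver-kubelet-client/O=system:masters" -out apiserver-kubelet-client.csr

openssl x509 -req \
    -CA ca.crt \
    -CAkey ca.key \
    -days 3650 \
    -in apiserver-kubelet-client.csr \
    -CAcreateserial \
    -extensions v3_req_client \
    -extfile kube-openssl.cnf \
    -out apiserver-kubelet-client.crt


# Service-account token signing key and its public half
openssl genrsa -out sa.key 2048
# Derive the public key from the private key (the original listing had a "penssl" typo here)
openssl rsa -in sa.key -pubout -out sa.pub

# kube-controller-manager client certificate request.
# NOTE: the request is keyed with sa.key, so the controller-manager's TLS client key is the
# same key that signs service-account tokens, and controller-manager.conf (below) embeds it.
# kubeadm uses a dedicated key here; a separate kube-controller-manager.key would keep a
# leaked kubeconfig from exposing the token signing key. Left as-is because the kubeconfig
# step on this page passes --client-key=sa.key to match.
openssl req -new -key sa.key \
      -subj "/CN=system:kube-controller-manager" \
      -out kube-controller-manager.csr

# kube-controller-manager certificate
openssl x509 -req -CA ca.crt -CAkey ca.key \
      -days 3650 \
      -in kube-controller-manager.csr \
      -CAcreateserial \
      -extensions v3_req_client \
      -extfile kube-openssl.cnf \
      -out kube-controller-manager.crt
# kube-scheduler private key
openssl genrsa -out kube-scheduler.key 2048
# kube-scheduler certificate request
openssl req -new -key kube-scheduler.key \
      -subj "/CN=system:kube-scheduler" \
      -out kube-scheduler.csr

# kube-scheduler certificate
openssl x509 -req -CA ca.crt -CAkey ca.key \
      -days 3650 \
      -in kube-scheduler.csr \
      -CAcreateserial \
      -extensions v3_req_client \
      -extfile kube-openssl.cnf \
      -out kube-scheduler.crt

# front-proxy-ca private key (separate trust root for the aggregation layer)
openssl genrsa -out front-proxy-ca.key 2048

# front-proxy-ca self-signed root certificate
openssl req -x509 -new -nodes \
      -days 3650 \
      -key front-proxy-ca.key \
      -config kube-openssl.cnf \
      -subj "/CN=front-proxy-ca" \
      -extensions v3_ca \
      -out front-proxy-ca.crt

# front-proxy-client private key
openssl genrsa -out front-proxy-client.key 2048

# front-proxy-client certificate request
openssl req -new -key front-proxy-client.key \
      -subj "/CN=front-proxy-client" \
      -out front-proxy-client.csr

# front-proxy-client certificate, signed by front-proxy-ca (not the cluster CA)
openssl x509 -req \
    -CA front-proxy-ca.crt \
    -CAkey front-proxy-ca.key \
    -days 3650 \
    -in front-proxy-client.csr \
    -CAcreateserial \
    -extensions v3_req_client \
    -extfile kube-openssl.cnf \
    -out front-proxy-client.crt

# cluster admin private key
openssl genrsa -out admin.key 2048

# cluster admin certificate request (O=system:masters grants cluster-admin)
openssl req -new -key admin.key \
      -subj "/CN=kubernetes-admin/O=system:masters" \
      -out admin.csr

# cluster admin certificate
openssl x509 -req \
    -CA ca.crt \
    -CAkey ca.key \
    -days 3650 \
    -in admin.csr \
    -CAcreateserial \
    -extensions v3_req_client \
    -extfile kube-openssl.cnf \
    -out admin.crt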

創建配置文件

server 的地址爲當前 master 的 API Server 地址，kubelet.conf 配置中需將節點名稱修改爲當前 master 的節點名稱。

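# Builds the kubeconfig files kubeadm would place under /etc/kubernetes from the
# certificates generated above. Every file embeds its client key (--embed-certs=true),
# so each one is as sensitive as the key itself; keep them owner-only.
#
# Parameters (environment variables; the defaults are this page's example values):
#   APISERVER  URL of the kube-apiserver on the current master
#   NODE_NAME  node name of the current master (used for kubelet.conf)
APISERVER="${APISERVER:-https://10.7.6.109:6443}"
NODE_NAME="${NODE_NAME:-drzdztvpra19}"

# admin.conf: cluster admin credentials (admin.crt carries O=system:masters)
kubectl config set-cluster kubernetes \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server="${APISERVER}" \
    --kubeconfig=/etc/kubernetes/admin.conf

kubectl config set-credentials kubernetes-admin \
    --client-certificate=admin.crt \
    --client-key=admin.key \
    --embed-certs=true \
    --kubeconfig=/etc/kubernetes/admin.conf

kubectl config set-context kubernetes-admin@kubernetes \
    --cluster=kubernetes \
    --user=kubernetes-admin \
    --kubeconfig=/etc/kubernetes/admin.conf

kubectl config use-context kubernetes-admin@kubernetes \
    --kubeconfig=/etc/kubernetes/admin.conf

# controller-manager.conf
# The client key is sa.key because kube-controller-manager.csr was created from it above;
# this file therefore also embeds the service-account token signing key. A dedicated
# controller-manager key (as kubeadm generates) would avoid that coupling.
kubectl config set-cluster kubernetes \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server="${APISERVER}" \
    --kubeconfig=/etc/kubernetes/controller-manager.conf

kubectl config set-credentials system:kube-controller-manager \
    --client-certificate=kube-controller-manager.crt \
    --client-key=sa.key \
    --embed-certs=true \
    --kubeconfig=/etc/kubernetes/controller-manager.conf

kubectl config set-context system:kube-controller-manager@kubernetes \
    --cluster=kubernetes \
    --user=system:kube-controller-manager \
    --kubeconfig=/etc/kubernetes/controller-manager.conf

kubectl config use-context system:kube-controller-manager@kubernetes \
    --kubeconfig=/etc/kubernetes/controller-manager.conf

# scheduler.conf
kubectl config set-cluster kubernetes \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server="${APISERVER}" \
    --kubeconfig=/etc/kubernetes/scheduler.conf

kubectl config set-credentials system:kube-scheduler \
    --client-certificate=kube-scheduler.crt \
    --client-key=kube-scheduler.key \
    --embed-certs=true \
    --kubeconfig=/etc/kubernetes/scheduler.conf

kubectl config set-context system:kube-scheduler@kubernetes \
    --cluster=kubernetes \
    --user=system:kube-scheduler \
    --kubeconfig=/etc/kubernetes/scheduler.conf

kubectl config use-context system:kube-scheduler@kubernetes \
    --kubeconfig=/etc/kubernetes/scheduler.conf

# kubelet.conf
# NOTE: the apiserver authenticates by certificate subject, not by the kubeconfig user name.
# apiserver-kubelet-client.crt has CN=kube-apiserver-kubelet-client, O=system:masters, so
# this kubelet acts as a cluster-admin identity; "system:node:${NODE_NAME}" below is only a
# local label. The kubeadm layout gives each kubelet its own certificate with
# CN=system:node:<name>, O=system:nodes, which the Node authorizer scopes to that node.
kubectl config set-cluster kubernetes \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server="${APISERVER}" \
    --kubeconfig=/etc/kubernetes/kubelet.conf

kubectl config set-credentials "system:node:${NODE_NAME}" \
    --client-certificate=apiserver-kubelet-client.crt \
    --client-key=apiserver-kubelet-client.key \
    --embed-certs=true \
    --kubeconfig=/etc/kubernetes/kubelet.conf

kubectl config set-context "system:node:${NODE_NAME}@kubernetes" \
    --cluster=kubernetes \
    --user="system:node:${NODE_NAME}" \
    --kubeconfig=/etc/kubernetes/kubelet.conf

kubectl config use-context "system:node:${NODE_NAME}@kubernetes" \
    --kubeconfig=/etc/kubernetes/kubelet.conf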

重啓生效

# Run on every master so kubelet and docker pick up the regenerated
# certificates and kubeconfig files (kubelet first, then docker, as before).
for unit in kubelet docker; do
    systemctl restart "$unit"
done