下载cfssl工具
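# Fetch the cfssl R1.2 binaries into /usr/local/src.
# NOTE: wget's lowercase -o names the *log* file, not the output file. With -o the
# binary was saved as cfssl_linux-amd64 and "cfssl" contained only wget's log, which
# the following chmod then marked executable. -O writes the download itself.
cd /usr/local/src/ || exit 1
for tool in cfssl cfssljson cfssl-certinfo; do
  wget "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64" -O "$tool" || exit 1
done
# These binaries will create the cluster's root CA: verify them against the
# checksums/signatures published for the release before running them, and
# confirm R1.2 is still the release you want (it is an old one).
chmod +x cfssl cfssljson cfssl-certinfo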
将 /usr/local/src 加入 PATH(或把 cfssl、cfssljson、cfssl-certinfo 复制到 /usr/local/bin),以便后续命令可以直接调用。
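# Every private key generated below (CA, apiserver, admin, ...) is written into
# this directory, so create it root-only rather than with the default umask.
mkdir -p /etc/kubernetes/pki || exit 1
chmod 700 /etc/kubernetes/pki
cd /etc/kubernetes/pki || exit 1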
ca-config.json(注意:下面只定义了一个 `kubernetes` profile,同时带有 server auth 和 client auth,且有效期 87600h 即 10 年;后面所有证书都用这个 profile 签发,意味着 admin、controller-manager 等客户端证书也能用于服务端认证。生产环境建议把服务端和客户端拆成不同的 profile,并缩短有效期。)
{"signing":{"default":{"expiry":"87600h"},"profiles":{"kubernetes":{"usages":["signing","key encipherment","server auth","client auth"],"expiry":"87600h"}}}}
ca-csr.json
{"CN":"kubernetes","key":{"algo":"rsa","size":2048},"names":[{"C":"CN","ST":"Shanghai","L":"Shanghai","O":"Kubernetes","OU":"Kubernetes-manual"}]}
生成CA私钥和证书
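# Create the cluster root CA (ca.pem / ca-key.pem / ca.csr). Every other
# certificate in this guide is signed by ca-key.pem, so re-running this step
# would silently replace the trust anchor and leave the already-issued
# certificates unverifiable. Refuse to overwrite an existing CA key.
if [ -e ca-key.pem ]; then
  printf 'ca-key.pem already exists; refusing to overwrite the root CA\n' >&2
  exit 1
fi
# Capture cfssl's output first so a cfssl failure is not masked by the pipeline.
ca_bundle=$(cfssl gencert -initca ca-csr.json) || exit 1
printf '%s\n' "$ca_bundle" | cfssljson -bare ca || exit 1
# cfssljson is believed to write the key 0600 already; enforce it explicitly.
chmod 600 ca-key.pem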
apiserver-csr.json
{"CN":"kube-apiserver","hosts":["127.0.0.1","10.96.0.1","10.0.0.210","kubernetes","kubernetes.default","kubernetes.default.svc","kubernetes.default.svc.cluster","kubernetes.default.svc.cluster.local","node210"],"key":{"algo":"rsa","size":2048},"names":[{"C":"CN","ST":"Shanghai","L":"Shanghai","O":"Kubernetes","OU":"Kubernetes-manual"}]}
生成kube-apiserver私钥和证书
# Issue the kube-apiserver certificate under the cluster CA using the
# "kubernetes" profile; the SANs come from the hosts list in apiserver-csr.json.
# cfssljson -bare writes apiserver.pem, apiserver-key.pem and apiserver.csr.
apiserver_bundle=$(cfssl gencert \
  -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=kubernetes apiserver-csr.json)
printf '%s\n' "$apiserver_bundle" | cfssljson -bare apiserver
生成Front proxy CA私钥和证书
front-proxy-ca-csr.json
{"CN":"kubernetes","key":{"algo":"rsa","size":2048}}
# Self-signed CA for the aggregation layer (front proxy). It is deliberately a
# separate trust root from ca.pem; the files produced are front-proxy-ca.pem,
# front-proxy-ca-key.pem and front-proxy-ca.csr.
cfssljson -bare front-proxy-ca < <(cfssl gencert -initca front-proxy-ca-csr.json)
生成Front proxy client 私钥和证书
front-proxy-client-csr.json
{"CN":"front-proxy-client","key":{"algo":"rsa","size":2048}}
# Client certificate the API server presents to aggregated API servers, signed
# by the front-proxy CA (not the cluster CA) with the same "kubernetes" profile.
fp_client_bundle=$(cfssl gencert \
  -ca=front-proxy-ca.pem -ca-key=front-proxy-ca-key.pem \
  -config=ca-config.json -profile=kubernetes front-proxy-client-csr.json)
printf '%s\n' "$fp_client_bundle" | cfssljson -bare front-proxy-client
使用Bootstrap Token
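# Generate the bootstrap token: 16 random bytes rendered as 32 hex characters.
# -tx1 prints single bytes, so the string does not depend on host byte order
# (the original used -t x, i.e. 4-byte words). The leading "$ " in the original
# listing was a shell prompt, not part of the command.
bootstrap_token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
printf '%s\n' "$bootstrap_token"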
生成 /etc/kubernetes/token.csv 文件,第一项内容为上面命令的输出结果。下面一行中的 token 只是示例,不要照抄,必须换成你自己生成的值,并把文件权限设为 600。注意:静态 token 文件中的 token 没有过期时间,修改后需要重启 kube-apiserver 才能生效。
a9ccc6ef5dd93b83f02080f5c022f42c,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
生成kubeconfig文件bootstrap.conf
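# Build bootstrap.conf for the kubelet TLS bootstrap. It authenticates with a
# bearer token rather than a certificate: the value below must equal the first
# field of /etc/kubernetes/token.csv, and the sample value shown here must be
# replaced with your own. Passing the token on the command line also leaves it
# in shell history and `ps` output, so rotate it if that matters in your setup.
bootstrap_cfg=../bootstrap.conf      # relative to /etc/kubernetes/pki
bootstrap_token=a9ccc6ef5dd93b83f02080f5c022f42c
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://10.0.0.210:6443 --kubeconfig="$bootstrap_cfg" || exit 1
kubectl config set-credentials kubelet-bootstrap --token="$bootstrap_token" --kubeconfig="$bootstrap_cfg" || exit 1
kubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig="$bootstrap_cfg" || exit 1
kubectl config use-context default --kubeconfig="$bootstrap_cfg" || exit 1
# The file now contains the token; kubectl normally writes 0600, enforce it anyway.
chmod 600 "$bootstrap_cfg"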
生成admin的私钥和证书(admin-csr.json 中 O=system:masters 对应集群默认绑定的 cluster-admin 权限;kube-apiserver 不检查证书吊销,该证书一旦签发,在 CA 轮换前无法撤销,请妥善保管 admin-key.pem 和 admin.conf)
admin-csr.json
{"CN":"admin","key":{"algo":"rsa","size":2048},"names":[{"C":"CN","ST":"Shanghai","L":"Shanghai","O":"system:masters","OU":"Kubernetes-manual"}]}
# Sign the admin client certificate with the cluster CA. admin-csr.json sets
# O=system:masters, so the resulting admin.pem / admin-key.pem carry
# cluster-wide administrative rights and must be protected accordingly.
cfssljson -bare admin < <(cfssl gencert \
  -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=kubernetes admin-csr.json)
生成kubeconfig文件admin.conf
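# Build admin.conf. admin-csr.json places this certificate in O=system:masters,
# which Kubernetes binds to cluster-admin out of the box, and the API server
# does not check certificate revocation, so the identity stays valid until the
# CA itself is rotated. Treat admin.conf (it embeds admin-key.pem) as the most
# sensitive file produced by this guide.
admin_cfg=../admin.conf      # relative to /etc/kubernetes/pki
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://10.0.0.210:6443 --kubeconfig="$admin_cfg" || exit 1
kubectl config set-credentials kubernetes-admin --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true --kubeconfig="$admin_cfg" || exit 1
kubectl config set-context kubernetes-admin@kubernetes --cluster=kubernetes --user=kubernetes-admin --kubeconfig="$admin_cfg" || exit 1
kubectl config use-context kubernetes-admin@kubernetes --kubeconfig="$admin_cfg" || exit 1
# Embedded private key inside; kubectl normally writes 0600, enforce it anyway.
chmod 600 "$admin_cfg"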
生成controller-manager的私钥和证书
manager-csr.json
{"CN":"system:kube-controller-manager","key":{"algo":"rsa","size":2048},"names":[{"C":"CN","ST":"Shanghai","L":"Shanghai","O":"system:kube-controller-manager","OU":"Kubernetes-manual"}]}
# Controller-manager client certificate, signed by the cluster CA. The CSR's
# CN/O of system:kube-controller-manager is the identity the API server will see.
# Output files: controller-manager.pem, controller-manager-key.pem, controller-manager.csr.
cm_bundle=$(cfssl gencert \
  -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=kubernetes manager-csr.json)
printf '%s\n' "$cm_bundle" | cfssljson -bare controller-manager
生成kubeconfig文件controller-manager.conf
# Assemble controller-manager.conf with the CA and the client cert/key embedded,
# so the kubeconfig is self-contained. The user name matches the certificate CN.
cm_kubeconfig=../controller-manager.conf
cm_user=system:kube-controller-manager
apiserver_url=https://10.0.0.210:6443
kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem --embed-certs=true \
  --server="$apiserver_url" --kubeconfig="$cm_kubeconfig"
kubectl config set-credentials "$cm_user" \
  --client-certificate=controller-manager.pem --client-key=controller-manager-key.pem \
  --embed-certs=true --kubeconfig="$cm_kubeconfig"
kubectl config set-context "${cm_user}@kubernetes" \
  --cluster=kubernetes --user="$cm_user" --kubeconfig="$cm_kubeconfig"
kubectl config use-context "${cm_user}@kubernetes" --kubeconfig="$cm_kubeconfig"
生成scheduler的私钥和证书
scheduler-csr.json
{"CN":"system:kube-scheduler","key":{"algo":"rsa","size":2048},"names":[{"C":"CN","ST":"Shanghai","L":"Shanghai","O":"system:kube-scheduler","OU":"Kubernetes-manual"}]}
# Scheduler client certificate (CN/O system:kube-scheduler), signed by the
# cluster CA. Produces scheduler.pem, scheduler-key.pem and scheduler.csr.
cfssljson -bare scheduler < <(cfssl gencert \
  -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=kubernetes scheduler-csr.json)
生成kubeconfig文件scheduler.conf
# Assemble scheduler.conf; CA and client cert/key are embedded so the file
# stands alone. The user name matches the certificate CN.
sched_kubeconfig=../scheduler.conf
sched_user=system:kube-scheduler
apiserver_url=https://10.0.0.210:6443
kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem --embed-certs=true \
  --server="$apiserver_url" --kubeconfig="$sched_kubeconfig"
kubectl config set-credentials "$sched_user" \
  --client-certificate=scheduler.pem --client-key=scheduler-key.pem \
  --embed-certs=true --kubeconfig="$sched_kubeconfig"
kubectl config set-context "${sched_user}@kubernetes" \
  --cluster=kubernetes --user="$sched_user" --kubeconfig="$sched_kubeconfig"
kubectl config use-context "${sched_user}@kubernetes" --kubeconfig="$sched_kubeconfig"
kubernetes master节点kubelet证书生成
kubelet-csr.json
{"CN":"system:node:node210","key":{"algo":"rsa","size":2048},"names":[{"C":"CN","L":"Shanghai","ST":"Shanghai","O":"system:nodes","OU":"Kubernetes-manual"}]}
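# Kubelet certificate for node210 (CN system:node:node210, O system:nodes).
# -hostname supplies the SANs (node name and node IP). The original listing
# broke this option across two lines, which a shell would parse as two separate
# commands ("-hostname=" with an empty value, then "node210,10.0.0.210 ..." as a
# command); keep it on one logical line with explicit continuations.
cfssl gencert \
  -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -hostname=node210,10.0.0.210 -profile=kubernetes kubelet-csr.json \
  | cfssljson -bare kubelet || exit 1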
生成kubeconfig文件kubelet.conf
# Assemble kubelet.conf for node210 with the CA and client cert/key embedded.
# The user name matches the certificate CN (system:node:node210).
kubelet_kubeconfig=../kubelet.conf
kubelet_user=system:node:node210
apiserver_url=https://10.0.0.210:6443
kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem --embed-certs=true \
  --server="$apiserver_url" --kubeconfig="$kubelet_kubeconfig"
kubectl config set-credentials "$kubelet_user" \
  --client-certificate=kubelet.pem --client-key=kubelet-key.pem \
  --embed-certs=true --kubeconfig="$kubelet_kubeconfig"
kubectl config set-context "${kubelet_user}@kubernetes" \
  --cluster=kubernetes --user="$kubelet_user" --kubeconfig="$kubelet_kubeconfig"
kubectl config use-context "${kubelet_user}@kubernetes" --kubeconfig="$kubelet_kubeconfig"