本文整理 node 节点所需的证书创建,以及 kubelet/kube-proxy 连接 API Server 时的 kubeconfig 相关设定。这些步骤已固化为脚本,内容仍放在 GitHub 的 easypack 项目中。
kube-proxy 的 CSR 文件内容如下,其中指定了密钥算法类型和长度以及证书主体(names)的相关设定。hosts 留空是因为这是客户端证书,只靠 CN/O 标识身份,不需要 SAN(后面 cfssl 输出的 "lacks a hosts field" 警告即由此而来,可以忽略)。注意示例中 ST(省/州)与 L(市)的值互换了:DaLian 是市,LiaoNing 是省。
[root@host131 k8s]# cat kubeproxy-csr.json
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "DaLian",
"L": "LiaoNing",
"O": "K8S",
"OU": "System"
}
]
}
[root@host131 k8s]#
将可变部分抽取到 install.cfg 中,形成如下脚本示例:
[root@host131 shell]# cat step8-1-prepare-node.sh
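#!/bin/sh
# step8-1-prepare-node.sh
#
# Prepares the node-side credentials for the cluster:
#   1. issues the kube-proxy client certificate from the cluster CA (cfssl),
#   2. writes the bootstrap kubeconfig (token auth) used by kubelet for
#      TLS bootstrapping,
#   3. writes the kube-proxy kubeconfig (client-cert auth),
#   4. (re)creates the ClusterRoleBinding that lets the bootstrap user
#      request node certificates.
#
# All settings are read from ./install.cfg (ENV_* variables). kubectl must
# already reach the API server with admin rights for step 4.
#
# Security notes:
#   - The kube-proxy private key and both kubeconfig files contain secret
#     material (the bootstrap token; with --embed-certs the client key is
#     stored inside the kubeconfig). umask 077 keeps everything this script
#     creates owner-only; copy the files to nodes over an authenticated
#     channel, not via a world-readable share.
#   - The bootstrap token is shared by every node that bootstraps with it and
#     anyone holding it can request node client certificates; keep the token
#     file 0600 and rotate the token.
#
# Fixes relative to the original script:
#   - "ST" and "L" in the CSR were filled from each other's variable.
#   - use-context for kube-proxy targeted the literal file
#     kube-proxy.kubeconfig instead of ${ENV_KUBECONFIG_KUBEPROXY}.
#   - error paths exited with status 0.

set -eu
umask 077

. ./install.cfg

# Print a message on stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# cfssl/cfssljson are downloaded binaries: make them executable and put them
# on PATH for the rest of the script.
chmod 755 "${ENV_HOME_CFSSL}"/* \
  || die "prepare downloaded cfssl tools in ${ENV_HOME_CFSSL} in advance"
export PATH="${ENV_HOME_CFSSL}:${PATH}"

# cfssljson writes relative to the cwd, so work inside the cert directory.
mkdir -p "${ENV_SSL_K8S_DIR}" && cd "${ENV_SSL_K8S_DIR}" \
  || die "failed to create dir :${ENV_SSL_K8S_DIR}"

ca_pem="${ENV_SSL_CA_DIR}/${ENV_SSL_FILE_CA_PEM}"
proxy_cert="${ENV_SSL_K8S_DIR}/${ENV_SSL_PROXY_CERT_PRIFIX}.pem"
proxy_key="${ENV_SSL_K8S_DIR}/${ENV_SSL_PROXY_CERT_PRIFIX}-key.pem"

# CSR for the kube-proxy client certificate. "hosts" is empty on purpose:
# a client cert is identified by its subject (CN/O), not by a SAN, so the
# cfssl "lacks a hosts field" warning is expected.
cat > "${ENV_SSL_PROXY_CSR}" <<EOF
{
  "CN": "${ENV_SSL_PROXY_CSR_CN}",
  "hosts": [],
  "key": {
    "algo": "${ENV_SSL_KEY_ALGO}",
    "size": ${ENV_SSL_KEY_SIZE}
  },
  "names": [
    {
      "C": "${ENV_SSL_NAMES_C}",
      "ST": "${ENV_SSL_NAMES_ST}",
      "L": "${ENV_SSL_NAMES_L}",
      "O": "${ENV_SSL_NAMES_O}",
      "OU": "${ENV_SSL_NAMES_OU}"
    }
  ]
}
EOF

# Sign the CSR with the cluster CA using the k8s profile from the CA config.
cfssl gencert -ca="${ca_pem}" \
  -ca-key="${ENV_SSL_CA_DIR}/${ENV_SSL_FILE_CA_KEY}" \
  -config="${ENV_SSL_CA_DIR}/${ENV_SSL_FILE_CA_CONFIG}" \
  -profile="${ENV_SSL_PROFILE_K8S}" "${ENV_SSL_PROXY_CSR}" \
  | cfssljson -bare "${ENV_SSL_PROXY_CERT_PRIFIX}"
# POSIX sh has no pipefail, so confirm the outputs actually exist rather than
# trusting the pipeline's status.
[ -s "${proxy_cert}" ] && [ -s "${proxy_key}" ] \
  || die "cfssl did not produce ${proxy_cert} and ${proxy_key}"
ls "${ENV_SSL_K8S_DIR}/${ENV_SSL_PROXY_CERT_PRIFIX}"*pem

# Bootstrap token: first comma-separated field of the first line of the token
# file (presumably the apiserver --token-auth-file format, token,user,uid,...
# — confirm against install.cfg). Only the first line is used; the original
# printed field 1 of every line, which for a multi-line file produced a
# newline-joined value that word-split into several --token arguments.
BOOTSTRAP_TOKEN=$(awk -F ',' 'NR == 1 { print $1; exit }' \
  "${ENV_KUBE_DIR_ETC}/${ENV_KUBE_API_TOKEN}")
[ -n "${BOOTSTRAP_TOKEN}" ] \
  || die "no bootstrap token found in ${ENV_KUBE_DIR_ETC}/${ENV_KUBE_API_TOKEN}"

# set_cluster FILE
# Defines the cluster entry (CA-pinned API server endpoint) in kubeconfig FILE.
set_cluster() {
  kubectl config set-cluster "${ENV_KUBECONFIG_CLUSTER}" \
    --certificate-authority="${ca_pem}" \
    --embed-certs="${ENV_KUBECONFIG_EMBED_CERTS}" \
    --server="${ENV_KUBE_MASTER_HTTPS}" \
    --kubeconfig="$1"
}

# set_context FILE USER
# Binds USER to the cluster in the default context of FILE and selects it.
set_context() {
  kubectl config set-context "${ENV_KUBECONFIG_CONTEXT_DEFAULT}" \
    --cluster="${ENV_KUBECONFIG_CLUSTER}" \
    --user="$2" \
    --kubeconfig="$1"
  kubectl config use-context "${ENV_KUBECONFIG_CONTEXT_DEFAULT}" \
    --kubeconfig="$1"
}

# --- bootstrap kubeconfig: token auth for kubelet TLS bootstrapping ---
set_cluster "${ENV_KUBECONFIG_BOOTSTRAP}"
kubectl config set-credentials "${ENV_KUBECONFIG_CLIENT_KUBELET}" \
  --token="${BOOTSTRAP_TOKEN}" \
  --kubeconfig="${ENV_KUBECONFIG_BOOTSTRAP}"
set_context "${ENV_KUBECONFIG_BOOTSTRAP}" "${ENV_KUBECONFIG_CLIENT_KUBELET}"

# --- kube-proxy kubeconfig: client-cert auth with the cert issued above ---
set_cluster "${ENV_KUBECONFIG_KUBEPROXY}"
kubectl config set-credentials "${ENV_KUBECONFIG_CLIENT_KUBEPROXY}" \
  --client-certificate="${proxy_cert}" \
  --client-key="${proxy_key}" \
  --embed-certs="${ENV_KUBECONFIG_EMBED_CERTS}" \
  --kubeconfig="${ENV_KUBECONFIG_KUBEPROXY}"
set_context "${ENV_KUBECONFIG_KUBEPROXY}" "${ENV_KUBECONFIG_CLIENT_KUBEPROXY}"

# These files carry secrets; enforce owner-only mode even when they already
# existed from a previous run (umask only affects newly created files).
chmod 600 "${ENV_KUBECONFIG_BOOTSTRAP}" "${ENV_KUBECONFIG_KUBEPROXY}" "${proxy_key}"

# --- RBAC: allow the bootstrap user to submit node CSRs ---
# --user must match the user name the API server assigns to BOOTSTRAP_TOKEN
# (the user column of the token file), otherwise the kubelet authenticates
# but is not authorized. Delete first: "kubectl create" fails when the
# binding already exists, so this keeps the script re-runnable.
if kubectl get clusterrolebinding "${ENV_KUBECONFIG_CLIENT_KUBELET}" >/dev/null 2>&1; then
  kubectl delete clusterrolebinding "${ENV_KUBECONFIG_CLIENT_KUBELET}"
fi
kubectl create clusterrolebinding "${ENV_KUBECONFIG_CLIENT_KUBELET}" \
  --clusterrole="${ENV_KUBECONFIG_ROLE_BOOTSTRAPPER}" \
  --user="${ENV_KUBECONFIG_CLIENT_KUBELET}"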
[root@host131 shell]#
设定文件 install.cfg 的内容可在 GitHub 的 easypack 项目中查看(此处未列出)。脚本执行结果如下:
[root@host131 shell]# sh step8-1-prepare-node.sh
2019/03/24 19:51:52 [INFO] generate received request
2019/03/24 19:51:52 [INFO] received CSR
2019/03/24 19:51:52 [INFO] generating key: rsa-2048
2019/03/24 19:51:54 [INFO] encoded CSR
2019/03/24 19:51:54 [INFO] signed certificate with serial number 696296882974787035892630786248589006843759309365
2019/03/24 19:51:54 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
/etc/ssl/k8s/cert-kubeproxy-key.pem /etc/ssl/k8s/cert-kubeproxy.pem
Cluster "kubernetes" set.
User "kubelet-bootstrap" set.
Context "default" modified.
Switched to context "default".
Cluster "kubernetes" set.
User "kube-proxy" set.
Context "default" modified.
Switched to context "default".
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
[root@host131 shell]#
这样 node 上相关的主要准备就基本就绪,接下来就可以启动 kube-proxy 和 kubelet 了。注意生成的 kube-proxy 私钥、bootstrap.kubeconfig(含 bootstrap token)以及 kube-proxy.kubeconfig(因 --embed-certs 内嵌了客户端私钥)都是敏感文件,分发到 node 时应通过安全通道传输并保持 0600 权限。