The following material is taken from 《Kubernetes 权威指南》 (The Definitive Guide to Kubernetes).

Generating the certificate files
openssl genrsa -out ca.key 2048        # genrsa generates an RSA private key (the CA key)
openssl req -x509 -new -nodes -key ca.key -subj "/CN=kube-master" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048
vim master_ssl.cnf
[req]
req_extensions=v3_req
distinguished_name=req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=@alt_names
[alt_names]
DNS.1=kubernetes
DNS.2=kubernetes.default
DNS.3=kubernetes.default.svc
DNS.4=kubernetes.default.svc.cluster.local
DNS.5=kube-master
IP.1=169.169.0.1
IP.2=192.168.56.3

(The SAN entries must be dotted DNS names as above; the scraped text had them written with colons, which are not valid hostnames.) Next generate the server CSR with this extension file and sign it with the CA. The text omits the CSR step, so it is given here; server.csr must exist before the x509 command can run:

openssl req -new -key server.key -subj "/CN=kube-master" -config master_ssl.cnf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt

Copy the generated ca.crt, ca.key, ca.srl, server.crt, server.csr and server.key into a directory such as /var/run/kubernetes, then add the following to the kube-apiserver startup parameters:
--client-ca-file=/var/run/kubernetes/ca.crt --tls-private-key-file=/var/run/kubernetes/server.key --tls-cert-file=/var/run/kubernetes/server.crt

At the same time you can close the insecure port 8080 and set the secure port to 6443; after this the existing kubectl setup will no longer work:
--insecure-port=0 --secure-port=6443

Then restart kube-apiserver.
Setting up the kube-controller-manager client certificate, private key and startup parameters
openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=kube-master" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cs_client.crt -days 5000

Likewise move the generated cs* files into the /var/run/kubernetes directory, then edit the kubeconfig:

vim /etc/kubernetes/kubeconfig
apiVersion: v1
kind: Config
users:
- name: controllermanager
  user:
    client-certificate: /var/run/kubernetes/cs_client.crt
    client-key: /var/run/kubernetes/cs_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: local
    user: controllermanager
  name: my-context
current-context: my-context

Add the following to the startup parameters of the kube-controller-manager service:
--master=https://192.168.56.3:6443 --service-account-private-key-file=/var/run/kubernetes/server.key --root-ca-file=/var/run/kubernetes/ca.crt --kubeconfig=/etc/kubernetes/kubeconfig

Set the kube-scheduler startup parameters:
--master=https://127.0.0.1:6443 --kubeconfig=/etc/kubernetes/kubeconfig

Copy the kube-apiserver's ca.crt and ca.key to the node, then generate the key, csr and crt files in turn:
openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=kube-master" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000

Then move these files under /var/run/kubernetes and edit the kubeconfig:

vim /etc/kubernetes/kubeconfig
apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: /var/run/kubernetes/kubelet_client.crt
    client-key: /var/run/kubernetes/kubelet_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: local
    user: kubelet
  name: my-context
current-context: my-context

Set the kubelet startup parameters and restart it:
--api-servers=https://kube-master:6443 --kubeconfig=/etc/kubernetes/kubeconfig

Set the kube-proxy startup parameters and restart it:
--master=https://kube-master:6443 --kubeconfig=/etc/kubernetes/kubeconfig

At this point a Kubernetes cluster using CA-based mutual (two-way) certificate authentication is fully set up.

Configuring the kubectl client to access the apiserver securely:
kubectl --server=https://kube-master:6443 --certificate-authority=/var/run/kubernetes/ca.crt --client-certificate=/var/run/kubernetes/cs_client.crt --client-key=/var/run/kubernetes/cs_client.key get nodes

Specifying all of this every time is tedious; we can use an alias, or open the apiserver's port 8080. It seems kubectl config could be used for this, but I was unable to get it to run successfully.