摘要:随着版本的不断迭代,k8s为了集群安全,集群中趋向采用TLS+RBAC的安全配置方式,所以我们在部署过程中,所有组件都需要证书,并启用RBAC认证。
我们这里采用二进制安装,下载解压后,把对应组件二进制文件copy到指定节点
master节点组件:kube-apiserver、etcd、kube-controller-manager、kube-scheduler、kubectl
node节点组件:kubelet、kube-proxy、docker、coredns、calico
部署master组件
1)下载kubernetes二进制安装包
解压下载的压缩包,并把对应的二进制文件分发至对应master或者node节点的指定位置
[root@k8s-master01 ~]# cd k8s/
[root@k8s-master01 k8s]# wget https://storage.googleapis.com/kubernetes-release/release/v1.14.1/kubernetes-server-linux-amd64.tar.gz
[root@k8s-master01 k8s]# tar -xf kubernetes-server-linux-amd64.tar.gz
##master二进制命令文件传输
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.18:/usr/local/bin/
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.19:/usr/local/bin/
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.20:/usr/local/bin/
##node节点二进制文件传输
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-proxy,kubelet} 10.10.0.21:/usr/local/bin/
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-proxy,kubelet} 10.10.0.22:/usr/local/bin/
2)创建admin证书
kubectl用于日常直接管理K8S集群,kubectl要进行管理k8s,就需要和k8s的组件进行通信,也就需要用到证书。kubectl我们部署在三台master节点
[root@k8s-master01 ~]# vim /opt/k8s/certs/admin-csr.json
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "ShangHai",
"L": "ShangHai",
"O": "system:masters",
"OU": "System"
}
]
}
3)生成admin证书和私钥
[root@k8s-master01 ~]# cd /opt/k8s/certs/
[root@k8s-master01 certs]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
-ca-key=/etc/kubernetes/ssl/ca-key.pem \
-config=/opt/k8s/certs/ca-config.json \
-profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/04/23 14:56:49 [INFO] generate received request
2019/04/23 14:56:49 [INFO] received CSR
2019/04/23 14:56:49 [INFO] generating key: rsa-2048
2019/04/23 14:56:49 [INFO] encoded CSR
2019/04/23 14:56:49 [INFO] signed certificate with serial number 506524128693715675957824591128854950490977162654
2019/04/23 14:56:49 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
4)查看证书
[root@k8s-master01 certs]# ll admin*
-rw-r--r-- 1 root root 1013 Apr 23 14:56 admin.csr
-rw-r--r-- 1 root root 231 Apr 23 14:54 admin-csr.json
-rw------- 1 root root 1679 Apr 23 14:56 admin-key.pem
-rw-r--r-- 1 root root 1407 Apr 23 14:56 admin.pem
5)分发证书
[root@k8s-master01 certs]# ansible k8s-master -m copy -a 'src=/opt/k8s/certs/admin-key.pem dest=/etc/kubernetes/ssl/'
[root@k8s-master01 certs]# ansible k8s-master -m copy -a 'src=/opt/k8s/certs/admin.pem dest=/etc/kubernetes/ssl/'
6)生成kubeconfig 配置文件
下面几个步骤会在家目录下的.kube生成config文件,之后kubectl和api通信就需要用到该文件,这也就是说如果在其他节点上操作集群需要用到这个kubectl,就需要将该文件拷贝到其他节点。
设置集群参数
[root@k8s-master01 ~]# kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443
Cluster "kubernetes" set.
# 设置客户端认证参数
[root@k8s-master01 ~]# kubectl config set-credentials admin \
--client-certificate=/etc/kubernetes/ssl/admin.pem \
--embed-certs=true \
--client-key=/etc/kubernetes/ssl/admin-key.pem
User "admin" set.
#设置上下文参数
[root@k8s-master01 ~]# kubectl config set-context admin@kubernetes \
--cluster=kubernetes \
--user=admin
Context "admin@kubernetes" created.
# 设置默认上下文
[root@k8s-master01 ~]# kubectl config use-context admin@kubernetes
Switched to context "admin@kubernetes".
以上操作会在当前目录下生成.kube/config文件,后续操作集群时,apiserver需要对该文件进行验证,创建的admin用户对kubernetes集群有所有权限(集群管理员)。
来源:oschina
链接:https://my.oschina.net/u/4350643/blog/3562709