K8S安装过程五：制作与生成证书

1. 下载PKI证书管理工具

wget -O cfssl https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl_1.6.3_linux_amd64

chmod +x cfssl

mv cfssl /usr/local/bin/

wget -O cfssljson https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssljson_1.6.3_linux_amd64

chmod +x cfssljson

mv cfssljson /usr/local/bin/
1
2
3
4
5
6
7
8
9
10
11

2. 创建CA根证书

• 创建 ca-config.json 文件

{
  "signing": {
      "default": {
          "expiry": "87600h"
        },
      "profiles": {
          "kubernetes": {
              "usages": [
                  "signing",
                  "key encipherment",
                  "server auth",
                  "client auth"
              ],
              "expiry": "87600h"
          }
      }
  }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

• 创建 ca-csr.json 文件

{
  "CN": "kubernetes",
  "key": {
      "algo": "rsa",
      "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "kubernetes",
      "OU": "system"
    }
  ],
  "ca": {
          "expiry": "87600h"
  }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

• 生成根证书

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
1

生成如下三个文件

* ca.csr
* ca-key.pem
* ca.pem
1
2
3

3. 给 kube-apiserver 生成证书

• 创建 kube-apiserver-csr.json 文件

{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.0.200",
    "192.168.0.233",
    "192.168.0.145",
    "192.168.0.110",
    "10.0.0.1",
    "10.255.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "kubernetes",
      "OU": "system"
    }
  ]
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

这个步骤中 hosts 列表中的内容非常关键，不在此范围内的节点访问此证书将会被拒绝。所以，请将 kubernetes集群中的节点IP加入进来，或对应的域名加入进来，hosts 列表中的值支持泛域名。

• 为 kube-apiserver 生成证书

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-apiserver-csr.json | cfssljson -bare kube-apiserver
1

生成的文件如下：

* kube-apiserver.csr  
* kube-apiserver-key.pem  
* kube-apiserver.pem
1
2
3

4. 给 kube-controller-manager 生成证书

• 创建 kube-controller-manager-csr.json 文件

{
    "CN": "system:kube-controller-manager",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "hosts": [
      "127.0.0.1",
      "192.168.0.200",
      "192.168.0.233",
      "192.168.0.110",
      "192.168.0.145"
    ],
    "names": [
      {
        "C": "CN",
        "ST": "Hubei",
        "L": "Wuhan",
        "O": "system:kube-controller-manager",
        "OU": "system"
      }
    ]
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

• 为 kube-controller-manager 生成证书

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
1

生成的文件如下：

* kube-controller-manager.csr
* kube-controller-manager-key.pem
* kube-controller-manager.pem
1
2
3

5. 给 kube-scheduler 生成证书

• 创建 kube-scheduler-csr.json文件

{
    "CN": "system:kube-scheduler",
    "hosts": [
      "127.0.0.1",
      "192.168.0.110",
      "192.168.0.200",
      "192.168.0.233",
      "192.168.0.145"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
      {
        "C": "CN",
        "ST": "Hubei",
        "L": "Wuhan",
        "O": "system:kube-scheduler",
        "OU": "system"
      }
    ]
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

• 为 kube-scheduler 生成证书

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
1

生成的文件如下：

* kube-scheduler.csr
* kube-scheduler-key.pem
* kube-scheduler.pem
1
2
3

6. 给 kube-proxy 生成证书- 创建 kube-proxy-csr.json 文件

{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "kubernetes",
      "OU": "system"
    }
  ]
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

• 为 kube-proxy 生成证书

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
1

生成的文件如下：

* kube-proxy-key.pem
* kube-proxy.pem
* kube-proxy.csr
1
2
3

7. 给 etcd 生成证书

• 创建 etcd-csr.json 文件

{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.0.200",
    "192.168.0.233",
    "192.168.0.145",
    "192.168.0.110"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [{
    "C": "CN",
    "ST": "Hubei",
    "L": "Wuhan",
    "O": "kubernetes",
    "OU": "system"
  }]
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

• 为 etcd 生成证书

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
1

生成的文件如下：

* etcd-key.pem
* etcd.pem
* etcd.csr
1
2
3

8. 生成管理证书

• 创建 admin-csr.json 文件

{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "system:masters",             
      "OU": "system"
    }
  ]
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

• 生成管理端证书

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
1

生成的文件如下：

* admin.csr
* admin.pem
* admin-key.pem
1
2
3

9. 证书分发到每个节点

整个kubernetes 集群都是用当前步骤生成的证书。首先将证书保存到 /etc/kubernetes/ssl 目录中

mkdir -pv /etc/kubernetes/ssl
cp ./*.pem /etc/kubernetes/ssl
1
2

将当前节点上生成的证书复制到其他节点，执行如下操作将证书拷贝到其他节点。

ssh root@其他节点IP地址或内网域名 "mkdir -pv /etc/kubernetes/ssl"
scp /etc/kubernetes/ssl/* root@其他节点IP地址或内网域名:/etc/kubernetes/ssl
1
2