• k8s 三节点签发所需证书


      准备三台主机:

           192.168.1.71

           192.168.1.72

           192.168.1.73

    Step1:

      在第一台  192.168.1.71 签发证书  也可以在其它机器进行签发证书

           创建一个保存证书的目录 最好在 /etc/ 下

      mkdir -pv /etc/ssl/k8s

      cd /etc/ssl/k8s

      创建ca.key

      openssl genrsa -out ca.key  3072

      编辑ca证书签发key给k8s准备的配置文件

      vi ca.cnf

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    
    [ v3_req ]
    keyUsage = critical, cRLSign, keyCertSign, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:true, pathlen:2

      使用ca配置文件签发 ca 根证书 ca.pem

      openssl req -x509 -new -nodes -key ca.key -days 1095 -out ca.pem -subj "/CN=kubernetes/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config ca.cnf -extensions v3_req

      

      签发 API 证书

      vim api-server.cnf  

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    #subjectKeyIdentifier = hash
    #authorityKeyIdentifier = keyid:always,issuer
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 10.0.0.1
    IP.5 = 192.168.1.70
    IP.2 = 192.168.1.71
    IP.3 = 192.168.1.72
    IP.4 = 192.168.1.73
    DNS.1 = kubernetes
    DNS.2 = kubernetes.default
    DNS.3 = kubernetes.default.svc
    DNS.4 = kubernetes.default.svc.cluster
    DNS.5 = kubernetes.default.svc.cluster.local

      配置文件简单讲解 

      10.0.0.1        是集群使用的ip这个ip地址段可以容纳40多万ip

        192.168.1.70 是后期集群高可用阶段使用的虚拟vip 配合keepalive进行使用

      开始生成api.key

      3072指的是长度

      openssl genrsa -out apiserver.key 3072

      生成api请求证书apiserver.csr

      openssl req -new -key apiserver.key -out apiserver.csr -subj "/CN=kubernetes/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config api-server.cnf

      签发证书之前 修改 api-server.cnf 配置文件 去掉注释的2行

      

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 10.0.0.1
    IP.5 = 192.168.1.70
    IP.2 = 192.168.1.71
    IP.3 = 192.168.1.72
    IP.4 = 192.168.1.73
    DNS.1 = kubernetes
    DNS.2 = kubernetes.default
    DNS.3 = kubernetes.default.svc
    DNS.4 = kubernetes.default.svc.cluster
    DNS.5 = kubernetes.default.svc.cluster.local

      开始签发证书 最后 -days 1095 是证书有效期限 如果是企业使用最好 数字设置的大点 避免以后出问题

      openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out apiserver.pem -days 1095 -extfile api-server.cnf -extensions v3_req

      查看 apiserver.pem 证书信息

      openssl x509 -noout -text -in apiserver.pem

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                c3:09:20:fd:72:67:da:7a
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=kubernetes, OU=System, C=CN, ST=Beijing, L=Beijing, O=k8s
            Validity
                Not Before: May 18 05:51:47 2019 GMT
                Not After : May 17 05:51:47 2022 GMT
            Subject: CN=kubernetes, OU=System, C=CN, ST=Beijing, L=Beijing, O=k8s
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (3072 bit)
                    Modulus:
                        00:cc:65:a0:e6:97:64:51:f7:42:c1:c8:bc:43:89:
                        63:6e:9d:1d:23:9b:a9:0a:e3:e6:a5:0e:7a:1d:a9:
                        3c:dc:5d:0f:c8:99:f5:1b:39:ad:39:f2:f7:d3:c9:
                        66:47:33:01:5d:db:53:5a:23:e2:49:75:d7:4a:61:
                        bb:8b:c3:a3:b2:00:9a:01:6f:98:26:4e:cb:16:b3:
                        38:f7:3b:be:e5:b5:9e:e9:0c:e5:c7:d8:bb:8b:a4:
                        3d:f8:99:e0:34:93:0c:48:d7:c7:c2:72:63:42:2f:
                        ff:94:c8:d0:47:c2:3a:56:fd:ae:79:b7:cb:8e:72:
                        c6:8b:6a:33:be:34:82:bd:6e:1e:b9:23:1b:01:c8:
                        c5:db:11:3e:5f:c6:66:a2:f6:6a:c0:67:0b:b9:8a:
                        36:2a:ce:07:54:08:a9:50:1e:bc:52:cc:9b:af:ee:
                        1d:f4:b8:15:77:a1:4d:75:e4:9d:14:35:8a:58:ed:
                        77:d6:e3:2f:c8:e2:14:9c:9e:75:ea:82:b9:e4:4f:
                        3a:7b:88:d2:93:39:37:b9:c5:74:cd:74:5f:47:0c:
                        4d:fc:a8:c0:af:f5:4c:c9:c5:7f:bb:4e:57:58:36:
                        12:bc:54:54:db:bd:af:3f:8f:e6:8b:ca:34:50:26:
                        6f:d2:8c:b6:ee:cf:2d:d2:62:ae:32:26:8d:da:8a:
                        d0:a3:7c:40:60:97:0c:b4:de:4c:77:9d:28:3e:73:
                        1f:91:23:76:5b:3b:d9:74:85:fd:69:d4:b3:fd:1d:
                        5a:8b:38:35:51:07:5a:09:c8:53:67:89:f8:e6:d1:
                        99:63:7d:d9:7f:a9:ca:49:ab:a6:80:14:68:cb:8d:
                        4c:b5:42:5e:24:f3:2f:54:04:3f:be:a8:9d:65:84:
                        46:ed:6a:85:7d:6a:b6:62:4a:69:05:0d:da:2f:92:
                        85:bd:de:18:b4:48:4b:fc:3f:26:49:92:17:47:91:
                        dd:b5:7a:4d:e3:9e:c5:1f:39:58:bd:52:c3:05:65:
                        0b:4e:f0:2b:2d:b6:af:65:1a:13
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage: 
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Key Identifier: 
                    D8:15:2E:2C:D1:28:59:EC:0C:97:6E:85:5F:3D:8B:90:7F:FD:40:1F
                X509v3 Authority Key Identifier: 
                    keyid:B8:73:3B:D4:66:50:67:B9:3C:E1:3C:31:AD:91:CD:4D:94:6E:CA:A5
    
                X509v3 Subject Alternative Name: 
                    IP Address:10.0.0.1, IP Address:192.168.1.70, IP Address:192.168.1.71, IP Address:192.168.1.72, IP Address:192.168.1.73, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local
        Signature Algorithm: sha256WithRSAEncryption
             b1:db:2f:81:48:01:83:16:2b:78:0e:ad:25:cd:46:e8:bd:f7:
             ba:5c:7b:a8:74:a9:d3:9c:1b:0b:48:06:68:84:b6:57:99:2f:
             c5:33:5f:5e:15:79:de:74:87:15:bc:54:be:a9:cf:a9:5a:cc:
             b6:3e:61:34:c1:f1:2a:94:c3:89:a1:06:67:4c:d3:84:fa:89:
             1c:df:8d:d5:38:d8:5b:d7:0b:7e:da:aa:fb:7c:64:e2:68:21:
             15:b8:7f:35:7a:58:48:7d:f6:89:4b:f8:84:44:96:45:9d:e8:
             7f:e0:cf:a2:21:ab:29:94:1e:aa:0e:5d:ea:44:69:5c:ff:4a:
             5f:f2:f1:bf:0b:1c:f0:95:c6:9b:1a:20:d5:fb:33:42:0a:fc:
             17:c5:ba:76:fe:bd:12:ac:9a:8c:c7:2b:0e:ae:b1:f1:30:43:
             ea:8d:8b:c8:b3:45:98:f6:d8:3d:71:b3:cd:7e:f7:f6:92:1c:
             1a:c8:69:5e:67:ad:c5:a6:13:1a:e4:cb:50:ca:a6:96:56:4e:
             ed:50:4f:6a:0f:de:c8:3b:b6:e5:15:e2:b6:53:48:ab:9a:c6:
             68:18:2d:ac:1c:90:a9:f2:4d:c0:44:6c:ed:48:9e:d7:72:1c:
             e3:49:f5:3d:33:67:6c:24:ed:6c:6e:07:0d:59:dc:59:ec:fa:
             76:ae:ff:40:ad:ea:b2:d4:aa:42:19:16:67:06:07:05:59:c0:
             1e:e5:5a:b8:03:c5:1c:5c:18:6d:40:41:50:9e:69:fd:90:f4:
             ab:5e:91:2a:6b:a0:64:c9:39:9d:f8:f2:04:1f:f4:35:fb:58:
             08:17:f7:17:4c:41:30:95:98:a7:e3:59:7c:a4:60:56:a0:01:
             e9:d3:6f:93:76:6f:09:38:35:37:4d:15:02:f8:e6:9b:0f:1d:
             f7:1b:7b:bc:4a:e8:ed:44:1a:ba:84:e1:13:da:cb:06:6d:b9:
             96:43:f3:a2:d8:25:20:01:51:83:99:bd:f7:5f:b1:5d:52:9f:
             32:5c:b0:4a:40:1c

      从上面可以看出这个证书对哪些ip是有效的

      签发 kubelet 证书

      配置签发 kubelet 证书文件 一台一台进行添加

      vi client.cnf

      从下面可以看出证书只对 192.168.1.71 有效

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 192.168.1.71

      首先设置一个变量 方便点 证书主要以 ip 地址后 2 段记名称

      fn=1-71

      生成 kubelet-$fn.key 

      openssl genrsa -out kubelet-$fn.key 3072

      生成证书请求

      openssl req -new -key kubelet-$fn.key -out kubelet-$fn.csr -subj "/CN=admin/OU=System/C=CN/ST=Beijing/L=Beijing/O=system:masters" -config client.cnf

      签发证书

      openssl x509 -req -in kubelet-$fn.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kubelet-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req

      

      使用同样的方法给 以下 2 台主机进行签发证书

      192.168.1.72

      192.168.1.73

      修改 client.cnf 配置文件 ip 地址

      vi client.cnf

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 192.168.1.72

      修改 fn 变量标签

      fn=1-72

      同样执行以下命令

      openssl genrsa -out kubelet-$fn.key 3072

      openssl req -new -key kubelet-$fn.key -out kubelet-$fn.csr -subj "/CN=admin/OU=System/C=CN/ST=Beijing/L=Beijing/O=system:masters" -config client.cnf

      openssl x509 -req -in kubelet-$fn.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kubelet-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req

      

      使用同样的方法修改 client.cnf 配置文件 fn 变量 签发 192.168.1.73 证书

      vi client.cnf

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 192.168.1.73

      fn=1-73

      重新执行上面的3条命令 签发证书

      查看当前目录 因证书太多 容易整乱 创建相对应目录保存证书文件

      pwd

      /etc/ssl/k8s

      mkdir apiserver

      mkdir kubelet

      mv api-server.cnf apiserver.* apiserver

      mv kubelet-1-7* kubelet

      

      签发kube-proxy证书 基本和上面的操作类似 但是名称变了

      重新设置变量 fn

      fn=1-71

      修改 client.cnf  配置文件

      vi client.cnf

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 192.168.1.71

      生成kube-proxy-$fn.key

      openssl genrsa -out kube-proxy-$fn.key 3072

      生成证书请求

      openssl req -new -key kube-proxy-$fn.key -out kube-proxy-$fn.csr -subj "/CN=system:kube-proxy/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config client.cnf

      签发证书

      openssl x509 -req -in kube-proxy-$fn.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kube-proxy-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req

      同样 修改 client.cnf 配置文件 ip  fn 变量 给 72 73 主机签发kube-proxy证书

      之后创建 kube-proxy 目录保存刚才创建的 kube-proxy 证书

      mkdir kube-proxy

      mv kube-proxy-1-7* kube-proxy

      

      签发etcd证书文件 

      首先签发 192.168.1.71 然后用同样的方法 修改配置文件签发第二台和第三台证书

      编辑 client.cnf 文件  

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 192.168.1.71

      设置 fn 变量

      fn=1-71

      生成etcd-$fn.key

      openssl genrsa -out etcd-$fn.key 3072

      生成证书请求

      openssl req -new -key etcd-$fn.key -out etcd-$fn.csr -subj "/CN=etcd/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config client.cnf

      签发证书

      openssl x509 -req -in etcd-$fn.csr -out etcd-$fn.pem -CA ca.pem -CAkey ca.key -CAcreateserial -days 1095 -extfile client.cnf -extensions v3_req

      切记使用同样的方法签发其他2台主机的etcd证书

      创建etcd目录保存证书文件

      mkdir etcd

      mv etcd-1-7* etcd

      签发 flanneld 证书

      重新设置变量fn

      fn=1-71

      修改 client.cnf 配置文件  

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 192.168.1.71

      生成flanneld-$fn.key

      openssl genrsa -out flanneld-$fn.key 3072

      生成证书flanneld-$fn.csr请求

      openssl req -new -key flanneld-$fn.key -out flanneld-$fn.csr -subj "/CN=flanneld/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config client.cnf

      签发证书 flanneld-$fn.pem

      openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in flanneld-$fn.csr -out flanneld-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req

      使用同样的方法 修改 client.cnf 配置文件ip fn变量签发其它2台主机的flanneld证书

      最后创建目录保存 flanneld 证书

      mkdir flanneld

      mv flanneld-1-7* flanneld

      到此k8s基本所需的证书都已经签发结束了 请看下节 etcd 安装

  • 相关阅读:
    ListView点击事件
    ListView优化:
    自定义ListView
    ListView简单使用
    mysql中show processlist过滤和杀死线程
    自定义控件
    yum配置中driver-class-name: com.mysql.jdbc.Driver报错
    CSS+HTML
    maven的配置
    Model、ModelMap、ModelAndView的作用及区别
  • 原文地址:https://www.cnblogs.com/S--S/p/10885952.html
Copyright © 2020-2023  润新知