• kubernetes 集群安全配置


    版本:v1.10.0-alpha.3

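    # Cluster CA: a 2048-bit RSA key and a self-signed CA certificate.
    # Everything the API server trusts (--client-ca-file) chains to this key, so
    # whoever can read ca.key can mint credentials the cluster accepts.
    openssl genrsa -out ca.key 2048

    # -nodes leaves ca.key unencrypted on disk (acceptable for a lab CA, not for a
    # shared one). -days 5000 is ~13.7 years; shorten it if this CA outlives the lab.
    openssl req -x509 -new -nodes -key ca.key -subj "/CN=mhc" -days 5000 -out ca.crt

    # Private key for the API server's serving certificate (signed further down).
    openssl genrsa -out server.key 2048

    # Whether genrsa already restricts the file mode depends on the OpenSSL build and
    # umask, so make both private keys owner-readable only regardless.
    chmod 600 ca.key server.key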

    /CN 后是主机名

    [root@mhc ssl]# cat master_ssl.cnf
    # OpenSSL request config for the API server's serving certificate.
    # It is used twice below: via -config when the CSR is created, and via
    # -extfile/-extensions when the CSR is signed, so the SANs end up in server.crt.
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [v3_req]
    # Serving certificate, not an issuing CA.
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation,digitalSignature,keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    # Every name or IP a client may dial must be listed here, or the client's TLS
    # verification fails: the in-cluster service names, the master hostname, the
    # kubernetes service ClusterIP and the master's external address.
    DNS.1 = kubernetes
    DNS.2 = kubernetes.default
    DNS.3 = kubernetes.default.svc
    DNS.4 = kubernetes.default.svc.cluster.local
    DNS.5 = mhc
    # NOTE(review): kube-apiserver below is started with --service-cluster-ip-range=10.0.0.0/16,
    # whose first address (the kubernetes service ClusterIP) is 10.0.0.1, not 10.254.0.1.
    # One of the two should change or in-cluster clients using the service IP will not
    # trust this certificate — confirm which value was intended.
    IP.1 = 10.254.0.1
    # External address used in the kubeconfig --server entries.
    IP.2 = 109.105.4.65
    --------------------------------------------------------------------------------------------

    # CSR for the API server key. -config pulls the SAN list from master_ssl.cnf;
    # the CN is the master's hostname.
    openssl req -new \
      -key server.key \
      -subj "/CN=mhc" \
      -config master_ssl.cnf \
      -out server.csr

    # Sign the CSR with the cluster CA. `openssl x509 -req` does not copy extensions
    # from the CSR by itself, so -extensions/-extfile are what actually put the SANs
    # into server.crt; without them the cert would only match CN=mhc.
    openssl x509 -req \
      -in server.csr \
      -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 5000 \
      -extensions v3_req -extfile master_ssl.cnf \
      -out server.crt

    ------------------------------------------------------------------------------------------

    启动apiserver

    # Start the API server with the plain-HTTP listener disabled (--insecure-port=0,
    # which makes --insecure-bind-address moot) and TLS on 6443 using server.crt/key.
    # --client-ca-file enables client-certificate authentication: any certificate
    # signed by ca.crt is accepted and its CN becomes the user name.
    # NOTE(review): no --authorization-mode is set, so this version's default
    # (AlwaysAllow) applies and every CA-signed client is fully privileged; add
    # --authorization-mode=Node,RBAC before this leaves the lab — confirm the default.
    # NOTE(review): etcd is reached over plain http:// with no client auth; etcd holds
    # every Secret, so bind it to localhost or front it with TLS and client certs.
    # NOTE(review): --service-cluster-ip-range=10.0.0.0/16 places the kubernetes
    # service at 10.0.0.1, while master_ssl.cnf lists 10.254.0.1 — make them agree.
    setsid kube-apiserver \
      --logtostderr=true --v=0 \
      --etcd-servers=http://109.105.4.65:4001 \
      --insecure-bind-address=0.0.0.0 --insecure-port=0 \
      --secure-port=6443 \
      --service-cluster-ip-range=10.0.0.0/16 \
      --client-ca-file=/root/test/k8s/ssl/ca.crt \
      --tls-private-key-file=/root/test/k8s/ssl/server.key \
      --tls-cert-file=/root/test/k8s/ssl/server.crt \
      > apiserver.log 2>&1

    ----------------------------------------------------------------------------------------------

    # Client certificate for controller-manager/scheduler, issued by the cluster CA.
    # The API server takes the user name from the CN (and groups from O= entries).
    # NOTE(review): /CN=mhc is also the server CN and the kubelet CN used later, so
    # every component presents the same identity; give each its own CN
    # (e.g. system:kube-controller-manager) so authorization can tell them apart.
    openssl genrsa -out cs_client.key 2048

    openssl req -new \
      -key cs_client.key \
      -subj "/CN=mhc" \
      -out cs_client.csr

    # No -extfile here: a client certificate needs no SANs.
    openssl x509 -req \
      -in cs_client.csr \
      -CA ../ssl/ca.crt -CAkey ../ssl/ca.key -CAcreateserial \
      -out cs_client.crt \
      -days 5000

    # Kubeconfig for controller-manager: cluster endpoint + CA, the client cert pair,
    # and a context joining them. set-context does not select the context; that still
    # needs `use-context my-context` or a manual edit of current-context.
    kubectl config --kubeconfig=kubeconfig set-cluster local \
      --server=https://109.105.4.65:6443 \
      --certificate-authority=/root/test/k8s/ssl/ca.crt

    # kubectl records these paths relative to the kubeconfig's own directory, so the
    # .crt/.key have to travel with the file; --embed-certs=true avoids that.
    kubectl config --kubeconfig=kubeconfig set-credentials controllermanager \
      --client-certificate=/root/test/k8s/client_ssl/cs_client.crt \
      --client-key=/root/test/k8s/client_ssl/cs_client.key

    kubectl config --kubeconfig=kubeconfig set-context my-context \
      --cluster=local --user=controllermanager

    [root@mhc client_ssl]# kubectl config --kubeconfig=kubeconfig view
    # kubeconfig as written by the three `kubectl config set-*` commands.
    apiVersion: v1
    clusters:
    - cluster:
        # CA that issued server.crt; kubectl verifies the API server against it.
        certificate-authority: /root/test/k8s/ssl/ca.crt
        server: https://109.105.4.65:6443
      name: local
    contexts:
    - context:
        cluster: local
        user: controllermanager
      name: my-context
    # Still empty: set-context creates a context but does not activate it, so this
    # file is unusable until current-context is set (use-context or a manual edit).
    current-context: ""
    kind: Config
    preferences: {}
    users:
    - name: controllermanager
      user:
        # NOTE(review): absolute paths were passed to set-credentials, yet the file
        # holds bare names — presumably relative to the kubeconfig's directory, so
        # moving the kubeconfig alone breaks them; --embed-certs=true avoids this.
        client-certificate: cs_client.crt
        client-key: cs_client.key
    -----------------------------------------------------------

    # Same kubeconfig after current-context has been filled in by hand.
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority: /root/test/k8s/ssl/ca.crt
        server: https://109.105.4.65:6443
      name: local
    contexts:
    - context:
        cluster: local
        user: controllermanager
      name: my-context
    # Now points at the only context, so kubectl and the control-plane components
    # using this file authenticate as "controllermanager" with the cs_client cert.
    current-context: "my-context"
    kind: Config
    preferences: {}
    users:
    - name: controllermanager
      user:
        # Bare names are resolved against the kubeconfig's directory; keep the
        # .crt/.key next to the file (or embed them) when it is copied to ~/.kube.
        client-certificate: cs_client.crt
        client-key: cs_client.key

    ---------------------------------------------------------

    # Controller manager and scheduler both reach the API server over TLS with the
    # controllermanager client certificate from the kubeconfig; no insecure port.
    # NOTE(review): --service-account-private-key-file reuses the API server's TLS
    # key to sign service-account tokens. A dedicated key pair (paired with
    # --service-account-key-file on kube-apiserver) keeps the serving key and the
    # token-signing key separable and independently rotatable.
    setsid kube-controller-manager \
      --logtostderr=true --v=0 \
      --service-account-private-key-file=/root/test/k8s/ssl/server.key \
      --root-ca-file=/root/test/k8s/ssl/ca.crt \
      --kubeconfig=/root/test/k8s/client_ssl/kubeconfig \
      > controller-manager.log 2>&1

    setsid kube-scheduler \
      --logtostderr=true --v=0 \
      --kubeconfig=/root/test/k8s/client_ssl/kubeconfig \
      > scheduler.log 2>&1

    将上边的kubeconfig 改名为config  放到/root/.kube

    [root@mhc .kube]# kubectl get componentstatus
    NAME                 STATUS    MESSAGE              ERROR
    controller-manager   Healthy   ok                   
    scheduler            Healthy   ok                   
    etcd-0               Healthy   {"health": "true"} 

    -----------------------------------------------------------------

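    # Kubelet client certificate, issued by the cluster CA.
    openssl genrsa -out kubelet_client.key 2048

    # CN is the node's own hostname. Shell comments start with `#`; a trailing
    # `// ...` is not a comment and gets handed to openssl as extra arguments.
    # NOTE(review): once the Node authorizer is enabled, kubelets are expected to
    # present /CN=system:node:<hostname>/O=system:nodes — confirm for this version.
    openssl req -new -key kubelet_client.key -subj "/CN=mhc" -out kubelet_client.csr

    openssl x509 -req -in kubelet_client.csr -CA ../ssl/ca.crt -CAkey ../ssl/ca.key -CAcreateserial -out kubelet_client.crt -days 5000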

    # Kubeconfig for the node: same cluster entry as the control plane, but the
    # kubelet client certificate as credentials.
    kubectl config --kubeconfig=kubeconfig set-cluster local \
      --server=https://109.105.4.65:6443 \
      --certificate-authority=/root/test/k8s/ssl/ca.crt

    # Paths end up relative to the kubeconfig's directory; --embed-certs=true makes
    # the file self-contained if it is to be copied elsewhere.
    kubectl config --kubeconfig=kubeconfig set-credentials kubelet \
      --client-certificate=/root/test/k8s/node_ssl/kubelet_client.crt \
      --client-key=/root/test/k8s/node_ssl/kubelet_client.key

    # Creates the context only; current-context still has to be set afterwards.
    kubectl config --kubeconfig=kubeconfig set-context my-context \
      --cluster=local --user=kubelet

    修改其中的 current-context

    ----------------------------------------------------------

    # Kubelet authenticates to the API server with the node kubeconfig.
    # NOTE(review): nothing here protects the kubelet's own API. --address=0.0.0.0
    # binds port 10250 on every interface, and with no --anonymous-auth=false,
    # --client-ca-file or --authorization-mode, this version's defaults (anonymous
    # allowed, AlwaysAllow) apply; the read-only port (10255 by default) is open too.
    # Confirm the defaults, then add those flags and --read-only-port=0 — the API
    # server will then also need --kubelet-client-certificate/--kubelet-client-key
    # so `kubectl logs/exec` keep working.
    # --fail-swap-on=false only silences the swap check; no security effect.
    setsid kubelet \
      --logtostderr=true --v=0 \
      --address=0.0.0.0 \
      --cgroup-driver=systemd \
      --kubeconfig=/root/test/k8s/node_ssl/kubeconfig \
      --fail-swap-on=false \
      > kubelet.log 2>&1

    # kube-proxy reuses the kubelet identity; a separate cert would let the two be
    # distinguished once authorization is tightened.
    setsid kube-proxy \
      --logtostderr=true --v=0 \
      --kubeconfig=/root/test/k8s/node_ssl/kubeconfig \
      > proxy.log 2>&1

    ----------------------------------------------------------

    [root@mhc .kube]# kubectl get node
    NAME      STATUS    ROLES     AGE       VERSION
    mhc       Ready     <none>    2m        v1.10.0-alpha.3

  • 原文地址:https://www.cnblogs.com/mhc-fly/p/8413569.html