  • k8s 签发证书

    3节点

      192.168.52.6  master

      192.168.52.7  node1

      192.168.52.8  node2

        CA 证书签发

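          # Everything below writes private keys: create them owner-only and keep the
          # whole PKI in one root-owned directory.
          umask 077
          mkdir -p /etc/ssl/k8s && cd /etc/ssl/k8s

          # ca.cnf, api-server.cnf and client.cnf come from this repository. They decide
          # the extensions and SANs of every certificate issued here, so read them before
          # use. git puts them in ./k8s-certificate-issue-file, while the commands below
          # expect them in the current directory (TODO confirm the repository layout and
          # copy the files over).
          git clone git@github.com:he-aook/k8s-certificate-issue-file.git

          # Cluster CA: 3072-bit RSA key and a self-signed certificate.
          # NOTE(review): 10950 days is about 30 years and ca.key is stored unencrypted.
          # Whoever can read ca.key can issue any cluster identity, so keep it off the
          # worker nodes - they only need ca.pem.
          openssl genrsa -out ca.key 3072
          openssl req -x509 -new -nodes -key ca.key -days 10950 -out ca.pem -subj "/CN=kubernetes/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" -config ca.cnf -extensions v3_req

          # Check the result before signing with it: "CA:TRUE" must appear under
          # X509v3 Basic Constraints (that depends on v3_req in ca.cnf).
          openssl x509 -noout -text -in ca.pem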

        

        

        api 证书签发

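          cd /etc/ssl/k8s
          umask 077   # apiserver.key must not be group/world readable

          # Lines 9-10 of api-server.cnf are commented out only while the CSR is built and
          # restored before signing. The line numbers are hard-coded to the cloned file:
          # look at lines 9-10 of your copy first (sed -n '9,10p' api-server.cnf).
          sed -i '9,10s/^/#/' api-server.cnf
          openssl genrsa -out apiserver.key 3072
          openssl req -new -key apiserver.key -out apiserver.csr -subj "/CN=kubernetes/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" -config api-server.cnf
          sed -i '9,10s/^#//g' api-server.cnf

          # The extensions (including subjectAltName) are taken from v3_req in
          # api-server.cnf at signing time, not from the CSR.
          # NOTE(review): 10950 days is about 30 years for a serving certificate; a shorter
          # lifetime with scheduled renewal limits the damage of a leaked key.
          openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out apiserver.pem -days 10950 -extfile api-server.cnf -extensions v3_req

          # Check the chain, then read the SAN list: it has to contain every name and IP
          # that clients use to reach the API server (192.168.52.6 on this cluster).
          openssl verify -CAfile ca.pem apiserver.pem
          openssl x509 -noout -text -in apiserver.pem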

        kubelet 证书签发

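          cd /etc/ssl/k8s
          umask 077   # kubelet-*.key must not be group/world readable

          # One client certificate per node. The API server takes the user name from CN
          # and the groups from O, so a kubelet identity is CN=system:node:<nodeName>,
          # O=system:nodes. The subject used before (CN=admin, O=system:masters) gave every
          # node an unrestricted cluster-admin credential.
          # The API server needs the Node authorizer for this identity
          # (--authorization-mode=Node,RBAC); pair it with the NodeRestriction admission
          # plugin.
          # Assumes each kubelet registers under the hostname listed at the top of the page
          # (master, node1, node2) - adjust if --hostname-override is in use.
          for pair in 6:master 7:node1 8:node2; do
              octet=${pair%%:*}
              node=${pair#*:}
              fn=52-$octet

              # Rewrite the last octet on the last line of client.cnf to this node's
              # address, 192.168.52.$octet (presumably the SAN entry - verify against your
              # copy). The dot is escaped and 1-3 digits are accepted, so a multi-digit
              # octet is replaced whole instead of leaving a malformed address.
              sed -i "\$s/\.[[:digit:]]\{1,3\}\$/.${octet}/" client.cnf
              tail -n 1 client.cnf

              openssl genrsa -out "kubelet-$fn.key" 3072
              openssl req -new -key "kubelet-$fn.key" -out "kubelet-$fn.csr" -subj "/CN=system:node:${node}/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=system:nodes" -config client.cnf
              # NOTE(review): 10950 days is about 30 years; a node credential that long-lived
              # can only be withdrawn by replacing the CA.
              openssl x509 -req -in "kubelet-$fn.csr" -CA ca.pem -CAkey ca.key -CAcreateserial -out "kubelet-$fn.pem" -days 10950 -extfile client.cnf -extensions v3_req
              openssl verify -CAfile ca.pem "kubelet-$fn.pem"
          done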

        kube-proxy 签发证书

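          cd /etc/ssl/k8s
          umask 077   # kube-proxy-*.key must not be group/world readable

          # One key pair per node, all with the same subject. CN=system:kube-proxy is the
          # user that the built-in system:node-proxier ClusterRoleBinding grants proxy
          # permissions to; O=k8s adds a group with no built-in privileges.
          for octet in 6 7 8; do
              fn=52-$octet

              # Rewrite the last octet on the last line of client.cnf to 192.168.52.$octet
              # (presumably the SAN entry - verify against your copy). The dot is escaped
              # and 1-3 digits are accepted, so a multi-digit octet is replaced whole.
              sed -i "\$s/\.[[:digit:]]\{1,3\}\$/.${octet}/" client.cnf
              tail -n 1 client.cnf

              openssl genrsa -out "kube-proxy-$fn.key" 3072
              openssl req -new -key "kube-proxy-$fn.key" -out "kube-proxy-$fn.csr" -subj "/CN=system:kube-proxy/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" -config client.cnf
              # NOTE(review): 10950 days is about 30 years; consider a shorter lifetime
              # with renewal.
              openssl x509 -req -in "kube-proxy-$fn.csr" -CA ca.pem -CAkey ca.key -CAcreateserial -out "kube-proxy-$fn.pem" -days 10950 -extfile client.cnf -extensions v3_req
              openssl verify -CAfile ca.pem "kube-proxy-$fn.pem"
          done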

        etcd 证书签发

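          cd /etc/ssl/k8s
          umask 077   # etcd-*.key must not be group/world readable

          # One key pair per etcd member.
          # NOTE(review): these are signed with the client profile (client.cnf, v3_req).
          # An etcd member also accepts TLS connections, so confirm that v3_req allows
          # serverAuth as well as clientAuth and that the member IP is in subjectAltName
          # (openssl x509 -noout -text -in etcd-52-6.pem).
          # NOTE(review): signing etcd with the cluster CA means any certificate from that
          # CA passes etcd's client-certificate check; a separate etcd CA keeps the
          # datastore reachable only by the identities issued for it.
          for octet in 6 7 8; do
              fn=52-$octet

              # Rewrite the last octet on the last line of client.cnf to 192.168.52.$octet
              # (presumably the SAN entry - verify against your copy). The dot is escaped
              # and 1-3 digits are accepted, so a multi-digit octet is replaced whole.
              sed -i "\$s/\.[[:digit:]]\{1,3\}\$/.${octet}/" client.cnf
              tail -n 1 client.cnf

              openssl genrsa -out "etcd-$fn.key" 3072
              openssl req -new -key "etcd-$fn.key" -out "etcd-$fn.csr" -subj "/CN=etcd/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" -config client.cnf
              # NOTE(review): 10950 days is about 30 years; consider a shorter lifetime
              # with renewal.
              openssl x509 -req -in "etcd-$fn.csr" -out "etcd-$fn.pem" -CA ca.pem -CAkey ca.key -CAcreateserial -days 10950 -extfile client.cnf -extensions v3_req
              openssl verify -CAfile ca.pem "etcd-$fn.pem"
          done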

        flannel 证书签发

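          # Same working directory as the other sections (ca.pem, ca.key and client.cnf
          # live there).
          cd /etc/ssl/k8s
          umask 077   # flannel-*.key must not be group/world readable

          # One client key pair per node for flanneld (CN=flanneld, O=k8s).
          # NOTE(review): what this identity may do is decided by whichever service it
          # authenticates to (the page does not show that configuration) - grant it only
          # the access flannel needs.
          for octet in 6 7 8; do
              fn=52-$octet

              # Rewrite the last octet on the last line of client.cnf to 192.168.52.$octet
              # (presumably the SAN entry - verify against your copy). The dot is escaped
              # and 1-3 digits are accepted, so a multi-digit octet is replaced whole.
              sed -i "\$s/\.[[:digit:]]\{1,3\}\$/.${octet}/" client.cnf
              tail -n 1 client.cnf

              openssl genrsa -out "flannel-$fn.key" 3072
              openssl req -new -key "flannel-$fn.key" -out "flannel-$fn.csr" -subj "/CN=flanneld/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" -config client.cnf
              # NOTE(review): 10950 days is about 30 years; consider a shorter lifetime
              # with renewal.
              openssl x509 -req -in "flannel-$fn.csr" -CA ca.pem -CAkey ca.key -CAcreateserial -out "flannel-$fn.pem" -days 10950 -extfile client.cnf -extensions v3_req
              openssl verify -CAfile ca.pem "flannel-$fn.pem"
          done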

          

    QQ:1394466404

      

  • 原文地址:https://www.cnblogs.com/S--S/p/11748659.html