K8S from Getting Started to Giving Up, Part 4: Deploying the kubectl Command-Line Tool for a kubernetes Cluster

    Abstract: As k8s releases have evolved, clusters have moved towards a TLS + RBAC security configuration, so during deployment every component needs a certificate and RBAC authentication must be enabled.
    We install from binaries here: after downloading and extracting the archive, copy each component's binary to its designated node.
    master node components: kube-apiserver, etcd, kube-controller-manager, kube-scheduler, kubectl
    node components: kubelet, kube-proxy, docker, coredns, calico
    Deploying the master components
    1) Download the kubernetes binary package
    Extract the downloaded archive and distribute the binaries to their designated locations on the master and node machines.
    [root@k8s-master01 ~]# cd k8s/
    [root@k8s-master01 k8s]# wget https://storage.googleapis.com/kubernetes-release/release/v1.14.1/kubernetes-server-linux-amd64.tar.gz
    [root@k8s-master01 k8s]# tar -xf kubernetes-server-linux-amd64.tar.gz
    ## transfer the master binaries
    [root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.18:/usr/local/bin/
    [root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.19:/usr/local/bin/
    [root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.20:/usr/local/bin/
    ## transfer the node binaries
    [root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-proxy,kubelet} 10.10.0.21:/usr/local/bin/
    [root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-proxy,kubelet} 10.10.0.22:/usr/local/bin/

    2) Create the admin certificate

    kubectl is used for day-to-day management of the K8S cluster. To manage k8s it must talk to the k8s components, and that communication requires a certificate.
    We deploy kubectl on the three master nodes.
    [root@k8s-master01 ~]# vim /opt/k8s/certs/admin-csr.json
    {
      "CN": "admin",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "ShangHai",
          "L": "ShangHai",
          "O": "system:masters",
          "OU": "System"
        }
      ]
    }
    3) Generate the admin certificate and private key

    [root@k8s-master01 ~]# cd /opt/k8s/certs/
    [root@k8s-master01 certs]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
         -ca-key=/etc/kubernetes/ssl/ca-key.pem \
         -config=/opt/k8s/certs/ca-config.json \
         -profile=kubernetes admin-csr.json | cfssljson -bare admin
    2019/04/23 14:56:49 [INFO] generate received request
    2019/04/23 14:56:49 [INFO] received CSR
    2019/04/23 14:56:49 [INFO] generating key: rsa-2048
    2019/04/23 14:56:49 [INFO] encoded CSR
    2019/04/23 14:56:49 [INFO] signed certificate with serial number 506524128693715675957824591128854950490977162654
    2019/04/23 14:56:49 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").
    4) Inspect the certificate files

    [root@k8s-master01 certs]# ll admin*
    -rw-r--r-- 1 root root 1013 Apr 23 14:56 admin.csr
    -rw-r--r-- 1 root root  231 Apr 23 14:54 admin-csr.json
    -rw------- 1 root root 1679 Apr 23 14:56 admin-key.pem
    -rw-r--r-- 1 root root 1407 Apr 23 14:56 admin.pem
    5) Distribute the certificate

    [root@k8s-master01 certs]# ansible k8s-master -m copy -a 'src=/opt/k8s/certs/admin-key.pem dest=/etc/kubernetes/ssl/'
    [root@k8s-master01 certs]# ansible k8s-master -m copy -a 'src=/opt/k8s/certs/admin.pem dest=/etc/kubernetes/ssl/'
    6) Generate the kubeconfig file

    The following steps generate a config file under .kube in the home directory. kubectl needs this file for every subsequent call to the API, which means that if you want to operate the cluster with kubectl from another node, you must copy this file to that node.
    Set the cluster parameters
    [root@k8s-master01 ~]# kubectl config set-cluster kubernetes \
         --certificate-authority=/etc/kubernetes/ssl/ca.pem \
         --embed-certs=true \
         --server=https://127.0.0.1:6443
    Cluster "kubernetes" set.
    # Set the client authentication parameters
    [root@k8s-master01 ~]# kubectl config set-credentials admin \
         --client-certificate=/etc/kubernetes/ssl/admin.pem \
         --embed-certs=true \
         --client-key=/etc/kubernetes/ssl/admin-key.pem
    User "admin" set.
    # Set the context parameters
    [root@k8s-master01 ~]# kubectl config set-context admin@kubernetes \
         --cluster=kubernetes \
         --user=admin
    Context "admin@kubernetes" created.
    # Set the default context
    [root@k8s-master01 ~]# kubectl config use-context admin@kubernetes
    Switched to context "admin@kubernetes".
    The operations above generate a .kube/config file in the current directory. On every subsequent cluster operation the apiserver validates the credentials in this file, and the admin user created here has full rights over the kubernetes cluster (cluster administrator).
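The admin certificate in step 2 carries `"O": "system:masters"`, the group that kube-apiserver maps to the built-in cluster-admin role, and step 6 embeds that certificate together with its private key into the kubeconfig. Both files are therefore cluster-admin credentials and are worth checking before they are copied to other nodes. The script below is an added example and not part of the original post: it builds a constructed CA and an admin client certificate with openssl (mirroring the fields of admin-csr.json), writes a kubeconfig with embedded certificate data in the same shape `kubectl config ... --embed-certs=true` produces (written by hand so it runs without kubectl), then audits both artefacts. Every path under the temp dir, and the CA subject `kubernetes-ca`, are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the post): constructed PKI + kubeconfig, then audit checks.
set -eu

WORK="$(mktemp -d)"
CA_CRT="$WORK/ca.pem";       CA_KEY="$WORK/ca-key.pem"
ADMIN_CRT="$WORK/admin.pem"; ADMIN_KEY="$WORK/admin-key.pem"
KUBECONFIG_FILE="$WORK/config"

# Constructed CA and admin client cert. The subject mirrors admin-csr.json:
# CN=admin, O=system:masters (the group kube-apiserver treats as cluster-admin).
make_constructed_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -subj "/CN=kubernetes-ca/O=k8s" -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CN/ST=ShangHai/L=ShangHai/O=system:masters/OU=System/CN=admin" \
        -keyout "$ADMIN_KEY" -out "$WORK/admin.csr" 2>/dev/null
    # clientAuth only and no SAN: this is a client cert, so cfssl's
    # "lacks a hosts field" warning seen in the post is expected for it.
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$WORK/ext.cnf"
    openssl x509 -req -days 1 -sha256 -in "$WORK/admin.csr" \
        -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$ADMIN_CRT" 2>/dev/null
    chmod 0600 "$ADMIN_KEY"   # same -rw------- the post's ls shows for admin-key.pem
}

file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Returns 0 when the cert chains to the CA, carries the expected identity
# (CN=admin, O=system:masters), is a client cert, matches its key, and the key is 0600.
audit_client_cert() {
    local crt="$1" key="$2" ca="$3" subj mode
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "FAIL: not signed by CA"; return 1; }
    subj="$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253)"
    case "$subj" in *CN=admin*) ;; *) echo "FAIL: CN is not admin ($subj)"; return 1 ;; esac
    case "$subj" in *O=system:masters*) ;; *) echo "FAIL: O is not system:masters ($subj)"; return 1 ;; esac
    openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Client Authentication' \
        || { echo "FAIL: no clientAuth EKU"; return 1; }
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "FAIL: key does not match cert"; return 1; }
    mode="$(file_mode "$key")"
    [ "$mode" = "600" ] || { echo "FAIL: $key mode is $mode, want 600"; return 1; }
    echo "OK: $crt ($subj)"
}

# What set-cluster / set-credentials / set-context --embed-certs=true produce:
# the PEM files base64-encoded into the YAML. Hand-written so no kubectl is needed.
write_kubeconfig() {
    local out="$1" server="$2"
    b64() { base64 -w0 "$1" 2>/dev/null || base64 "$1" | tr -d '\n'; }
    {
        echo "apiVersion: v1"; echo "kind: Config"
        echo "clusters:"; echo "- name: kubernetes"; echo "  cluster:"
        echo "    server: $server"
        echo "    certificate-authority-data: $(b64 "$CA_CRT")"
        echo "users:"; echo "- name: admin"; echo "  user:"
        echo "    client-certificate-data: $(b64 "$ADMIN_CRT")"
        echo "    client-key-data: $(b64 "$ADMIN_KEY")"
        echo "contexts:"; echo "- name: admin@kubernetes"
        echo "  context: {cluster: kubernetes, user: admin}"
        echo "current-context: admin@kubernetes"
    } > "$out"
    chmod 0600 "$out"   # the file now contains the admin private key
}

# A kubeconfig with embedded certs is itself a credential: check its mode, that the
# default context is set, and that the embedded client cert really is admin.pem.
audit_kubeconfig() {
    local cfg="$1" mode
    mode="$(file_mode "$cfg")"
    [ "$mode" = "600" ] || { echo "FAIL: $cfg mode is $mode, want 600"; return 1; }
    grep -q '^current-context: admin@kubernetes$' "$cfg" || { echo "FAIL: default context not set"; return 1; }
    sed -n 's/^ *client-certificate-data: //p' "$cfg" | base64 -d > "$WORK/embedded.pem"
    [ "$(openssl x509 -in "$WORK/embedded.pem" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$ADMIN_CRT" -noout -fingerprint -sha256)" ] \
        || { echo "FAIL: embedded cert is not admin.pem"; return 1; }
    echo "OK: $cfg embeds $(openssl x509 -in "$WORK/embedded.pem" -noout -subject -nameopt RFC2253)"
}

run_demo() {
    make_constructed_pki
    write_kubeconfig "$KUBECONFIG_FILE" "https://127.0.0.1:6443"
    audit_client_cert "$ADMIN_CRT" "$ADMIN_KEY" "$CA_CRT"
    audit_kubeconfig "$KUBECONFIG_FILE"
}
run_demo
```

Run against a real deployment by pointing `audit_client_cert` at `/etc/kubernetes/ssl/admin.pem`, `admin-key.pem` and `ca.pem`, and `audit_kubeconfig` at the copy of `~/.kube/config` before it is shipped to another master; a mode other than 600 on either the key or the kubeconfig is the finding most worth fixing, since both grant cluster-admin to whoever can read them.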
Original article: https://www.cnblogs.com/tchua/p/10756935.html