k8s 1.10.2 https搭建文档
1.下载k8s镜像
方式一:docker hub + github,需要创建一个docker hub账户,连接指定的github账户,docker hub会从github中引用相关Dockerfile,k8s版本以及镜像名称可以从github获取,构建任务后docker hub会从google拉取镜像,以kube-apiserver Dockerfile举例。
例:
FROM gcr.io/google_containers/kube-apiserver-amd64:v1.10.2
MAINTAINER xxxx <xxxx@163.com>
镜像构建完成后,可直接docker pull下载镜像。
# 需要在docker hub将该repo设置为public。
方式二:github下载release版本的k8s,解压后执行~/kubernetes/cluster/get-kube-binaries.sh,会下载kubernetes-server-linux-amd64.tar.gz,解压后会看到k8s各个组件的镜像以及相关二进制文件和配置模板。
2.创建配置文件及目录
mkdir -p /etc/kubernetes/{pki,manifests}
kubelet.service
[Service]
ExecStart=/usr/local/bin/kubelet
Restart=on-failure
StartLimitInterval=0
RestartSec=10
Environment="KUBELET_KUBECONFIG_ARGS=--kubeconfig=/etc/kubernetes/kubeconfig --config=/etc/kubernetes/kubelet.yaml"
Environment="KUBE_LOGTOSTDERR=--logtostderr=true --v=0 --log-dir=/var/log/kubelet.log --allow-privileged=true"
Environment="KUBELET_POD_CONTAINER=--pod-infra-container-image=gcr.io/google_containers/pause-amd64:3.0"
Environment="KUBE_NODE_LABEL=--node-labels=node-role.kubernetes.io/master=true --register-node=true"
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_POD_CONTAINER $KUBE_LOGTOSTDERR $KUBE_NODE_LABEL
[Install]
antedBy=multi-user.target
kubelet.yaml
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
evictionHard:
memory.available: "200Mi"
CgroupDriver: systemd
failSwapOn: false
serializeImagePulls: false
podManifestPath: /etc/kubernetes/manifests
address: 0.0.0.0
port: 10250
apiserver.yaml controller-manager.yaml scheduler.yaml从https://github.com/cjfpjt/kubernetes.git的yaml文件夹下下载
3.创建证书
ApiServer认证,认证一共有三种方式:
1)Https双向认证(最安全)
2)Http Token认证
3)Http Base认证,用户名和密码
生成token.csv
token的生成方式:head -c 16 /dev/urandom | od -An -t x | tr -d ' ‘
cat > token.csv
d0b54455f7cc574b4825293626be75ea,user1,1
# 这里的user1是我们后面设置上下文需要用到的用户名,不能写错
ca证书的生成方式:
链接:https://kubernetes.io/docs/concepts/cluster-administration/certificates/
我们采用简洁的openssl(以pre-k8s-master举例)
1. openssl genrsa -out ca.key 2048
2. openssl req -x509 -new -nodes -key ca.key -subj "/CN= ${MASTER}" -days 10000 -out ca.crt
3. openssl genrsa -out server.key 2048
4. cat csr.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = CN
ST = beijing
L = beijing
O = company
OU = company
CN = 内网ip
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 内网ip
IP.2 = slb或者公网ip
IP.3 = 10.96.0.1
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
5. openssl req -new -key server.key -out server.csr -config csr.conf
6. openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf
7. openssl x509 -noout -text -in ./server.crt
ca以及证书创建完毕。
apiserver.yaml配置项添加如下参数:
—client-ca-file=/etc/kubernetes/pki/ca.crt
—tls-cert-file=/etc/kubernetes/pki/server.crt
—tls-private-key-file=/etc/kubernetes/pki/server.key
—token=/etc/kubernetes/token.csv
controller-manager.yaml配置项添加如下参数:
--root-ca-file=/etc/kubernetes/pki/ca.crt
--service-account-private-key-file=/etc/kubernetes/pki/server.key
设置kubeconfig(在master上操作)
# kubeconfig如果不指定配置文件名称、路径,默认会保存在/root/.kube/config文件下,该文件的作用是向node节点提供注册所需要的配置信息,如集群名称、认证名称、用户名称、通信方式等。
创建脚本kube.sh
cat kube.sh
#!/bin/bash
KUBE_APISERVER="https://slb或者公网ip:6443"
cd /etc/kubernetes/pki &&
kubectl config set-cluster kubernetes
--certificate-authority=ca.crt
--embed-certs=true
--server=${KUBE_APISERVER}
--kubeconfig=../kubelet.conf &&
kubectl config set-credentials user1
--token=${BOOTSTRAP_TOKEN}
--kubeconfig=../kubelet.conf &&
# —client-certificate=server.crt
# —client-key=server.key
# —embed-certs=true
kubectl config set-context kubernetes
--cluster=kubernetes
--user=user1
--kubeconfig=../kubelet.conf &&
kubectl config use-context kubernetes
--kubeconfig=../kubelet.conf
创建完成后,会生成/etc/kubernetes/kubelet.conf文件,将该文件拷贝至/root/.kube/config文件。
验证配置是否正确:
curl https://172.17.100.27:6443/api/v1/nodes --cacert /etc/kubernetes/pki/ca.crt --cert /etc/kubernetes/pki/server.crt --key /etc/kubernetes/pki/server.key -H 'Authorization: Bearer d0b54455f7cc574b4825293626be75ea' -v
# d0b54455f7cc574b4825293626be75ea为生成的token值。
验证完成后即可添加node节点,k8s搭建完成。