上一篇我們介紹了kubernetes集群架構以及系統參數配置,參考:二進制搭建kubernetes多master集群【開篇、集群環境和功能介紹】
下面本文etcd集群才用三台centos7.5搭建完成。
etcd1:192.168.80.4
etcd2:192.168.80.5
etcd3:192.168.80.6
一、創建CA證書和密鑰
kubernetes 系統各組件需要使用 TLS 證書對通信進行加密,本文檔使用 CloudFlare 的 PKI 工具集 cfssl 來生成 Certificate Authority (CA) 證書和秘鑰文件,CA 是自簽名的證書,用來簽名后續創建的其它 TLS 證書。
下面步驟是在k8s-master1上操作的。證書只需要創建一次即可,以后在向集群中添加新節點時只要將 /etc/kubernetes/cert 目錄下的證書拷貝到新節點上即可。
1、安裝 CFSSL
curl -o /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 curl -o /usr/local/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x /usr/local/bin/cfssl*
2、創建CA配置文件
mkdir -p /etc/kubernetes/cert && cd /etc/kubernetes/cert
cat > ca-config.json <<EOF { "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ], "expiry": "87600h" } } } } EOFca-config.json:可以定義多個 profiles,分別指定不同的過期時間、使用場景等參數;后續在簽名證書時使用某個 profile;
signing:表示該證書可用於簽名其它證書;生成的 ca.pem 證書中 CA=TRUE;
server auth:表示 client 可以用該 CA 對 server 提供的證書進行驗證;
client auth:表示 server 可以用該 CA 對 client 提供的證書進行驗證;
3、創建CA證書簽名請求
cat > ca-csr.json <<EOF { "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "4Paradigm" } ] } EOF- CN:
Common Name,kube-apiserver 從證書中提取該字段作為請求的用戶名 (User Name),瀏覽器使用該字段驗證網站是否合法; - O:
Organization,kube-apiserver 從證書中提取該字段作為請求用戶所屬的組 (Group); - kube-apiserver 將提取的 User、Group 作為
RBAC授權的用戶標識;
生成 CA 證書和私鑰:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
4、創建etcd證書簽名請求文件
cat > etcd-csr.json <<EOF { "CN": "etcd", "hosts": [ "127.0.0.1", "192.168.80.4", "192.168.80.5", "192.168.80.6" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "4Paradigm" } ] } EOF- hosts 字段指定授權使用該證書的 etcd 節點 IP 或域名列表,這里將 etcd 集群的三個節點 IP 都列在其中;
生成 CA 證書和私鑰:
cfssl gencert -ca=/etc/kubernetes/cert/ca.pem \ -ca-key=/etc/kubernetes/cert/ca-key.pem \ -config=/etc/kubernetes/cert/ca-config.json \ -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
5、將*.pem證書分發到3台etcd的/etc/kubernetes/cert目錄下
[root@k8s-master1 cert]# scp *.pem etcd1:/etc/kuberneters/cert [root@k8s-master1 cert]# scp *.pem etcd2:/etc/kuberneters/cert [root@k8s-master1 cert]# scp *.pem etcd3:/etc/kuberneters/cert
ETCD使用證書的組件如下:
- etcd:使用 ca.pem、etcd-key.pem、etcd.pem;
二、部署etcd集群
在三個節點都安裝etcd,下面的操作需要再三個節點都執行一遍
1、下載etcd安裝包
wget https://github.com/etcd-io/etcd/releases/download/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
tar zxf etcd-v3.3.10-linux-amd64.tar.gz
cp etcd-v3.3.10-linux-amd64/etcd* /usr/local/bin
2、創建工作目錄
mkdir -p /var/lib/etcd
3、創建systemd unit 文件(紅色字填寫對應etcd主機的名稱和ip)
cat > /etc/systemd/system/etcd.service << EOF [Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target Documentation=https://github.com/coreos [Service] Type=notify WorkingDirectory=/var/lib/etcd/ ExecStart=/usr/local/bin/etcd \ --name etcd1 \ --cert-file=/etc/kubernetes/cert/etcd.pem \ --key-file=/etc/kubernetes/cert/etcd-key.pem \ --peer-cert-file=/etc/kubernetes/cert/etcd.pem \ --peer-key-file=/etc/kubernetes/cert/etcd-key.pem \ --trusted-ca-file=/etc/kubernetes/cert/ca.pem \ --peer-trusted-ca-file=/etc/kubernetes/cert/ca.pem \ --initial-advertise-peer-urls https://192.168.80.4:2380 \ --listen-peer-urls https://192.168.80.4:2380 \ --listen-client-urls https://192.168.80.4:2379,http://127.0.0.1:2379 \ --advertise-client-urls https://192.168.80.4:2379 \ --initial-cluster-token etcd-cluster-0 \ --initial-cluster etcd1=https://192.168.80.4:2380,etcd2=https://192.168.80.5:2380,etcd3=https://192.168.80.6:2380 \ --initial-cluster-state new \ --data-dir=/var/lib/etcd Restart=on-failure RestartSec=5 LimitNOFILE=65536 [Install] WantedBy=multi-user.target EOF
為了保證通信安全,需要指定 etcd 的公私鑰(cert-file和key-file)、Peers 通信的公私鑰和 CA 證書(peer-cert-file、peer-key-file、peer-trusted-ca-file)、客戶端的CA證書(trusted-ca-file);
創建etcd.pem 證書時使用的 etcd-csr.json 文件的 hosts 字段包含所有 etcd 節點的IP,否則證書校驗會出錯;
–initial-cluster-state 值為 new 時,–name 的參數值必須位於 –initial-cluster 列表中.
4、啟動etcd服務並且設置開機自啟動
sudo systemctl daemon-reload
sudo systemctl enable etcd
sudo systemctl start etcd
5、查看etcd服務狀態信息
systemctl status etcd
最先啟動的 etcd 進程會卡住一段時間,等待其它節點上的 etcd 進程加入集群,為正常現象。
6、驗證etcd集群狀態,以及查看leader,在任何一個etcd節點執行
[root@etcd1 cert]# etcdctl --ca-file=/etc/kubernetes/cert/ca.pem --cert-file=/etc/kubernetes/cert/etcd.pem --key-file=/etc/kubernetes/cert/etcd-key.pem cluster-health
member 1ee23928cd50adb0 is healthy: got healthy result from https://192.168.80.6:2379
member 535d7a5dfde52a30 is healthy: got healthy result from https://192.168.80.4:2379
member 8476403d43c0e204 is healthy: got healthy result from https://192.168.80.5:2379
[root@etcd1 cert]# etcdctl --ca-file=/etc/kubernetes/cert/ca.pem --cert-file=/etc/kubernetes/cert/etcd.pem --key-file=/etc/kubernetes/cert/etcd-key.pem member list
1ee23928cd50adb0: name=etcd3 peerURLs=https://192.168.80.6:2380 clientURLs=https://192.168.80.6:2379 isLeader=false
535d7a5dfde52a30: name=etcd1 peerURLs=https://192.168.80.4:2380 clientURLs=https://192.168.80.4:2379 isLeader=false
8476403d43c0e204: name=etcd2 peerURLs=https://192.168.80.5:2380 clientURLs=https://192.168.80.5:2379 isLeader=true
7、舉例:etcdctl調用集群創建/kubernetes/network的key
[root@etcd3 cert]# etcdctl --ca-file=/etc/kubernetes/cert/ca.pem --cert-file=/etc/kubernetes/cert/etcd.pem --key-file=/etc/kubernetes/cert/etcd-key.pem mkdir /kubernetes/network
至此ETCD TLS證書集群部署完成。
下一篇是關於docker使用flannel網絡的配置,請參考:二進制搭建kubernetes多master集群【二、配置flannel網絡】