Summary: as Kubernetes has evolved, clusters have moved toward a TLS + RBAC security configuration for cluster security, so during deployment every component needs its own certificate and RBAC authentication must be enabled.
We use a binary installation here: after downloading and extracting, copy each component's binary to the node it belongs on.
master node components: kube-apiserver, etcd, kube-controller-manager, kube-scheduler, kubectl
node components: kubelet, kube-proxy, docker, coredns, calico
Deploying the master components
1) Download the Kubernetes binary package
Extract the archive and distribute the corresponding binaries to their designated locations on the master or node machines.
[root@k8s-master01 ~]# cd k8s/
[root@k8s-master01 k8s]# wget https://storage.googleapis.com/kubernetes-release/release/v1.14.1/kubernetes-server-linux-amd64.tar.gz
[root@k8s-master01 k8s]# tar -xf kubernetes-server-linux-amd64.tar.gz
## transfer the master binaries
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.18:/usr/local/bin/
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.19:/usr/local/bin/
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.20:/usr/local/bin/
## transfer the node binaries
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-proxy,kubelet} 10.10.0.21:/usr/local/bin/
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-proxy,kubelet} 10.10.0.22:/usr/local/bin/
2) Create the admin certificate
kubectl is used for day-to-day direct management of the Kubernetes cluster. To manage the cluster it has to talk to the Kubernetes components, so it too needs a certificate. We deploy kubectl on the three master nodes.
[root@k8s-master01 ~]# vim /opt/k8s/certs/admin-csr.json
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
3) Generate the admin certificate and private key
[root@k8s-master01 ~]# cd /opt/k8s/certs/
[root@k8s-master01 certs]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
  -ca-key=/etc/kubernetes/ssl/ca-key.pem \
  -config=/opt/k8s/certs/ca-config.json \
  -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/04/23 14:56:49 [INFO] generate received request
2019/04/23 14:56:49 [INFO] received CSR
2019/04/23 14:56:49 [INFO] generating key: rsa-2048
2019/04/23 14:56:49 [INFO] encoded CSR
2019/04/23 14:56:49 [INFO] signed certificate with serial number 506524128693715675957824591128854950490977162654
2019/04/23 14:56:49 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
4) Inspect the certificate files
[root@k8s-master01 certs]# ll admin*
-rw-r--r-- 1 root root 1013 Apr 23 14:56 admin.csr
-rw-r--r-- 1 root root  231 Apr 23 14:54 admin-csr.json
-rw------- 1 root root 1679 Apr 23 14:56 admin-key.pem
-rw-r--r-- 1 root root 1407 Apr 23 14:56 admin.pem
5) Distribute the certificate
[root@k8s-master01 certs]# ansible k8s-master -m copy -a 'src=/opt/k8s/certs/admin-key.pem dest=/etc/kubernetes/ssl/'
[root@k8s-master01 certs]# ansible k8s-master -m copy -a 'src=/opt/k8s/certs/admin.pem dest=/etc/kubernetes/ssl/'
6) Generate the kubeconfig file
The following steps generate a config file under .kube in the home directory; from then on kubectl uses this file to talk to the API server. This also means that if you want to operate the cluster with kubectl from another node, you need to copy this file to that node.
# set the cluster parameters
[root@k8s-master01 ~]# kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:6443
Cluster "kubernetes" set.
# set the client authentication parameters
[root@k8s-master01 ~]# kubectl config set-credentials admin \
  --client-certificate=/etc/kubernetes/ssl/admin.pem \
  --embed-certs=true \
  --client-key=/etc/kubernetes/ssl/admin-key.pem
User "admin" set.
# set the context parameters
[root@k8s-master01 ~]# kubectl config set-context admin@kubernetes \
  --cluster=kubernetes \
  --user=admin
Context "admin@kubernetes" created.
# set the default context
[root@k8s-master01 ~]# kubectl config use-context admin@kubernetes
Switched to context "admin@kubernetes".
The steps above generate the .kube/config file under the home directory. Whenever the cluster is operated on afterwards, the apiserver validates this file's client certificate; the admin user created here has full permissions on the Kubernetes cluster (cluster administrator).
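The two things worth verifying before handing out an admin kubeconfig are the identity in the admin certificate from steps 2) to 5) (the CN becomes the user name and O= becomes the group; O=system:masters is what makes it a cluster administrator) and what actually ends up inside the kubeconfig from step 6) when --embed-certs=true is used. The script below is an added example, not the post's own commands: it uses openssl instead of cfssl to mint a throwaway CA and an admin client certificate with the same subject fields as admin-csr.json, writes a minimal kubeconfig with the PEM blobs base64-embedded the way kubectl does, and then runs the checks an operator would want on such a file. The CA, file names under a temp directory, the "viewer" user and the dev-readers group are all constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Mints a constructed CA and an
# admin client cert with openssl, builds a kubeconfig with embedded certs,
# and checks the identity, chain and file mode of that kubeconfig.
set -eu

WORK="$(mktemp -d)"   # constructed scratch dir standing in for /etc/kubernetes/ssl

# Constructed throwaway CA standing in for ca.pem / ca-key.pem.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=CN/ST=ShangHai/L=ShangHai/O=kubernetes/CN=kubernetes-ca" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a client certificate; $1 = CN (the Kubernetes user), $2 = O (the RBAC group).
# Same subject fields as admin-csr.json in the post, just issued with openssl.
issue_client_cert() {
  local cn="$1" org="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=CN/ST=ShangHai/L=ShangHai/O=${org}/OU=System/CN=${cn}" \
    -keyout "$WORK/${cn}-key.pem" -out "$WORK/${cn}.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/${cn}.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -out "$WORK/${cn}.pem" 2>/dev/null
  chmod 0600 "$WORK/${cn}-key.pem"
}

# Mimic `kubectl config ... --embed-certs=true`: the PEM files are base64-encoded
# into the kubeconfig itself, so the file alone is a complete credential.
write_kubeconfig() {
  local user="$1" out="$2"
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: https://127.0.0.1:6443
    certificate-authority-data: $(base64 < "$WORK/ca.pem" | tr -d '\n')
users:
- name: ${user}
  user:
    client-certificate-data: $(base64 < "$WORK/${user}.pem" | tr -d '\n')
    client-key-data: $(base64 < "$WORK/${user}-key.pem" | tr -d '\n')
contexts:
- name: ${user}@kubernetes
  context:
    cluster: kubernetes
    user: ${user}
current-context: ${user}@kubernetes
EOF
  chmod 0600 "$out"
}

# Print the subject of the embedded client cert: this is the identity the
# apiserver will authenticate (CN = user, O = groups).
kubeconfig_identity() {
  awk '/client-certificate-data:/ {print $2}' "$1" | base64 -d \
    | openssl x509 -noout -subject -nameopt RFC2253
}

# Returns 0 if the embedded client cert chains to the embedded CA, carries the
# expected O= group and the file is mode 0600; 1, 2 or 3 for each failure.
check_kubeconfig() {
  local kubeconfig="$1" want_group="$2" rc=0
  local tmp_ca tmp_cert mode
  tmp_ca="$(mktemp)"; tmp_cert="$(mktemp)"
  awk '/certificate-authority-data:/ {print $2}' "$kubeconfig" | base64 -d > "$tmp_ca"
  awk '/client-certificate-data:/ {print $2}' "$kubeconfig" | base64 -d > "$tmp_cert"
  if ! openssl verify -CAfile "$tmp_ca" "$tmp_cert" >/dev/null 2>&1; then
    rc=1    # client cert does not chain to the CA embedded in the same file
  elif ! openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp_cert" \
         | grep -Eq "(^|,)O=${want_group}(,|$)"; then
    rc=2    # chains, but the group is not the one expected
  else
    mode="$(stat -c %a "$kubeconfig" 2>/dev/null || stat -f %Lp "$kubeconfig")"
    [ "$mode" = "600" ] || rc=3   # a private key lives in this file
  fi
  rm -f "$tmp_ca" "$tmp_cert"
  return "$rc"
}

make_ca
issue_client_cert admin system:masters
write_kubeconfig admin "$WORK/admin.kubeconfig"
echo "identity carried by $WORK/admin.kubeconfig:"
kubeconfig_identity "$WORK/admin.kubeconfig"
if check_kubeconfig "$WORK/admin.kubeconfig" system:masters; then
  echo "OK: chains to CA, O=system:masters, mode 0600"
fi
```

The cfssl warning in step 3) about the missing "hosts" field is expected for this certificate: SANs matter for server certificates, and the admin certificate is only ever presented as a client. The check on O= is the important one, because the apiserver grants system:masters cluster-admin through a built-in binding and does not support revoking client certificates, so a kubeconfig carrying that group should exist on as few hosts as possible and stay 0600 wherever it is copied.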