Manually Installing K8s 1.10, Part 2: Base Environment + CA Certificates

1. Install Docker
yum install docker-ce -y

2. Prepare the required software
Upload k8s-v1.10.1-manual.zip to /usr/local/src
[root@k8smaster src]# ll
total 1178908
-rw-r--r-- 1 root root 6595195 Mar 30 2016 cfssl-certinfo_linux-amd64
-rw-r--r-- 1 root root 2277873 Mar 30 2016 cfssljson_linux-amd64
-rw-r--r-- 1 root root 10376657 Mar 30 2016 cfssl_linux-amd64
-rw-r--r-- 1 root root 17108856 Apr 12 17:35 cni-plugins-amd64-v0.7.1.tgz
-rw-r--r-- 1 root root 10562874 Mar 30 01:58 etcd-v3.2.18-linux-amd64.tar.gz
-rw-r--r-- 1 root root 9706487 Jan 24 02:58 flannel-v0.10.0-linux-amd64.tar.gz
drwxr-xr-x 3 root root 25 Apr 23 20:19 k8s-v1.10.1-manual
-rw-r--r-- 1 root root 593725046 Jun 12 16:14 k8s-v1.10.1-manual.zip
-rw-r--r-- 1 root root 13344537 Apr 13 01:51 kubernetes-client-linux-amd64.tar.gz
-rw-r--r-- 1 root root 112427817 Apr 13 01:51 kubernetes-node-linux-amd64.tar.gz
-rw-r--r-- 1 root root 428337777 Apr 13 01:51 kubernetes-server-linux-amd64.tar.gz
-rw-r--r-- 1 root root 2716855 Apr 13 01:51 kubernetes.tar.gz

[root@k8smaster src]# tar zxf kubernetes-node-linux-amd64.tar.gz
[root@k8smaster src]# tar zxf kubernetes-client-linux-amd64.tar.gz
[root@k8smaster src]# tar zxf kubernetes-server-linux-amd64.tar.gz

Create the directories on all three machines
mkdir -p /opt/kubernetes/{cfg,bin,ssl,log}

[root@k8snode1 ~]# vim .bash_profile
PATH=$PATH:$HOME/bin:/opt/kubernetes/bin

[root@k8snode1 ~]# source .bash_profile

https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

1. Install CFSSL
[root@k8smaster src]# cp cfssl-certinfo_linux-amd64 /opt/kubernetes/bin/cfssl-certinfo
[root@k8smaster src]# cp cfssljson_linux-amd64 /opt/kubernetes/bin/cfssljson
[root@k8smaster src]# cp cfssl_linux-amd64 /opt/kubernetes/bin/cfssl
Copy the cfssl command files to the k8s-node1 and k8s-node2 nodes. If a real deployment has more nodes, copy them to every node as well.
[root@k8smaster bin]# pwd
/opt/kubernetes/bin
[root@k8smaster bin]# chmod +x cfssl*

[root@k8smaster src]# scp /opt/kubernetes/bin/cfssl k8snode1:/opt/kubernetes/bin/
[root@k8smaster src]# scp /opt/kubernetes/bin/cfssl k8snode2:/opt/kubernetes/bin/

2. Initialize CFSSL
[root@k8smaster src]# pwd
/usr/local/src
[root@k8smaster src]# mkdir ssl && cd ssl

[root@k8smaster ssl]# cfssl print-defaults config > config.json
[root@k8smaster ssl]# cfssl print-defaults csr > csr.json
[root@k8smaster ssl]# ls
config.json csr.json

3. Create the JSON configuration file used to generate the CA files
[root@k8smaster ssl]# vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}

4. Create the JSON configuration file used to generate the CA certificate signing request (CSR)
[root@k8smaster ssl]# vim ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

5. Generate the CA certificate (ca.pem) and key (ca-key.pem)
[root@k8smaster ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2018/06/12 17:16:00 [INFO] generating a new CA key and certificate from CSR
2018/06/12 17:16:00 [INFO] generate received request
2018/06/12 17:16:00 [INFO] received CSR
2018/06/12 17:16:00 [INFO] generating key: rsa-2048
2018/06/12 17:16:01 [INFO] encoded CSR
2018/06/12 17:16:01 [INFO] signed certificate with serial number 180206939556981031291737240005441022561765250716
[root@k8smaster ssl]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem config.json csr.json

6. Distribute the certificates
[root@k8smaster ssl]# cp ca.csr ca.pem ca-key.pem ca-config.json /opt/kubernetes/ssl

SCP the certificates to the k8snode1 and k8snode2 nodes
[root@k8smaster ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json k8snode1:/opt/kubernetes/ssl
[root@k8smaster ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json k8snode2:/opt/kubernetes/ssl
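
A check that can be run on each machine once the files are in /opt/kubernetes/ssl, added here as an example and not part of the original post: it confirms that ca-key.pem is not readable by group or others, that ca.pem and ca-key.pem belong together, and that the certificate is not close to expiry (the same check applies to certificates later issued with the 8760h profile). The function name check_ca_pair and the 30-day default are assumptions; openssl and GNU stat must be installed.

```bash
# Added example, not from the original post. check_ca_pair is a hypothetical
# helper; it assumes openssl and GNU stat are installed on the machine.
#
# usage: check_ca_pair CERT KEY [MIN_DAYS]
# Returns 0 when all checks pass, 1 otherwise; findings are written to stderr.
check_ca_pair() {
    local cert="$1" key="$2" min_days="${3:-30}"
    local rc=0 mode cert_pub key_pub

    # 1. The CA private key must not be readable by group or others.
    mode=$(stat -c '%a' "$key" 2>/dev/null) || mode="missing"
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $key mode is $mode, expected 600 or 400" >&2; rc=1 ;;
    esac

    # 2. The certificate must contain the public half of this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert and $key are not a matching pair" >&2; rc=1
    fi

    # 3. The certificate must stay valid for at least MIN_DAYS more days.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
            >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days (or is unreadable)" >&2
        rc=1
    fi

    return "$rc"
}

# When saved as a script and run with arguments, e.g.:
#   sh check_ca.sh /opt/kubernetes/ssl/ca.pem /opt/kubernetes/ssl/ca-key.pem 30
[ "$#" -eq 0 ] || check_ca_pair "$@"
```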
