In most cases, certificates are needed for secure access to a service (that is, HTTPS access). In a Kubernetes cluster, if anonymous access is disabled and cluster HTTPS access with mutual TLS authentication is enabled, then when a worker node component accesses the apiserver over HTTPS, the apiserver must also verify that the client is legitimate. A kubeconfig authentication file therefore has to be generated for the components on the worker node so that they can connect to the apiserver.
```bash
# Variables used throughout this section
PACKAGE=kubernetes-server-v1.12.0-linux-amd64.tar.gz
K8S_DOWNLOAD_URL=https://github.com/devops-apps/download/raw/master/kubernetes/$PACKAGE
K8S_CONF_PATH=/etc/k8s/kubernetes
K8S_KUBECONFIG_PATH=/etc/k8s/kubeconfig
KUBE_APISERVER=https://dev-kube-api.mo9.com
# 16 random bytes rendered as 32 lowercase hex characters
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')

# Download the server tarball and install kubectl
SOFTWARE=/root/software   # download directory (the original referenced $SOFTWARE without defining it)
sudo wget $K8S_DOWNLOAD_URL -P $SOFTWARE
cd $SOFTWARE
tar -xzf $PACKAGE -C ./
# The original also copied "kubens", which is not shipped in the server tarball; only kubectl is copied here
cp -fp kubernetes/server/bin/kubectl /usr/local/sbin

# Create the configuration directories
if [ ! -d "$K8S_CONF_PATH" ]; then
  mkdir -p $K8S_CONF_PATH
fi
if [ ! -d "$K8S_KUBECONFIG_PATH" ]; then
  mkdir -p $K8S_KUBECONFIG_PATH
fi

# Static token file: token,user,uid,"groups" (used by the apiserver --token-auth-file option)
cat > ${K8S_CONF_PATH}/token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
```
```bash
# kube-controller-manager kubeconfig
# CA_DIR is the directory holding ca.pem and the component certificates generated in the earlier certificate section
kubectl config set-cluster kubernetes \
  --certificate-authority=${CA_DIR}/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager \
  --client-certificate=${CA_DIR}/kube-controller-manager.pem \
  --client-key=${CA_DIR}/kube-controller-manager-key.pem \
  --embed-certs=true \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config set-context system:kube-controller-manager \
  --cluster=kubernetes \
  --user=system:kube-controller-manager \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config use-context system:kube-controller-manager \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
```
```bash
# kube-scheduler kubeconfig
kubectl config set-cluster kubernetes \
  --certificate-authority=${CA_DIR}/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \
  --client-certificate=${CA_DIR}/kube-scheduler.pem \
  --client-key=${CA_DIR}/kube-scheduler-key.pem \
  --embed-certs=true \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config set-context system:kube-scheduler \
  --cluster=kubernetes \
  --user=system:kube-scheduler \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config use-context system:kube-scheduler \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
```
```bash
# kubelet bootstrap kubeconfig (token-based; the kubelet uses it to request its own certificate)
kubectl config set-cluster kubernetes \
  --certificate-authority=${CA_DIR}/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config use-context default \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
```
```bash
# kube-proxy kubeconfig
kubectl config set-cluster kubernetes \
  --certificate-authority=${CA_DIR}/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
  --client-certificate=${CA_DIR}/kube-proxy.pem \
  --client-key=${CA_DIR}/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config use-context default \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
```
```bash
# kubectl (admin) kubeconfig
kubectl config set-cluster kubernetes \
  --certificate-authority=${CA_DIR}/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config set-credentials admin \
  --client-certificate=${CA_DIR}/admin.pem \
  --client-key=${CA_DIR}/admin-key.pem \
  --embed-certs=true \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=admin \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config use-context kubernetes \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
```
Note: a kubeconfig file is the credential file a component uses to connect securely to the apiserver service.
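As an added illustration (not code from the original post), the Python below builds the same kubeconfig structure that the kubectl config commands above write with --embed-certs=true, then checks it the way a reviewer would before copying it to a node: every context must refer to a defined cluster and user, the server must be https with an embedded CA (otherwise the apiserver certificate is never verified), and each user needs either a client certificate and key or a 32-hex-character bootstrap token. The PEM blobs and the token are constructed placeholders, not real credentials.

```python
import base64
import re

# Constructed placeholder PEM blobs standing in for ca.pem and a component cert/key.
FAKE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBexampleCA\n-----END CERTIFICATE-----\n"
FAKE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBexampleClient\n-----END CERTIFICATE-----\n"
FAKE_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEexampleKey\n-----END RSA PRIVATE KEY-----\n"
PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

def build_kubeconfig(server, ca_pem, user, context, cert_pem=None, key_pem=None, token=None):
    """Same result as set-cluster / set-credentials / set-context / use-context with --embed-certs=true."""
    creds = {"token": token} if token is not None else {
        "client-certificate-data": b64(cert_pem), "client-key-data": b64(key_pem)}
    return {
        "apiVersion": "v1", "kind": "Config", "preferences": {},
        "clusters": [{"name": "kubernetes",
                      "cluster": {"server": server, "certificate-authority-data": b64(ca_pem)}}],
        "users": [{"name": user, "user": creds}],
        "contexts": [{"name": context, "context": {"cluster": "kubernetes", "user": user}}],
        "current-context": context,
    }

def check_kubeconfig(cfg):
    """Return a list of findings; an empty list means the kubeconfig is safe to hand to a component."""
    findings = []
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters", [])}
    users = {u["name"]: u["user"] for u in cfg.get("users", [])}
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}
    if cfg.get("current-context") not in contexts:
        findings.append("current-context does not name a defined context")
    for name, ctx in contexts.items():
        if ctx.get("cluster") not in clusters:
            findings.append(f"context {name}: unknown cluster {ctx.get('cluster')}")
        if ctx.get("user") not in users:
            findings.append(f"context {name}: unknown user {ctx.get('user')}")
    for name, cl in clusters.items():
        if not str(cl.get("server", "")).startswith("https://"):
            findings.append(f"cluster {name}: server is not https")
        if not PEM_CERT_RE.search(base64.b64decode(cl.get("certificate-authority-data", ""))):
            findings.append(f"cluster {name}: no embedded CA, apiserver certificate cannot be verified")
    for name, u in users.items():
        if not ("client-certificate-data" in u and "client-key-data" in u) and "token" not in u:
            findings.append(f"user {name}: neither client certificate+key nor token")
        if "token" in u and not re.fullmatch(r"[0-9a-f]{32}", str(u["token"])):
            findings.append(f"user {name}: token is not the 32 hex chars produced by the od pipeline")
    return findings
```

The dict can be written out with json.dumps, since JSON is valid YAML and kubectl reads it as a kubeconfig.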
Master nodes:
```bash
cd $K8S_KUBECONFIG_PATH
ansible master_k8s_vgs -m copy -a \
  "src=kube-controller-manager.kubeconfig dest=$K8S_KUBECONFIG_PATH/" -b
ansible master_k8s_vgs -m copy -a \
  "src=kube-scheduler.kubeconfig dest=$K8S_KUBECONFIG_PATH/" -b
```
Worker nodes:

```bash
cd $K8S_KUBECONFIG_PATH
ansible worker_k8s_vgs -m copy -a \
  "src=bootstrap.kubeconfig dest=$K8S_KUBECONFIG_PATH/" -b
ansible worker_k8s_vgs -m copy -a \
  "src=kube-proxy.kubeconfig dest=$K8S_KUBECONFIG_PATH/" -b
```
With the authentication files for the Kubernetes cluster components created, the next step is to deploy the cluster components proper, starting with the etcd cluster; see: Kubernetes cluster installation guide: etcd cluster deployment.