Manually generating certificates for Kubernetes
阿新 • Published: 2018-06-19
By default, the certificates kubeadm generates when it initializes a cluster are valid for one year (only the CA itself is issued for ten). Generating the certificates manually avoids this problem.
1. Pull the git repository
git clone https://github.com/fandaye/k8s-tls.git && cd k8s-tls/
2. Edit the `hosts` section of the `apiserver.json` configuration file, adding the hostname and IP address of every Kubernetes master node, separated by `,`. The list must also keep the service IP (`10.96.0.1`) and the `kubernetes.*` names, because clients inside the cluster reach the apiserver through them. For example:
{
    "CN": "kube-apiserver",
    "hosts": [
        "172.16.50.131",
        "172.16.50.132",
        "172.16.50.104",
        "k8s01",
        "k8s02",
        "k8s03",
        "10.96.0.1",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    }
}
3. Run the script
./run.sh
4. Generate the node's admin.conf, kubelet.conf, controller-manager.conf and scheduler.conf configuration files
cd /etc/kubernetes/pki
Edit `node.sh`: `ip` is the IP address of the current node and `NODE` is its hostname, for example:
ip="172.16.50.131"
NODE="k8s01"
Edit the `CN` field in `kubelet.json` to the corresponding hostname, for example:
"CN": "system:node:k8s01"
Run the script
./node.sh
After the steps above, when you then initialize the Kubernetes cluster, kubeadm uses the existing certificates and configuration files if they are present:
[certificates] Using the existing ca certificate and key.
[certificates] Using the existing apiserver certificate and key.
[certificates] Using the existing apiserver-kubelet-client certificate and key.
[certificates] Using the existing sa key.
[certificates] Using the existing front-proxy-ca certificate and key.
[certificates] Using the existing front-proxy-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/scheduler.conf"
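To show what the `hosts` list and the validity period actually turn into, here is an added example in Go using only the standard library (it is not code from the page or from the k8s-tls repository, which drives its own tooling through `run.sh`). It builds a CA and an apiserver serving certificate with the SANs from `apiserver.json` and a ten-year validity, then runs the check worth doing before `kubeadm init`: the certificate chains to the CA, covers each hostname and IP in the list, and is not close to expiry. The ten-year value, the CA common name `kubernetes`, and the function names `Issue`, `CheckCert` and `ToPEM` are assumptions of this example; the hosts are the ones from the page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertSpec mirrors the CSR JSON edited in step 2 (CN, mixed hostname/IP list, RSA key size) plus a validity period.
type CertSpec struct {
	CN       string
	Hosts    []string
	KeyBits  int
	Validity time.Duration
}

// Issue generates an RSA key for spec and signs a certificate for it. With parent/parentKey
// it is CA-signed; with parent nil it becomes a self-signed CA (ca.crt/ca.key). Hosts that
// parse as IP addresses become IP SANs, the rest DNS SANs, which is how a list mixing
// "172.16.50.131" and "k8s01" has to be mapped for the apiserver.
func Issue(spec CertSpec, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, spec.KeyBits)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial: two certificates from one CA must never share one.
	sn, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          sn,
		Subject:               pkix.Name{CommonName: spec.CN},
		NotBefore:             now.Add(-5 * time.Minute), // tolerate clock skew between nodes
		NotAfter:              now.Add(spec.Validity),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, h := range spec.Hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	if parent == nil { // no signer given: make this a self-signed CA
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CheckCert is the post-generation check: the certificate must chain to ca, cover host
// (a name or IP clients use to reach the apiserver) and keep at least minRemaining of validity.
func CheckCert(cert, ca *x509.Certificate, host string, minRemaining time.Duration) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}); err != nil {
		return err
	}
	if left := time.Until(cert.NotAfter); left < minRemaining {
		return fmt.Errorf("%q expires in %s, less than %s", cert.Subject.CommonName, left.Round(time.Hour), minRemaining)
	}
	return nil
}

// ToPEM gives the on-disk forms kubeadm reads from /etc/kubernetes/pki.
func ToPEM(cert *x509.Certificate, key *rsa.PrivateKey) (certPEM, keyPEM []byte) {
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM
}

func main() {
	tenYears := 10 * 365 * 24 * time.Hour // chosen for this example, not a kubeadm default
	ca, caKey, err := Issue(CertSpec{CN: "kubernetes", KeyBits: 2048, Validity: tenYears}, nil, nil)
	if err != nil {
		panic(err)
	}
	cert, key, err := Issue(CertSpec{CN: "kube-apiserver", KeyBits: 2048, Validity: tenYears,
		Hosts: []string{"172.16.50.131", "k8s01", "10.96.0.1", "kubernetes", "kubernetes.default.svc.cluster.local"}}, ca, caKey)
	if err != nil {
		panic(err)
	}
	certPEM, _ := ToPEM(cert, key)
	fmt.Printf("expires %s, k8s01 check: %v\n%s", cert.NotAfter.Format(time.RFC3339), CheckCert(cert, ca, "k8s01", 30*24*time.Hour), certPEM)
}
```

The same `CheckCert` call, fed certificates decoded from `/etc/kubernetes/pki` with `encoding/pem` and `x509.ParseCertificate`, is how to confirm a manually generated set before kubeadm picks it up. Keep the trade-off in mind: a ten-year certificate removes the yearly expiry, but Kubernetes does not check certificate revocation, so a leaked apiserver or CA key stays usable for those ten years unless the whole set is reissued from a new CA.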
If there are multiple master nodes, copy every file under /etc/kubernetes/pki to the other master nodes and repeat step 4 there to generate admin.conf, kubelet.conf, controller-manager.conf and scheduler.conf. That directory holds the CA and service-account private keys, so copy it over an authenticated channel such as scp and keep the files readable by root only.
With multiple master nodes it is recommended to initialize the cluster with --config, but the official documentation warns: "Caution: The config file is still considered alpha and may change in future versions."
Reference: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/
An example config.yaml follows. Note that the etcd endpoints in it are plain http://, so apiserver-to-etcd traffic is neither encrypted nor authenticated, and tokenTTL: "0" makes the bootstrap token never expire; both deserve changing in a real cluster (the same etcd section also accepts caFile, certFile and keyFile for TLS):
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
kubernetesVersion: v1.10.4
networking:
  podSubnet: 10.244.0.0/16
apiServerCertSANs: # master node hostnames and IP addresses
  - k8s01
  - k8s02
  - k8s03
  - 172.16.50.131
  - 172.16.50.132
  - 172.16.50.104
  - 172.16.50.227
apiServerExtraArgs:
  endpoint-reconciler-type: "lease"
etcd:
  endpoints: # etcd cluster addresses
    - http://172.16.50.131:2379
    - http://172.16.50.132:2379
    - http://172.16.50.133:2379
token: "deed3a.b3542929fcbce0f0"
tokenTTL: "0"