1. 程式人生 > >(一)k8s之系統初始化及ca證書申請

(一)k8s之系統初始化及ca證書申請

enc -c 安裝 docke linux 規劃 wget auth tool

#(1)環境規劃

master01 192.168.19.128 
master02 192.168.19.129 
node01 192.168.19.130 
node02 192.168.19.131 
中轉機: 192.168.19.132

#(2)關閉防火墻, selinux以及安裝docker;所有機器上都要操作

systemctl stop firewalld
systemctl  disable firewalld
sed -ri ‘/^SELINUX=/cSELINUX=disabled‘ /etc/selinux/config
setenforce 0
\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o  /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
which ntpdate | yum install ntpdate -y 
ntpdate time.windows.com
curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install docker-ce-17.06.0.ce-1.el7.centos.x86_64 -y
systemctl enable docker
systemctl start docker 
cat >> /etc/docker/daemon.json <<EOF
{
     "registry-mirrors": ["https://ui5lsypg.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
mkdir /opt/kubernetes/{ssl,bin,cfg} -pv

#(3)在中轉機器上安裝cfssl證書生成工具

which wget || yum install wget -y 
test -d /tools || mkdir /tools 
cd /tools 
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

#(4)在中轉機器上生成及分發ca
配置生成ca證書的策略

#mkdir -pv  /temp/ssl && cd /temp/ssl 
#vi ca-config.json
{
"signing": {
        "default": {
            "expiry": "876000h"
        },
        "profiles": {
            "kubernetes": {
    "expiry": "876000h",
                "usages": [
                        "signing",
                        "key encipherment",
                        "server auth",
                        "client auth"
                ],
                "expiry": "876000h"
            }
        }
}
}

生成ca證書簽署請求

#vi ca-csr.json
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Hangzhou",
            "L": "Hangzhou",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

生成ca證書 和私鑰

#cfssl gencert -initca ca-csr.json | cfssljson -bare ca

把ca證書和ca私鑰scp到master和node節點

scp ca*.pem  master01:/opt/kubernetes/ssl 
scp ca*.pem  master02:/opt/kubernetes/ssl 
scp ca*.pem  node02:/opt/kubernetes/ssl 
scp ca*.pem  node01:/opt/kubernetes/ssl 

(一)k8s之系統初始化及ca證書申請