(一)k8s之系統初始化及ca證書申請
阿新 • • 發佈:2019-03-03
master01 192.168.19.128
master02 192.168.19.129
node01 192.168.19.130
node02 192.168.19.131
中轉機: 192.168.19.132
#(2)關閉防火墻, selinux以及安裝docker;所有機器上都要操作
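#!/usr/bin/env bash
# Step (2): host preparation. Run as root on every master and node.
#
# Disables firewalld and SELinux (the cluster layout on this page relies on
# that), sets the timezone and a one-shot time sync, installs a pinned
# docker-ce, configures a registry mirror and creates /opt/kubernetes/{ssl,bin,cfg}.
#
# Turning off the host firewall and SELinux removes two containment layers on
# every node; restrict reachability of these hosts at the network edge instead.

systemctl stop firewalld
systemctl disable firewalld
# Plain ASCII quotes: the original used typographic quotes, which sed cannot parse.
sed -ri '/^SELINUX=/cSELINUX=disabled' /etc/selinux/config
setenforce 0 || true   # non-zero when SELinux is already disabled; not fatal

\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

# Repo files are fetched over https (same host the docker-ce repo below already
# uses) and with -f so that an HTTP error page is never written into yum.repos.d.
curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
curl -fsSL -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

# Original piped `which` into yum; the intent is "install only if missing".
command -v ntpdate >/dev/null || yum install -y ntpdate
ntpdate time.windows.com

curl -fsSL -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Version is pinned by the author; re-check vendor advisories before reusing it.
yum install -y docker-ce-17.06.0.ce-1.el7.centos.x86_64
systemctl enable docker
systemctl start docker

# Overwrite (not append): appending to an existing daemon.json yields invalid
# JSON and docker fails to start on the next restart.
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<'EOF'
{ "registry-mirrors": ["https://ui5lsypg.mirror.aliyuncs.com"] }
EOF
systemctl daemon-reload
systemctl restart docker

mkdir -pv /opt/kubernetes/{ssl,bin,cfg}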
#(3)在中轉機器上安裝cfssl證書生成工具
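#!/usr/bin/env bash
# Step (3): install the cfssl toolchain on the jump host (中轉機) only.
# The CA private key is generated with these tools, so they belong on the one
# host that holds that key, not on the cluster nodes.
set -euo pipefail

command -v wget >/dev/null || yum install -y wget
mkdir -p /tools
cd /tools

readonly CFSSL_BASE=https://pkg.cfssl.org/R1.2
tools=(cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64)
for t in "${tools[@]}"; do
  # -O overwrites a previous download instead of creating "<name>.1", which the
  # chmod/mv below would otherwise silently skip.
  wget -q -O "$t" "${CFSSL_BASE}/${t}"
done

# Supply-chain check: these are unsigned binaries fetched from the network.
# Compare them against the checksums the vendor publishes before installing, e.g.
#   sha256sum -c <CHECKSUM_FILE_FROM_VENDOR>   (placeholder; not given on this page)
chmod +x "${tools[@]}"

# All three binaries are installed side by side under /usr/local/bin (the
# original put cfssl-certinfo under /usr/bin, which the package manager owns).
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo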
#(4)在中轉機器上生成及分發ca
配置生成ca證書的策略
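#!/usr/bin/env bash
# Step (4a): write the cfssl signing policy (ca-config.json) on the jump host.
#
# The "kubernetes" profile issues certificates usable for both server and
# client authentication with the author's 876000h (~100 year) lifetime. A
# shorter expiry limits how long a leaked leaf key stays usable; keep it as the
# deployment requires.
mkdir -pv /temp/ssl
cd /temp/ssl || exit 1

# The original profile listed "expiry" twice; JSON parsers keep only one of the
# duplicates, so the key is written once here.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF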
生成ca證書簽署請求
#vi ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Hangzhou",
"L": "Hangzhou",
"O": "k8s",
"OU": "System"
}
]
}
生成ca證書 和私鑰
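# Step (4b): create the self-signed cluster CA from ca-csr.json in the current
# directory. cfssljson -bare writes ca.pem (CA certificate) and ca-key.pem (CA
# private key), plus the CSR as ca.csr.
#
# ca-key.pem is the trust root of the whole cluster: anything signed with it is
# accepted by every component. Keep it on this host with restrictive file
# permissions and an offline backup; distribute it no further than necessary.
# (Leading "#" on the original line was a root shell prompt, not a comment.)
cfssl gencert -initca ca-csr.json | cfssljson -bare ca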
把ca證書和ca私鑰scp到master和node節點
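#!/usr/bin/env bash
# Step (4c): copy the CA material to every master and node, aborting on the
# first failed copy so a host is never left without ca.pem unnoticed.
#
# NOTE(review): the glob ca*.pem matches ca-key.pem too, so the CA *private*
# key lands on every worker node, while only ca.pem is needed to trust the CA.
# Unless a later step (not shown here) signs certificates on those hosts, send
# ca.pem alone to the nodes and keep ca-key.pem on the jump host / masters.
hosts=(master01 master02 node02 node01)
for host in "${hosts[@]}"; do
  scp ca*.pem "${host}:/opt/kubernetes/ssl" || {
    printf 'failed to copy CA files to %s\n' "$host" >&2
    exit 1
  }
done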