【原】二进制部署 k8s 1.18.3 (2)

此处为实验环境,用单台 nginx 做四层代理实现

# 安装 nginx
[root@centos7-nginx ~]# yum install -y nginx

# 创建子配置文件
[root@centos7-nginx ~]# cd /etc/nginx/conf.d/
[root@centos7-nginx conf.d]# vim lb.tcp
stream {
    upstream master {
        hash $remote_addr consistent;
        server 10.10.10.128:6443 max_fails=3 fail_timeout=30;
        server 10.10.10.129:6443 max_fails=3 fail_timeout=30;
        server 10.10.10.130:6443 max_fails=3 fail_timeout=30;
    }
    server {
        listen 6443;
        proxy_pass master;
    }
}

# 在主配置文件中引入该文件
[root@centos7-nginx ~]# cd /etc/nginx/
[root@centos7-nginx nginx]# vim nginx.conf
...
include /etc/nginx/conf.d/*.tcp;
...

# 加入开机自启,并启动 nginx
[root@centos7-nginx nginx]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
[root@centos7-nginx nginx]# systemctl start nginx

3、部署

3.1 生成证书

执行脚本

[root@centos7-nginx ~]# mkdir ssl && cd ssl
[root@centos7-nginx ssl]# vim ./k8s-certificate.sh
[root@centos7-nginx ssl]# ./k8s-certificate.sh 10.10.10.127,10.10.10.128,10.10.10.129,10.10.10.130,lb.5179.top,10.96.0.1

IP 说明:

10.10.10.127|lb.5179.top: nginx

10.10.10.128|129|130: masters

10.96.0.1: kubernetes(service 网段的第一个 IP)

脚本内容如下

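#!/usr/bin/env bash
# Binary k8s deployment: generate the cluster certificates with cfssl.
#
# Usage: k8s-certificate.sh MASTERS
#   MASTERS  comma-separated list of IPs/hostnames that must appear in the
#            apiserver (server) certificate SAN list, e.g.
#            10.10.10.127,10.10.10.128,10.10.10.129,10.10.10.130,lb.5179.top,10.96.0.1
#
# Outputs (in the current directory): ca*.pem, server*.pem, admin*.pem,
#   kube-proxy*.pem, metrics-server*.pem plus the ca-config.json / *-csr.json
#   files used to produce them. Prints the validity window of each cert.
# Exit status: 1 on bad arguments; non-zero if a download, install or cfssl
#   step fails (set -e / pipefail abort the run instead of continuing with
#   missing files).
set -euo pipefail

if [ $# -ne 1 ]; then
  echo "please user in: ${0##*/} MASTERS[10.10.10.127,10.10.10.128,10.10.10.129,10.10.10.130,lb.5179.top,10.96.0.1]" >&2
  exit 1
fi

MASTERS=$1
# In-cluster names of the apiserver. Only the commented-out "-hostname"
# variant below reads this; the JSON CSR lists the same names explicitly,
# so keep the two in sync (the last entry is kubernetes.default.svc.cluster.local).
KUBERNETES_HOSTNAMES=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local

# Turn MASTERS into JSON array elements, each followed by a comma
# ("10.10.10.128","10.10.10.129",...) so the string can be spliced in front
# of the fixed entries of server-csr.json's hosts[] list.
IPS=""
IFS=',' read -r -a master_list <<<"$MASTERS"
for host in "${master_list[@]}"; do
  [[ -n "$host" ]] || continue   # tolerate "a,,b"
  IPS="${IPS}\"${host}\","
done

#######################################
# Test whether a command is available in PATH.
# Arguments: $1 - command name
# Returns:   0 if found, non-zero otherwise
#######################################
command_exists() {
  command -v "$@" >/dev/null 2>&1
}

if command_exists cfssl; then
  echo "命令已存在"
else
  # Download the cfssl toolchain. These binaries end up in PATH and are run
  # as root to mint the cluster CA, so their digests are printed here to be
  # compared with the checksums published on the cfssl release page.
  # TODO: pin the expected SHA-256 values and abort on mismatch instead of
  #       relying on a manual comparison.
  for tool in cfssl cfssljson cfssl-certinfo; do
    wget "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64"
  done
  sha256sum cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
  # Install all three under /usr/local/bin with execute permission
  # (the original placed cfssl-certinfo in /usr/bin, contradicting its own
  # comment; one location keeps PATH handling predictable).
  install -m 0755 -- cfssl_linux-amd64 /usr/local/bin/cfssl
  install -m 0755 -- cfssljson_linux-amd64 /usr/local/bin/cfssljson
  install -m 0755 -- cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
  rm -f -- cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
fi

# Signing policy: leaf certificates are valid for 10 years (87600h).
# NOTE: the single "kubernetes" profile grants both "server auth" and
# "client auth" to every certificate it signs, including the pure client
# certs (admin, kube-proxy, metrics-server). Splitting it into a server
# profile and a client profile would narrow what each key can be used for.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

# CA request. "cfssl gencert -initca" does not consult ca-config.json, so
# without the "ca" block the CA would get cfssl's default 5-year lifetime and
# expire before the 10-year leaf certificates it signs; pin it to 87600h so
# the CA outlives everything issued under it.
cat > ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "ca": {
    "expiry": "87600h"
  },
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------
# apiserver certificate. hosts[] must contain every address clients use to
# reach the API: the masters, the load balancer, the first service IP and
# the in-cluster DNS names. ${IPS} is expanded here, so the delimiter is
# deliberately unquoted.
cat > server-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    ${IPS}
    "127.0.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  server-csr.json | cfssljson -bare server

# Alternative: keep hosts[] out of the CSR and pass the SAN list with
# -hostname instead (same result, kept for reference):
#cat > server-csr.json <<'EOF'
#{
#  "CN": "kubernetes",
#  "key": {
#    "algo": "rsa",
#    "size": 2048
#  },
#  "names": [
#    {
#      "C": "CN",
#      "L": "BeiJing",
#      "ST": "BeiJing",
#      "O": "k8s",
#      "OU": "System"
#    }
#  ]
#}
#EOF
#
#cfssl gencert \
#  -ca=ca.pem \
#  -ca-key=ca-key.pem \
#  -config=ca-config.json \
#  -hostname=${MASTERS},127.0.0.1,${KUBERNETES_HOSTNAMES} \
#  -profile=kubernetes \
#  server-csr.json | cfssljson -bare server

#-----------------------
# kubectl admin client certificate. O=system:masters maps to the cluster
# superuser group, so admin-key.pem is equivalent to root on the cluster:
# keep it off shared hosts and out of version control.
cat > admin-csr.json <<'EOF'
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin

#-----------------------
# kube-proxy client certificate (CN system:kube-proxy).
cat > kube-proxy-csr.json <<'EOF'
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy

# NOTE: the CN must be exactly "system:metrics-server" because the RBAC
# binding applied later refers to that name; with any other CN the requests
# are rejected as anonymous access.
cat > metrics-server-csr.json <<'EOF'
{
  "CN": "system:metrics-server",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "system"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  metrics-server-csr.json | cfssljson -bare metrics-server

# Print the validity window of every certificate; private keys (*key*.pem)
# are skipped. Globbing replaces the old "ls | grep -v key" pipeline.
for item in *.pem; do
  [[ -e "$item" ]] || continue      # no *.pem present
  [[ "$item" == *key* ]] && continue
  echo "======================${item}==================="
  openssl x509 -in "$item" -text -noout | grep Not
done

# Sample output from the original run (before the CA lifetime was pinned,
# which is why ca.pem showed only 5 years):
#======================admin.pem====================
#            Not Before: Jun 18 14:32:00 2020 GMT
#            Not After : Jun 16 14:32:00 2030 GMT
#======================ca.pem=======================
#            Not Before: Jun 18 14:32:00 2020 GMT
#            Not After : Jun 17 14:32:00 2025 GMT
#======================kube-proxy.pem===============
#            Not Before: Jun 18 14:32:00 2020 GMT
#            Not After : Jun 16 14:32:00 2030 GMT
#======================metrics-server.pem===========
#            Not Before: Jun 18 14:32:00 2020 GMT
#            Not After : Jun 16 14:32:00 2030 GMT
#======================server.pem===================
#            Not Before: Jun 18 14:32:00 2020 GMT
#            Not After : Jun 16 14:32:00 2030 GMT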

注意:cfssl产生的ca证书固定5年有效期
