(2)k8s生成ca证书

创建相关目录

master-01为部署服务器

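# Directories on the deployment server (master-01): tool binaries and the
# certificate working directory, created in one call.
mkdir -p /opt/k8s-playbook/bin /opt/k8s-playbook/ssl
# The ssl directory is where ca-key.pem (the CA private key) will be written,
# so make it readable by root only.
chmod 0700 /opt/k8s-playbook/ssl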

在每台主机分别创建

# On every host (masters and nodes): the k8s component binaries and the
# certificates they read.
mkdir -p /opt/k8s/bin /etc/k8s/cert

证书生成工具

下载并重命名文件

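# Stop if the directory is missing so the copies below do not land elsewhere.
cd /opt/k8s-playbook || exit 1

# Supply chain: these are downloaded release binaries. Check each file's
# sha256sum against the checksum published with the cfssl 1.5.0 release
# before installing it.
for tool in cfssl cfssl-certinfo cfssljson; do
  cp -- "${tool}_1.5.0_linux_amd64" "bin/${tool}"
done

# Mark only the three tools executable instead of everything under bin/.
chmod +x -- bin/cfssl bin/cfssl-certinfo bin/cfssljson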

前提是已将文件下载好并放在 /opt/k8s-playbook 目录下

配置全局

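# Add both tool directories to PATH for every user. /etc/profile is read by
# login shells; a non-login shell (for example a command run directly over
# ssh) may not pick this up, so export PATH there too if cfssl is needed.
# The expansion is quoted so a PATH containing spaces survives word splitting.
vim /etc/profile
###########################
export PATH="$PATH:/opt/k8s-playbook/bin:/opt/k8s/bin"
###########################

# Reload so the current shell sees the new PATH (new logins get it automatically).
source /etc/profile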

生成ca证书

创建配置文件

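# Work in the certificate directory; stop if it does not exist so the files
# below are not written somewhere unexpected.
cd /opt/k8s-playbook/ssl || exit 1
# ca-config.json (below) is the signing policy. The "kubernetes" profile lists
# both "server auth" and "client auth", so any certificate signed with it can
# act as either; split into separate server/client profiles for tighter roles.
# Its 876000h expiry is about 100 years.
vim ca-config.json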
###########################
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "876000h"
      }
    }
  }
}
###########################

# ca-csr.json (below) gives the CA's own subject (CN "kubernetes-ca", RSA 2048)
# and its lifetime (876000h, about 100 years). A key that stays valid this long
# deserves matching protection: keep ca-key.pem on the signing host only.
vim ca-csr.json
###########################
{
  "CN": "kubernetes-ca",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shenzhen",
      "L": "Shenzhen",
      "O": "zhfi",
      "OU": "magina"
    }
  ],
  "ca": {
    "expiry": "876000h"
 }
}
###########################

生成证书

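# Self-sign the CA. cfssljson writes ca.pem (the public certificate to
# distribute), ca-key.pem (the private key, which stays on this host) and
# ca.csr. Fail here instead of distributing a missing or stale ca.pem below;
# with `set -o pipefail` a failure of cfssl itself is caught as well.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca || exit 1
# Belt and braces: the private key must not be readable by other users.
chmod 0600 ca-key.pem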

分发

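# ca*.pem matches ca-key.pem too, so the original glob sent the CA private key
# to every host. ca.pem is public and needed everywhere; ca-key.pem only
# belongs where certificates are signed (this deployment server and, if the
# other masters sign CSRs, those masters). Workers stay off the key list
# unless a later step needs it there.
cp -- ca.pem ca-key.pem /etc/k8s/cert/

for host in master-02 master-03 node-01 node-02; do
  scp ca.pem "root@${host}:/etc/k8s/cert/"
done

for host in master-02 master-03; do
  scp ca-key.pem "root@${host}:/etc/k8s/cert/"
done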

如果熟悉ansible, 可以批量处理

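# The public CA certificate goes to every host in the inventory.
ansible -i hosts all -m copy -a "src=./ssl/ca.pem dest=/etc/k8s/cert mode=0644"
# The CA private key goes only to the hosts that sign certificates (here the
# other masters, named directly as a host pattern), not to the whole inventory,
# and is installed root-readable only.
ansible -i hosts 'master-02,master-03' -m copy -a "src=./ssl/ca-key.pem dest=/etc/k8s/cert mode=0600"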