基础环境
systemctl stop firewalld
systemctl disable firewalld
sed -i 's/enforcing/disabled/' /etc/selinux/config
setenforce 0
swapoff -a
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sysctl --system
所有节点安装docker-ce
192.168.56.10 k8s-master
192.168.56.11 k8s-node1
192.168.56.12 k8s-node2
所有节点:
mkdir -p /opt/kubernetes/{cfg,bin,ssl,log}
echo "export PATH=:$PATH:/opt/kubernetes/bin" >>/etc/profile
source /etc/profile
设置path环境变量
/opt/kubernetes/bin
2.证书制作
官网:
https://kubernetes.io/docs/concepts/cluster-administration/certificates/
2.1
cfssl:
k8s-master节点 下载制作ssl证书工具:
cd /usr/local/src wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 mv cfssl-certinfo_linux-amd64 /opt/kubernetes/bin/cfssl-certinfo mv cfssljson_linux-amd64 /opt/kubernetes/bin/cfssljson mv cfssl_linux-amd64 /opt/kubernetes/bin/cfssl chmod +x /opt/kubernetes/bin/*
2.2
k8s master制作ssl证书
cd /usr/local/src
mkdir ssl && cd ssl
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json
vim ca-config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
vim ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cp ca.csr ca.pem ca-key.pem ca-config.json /opt/kubernetes/ssl
拷贝证书到192.168.56.11 192.168.56.12
cd /opt/kubernetes/ssl
scp ca.csr ca.pem ca-key.pem ca-config.json 192.168.56.11:/opt/kubernetes/bin
scp ca.csr ca.pem ca-key.pem ca-config.json 192.168.56.12:/opt/kubernetes/bin
扫描二维码关注公众号,回复:
3391139 查看本文章
