Base environment

systemctl stop firewalld
systemctl disable firewalld
sed -i 's/enforcing/disabled/' /etc/selinux/config
setenforce 0
swapoff -a
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sysctl --system

Install docker-ce on all nodes.

192.168.56.10 k8s-master
192.168.56.11 k8s-node1
192.168.56.12 k8s-node2

On all nodes:

mkdir -p /opt/kubernetes/{cfg,bin,ssl,log}
# Single quotes keep $PATH literal so it is expanded at login, not when this line is written;
# the leading ':' was dropped because an empty PATH entry means the current directory.
echo 'export PATH=$PATH:/opt/kubernetes/bin' >> /etc/profile
source /etc/profile

This adds /opt/kubernetes/bin to the PATH environment variable.
2. Creating certificates
Official documentation:
https://kubernetes.io/docs/concepts/cluster-administration/certificates/
2.1
cfssl:
On the k8s-master node, download the tools used to create the SSL certificates:

cd /usr/local/src
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /opt/kubernetes/bin/cfssl-certinfo
mv cfssljson_linux-amd64 /opt/kubernetes/bin/cfssljson
mv cfssl_linux-amd64 /opt/kubernetes/bin/cfssl
chmod +x /opt/kubernetes/bin/*
2.2
Create the SSL certificates on the k8s master

cd /usr/local/src
mkdir ssl && cd ssl
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json

vim ca-config.json

{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}

vim ca-csr.json

{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cp ca.csr ca.pem ca-key.pem ca-config.json /opt/kubernetes/ssl

Copy the certificates to 192.168.56.11 and 192.168.56.12:

cd /opt/kubernetes/ssl
# Destination is the ssl directory created earlier on every node (not bin, which is on PATH)
scp ca.csr ca.pem ca-key.pem ca-config.json 192.168.56.11:/opt/kubernetes/ssl
scp ca.csr ca.pem ca-key.pem ca-config.json 192.168.56.12:/opt/kubernetes/ssl
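After ca-key.pem (the CA private key) has been copied around, its file mode is worth checking on each host. The following is an added example, not part of the original post: the function names are hypothetical, and it assumes GNU stat and a certificate directory such as /opt/kubernetes/ssl.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on the PEM files produced by
# cfssljson (ca.pem, ca-key.pem) in a directory such as /opt/kubernetes/ssl.

# Print every *-key.pem in directory $1 that grants any permission to group
# or others. Returns 1 if at least one such file exists, 0 otherwise.
audit_key_perms() {
    local dir=$1 mode f rc=0
    for f in "$dir"/*-key.pem; do
        [ -e "$f" ] || continue           # glob matched nothing
        mode=$(stat -c '%a' "$f")         # GNU stat: octal mode, e.g. 600 or 644
        # Prefix 0 so the shell reads the mode as octal; 077 masks group+other bits
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "LOOSE $mode $f"
            rc=1
        fi
    done
    return $rc
}

# Set private keys to owner read/write only (600) and certificates to
# world-readable but not writable by group or others (644).
harden_ssl_dir() {
    local dir=$1 f
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        case $f in
            *-key.pem) chmod 600 "$f" ;;
            *)         chmod 644 "$f" ;;
        esac
    done
    return 0
}
```

Run `audit_key_perms /opt/kubernetes/ssl` on the master and on each node after the copy; a non-zero exit status means a key file needs `harden_ssl_dir`.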