It is recommended that you read the following articles before performing the steps below:
- Manage TLS in a cluster: explains how to create a TLS certificate.
- kubelet authentication and authorization: describes how to access the kubelet's HTTPS endpoint with authentication and authorization.
- TLS bootstrap: introduces how to set up TLS client certificate bootstrapping for the kubelet.
Note: Of all the steps in installing and configuring kubernetes, this one is the most error-prone and the hardest to troubleshoot, and it is only the first step. Everything is difficult at the beginning; don't be discouraged by it.
If you are confident that you can complete the configuration in this step without first understanding the material above, you can skip those articles and proceed directly to the operations below.
Each component of the kubernetes system needs TLS certificates to encrypt its communication. This document uses CloudFlare's PKI toolkit, cfssl, to generate the Certificate Authority (CA) and the other certificates.
The generated CA certificate, keys and other certificate files are as follows:
- ca-key.pem
- ca.pem
- kubernetes-key.pem
- kubernetes.pem
- kube-proxy.pem
- kube-proxy-key.pem
- admin.pem
- admin-key.pem
The components that use these certificates are as follows:
- etcd: uses ca.pem, kubernetes-key.pem, kubernetes.pem;
- kube-apiserver: uses ca.pem, kubernetes-key.pem, kubernetes.pem;
- kubelet: uses ca.pem;
- kube-proxy: uses ca.pem, kube-proxy-key.pem, kube-proxy.pem;
- kubectl: uses ca.pem, admin-key.pem, admin.pem;
- kube-controller-manager: uses ca-key.pem, ca.pem.
Note: The following operations are performed on the master node, 172.20.0.113, and the certificates only need to be created once. When a new node is added to the cluster later, simply copy the certificates under the /etc/kubernetes/ directory to the new node.
Install cfssl
Method 1: install directly from the binary release
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
export PATH=/usr/local/bin:$PATH
Method 2: Use the go command to install
Go 1.7.5 is installed on our system, so it is faster to install with the following command:
$ go get -u github.com/cloudflare/cfssl/cmd/...
$ echo $GOPATH
/usr/local
$ ls /usr/local/bin/cfssl*
cfssl cfssl-bundle cfssl-certinfo cfssljson cfssl-newkey cfssl-scan
This places several commands beginning with cfssl in the $GOPATH/bin directory.
Note: Where the text below shows the contents of a file with cat, create that file by hand if it does not already exist.
Create CA (Certificate Authority)
Create a CA configuration file
mkdir /root/ssl
cd /root/ssl
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json
# Following the format of config.json, create the ca-config.json file below
# The expiry time is set to 87600h
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
Field description:
- ca-config.json: multiple profiles can be defined, each specifying a different expiry time, usage scenario and other parameters; a particular profile is selected later when signing a certificate;
- signing: indicates that the certificate can be used to sign other certificates; the generated ca.pem certificate has CA=TRUE;
- server auth: indicates that the client can use the CA to verify the certificate provided by the server;
- client auth: indicates that the server can use the CA to verify the certificate provided by the client.
Create a CA certificate signing request
Create a ca-csr.json file with the following content:
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ],
  "ca": {
    "expiry": "87600h"
  }
}
- "CN": Common Name; kube-apiserver extracts this field from the certificate as the requesting user name (User Name); browsers use this field to verify whether a website is legitimate;
- "O": Organization; kube-apiserver extracts this field from the certificate as the group (Group) to which the requesting user belongs.
Generate CA certificate and private key
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
$ ls ca*
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
Create kubernetes certificate
Create the kubernetes certificate signing request file kubernetes-csr.json:
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "172.20.0.112",
    "172.20.0.113",
    "172.20.0.114",
    "172.20.0.115",
    "10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
- If the hosts field is not empty, it must list the IPs or domain names authorized to use the certificate. Because this certificate is later used by both the etcd cluster and the kubernetes master cluster, the list above contains the host IPs of the etcd cluster and of the kubernetes master cluster, plus the service IP of the kubernetes service (generally the first IP of the service-cluster-ip-range network segment specified for kube-apiserver, such as 10.254.0.1).
- This is a minimally installed kubernetes cluster, consisting of a private image registry and a three-node kubernetes cluster; the IPs of the physical nodes above can also be replaced with their host names.
Generate kubernetes certificate and private key
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
$ ls kubernetes*
kubernetes.csr kubernetes-csr.json kubernetes-key.pem kubernetes.pem