架构:
master01: 192.168.63.148
master02: 192.168.63.149
master03: 192.168.63.150
1.下载证书生成工具(cfssl_1.6.1、cfssl-certinfo、cfssljson_1.6.1 ),然后链接或移动到/usr/bin/下。
代码语言:javascript复制 sudo chmod a x etcdctl etcd
sudo ln /usr/src/cfssl_1.6.1_linux_amd64 /bin/cfssl
sudo ln /usr/src/cfssl-certinfo_1.6.1_linux_amd64 /usr/bin/cfssl-certinfo
sudo ln /usr/src/cfssljson_1.6.1_linux_amd64 /usr/bin/cfssljson
2.在所有master节点上创建目录
代码语言:javascript复制 sudo mkdir /k8s/etcd/{bin,cfg,ssl} -p
sudo mkdir /k8s/kubernetes/{bin,cfg,ssl} -p
3.生成ETCD证书
cd /k8s/etcd/ssl/
1)etcd的CA配置文件:
代码语言:javascript复制 neo@master01:/k8s/etcd/ssl$ sudo vim ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"etcd": {
"expiry": "87600h",
"usages": [
"signing", //可以签名其他证书
"key encipherment",
"server auth", //表示 client 可以用该该证书对 server 提供的证书进行验证
"client auth" //表示 server 可以用该该证书对 client 提供的证书进行验证;
]
}
}
}
}
2)证书请求文件:
代码语言:javascript复制 neo@master01:/k8s/etcd/ssl$ sudo vim ca-csr.json
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
3)生成server的证书请求文件:
代码语言:javascript复制 neo@master01:/k8s/etcd/ssl$ sudo vim server-csr.json
{
"CN": "etcd",
"hosts": [
"192.168.63.148",//master的IP地址
"192.168.63.149",
"192.168.63.150"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
4)初始化证书
代码语言:javascript复制neo@master01:/k8s/etcd/ssl$ sudo cfssl gencert -initca ca-csr.json | sudo cfssljson -bare ca
//会生成以ca开头的文件:ca-key.pem(CA私钥)、 ca.pem(CA证书)、 ca.csr (根证书签发申请文件)
5) 生成服务器证书
代码语言:javascript复制neo@master01:/k8s/etcd/ssl$ sudo cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | sudo cfssljson -bare server
//生成三个证书相关文件server.csr server-key.pem server.pem
//将所有生成的文件copy到master02、master03上同样的目录
4.生成kubernets证书和私钥
代码语言:javascript复制 cd /k8s/etcd/ssl/
1)etcd的CA配置文件:
代码语言:javascript复制 neo@master01:/k8s/kubernetes/ssl$ sudo vim ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
2)etcd的CA配置文件
代码语言:javascript复制 neo@master01:/k8s/kubernetes/ssl$ sudo vim ca-config.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "matrix.com",
"OU": "System"
}
]
}
3) 生成文件
代码语言:javascript复制 neo@master01:/k8s/kubernetes/ssl$ sudo cfssl gencert -initca ca-csr.json | sudo cfssljson -bare ca -
4) 生成api server文件
代码语言:javascript复制neo@master01:/k8s/kubernetes/ssl$ sudo vim server-csr.json
{
"CN": "kubernetes",
"hosts": [
"10.254.0.1",
"127.0.0.1",
"192.168.63.148",
"192.168.63.149",
"192.168.63.150",
"192.168.63.151",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.matrix.com",
"kubernetes.default.svc.matrix",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
5)生成证书文件
代码语言:javascript复制 neo@master01:/k8s/kubernetes/ssl$ sudo cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | sudo cfssljson -bare serve
//将所有生成的文件copy到master02、master03上的同样目录
6) 编辑kube-proxy证书文件
代码语言:javascript复制 neo@master01:/k8s/kubernetes/ssl$ sudo vim kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "matrix.com",
"OU": "System"
}
]
}
//将所有生成的文件copy到master02、master03上的同样目录
5.配置ETCD
代码语言:javascript复制 neo@master01:/k8s/kubernetes/ssl$ cd /usr/src/
neo@master01:/usr/src$ sudo tar -xf etcd-v3.5.0-linux-amd64.tar.gz
neo@master01:/usr/src$ cd etcd-v3.5.0-linux-amd64/
neo@master01:/usr/src$ sudo chmod a x etcd etcdctl
neo@master01:/usr/src$ sudo cp etcd etcdctl /k8s/etcd/bin
//master02、master03也要做该动作
2)编写etcd服务文件
//在3.5版本中发现只能在service和cfg文件中二选一,不能两个文件都使用
代码语言:javascript复制neo@master01:/k8s/etcd/cfg$ sudo mkdir /data1/etcd -p
neo@master01:/k8s/etcd/cfg$ vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Serve
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
WorkingDirectory=/data1/etcd/
#EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
ExecStart=/k8s/etcd/bin/etcd
--name=etcd01
--initial-cluster-token=etcd-cluster
--initial-cluster-state=new
--cert-file=/k8s/etcd/ssl/server.pem
--key-file=/k8s/etcd/ssl/server-key.pem
--trusted-ca-file=/k8s/etcd/ssl/ca.pem
--client-cert-auth=true
--peer-cert-file=/k8s/etcd/ssl/server.pem
--peer-key-file=/k8s/etcd/ssl/server-key.pem
--peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem
--peer-client-cert-auth=true
--data-dir=/data1/etcd/default.etcd
--listen-peer-urls=https://192.168.63.148:2380
--listen-client-urls=https://192.168.63.148:2379,http://127.0.0.1:2379
--advertise-client-urls=https://192.168.63.148:2379
--initial-advertise-peer-urls=https://192.168.63.148:2380
--initial-cluster=etcd01=https://192.168.63.148:2380,etcd02=https://192.168.63.149:2380,etcd03=https://192.168.63.150:2380
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
3) 配置服务启动
代码语言:javascript复制neo@master01:/k8s/etcd/cfg$ sudo systemctl daemon-reload
neo@master01:/k8s/etcd/cfg$ sudo systemctl enable etcd
neo@master01:/k8s/etcd/cfg$ sudo systemctl start etcd
4)将etcd服务文件copy到master02,master03
代码语言:javascript复制neo@master01:/k8s/etcd/cfg$ sudo scp /usr/lib/systemd/system/etcd.service 192.168.63.149:/usr/lib/systemd/system/
neo@master01:/k8s/etcd/cfg$ sudo scp /usr/lib/systemd/system/etcd.service 192.168.63.149:/usr/lib/systemd/system/
5) 配置master02
a.编辑maseter02的配置文件
代码语言:javascript复制neo@master02:/k8s/etcd/cfg$ sudo mkdir /data1/etcd -p
neo@master02:/k8s/etcd/cfg$ sudo vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Serve
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
WorkingDirectory=/data1/etcd/
#EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
ExecStart=/k8s/etcd/bin/etcd
--name=etcd02
--initial-cluster-token=etcd-cluster
--initial-cluster-state=new
--cert-file=/k8s/etcd/ssl/server.pem
--key-file=/k8s/etcd/ssl/server-key.pem
--trusted-ca-file=/k8s/etcd/ssl/ca.pem
--client-cert-auth=true
--peer-cert-file=/k8s/etcd/ssl/server.pem
--peer-key-file=/k8s/etcd/ssl/server-key.pem
--peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem
--peer-client-cert-auth=true
--data-dir=/data1/etcd/default.etcd
--listen-peer-urls=https://192.168.63.149:2380
--listen-client-urls=https://192.168.63.149:2379,http://127.0.0.1:2379
--advertise-client-urls=https://192.168.63.149:2379
--initial-advertise-peer-urls=https://192.168.63.149:2380
--initial-cluster=etcd01=https://192.168.63.148:2380,etcd02=https://192.168.63.149:2380,etcd03=https://192.168.63.150:2380
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
b.配置服务启动
代码语言:javascript复制neo@master01:/k8s/etcd/cfg$ sudo systemctl daemon-reload
neo@master01:/k8s/etcd/cfg$ sudo systemctl enable etcd
neo@master01:/k8s/etcd/cfg$ sudo systemctl start etcd
6) 配置master03
a.编辑maseter03的配置文件
代码语言:javascript复制neo@master03:/k8s/etcd/cfg$ sudo mkdir /data1/etcd -p
neo@master03:/k8s/etcd/cfg$ sudo vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Serve
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
WorkingDirectory=/data1/etcd/
#EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
ExecStart=/k8s/etcd/bin/etcd
--name=etcd03
--initial-cluster-token=etcd-cluster
--initial-cluster-state=new
--cert-file=/k8s/etcd/ssl/server.pem
--key-file=/k8s/etcd/ssl/server-key.pem
--trusted-ca-file=/k8s/etcd/ssl/ca.pem
--client-cert-auth=true
--peer-cert-file=/k8s/etcd/ssl/server.pem
--peer-key-file=/k8s/etcd/ssl/server-key.pem
--peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem
--peer-client-cert-auth=true
--data-dir=/data1/etcd/default.etcd
--listen-peer-urls=https://192.168.63.150:2380
--listen-client-urls=https://192.168.63.150:2379,http://127.0.0.1:2379
--advertise-client-urls=https://192.168.63.150:2379
--initial-advertise-peer-urls=https://192.168.63.150:2380
--initial-cluster=etcd01=https://192.168.63.148:2380,etcd02=https://192.168.63.149:2380,etcd03=https://192.168.63.150:2380
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
b.配置服务启动
代码语言:javascript复制neo@master01:/k8s/etcd/cfg$ sudo systemctl daemon-reload
neo@master01:/k8s/etcd/cfg$ sudo systemctl enable etcd
neo@master01:/k8s/etcd/cfg$ sudo systemctl start etcd
验证etcd
代码语言:javascript复制neo@master01:/k8s/etcd/cfg$ sudo etcdctl --cacert=/k8s/etcd/ssl/ca.pem --cert=/k8s/etcd/ssl/server.pem --key=/k8s/etcd/ssl/server-key.pem --endpoints="https://192.168.63.148:2379,https://192.168.63.149:2379,https://192.168.63.150:2379" endpoint health
https://192.168.63.148:2379 is healthy: successfully committed proposal: took = 42.549232ms
https://192.168.63.150:2379 is healthy: successfully committed proposal: took = 57.116899ms
https://192.168.63.149:2379 is healthy: successfully committed proposal: took = 78.713865ms
neo@master01:/k8s/etcd/cfg$ sudo etcdctl member list
1829aeef84335dfd, started, etcd02, https://192.168.63.149:2380, https://192.168.63.149:2379, false
251da012ecc749a1, started, etcd03, https://192.168.63.150:2380, https://192.168.63.150:2379, false
fd6bf73a5ad27d82, started, etcd01, https://192.168.63.148:2380, https://192.168.63.148:2379, false