k8s之系统初始化及ca证书申请

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了k8s之系统初始化及ca证书申请相关的知识,希望对你有一定的参考价值。

#(1)环境规划

master01 192.168.19.128 
master02 192.168.19.129 
node01 192.168.19.130 
node02 192.168.19.131 
中转机: 192.168.19.132

#(2)关闭防火墙, selinux以及安装docker;所有机器上都要操作

systemctl stop firewalld
systemctl  disable firewalld
sed -ri ‘/^SELINUX=/cSELINUX=disabled‘ /etc/selinux/config
setenforce 0
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o  /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
which ntpdate | yum install ntpdate -y 
ntpdate time.windows.com
curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install docker-ce-17.06.0.ce-1.el7.centos.x86_64 -y
systemctl enable docker
systemctl start docker 
cat >> /etc/docker/daemon.json <<EOF
{
     "registry-mirrors": ["https://ui5lsypg.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
mkdir /opt/kubernetes/{ssl,bin,cfg} -pv

#(3)在中转机器上安装cfssl证书生成工具

which wget || yum install wget -y 
test -d /tools || mkdir /tools 
cd /tools 
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

#(4)在中转机器上生成及分发ca
配置生成ca证书的策略

#mkdir -pv  /temp/ssl && cd /temp/ssl 
#vi ca-config.json
{
"signing": {
        "default": {
            "expiry": "876000h"
        },
        "profiles": {
            "kubernetes": {
    "expiry": "876000h",
                "usages": [
                        "signing",
                        "key encipherment",
                        "server auth",
                        "client auth"
                ],
                "expiry": "876000h"
            }
        }
}
}

生成ca证书签署请求

#vi ca-csr.json
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Hangzhou",
            "L": "Hangzhou",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

生成ca证书 和私钥

#cfssl gencert -initca ca-csr.json | cfssljson -bare ca

把ca证书和ca私钥scp到master和node节点

scp ca*.pem  master01:/opt/kubernetes/ssl 
scp ca*.pem  master02:/opt/kubernetes/ssl 
scp ca*.pem  node02:/opt/kubernetes/ssl 
scp ca*.pem  node01:/opt/kubernetes/ssl

以上是关于k8s之系统初始化及ca证书申请的主要内容,如果未能解决你的问题,请参考以下文章

k8s搭建之证书制作

区块链系统之《基于区块链的PKI数字证书系统》

区块链系统之《基于区块链的PKI数字证书系统》

创建私有CA及颁发证书

windows系统-PKI证书服务器

数字证书生成时提交的信息是如何保密传送的