Manual Installation of K8s 1.10, Part 2: Base Environment + CA Certificates
1. Install Docker
yum install docker-ce -y
2. Prepare the required software
Upload k8s-v1.10.1-manual.zip to /usr/local/src
[root@k8smaster src]# ll
total 1178908
-rw-r--r-- 1 root root 6595195 Mar 30 2016 cfssl-certinfo_linux-amd64
-rw-r--r-- 1 root root 2277873 Mar 30 2016 cfssljson_linux-amd64
-rw-r--r-- 1 root root 10376657 Mar 30 2016 cfssl_linux-amd64
-rw-r--r-- 1 root root 17108856 Apr 12 17:35 cni-plugins-amd64-v0.7.1.tgz
-rw-r--r-- 1 root root 10562874 Mar 30 01:58 etcd-v3.2.18-linux-amd64.tar.gz
-rw-r--r-- 1 root root 9706487 Jan 24 02:58 flannel-v0.10.0-linux-amd64.tar.gz
drwxr-xr-x 3 root root 25 Apr 23 20:19 k8s-v1.10.1-manual
-rw-r--r-- 1 root root 593725046 Jun 12 16:14 k8s-v1.10.1-manual.zip
-rw-r--r-- 1 root root 13344537 Apr 13 01:51 kubernetes-client-linux-amd64.tar.gz
-rw-r--r-- 1 root root 112427817 Apr 13 01:51 kubernetes-node-linux-amd64.tar.gz
-rw-r--r-- 1 root root 428337777 Apr 13 01:51 kubernetes-server-linux-amd64.tar.gz
-rw-r--r-- 1 root root 2716855 Apr 13 01:51 kubernetes.tar.gz
[root@k8smaster src]# tar zxf kubernetes-node-linux-amd64.tar.gz
[root@k8smaster src]# tar zxf kubernetes-client-linux-amd64.tar.gz
[root@k8smaster src]# tar zxf kubernetes-server-linux-amd64.tar.gz
Create the directories on all three machines
mkdir -p /opt/kubernetes/{cfg,bin,ssl,log}
[root@k8smaster ~]# vim .bash_profile
PATH=$PATH:$HOME/bin:/opt/kubernetes/bin
[root@k8smaster ~]# source .bash_profile
https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
1. Install CFSSL
[root@k8smaster src]# cp cfssl-certinfo_linux-amd64 /opt/kubernetes/bin/cfssl-certinfo
[root@k8smaster src]# cp cfssljson_linux-amd64 /opt/kubernetes/bin/cfssljson
[root@k8smaster src]# cp cfssl_linux-amd64 /opt/kubernetes/bin/cfssl
Copy the cfssl binaries to the k8s-node1 and k8s-node2 nodes. If you have more nodes in practice, copy them to every node.
[root@k8smaster bin]# pwd
/opt/kubernetes/bin
[root@k8smaster bin]# chmod +x cfssl*
[root@k8smaster src]# scp /opt/kubernetes/bin/cfssl* k8snode1:/opt/kubernetes/bin/
[root@k8smaster src]# scp /opt/kubernetes/bin/cfssl* k8snode2:/opt/kubernetes/bin/
2. Initialize CFSSL
[root@k8smaster src]# pwd
/usr/local/src
[root@k8smaster src]# mkdir ssl && cd ssl
[root@k8smaster ssl]# cfssl print-defaults config > config.json
[root@k8smaster ssl]# cfssl print-defaults csr > csr.json
[root@k8smaster ssl]# ls
config.json csr.json
3. Create the JSON configuration file used to generate the CA files
[root@k8smaster ssl]# vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
4. Create the JSON configuration file for the CA certificate signing request (CSR)
[root@k8smaster ssl]# vim ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
5. Generate the CA certificate (ca.pem) and key (ca-key.pem)
[root@k8smaster ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2018/06/12 17:16:00 [INFO] generating a new CA key and certificate from CSR
2018/06/12 17:16:00 [INFO] generate received request
2018/06/12 17:16:00 [INFO] received CSR
2018/06/12 17:16:00 [INFO] generating key: rsa-2048
2018/06/12 17:16:01 [INFO] encoded CSR
2018/06/12 17:16:01 [INFO] signed certificate with serial number 180206939556981031291737240005441022561765250716
[root@k8smaster ssl]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem config.json csr.json
6. Distribute the certificates
[root@k8smaster ssl]# cp ca.csr ca.pem ca-key.pem ca-config.json /opt/kubernetes/ssl
SCP the certificates to the k8snode1 and k8snode2 nodes
[root@k8smaster ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json k8snode1:/opt/kubernetes/ssl
[root@k8smaster ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json k8snode2:/opt/kubernetes/ssl
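A check to run on each node once the files are in place, added here as an example and not part of the original article: step 6 copies ca-key.pem to every node, and any account that can read that file can sign certificates the cluster will trust. The function names are hypothetical, and the script assumes the openssl CLI is installed and that the files sit in one directory such as /opt/kubernetes/ssl.

```shell
#!/bin/sh
# Added example (not from the original article): audit a directory holding
# ca.pem and ca-key.pem, e.g. /opt/kubernetes/ssl, on each node.
# Function names are hypothetical; requires find and the openssl CLI.

# List private keys (*-key.pem) under $1 whose mode is not exactly 0600 or 0400.
loose_keys() {
    find "$1" -type f -name '*-key.pem' ! -perm 600 ! -perm 400 -print
}

# Succeed only if certificate $1 and private key $2 hold the same public key.
key_matches_cert() {
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    _key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$_cert_pub" = "$_key_pub" ]
}

# Succeed only if certificate $1 is marked as a CA and stays valid for at
# least $2 more days (default 30).
ca_cert_ok() {
    _secs=$(( ${2:-30} * 86400 ))
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
    openssl x509 -in "$1" -noout -checkend "$_secs" >/dev/null 2>&1
}

# Run all checks on directory $1; print findings, return the failure count.
audit_ca_dir() {
    _dir=$1
    _fail=0
    _loose=$(loose_keys "$_dir")
    if [ -n "$_loose" ]; then
        echo "FAIL key mode is not 0600/0400: $_loose"
        _fail=$((_fail + 1))
    fi
    if ! ca_cert_ok "$_dir/ca.pem"; then
        echo "FAIL ca.pem is not a CA certificate or expires within 30 days"
        _fail=$((_fail + 1))
    fi
    if ! key_matches_cert "$_dir/ca.pem" "$_dir/ca-key.pem"; then
        echo "FAIL ca-key.pem does not belong to ca.pem"
        _fail=$((_fail + 1))
    fi
    [ "$_fail" -eq 0 ] && echo "OK $_dir"
    return "$_fail"
}

# Usage on a node, after sourcing this file: audit_ca_dir /opt/kubernetes/ssl
```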