标签:docekr kubernetes 容器
1、安装Docker2、准备相关软件
上传k8s-v1.10.1-manual.zip到/usr/local/src
[root@k8smaster src]# ll
total 1178908
-rw-r--r-- 1 root root 6595195 Mar 30 2016 cfssl-certinfo_linux-amd64
-rw-r--r-- 1 root root 2277873 Mar 30 2016 cfssljson_linux-amd64
-rw-r--r-- 1 root root 10376657 Mar 30 2016 cfssl_linux-amd64
-rw-r--r-- 1 root root 17108856 Apr 12 17:35 cni-plugins-amd64-v0.7.1.tgz
-rw-r--r-- 1 root root 10562874 Mar 30 01:58 etcd-v3.2.18-linux-amd64.tar.gz
-rw-r--r-- 1 root root 9706487 Jan 24 02:58 flannel-v0.10.0-linux-amd64.tar.gz
drwxr-xr-x 3 root root 25 Apr 23 20:19 k8s-v1.10.1-manual
-rw-r--r-- 1 root root 593725046 Jun 12 16:14 k8s-v1.10.1-manual.zip
-rw-r--r-- 1 root root 13344537 Apr 13 01:51 kubernetes-client-linux-amd64.tar.gz
-rw-r--r-- 1 root root 112427817 Apr 13 01:51 kubernetes-node-linux-amd64.tar.gz
-rw-r--r-- 1 root root 428337777 Apr 13 01:51 kubernetes-server-linux-amd64.tar.gz
-rw-r--r-- 1 root root 2716855 Apr 13 01:51 kubernetes.tar.gz
[root@k8smaster src]# tar zxf kubernetes-node-linux-amd64.tar.gz
[root@k8smaster src]# tar zxf kubernetes-client-linux-amd64.tar.gz
[root@k8smaster src]# tar zxf kubernetes-server-linux-amd64.tar.gz
三台机器创建目录
mkdir -p /opt/kubernetes/{cfg,bin,ssl,log}
[root@k8snode1 ~]# vim .bash_profile
PATH=$PATH:$HOME/bin:/opt/kubernetes/bin
[root@k8snode1 ~]# source .bash_profile
https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
1、安装CFSSL
[root@k8smaster src]# cp cfssl-certinfo_linux-amd64 /opt/kubernetes/bin/ cfssl-certinfo
[root@k8smaster src]# cp cfssljson_linux-amd64 /opt/kubernetes/bin/ cfssljson
[root@k8smaster src]# cp cfssl_linux-amd64 /opt/kubernetes/bin/ cfssl
复制cfssl命令文件到k8s-node1和k8s-node2节点。如果实际中多个节点,就都需要同步复制。
[root@k8smaster bin]# pwd
/opt/kubernetes/bin
[root@k8smaster bin]# chmod +x cfssl*
[root@k8smaster src]# scp /opt/kubernetes/bin/cfssl k8snode1:/opt/kubernetes/bin/
[root@k8smaster src]# scp /opt/kubernetes/bin/cfssl k8snode2:/opt/kubernetes/bin/
2、初始化CFSSL
[root@k8smaster src]# pwd
/usr/local/src
[root@k8smaster src]# mkdir ssl && cd ssl
[root@k8smaster ssl]# cfssl print-defaults config > config.json
[root@k8smaster ssl]# cfssl print-defaults csr > csr.json
[root@k8smaster ssl]# ls
config.json csr.json
3、创建用来生成CA文件的JSON配置文件
[root@k8smaster ssl]# vim ca-config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
4、创建用来生成CA证书签名请求CSR的JSON的配置文件
[root@k8smaster ssl]# vim ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
5、生成CA证书(ca.pem)和密钥(ca-key.pem)
[root@k8smaster ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2018/06/12 17:16:00 [INFO] generating a new CA key and certificate from CSR
2018/06/12 17:16:00 [INFO] generate received request
2018/06/12 17:16:00 [INFO] received CSR
2018/06/12 17:16:00 [INFO] generating key: rsa-2048
2018/06/12 17:16:01 [INFO] encoded CSR
2018/06/12 17:16:01 [INFO] signed certificate with serial number 180206939556981031291737240005441022561765250716
[root@k8smaster ssl]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem config.json csr.json
6、分发证书
[root@k8smaster ssl]# cp ca.csr ca.pem ca-key.pem ca-config.json /opt/kubernetes/ssl
SCP证书到k8snode1和k8snode2节点
[root@k8smaster ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json k8snode1:/opt/kubernetes/ssl
[root@k8smaster ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json k8snode2:/opt/kubernetes/ssl
标签:docekr kubernetes 容器
原文地址:http://blog.51cto.com/andyliu/2129063
