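By default, the certificates Kubernetes generates when initializing a cluster are valid for 1 year. Generating the certificates manually avoids this problem.

1. Clone the Git repository

```bash
git clone https://github.com/fandaye/k8s-tls.git && cd k8s-tls/
```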
2. Edit the `hosts` section of the `apiserver.json` configuration file and add the hostname and IP address of each Kubernetes master node, separated by commas. For example:

```json
{
  "CN": "kube-apiserver",
  "hosts": [
    "172.16.50.131",
    "172.16.50.132",
    "172.16.50.104",
    "k8s01",
    "k8s02",
    "k8s03",
    "10.96.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}
```
3. Run the script

```bash
./run.sh
```
4. Generate the node's admin.conf, kubelet.conf, controller-manager.conf and scheduler.conf configuration files

```bash
cd /etc/kubernetes/pki
```
Edit the `node.sh` file: `ip` is the current node's IP address and `NODE` is the current node's hostname, for example:

```bash
ip="172.16.50.131"
NODE="k8s01"
```
Edit the `kubelet.json` file and set the CN field to the corresponding hostname, for example:

```json
"CN": "system:node:k8s01"
```
Run the script

```bash
./node.sh
```
After completing the steps above, initialize the Kubernetes cluster. If the certificates and configuration files already exist, the existing ones are used:

```
[certificates] Using the existing ca certificate and key.
[certificates] Using the existing apiserver certificate and key.
[certificates] Using the existing apiserver-kubelet-client certificate and key.
[certificates] Using the existing sa key.
[certificates] Using the existing front-proxy-ca certificate and key.
[certificates] Using the existing front-proxy-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/scheduler.conf"
```
If there are multiple master nodes, copy all files under /etc/kubernetes/pki to the other master nodes, then follow step 4 to generate the admin.conf, kubelet.conf, controller-manager.conf and scheduler.conf configuration files.
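A pre-flight check for the `hosts` list edited in step 2, as an added example (not part of the original post or the k8s-tls repository): kubeadm reuses an existing apiserver certificate as-is, so a master left out of the list only surfaces later as a TLS verification error. The service CIDR `10.96.0.0/12` and the domain `cluster.local` are assumed kubeadm defaults, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample: step 2's CSR with one master (k8s03 / 172.16.50.104) left out.
SAMPLE_CSR = """{
  "CN": "kube-apiserver",
  "hosts": ["172.16.50.131", "172.16.50.132", "k8s01", "k8s02",
            "10.96.0.1", "kubernetes", "kubernetes.default",
            "kubernetes.default.svc", "kubernetes.default.svc.cluster.local"],
  "key": {"algo": "rsa", "size": 2048}
}"""


def required_sans(masters, service_cidr="10.96.0.0/12", dns_domain="cluster.local"):
    """Names and IPs the apiserver certificate has to cover.

    masters: {hostname: ip} for every master node.
    service_cidr / dns_domain: assumed kubeadm defaults; adjust to the cluster.
    """
    net = ipaddress.ip_network(service_cidr)
    sans = {str(net[1])}  # first address in the range = "kubernetes" service ClusterIP
    sans |= {"kubernetes", "kubernetes.default", "kubernetes.default.svc",
             "kubernetes.default.svc." + dns_domain}
    for host, ip in masters.items():
        sans.add(host.lower())
        sans.add(str(ipaddress.ip_address(ip)))  # raises ValueError on a mistyped IP
    return sans


def missing_sans(csr_text, masters, **kw):
    """Return the sorted required SANs that are absent from the CSR's hosts list."""
    present = set()
    for h in json.loads(csr_text).get("hosts", []):
        try:
            present.add(str(ipaddress.ip_address(h)))  # normalise IP spelling
        except ValueError:
            present.add(h.lower())  # DNS names compare case-insensitively
    return sorted(required_sans(masters, **kw) - present)


if __name__ == "__main__":
    masters = {"k8s01": "172.16.50.131", "k8s02": "172.16.50.132",
               "k8s03": "172.16.50.104"}
    print(missing_sans(SAMPLE_CSR, masters))
```

An empty result means every master and the in-cluster service names are covered; run it against the real `apiserver.json` before `./run.sh`.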
With multiple master nodes, initializing the cluster with `--config` is recommended, but the official documentation warns: "Caution: The config file is still considered alpha and may change in future versions."

Reference: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/

An example config.yaml file:
```yaml
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
kubernetesVersion: v1.10.4
networking:
  podSubnet: 10.244.0.0/16
apiServerCertSANs:  # master node hostnames and IP addresses
- k8s01
- k8s02
- k8s03
- 172.16.50.131
- 172.16.50.132
- 172.16.50.104
- 172.16.50.227
apiServerExtraArgs:
  endpoint-reconciler-type: "lease"
etcd:
  endpoints:  # etcd cluster addresses (plain HTTP here, no TLS)
  - http://172.16.50.131:2379
  - http://172.16.50.132:2379
  - http://172.16.50.133:2379
token: "deed3a.b3542929fcbce0f0"
tokenTTL: "0"  # "0" means the bootstrap token never expires
```
Original article: http://blog.51cto.com/11889458/2130650