标签:har 书签 chm pkg centos ali etc 操作 serve
#(1)环境规划master01 192.168.19.128
master02 192.168.19.129
node01 192.168.19.130
node02 192.168.19.131
中转机: 192.168.19.132
#(2)关闭防火墙, selinux以及安装docker;所有机器上都要操作
systemctl stop firewalld
systemctl disable firewalld
sed -ri ‘/^SELINUX=/cSELINUX=disabled‘ /etc/selinux/config
setenforce 0
\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
which ntpdate | yum install ntpdate -y
ntpdate time.windows.com
curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install docker-ce-17.06.0.ce-1.el7.centos.x86_64 -y
systemctl enable docker
systemctl start docker
cat >> /etc/docker/daemon.json <<EOF
{
"registry-mirrors": ["https://ui5lsypg.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
mkdir /opt/kubernetes/{ssl,bin,cfg} -pv
#(3)在中转机器上安装cfssl证书生成工具
which wget || yum install wget -y
test -d /tools || mkdir /tools
cd /tools
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
#(4)在中转机器上生成及分发ca
配置生成ca证书的策略
#mkdir -pv /temp/ssl && cd /temp/ssl
#vi ca-config.json
{
"signing": {
"default": {
"expiry": "876000h"
},
"profiles": {
"kubernetes": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "876000h"
}
}
}
}
生成ca证书签署请求
#vi ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Hangzhou",
"L": "Hangzhou",
"O": "k8s",
"OU": "System"
}
]
}
生成ca证书 和私钥
#cfssl gencert -initca ca-csr.json | cfssljson -bare ca
把ca证书和ca私钥scp到master和node节点
scp ca*.pem master01:/opt/kubernetes/ssl
scp ca*.pem master02:/opt/kubernetes/ssl
scp ca*.pem node02:/opt/kubernetes/ssl
scp ca*.pem node01:/opt/kubernetes/ssl
标签:har 书签 chm pkg centos ali etc 操作 serve
原文地址:https://blog.51cto.com/1000682/2357204