为确保安全,kubernetes 系统各组件需要使用 x509 证书对通信进行加密和认证。
CA (Certificate Authority) 是自签名的根证书,用来签名后续创建的其它证书。
在以下3台机器上部署etcd集群,用命令行部署,而不是systemd系统服务的方式。
10.15.3.99 hostA
10.15.3.100 hostB
10.15.3.101 hostC
etcd服务部署骤:
下载二进制包:
wget https://github.com/etcd-io/etcd/releases/download/v3.3.11/etcd-v3.3.11-linux-amd64.tar.gz
tar zxvf etcd-v3.3.11-linux-amd64.tar.gz
cd etcd-v3.3.11-linux-amd64
cp etcd etcdctl /usr/bin/
添加系统服务:
vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
[Service]
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd \
${ETCD_NAME} \
${ETCD_DATA_DIR} \
${ETCD_LISTEN_CLIENT_URLS} \
${ETCD_ADVERTISE_CLIENT_URLS} \
${ETCD_LISTEN_PEER_URLS} \
${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
${ETCD_INITIAL_CLUSTER} \
${ETCD_INITIAL_CLUSTER_STATE} \
${ETCD_CERT_FILE} \
${ETCD_KEY_FILE} \
${ETCD_TRUSTED_CA_FILE} \
${ETCD_CLIENT_CERT_AUTH} \
${ETCD_PEER_CERT_FILE} \
${ETCD_PEER_KEY_FILE} \
${ETCD_PEER_TRUSTED_CA_FILE} \
${ETCD_PEER_CLIENT_CERT_AUTH} \
${ETCD_INITIAL_CLUSTER_TOKEN}"
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
systemctl daemon-reload;systemctl enable etcd
生成证书
利用cfssl 工具生成etcd需要的自签名证书,
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64;
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64;
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64;
mv cfssl_linux-amd64 /usr/local/bin/cfssl;mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mkdir -p /opt/k8s/cert && cd /opt/k8s/cert
echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare ca - #Generate a new key and cert from CSR
echo '{"signing":{"default":{"expiry":"438000h","usages":["signing","key encipherment","server auth","client auth"]}}}' > ca-config.json #配置ca-config文件
#定义证书的info
export ADDRESS="10.15.3.99,10.15.3.100,10.15.3.101,hostA,hostB,hostC"
export NAME=etcd-server-test
#生成etcd-server.csr etcd-server-key.pem etcd-server.pem三个文件
echo '{"CN":"'$NAME'","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare $NAME
mkdir /etc/kubernetes/cfssl/ -p && cd
cp etcd-server.csr etcd-server-key.pem etcd-server.pem /etc/kubernetes/cfssl/
启动etcd服务:
# [member]
ETCD_NAME="--name node1"
ETCD_DATA_DIR="--data-dir /var/lib/etcd/default.etcd"
ETCD_INITIAL_ADVERTISE_PEER_URLS="--initial-advertise-peer-urls https://10.15.3.99:2380"
ETCD_LISTEN_PEER_URLS="--listen-peer-urls https://10.15.3.99:2380"
ETCD_LISTEN_CLIENT_URLS="--listen-client-urls https://10.15.3.99:2379"
ETCD_ADVERTISE_CLIENT_URLS="--advertise-client-urls https://10.15.3.99:2379"
ETCD_INITIAL_CLUSTER="--initial-cluster node1=https://10.15.3.99:2380,node2=https://10.15.3.100:2380,node3=https://10.15.3.101:2380"
ETCD_INITIAL_CLUSTER_STATE="--initial-cluster-state new"
ETCD_INITIAL_CLUSTER_TOKEN="--initial-cluster-token k8s-etcd"
ETCD_CERT_FILE="--cert-file /etc/kubernetes/cfssl/etcd-server.pem"
ETCD_KEY_FILE="--key-file /etc/kubernetes/cfssl/etcd-server-key.pem"
ETCD_TRUSTED_CA_FILE="--trusted-ca-file /etc/kubernetes/cfssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="--client-cert-auth"
ETCD_PEER_CERT_FILE="--peer-cert-file /etc/kubernetes/cfssl/etcd-server.pem"
ETCD_PEER_KEY_FILE="--peer-key-file /etc/kubernetes/cfssl/etcd-server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="--peer-trusted-ca-file /etc/kubernetes/cfssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="--peer-client-cert-auth"
查看集群状态:
cd /opt/etcd/;
[root@hostB etcd]# ETCDCTL_API=3 bin/etcdctl --endpoints=https://10.15.3.100:2382 --cacert="/opt/etcd/ssl/ca.pem" --cert="/opt/etcd/ssl/hostB.pem" --key="/opt/etcd/ssl/hostB-key.pem" member list
484582efdd605f84, started, hostB, https://10.15.3.100:2381, https://10.15.3.100:2382
5fba8cb2a3e03684, started, hostC, https://10.15.3.101:2381, https://10.15.3.101:2382
6b6b9ebfd3739327, started, hostA, https://10.15.3.99:2381, https://10.15.3.99:2382
[root@hostB etcd]# ETCDCTL_API=3 bin/etcdctl --endpoints=https://10.15.3.100:2382 --cacert="/opt/etcd/ssl/ca.pem" --cert="/opt/etcd/ssl/hostB.pem" --key="/opt/etcd/ssl/hostB-key.pem" endpoint health
https://10.15.3.100:2382 is healthy: successfully committed proposal: took = 1.421705ms
参数解释:
--cacert="" verify certificates of TLS-enabled secure servers using this CA bundle //ca证书
--cert="" identify secure client using this TLS certificate file //证书文件
--key="" identify secure client using this TLS key file //私钥文件
