签发证书

证书签发在 k8s-5-141 服务器操作 操作

  1. [root@k8s-5-141 ~]# cd /opt/certs/kube-cert
  2. [root@k8s-5-141 kube-cert]# vim kube-proxy-csr.json  # CN 其实是k8s中的角色
  3. {
  4.     "CN": "system:kube-proxy",
  5.     "key": {
  6.         "algo": "rsa",
  7.         "size": 2048
  8.     },
  9.     "names": [
  10.         {
  11.              "O": "batar",
  12.              "OU": "batar-zhonggu",
  13.              "L": "ShenZhen",
  14.              "ST": "GuangDong",
  15.                 "C": "CN"
  16.             }
  17.     ]
  18. }
  19. [root@k8s-5-141 kube-cert]# cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../etcd-ca/ca-config.json -profile=client kube-proxy-csr.json |cfssl-json -bare kube-proxy-client
  20. 2021/03/26 15:01:41 [INFO] generate received request
  21. 2021/03/26 15:01:41 [INFO] received CSR
  22. 2021/03/26 15:01:41 [INFO] generating key: rsa-2048
  23. 2021/03/26 15:01:41 [INFO] encoded CSR
  24. 2021/03/26 15:01:41 [INFO] signed certificate with serial number 325696708048092303352380142387745383055352409220
  25. 2021/03/26 15:01:41 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
  26. websites. For more information see the Baseline Requirements for the Issuance and Management
  27. of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
  28. specifically, section 10.2.3 ("Information Requirements").
  30. # 因为kube-proxy使用的用户是kube-proxy,不能使用client证书,必须要重新签发自己的证书
  31. [root@k8s-5-141 kube-cert]# ll kube-proxy-c* -l
  32. -rw-r--r-- 1 root root 1025 Mar 26 15:01 kube-proxy-client.csr
  33. -rw------- 1 root root 1675 Mar 26 15:01 kube-proxy-client-key.pem
  34. -rw-r--r-- 1 root root 1419 Mar 26 15:01 kube-proxy-client.pem
  35. -rw-r--r-- 1 root root  267 Mar 26 14:59 kube-proxy-csr.json
  37. # 分发证书到 k8s-5-138 和 k8s-5-139 服务器上
  38.  kube-cert]# scp kube-proxy-client-key.pem kube-proxy-client.pem k8s-5-138.host.com:/opt/kubernetes/server/bin/certs/                                                                         100% 1375   870.6KB/s   00:00    
  39.  kube-cert]# scp kube-proxy-client-key.pem kube-proxy-client.pem k8s-5-139.host.com:/opt/kubernetes/server/bin/certs/

创建kube-proxy配置

在所有node节点创建,涉及服务器:k8s-5-138 ,k8s-5-139

  1. #这里--server=https://192.168.5.137:7443 需要修改位反代的ip地址
  2.  ~]# kubectl config set-cluster myk8s \
  3. --certificate-authority=/opt/kubernetes/server/bin/certs/ca.pem \
  4. --embed-certs=true \
  5. --server=https://192.168.5.137:7443 \
  6. --kubeconfig=/opt/kubernetes/conf/kube-proxy.kubeconfig
  8.  ~]# kubectl config set-credentials kube-proxy \
  9. --client-certificate=/opt/kubernetes/server/bin/certs/kube-proxy-client.pem \
  10. --client-key=/opt/kubernetes/server/bin/certs/kube-proxy-client-key.pem \
  11. --embed-certs=true \
  12. --kubeconfig=/opt/kubernetes/conf/kube-proxy.kubeconfig
  14.  ~]# kubectl config set-context myk8s-context \
  15. --cluster=myk8s \
  16. --user=kube-proxy \
  17. --kubeconfig=/opt/kubernetes/conf/kube-proxy.kubeconfig
  19.  ~]# kubectl config use-context myk8s-context --kubeconfig=/opt/kubernetes/conf/kube-proxy.kubeconfig

把生成配置文件传到另一台机器 那边就可以不用做以上四步

  1. [root@k8s-5-138 certs]# cd /opt/kubernetes/conf
  2. [root@k8s-5-138 conf]# scp kube-proxy.kubeconfig k8s-5-139.host.com:/opt/kubernetes/conf/

加载ipvs模块

kube-proxy 共有3种流量调度模式,分别是 namespace,iptables,ipvs,其中ipvs性能最好。

  1. [root@hdss7-21 ~]# for i in $(ls /usr/lib/modules/$(uname -r)/kernel/net/netfilter/ipvs|grep -o "^[^.]*");do echo $i; /sbin/modinfo -F filename $i >/dev/null 2>&1 && /sbin/modprobe $i;done
  2. [root@hdss7-21 ~]# lsmod | grep ip_vs  # 查看ipvs模块

创建启动脚本

  1. --hostname-override 需要修改为主机名
  4.  ~]# vim /etc/systemd/system/kube-proxy.service
  6. [Unit]
  7. Description=kube proxy
  8. Documentation=https://github.com/kubernetes
  9. Conflicts=kube-proxyd
  11. [Service]
  12. Type=notify
  13. Restart=always
  14. RestartSec=5s
  15. LimitNOFILE=40000
  16. TimeoutStartSec=0
  18. ExecStart=/opt/kubernetes/server/bin/kube-proxy \
  19.   --cluster-cidr 172.7.0.0/16 \
  20.   --hostname-override k8s-5-138.host.com \
  21.   --proxy-mode=ipvs \
  22.   --ipvs-scheduler=nq \
  23.   --kubeconfig /opt/kubernetes/conf/kube-proxy.kubeconfig
  25. [Install]
  26. WantedBy=multi-user.target
  28.  ~]# mkdir -p /data/logs/kubernetes/kube-proxy
  30. # 添加系统服务并设置自启动 , 也可以使用supervisor 工具来启动启动和拉起程序,在实验环境我就不做这个配置了
  31. ~]# systemctl daemon-reload
  32. ~]# systemctl cat kube-proxyd
  33. ~]# systemctl enable kube-proxyd
  34. ~]# systemctl start kube-proxyd

验证集群

  2. [root@k8s-5-138 /]# yum install -y ipvsadm
  4. [root@k8s-5-138 /]# ipvsadm -Ln
  5. IP Virtual Server version 1.2.1 (size=4096)
  6. Prot LocalAddress:Port Scheduler Flags
  7.   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
  8. TCP  192.168.0.1:443 nq
  9.   -> 192.168.5.138:6443           Masq    1      0          0         
  10.   -> 192.168.5.139:6443           Masq    1      0          0  
  12. [root@k8s-5-138 /]# kubectl get svc
  13. NAME         TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
  14. kubernetes   ClusterIP   192.168.0.1   <none>        443/TCP   26h