k8s 配置自签发ssl证书

有的 Pod 需要通过 https 协议访问 api-server（使用挂载的 service account token 认证），因此要为 api-server 配置证书，并让 token 的签名密钥与校验密钥保持一致。

删除之前默认生成的 service account token secret：更换 service account 签名密钥后，旧 token 无法再通过校验；删除后 controller-manager 会用新密钥重新生成。注意其他命名空间下的 default-token secret 也需同样处理。

# List the token secrets in the default namespace. The token inside was
# presumably issued under the previous service-account key, so it will no
# longer verify once the api-server's --service-account-key-file changes;
# default-token secrets in other namespaces need the same treatment.
$ kubectl get secret
NAME TYPE DATA AGE
default-token-dlcmj kubernetes.io/service-account-token 3 14h
# Delete it; the controller-manager is expected to recreate it with a token
# signed by the new key (the secret name is environment-specific).
$ kubectl delete secret default-token-dlcmj

配置 api-server

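    # kube-apiserver flags, consumed as an environment file by the apiserver unit.
# Comments are kept outside the quoted values: a '#' inside a continued
# double-quoted string is part of the value, not a comment.
#
# Fixes relative to the original:
# - Every continuation line must end in " \" (space before the backslash).
#   The original had "6443\", which glued the next flag onto the port value
#   ("--secure-port=6443--logtostderr=false").
# - --service-account-key-file must be the public half of (or the same file
#   as) the key the controller-manager signs tokens with
#   (--service-account-private-key-file=server.key). The original pointed at
#   ca.key, a different key, so no service-account token would verify.
# - --insecure-port=0 disables the plaintext, unauthenticated listener, so
#   --insecure-bind-address=0.0.0.0 was inert; it is dropped so the port can
#   never come back bound to every interface.
# --client-ca-file is the CA that must have signed any client certificate.
# --enable-swagger-ui only serves API docs; disable it on a production server.
KUBE_API_ADDRESS=" --insecure-port=0 \
--secure-port=6443 \
--logtostderr=false \
--log-dir=/soyuan/k8s/api-server/logs \
--v=0 \
--tls-cert-file=/soyuan/k8s/ssl/server.crt \
--tls-private-key-file=/soyuan/k8s/ssl/server.key \
--client-ca-file=/soyuan/k8s/ssl/ca.crt \
--kubelet-https=true \
--service-account-key-file=/soyuan/k8s/ssl/server.key \
--enable-swagger-ui=true "
# etcd is reached over plain http with no client certificate: everything the
# cluster stores (including Secrets) crosses that link unprotected. Switch to
# https plus --etcd-cafile/--etcd-certfile/--etcd-keyfile once etcd has TLS.
KUBE_ETCD_SERVERS=" --etcd-servers=http://172.16.100.92:2379"
# A NodePort range of 1-65535 lets Services claim privileged ports and ports
# already in use on nodes (e.g. 6443 or the kubelet port); narrow it to a
# dedicated high range.
KUBE_SERVICE_ADDRESSES=" --service-cluster-ip-range=10.254.0.0/16 \
--service-node-port-range=1-65535 "
# Keep ServiceAccount in the list: it is the admission plugin that mounts the
# token a pod uses to reach the api-server over https.
KUBE_ADMISSION_CONTROL=" --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota,ServiceAccount"
KUBE_API_ARGS=""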

--tls-cert-file 服务器证书文件

--tls-private-key-file 服务器证书私钥文件

--client-ca-file 校验客户端证书用的 CA 根证书（客户端提交的证书必须由它签发）

--insecure-port=0 把非安全端口关闭

--secure-port=6443 安全端口

配置controller-manager

# kube-controller-manager flags (environment-file style; comments stay
# outside the quoted value).
# NOTE(review): the variable is named KUBE_CONTROLLER_MANAGER_AGE; confirm it
# matches the name the systemd unit actually expands (commonly ..._ARGS).
# --master only gives the api-server URL. No --kubeconfig appears in this
# block, so the controller-manager presents no client certificate or token
# and depends on what the api-server allows an unauthenticated client —
# confirm that is intended.
# --service-account-private-key-file signs service-account tokens; the
# api-server must verify them with the matching key via its
# --service-account-key-file. Reusing the TLS key (server.key) works but ties
# token signing to the TLS key's lifecycle and rotation.
# --root-ca-file is the CA bundle placed into service-account secrets so pods
# can verify the api-server; server.crt must therefore chain to ca.crt.
KUBE_CONTROLLER_MANAGER_AGE="  --master=https://172.16.100.92:6443   \
--service-account-private-key-file=/soyuan/k8s/ssl/server.key \
--root-ca-file=/soyuan/k8s/ssl/ca.crt \
--logtostderr=false \
--log-dir=/soyuan/k8s/controller-manager/logs \
--v=0 "

--service-account-private-key-file 用于签发 service account token 的私钥，必须与 api-server 的 --service-account-key-file 属于同一密钥对，否则 Pod 的 token 无法通过校验

--root-ca-file 注入到 service account secret 中的根证书，Pod 用它校验 api-server 的证书，因此 server.crt 必须由该 CA 签发

配置kubelet

kubeletenv

# kubelet flags (single line). --kubeconfig points at the file below, which
# carries the CA and the client credential the kubelet uses to reach the
# api-server over https.
# NOTE(review): --enable-debugging-handlers=true turns on the kubelet's
# exec/attach/logs-style handlers; kubectl exec relies on them, so make sure
# the kubelet port is reachable only from the api-server.
# NOTE(review): --service-account-key-file and --root-ca-file are
# api-server/controller-manager flags, not kubelet ones; confirm this kubelet
# version tolerates them (a kubelet that rejects unknown flags will not start).
# NOTE(review): --cluster-domain is normally a DNS suffix (e.g. cluster.local);
# "kube-master" here looks like a hostname — confirm against the DNS setup.
KUBELET_ARGS="--enable-server=true --enable-debugging-handlers=true --fail-swap-on=false --kubeconfig=/soyuan/k8s/kube-node/kubeconfig --hostname-override=kube-master  --cluster-dns=172.16.100.92 --cluster-domain=kube-master  --service-account-key-file=/soyuan/k8s/ssl/server.key --root-ca-file=/soyuan/k8s/ssl/ca.crt"

kubeconfig

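# kubelet kubeconfig. The listing had lost its indentation (every key at
# column 0), which is not valid YAML; nesting is restored here.
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    # CA that must have signed the api-server's serving certificate (server.crt).
    certificate-authority: /soyuan/k8s/ssl/ca.crt
    server: https://172.16.100.92:6443
users:
- name: kubelet
  user:
    # NOTE(review): this reuses the api-server's own serving cert/key
    # (--tls-cert-file/--tls-private-key-file) as the kubelet's client
    # credential, so every node holds the api-server private key and all
    # kubelets share one identity. Prefer a per-node client certificate issued
    # by the same CA and keep server.key on the api-server host only.
    client-certificate: /soyuan/k8s/ssl/server.crt
    client-key: /soyuan/k8s/ssl/server.key
contexts:
- context:
    cluster: kubernetes
    user: kubelet
  name: service-account-context
current-context: service-account-context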

certificate-authority 校验 api-server 证书用的根证书。注意这里的 client-certificate/client-key 直接复用了 api-server 的服务端证书和私钥，意味着每个节点都持有 api-server 的私钥，建议改为由同一 CA 为每个节点单独签发的客户端证书。

启动

# Restart the control plane first (api-server before the components that
# connect to it at https://172.16.100.92:6443), then the node agents.
$ systemctl restart kube-apiserver
$ systemctl restart kube-controller-manager
$ systemctl restart kube-scheduler

# Node side: kube-proxy, then the kubelet that picks up the new kubeconfig.
$ systemctl restart kube-proxy
$ systemctl restart kubelet

k8s 配置自签发ssl证书
https://zhaops-hub.github.io/2021/11/24/k8s/k8s 配置自签发ssl证书/