【K8s+Docker技术全解】03.k8s搭建环境准备-证书签发环境和Docker环境

## 99.200证书签发环境 `192.168.99.200`是模拟的运维管理主机 部署k8s就有很多证书要签发，基本上所有组件之间的通信都是依赖于ssl，即需要证书。常用的一种是openssl，另一种是cfssl。 ### 安装cfssl 官网地址 https://pkg.cfssl.org/ ```bash [root@k8s99-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl [root@k8s99-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssljson [root@k8s99-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo [root@k8s99-200 ~]# ls /usr/bin/cfssl* /usr/bin/cfssl /usr/bin/cfssl-certinfo /usr/bin/cfssljson # 赋予执行权限 [root@k8s99-200 ~]# chmod +x /usr/bin/cfssl* # 创建证书保存路径 [root@k8s99-200 ~]# cd /opt/ [root@k8s99-200 opt]# mkdir certs [root@k8s99-200 opt]# cd certs/ [root@k8s99-200 certs]# pwd /opt/certs ``` 要签发证书前，需要有一个CA证书，即权威证书（根证书） CA 也拥有一个证书（内含公钥和私钥）。网上的公众用户通过验证 CA 的签字从而信任 CA ，任何人都可以得到 CA 的证书（含公钥），用以验证它所签发的证书。 如果用户想得到一份属于自己的证书，他应先向 CA 提出申请。在 CA 判明申请者的身份后，便为他分配一个公钥，并且 CA 将该公钥与申请者的身份信息绑在一起，并为之签字后，便形成证书发给申请者。 如果一个用户想鉴别另一个证书的真伪，他就用 CA 的公钥对那个证书上的签字进行验证，一旦验证通过，该证书就被认为是有效的。证书实际是由证书签证机关（CA）签发的对用户的公钥的认证。 ### 创建CA证书 #### CA证书请求配置文件ca-csr.json ```bash [root@k8s99-200 certs]# vim ca-csr.json ``` 写入以下内容 ```json { "CN": "k8s_study", "hosts": [ ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "sichuan", "L": "chengdu", "O": "study", "OU": "ops" } ], "ca": { "expiry": "175200h" } } ``` - `CN`：Common Name，浏览器使用该字段验证网络是否合法，一般写的是域名，非常重要。 - `algo`：加密算法 - `C`：Country，国家 - `ST`：State，省 - `L`：Locality，地区城市 - `O`：Organization Name，组织名称，公司名称 - `OU`：Organization Unit Name，组织单位名称，公司部门 - `expiry`：过期时间 #### 生成证书输出cfssl 使用`cfssl gencert -initca ca-csr.json`命令生成 ```bash [root@k8s99-200 certs]# cfssl gencert -initca ca-csr.json 2020/06/01 20:25:40 [INFO] generating a new CA key and certificate from CSR 2020/06/01 20:25:40 [INFO] generate received request 2020/06/01 20:25:40 [INFO] received CSR 2020/06/01 20:25:40 [INFO] generating key: rsa-2048 2020/06/01 20:25:41 [INFO] encoded CSR 2020/06/01 20:25:41 [INFO] signed certificate with serial number 490593908759612696270492733078532216284353788210 {"cert":"-----BEGIN CERTIFICATE-----\nMIIDujCCAqKgAwIBAgIUVe794LyjwQh0SO1rTHFmU5kt+TIwDQYJKoZIhvcNAQEL\nBQAwYzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB3NpY2h1YW4xEDAOBgNVBAcTB2No\nZW5nZHUxDjAMBgNVBAoTBXN0dWR5MQwwCgYDVQQLEwNvcHMxEjAQBgNVBAMMCWs4\nc19zdHVkeTAeFw0yMDA2MDExMjIxMDBaFw00MDA1MjcxMjIxMDBaMGMxCzAJBgNV\nBAYTAkNOMRAwDgYDVQQIEwdzaWNodWFuMRAwDgYDVQQHEwdjaGVuZ2R1MQ4wDAYD\nVQQKEwVzdHVkeTEMMAoGA1UECxMDb3BzMRIwEAYDVQQDDAlrOHNfc3R1ZHkwggEi\nMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCPQjQ5lk6y8ExDHbfR3Hw8+uN\nzLhSaZDCpD60AFv8nY5GV5mJSjDBNcDvjEPPGwfJIGczDL6whDDbWw2Dy6ejPOm5\nomjytq2HaLhKYFpD7IhDYB67r11yJ6v7qlljN4OUt/QGLuZej8Gt4407nt7F9gfE\nYvA6iZz+kECAnYRO/GYRsdmWadAIApzYzsAVNpo60Qzv8+LAzz+QALV7fmROpuHk\n/k6YaZ7StYLjYatCLBuBn7I0r4aMwOHW6P5S8ZXLX+v4FFXE/hqUbTQq6gua1Lvt\nv4j0tXKwFjmRu4WHF5E/i2Hy1a1orI961Kelacgp6msUB+NV2OBE8S7+rCkzAgMB\nAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1Ud\nDgQWBBSgiuXeyyNxai1xJaQ9YlyGMVLd2DAfBgNVHSMEGDAWgBSgiuXeyyNxai1x\nJaQ9YlyGMVLd2DANBgkqhkiG9w0BAQsFAAOCAQEAo5SMvp+1G3sWC82nTmHxoFYp\n0IhZ1M79mqzkRvUfkQvXZUUdPpBE2+qqzCAbSWu+QOtxHFCMiWjkuTr4GpzX621i\nNnrDht8G6Od1pfHDwQVG8kkXU1iXFKymdiN1HClDpR6F8k7raqZHZPwUNWkIGJkN\n5a8KIaI/Qg8kRLVhrd6vH1FA2Ywrx+HsSpuVsK4GlEAbrN8VzADEzremyfdCPrhC\n12AFz9Xyz3iQGb5zwYxnAJo7GVmKDUbksX93mUfhzRN9R64QvH2YUeE1hgTNwPno\nEYTP7GNhMbUNaB0+uL0UN1swulbpnPKdb+oTWvzN7pzA4PZ+ULwGceydVL7IWQ==\n-----END CERTIFICATE-----\n","csr":"-----BEGIN CERTIFICATE REQUEST-----\nMIICqDCCAZACAQAwYzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB3NpY2h1YW4xEDAO\nBgNVBAcTB2NoZW5nZHUxDjAMBgNVBAoTBXN0dWR5MQwwCgYDVQQLEwNvcHMxEjAQ\nBgNVBAMMCWs4c19zdHVkeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAMI9CNDmWTrLwTEMdt9HcfDz643MuFJpkMKkPrQAW/ydjkZXmYlKMME1wO+MQ88b\nB8kgZzMMvrCEMNtbDYPLp6M86bmiaPK2rYdouEpgWkPsiENgHruvXXInq/uqWWM3\ng5S39AYu5l6Pwa3jjTue3sX2B8Ri8DqJnP6QQICdhE78ZhGx2ZZp0AgCnNjOwBU2\nmjrRDO/z4sDPP5AAtXt+ZE6m4eT+TphpntK1guNhq0IsG4GfsjSvhozA4dbo/lLx\nlctf6/gUVcT+GpRtNCrqC5rUu+2/iPS1crAWOZG7hYcXkT+LYfLVrWisj3rUp6Vp\nyCnqaxQH41XY4ETxLv6sKTMCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQA6YRUu\nII8DlipXe6TJO5bhZA1YC2YDfq1Gi8M2ixtD7kXPvO1u+HRJaaDBysI5Abw0V3hf\nbW7gA+0O+2RqGIAX+0n4gfPu9SlByYKWubuU6+HHR4r+MKhKBprDNwm2cnVGe4EM\nNWau2iX5do71z66ctgidLl2SUaX/yCwI5pdQH8ZIjyhnez69X7bD8TZCYExGHSjW\nJ30RgIrGZoHuOr99HKksK/fTuKB2JoI0NekfIO6wYeg1pSO8nnc845jUf+snCVg6\nH+evAyML4Fq5n6oEk4Wo40RHFr4wFDWOpWog/k4jQRwPJRQmjVXdmUBfifkeM4p1\n3NsWT2QFVUqqNKv5\n-----END CERTIFICATE REQUEST-----\n","key":"-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAwj0I0OZZOsvBMQx230dx8PPrjcy4UmmQwqQ+tABb/J2ORleZ\niUowwTXA74xDzxsHySBnMwy+sIQw21sNg8unozzpuaJo8rath2i4SmBaQ+yIQ2Ae\nu69dcier+6pZYzeDlLf0Bi7mXo/BreONO57exfYHxGLwOomc/pBAgJ2ETvxmEbHZ\nlmnQCAKc2M7AFTaaOtEM7/PiwM8/kAC1e35kTqbh5P5OmGme0rWC42GrQiwbgZ+y\nNK+GjMDh1uj+UvGVy1/r+BRVxP4alG00KuoLmtS77b+I9LVysBY5kbuFhxeRP4th\n8tWtaKyPetSnpWnIKeprFAfjVdjgRPEu/qwpMwIDAQABAoIBAAcMQ+eglBhIEGiB\nNUcAxqehkiiBBycmYXROlV/eq3fNF76BqzaKFJ7OHoQSqNs49d1caaI2kizBfyxW\nb3UazKhlq21q8TftXPqO2DEKsfvI92DKehMBV/iua9Uj5z5sYz/gNOCMjxtbSAHR\nQeyp5Rd1x+5eUK0vFR0/iref/48GFU4ZJoqMSlckEANqiDLs5CzOSiJp/iH25wSN\nmmGftgNLgA+YMTx2rSGNMaQWfZ3pflgDeQOXq3GGQCVhIFoXhxOg+5DSpv5N0VKV\njxyh9P6JARbf3wJI4OqDeIZUQs1oXDMK0C7VujJPrO3W14hhp/V/dwRa5gbPCiZI\nHOaftsECgYEA0KAz4azJx+MX31fXVD/chcu5ry69+ezRxs1OacQvcaNsnfly+W84\nkGCJk6MsiQiHJspNltBSbC+7GctO6wR/bXaVnofkBqjie93eFmKyL9FnKcUjY122\nwxxaUA3WNTdw72tCITSiAXvHzuOrGgmIs7CW9xQ2Jq2gV1U1GqmI+vECgYEA7lh3\np9nRdO96OcrCEQhDI4m9REXTdJEiLvgGmHLUsVKS02l4uhG7it5voL23pDorteZH\nBAYzb+1Pqs2r+Y3CV1vjlIKuf6qNxdsQ+qqbJ7y5nV4eNG3iItTuLqZ5wPPOE1xA\nSx2XraTHjWZP8gaLIsZ3yNmA9Ksez2o3UrE4/mMCgYAmkoglIIJKL8WZKK+KRyhp\noGobZqP/UnbSr+Dgk0JGW3XYm2dTkOm/X+nv3wp755S9akgAK1Ih6I1KTpmvwCwj\nO/qbzfot9Qmy5ymJsAPL7YaKZYWOeKQy3Moh5P0G59I8ofMfGpEdfxpJOTTIYpzg\nxDSVSCpe6lkr7HgeDtxhsQKBgCsJuoGKqXHOFGn/HM/qiAUQyCZd3XL9CgklLDu2\n8IUcffrC3tPqg8ztoYaK+3AiOOZdsJEfdYZOecZD4TvsxxzzMMMOXegbqgICLqy0\nxdOFFpc9+YJKHT1g6alu0ilvXNTOIaXusAbg7E+yG9l+KP2cjOCttcV4aNXXPiom\naj41AoGAE3WCIQOtsAJWAzxPtF00YMvL/Jd1OrbflwHv9rF1nyUfC7UAALkIZ4VF\nqo7ZV+eJoLQjM3Wu3lqZw+atLiHKgq+SDLGY3VIoB8aAj19bYlU/vn+mWbTN25ab\nyZ9ogMr7pb38TnZkzT+PF9IuF9a99kgC11iS6LqXNBiLh++v0XE=\n-----END RSA PRIVATE KEY-----\n"} ``` 可以看到输出中有`BEGIN CERTIFICATE`---`END CERTIFICATE`、`BEGIN CERTIFICATE REQUEST`---`END CERTIFICATE REQUEST`、`BEGIN RSA PRIVATE KEY`---`END RSA PRIVATE KEY` #### 生成承载式证书cfssl+cfssljson 使用管道符将输入的json通过`cfssljson`指令保存到文件中 ```bash [root@k8s99-200 certs]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca 2020/06/01 20:26:18 [INFO] generating a new CA key and certificate from CSR 2020/06/01 20:26:18 [INFO] generate received request 2020/06/01 20:26:18 [INFO] received CSR 2020/06/01 20:26:18 [INFO] generating key: rsa-2048 2020/06/01 20:26:18 [INFO] encoded CSR 2020/06/01 20:26:18 [INFO] signed certificate with serial number 417697169768896708734727760628889136572870719959 [root@k8s99-200 certs]# ls ca.csr ca-csr.json ca-key.pem ca.pem ``` 即生成了三个文件，CA证书请求文件、证书文件和证书的私钥（证书和私钥都是pem文件格式存储） - `ca.csr`中保存的是`BEGIN CERTIFICATE REQUEST`---`END CERTIFICATE REQUEST` - `ca.pem`中保存的是`BEGIN CERTIFICATE`---`END CERTIFICATE` - `ca-key.pem`中保存的是`BEGIN RSA PRIVATE KEY`---`END RSA PRIVATE KEY` ## 99.151/152/200部署Docker环境 需要在`192.168.99.151`、`192.168.99.152`、`192.168.99.200`三台主机上安装Docker 前两台用于Kubernetes依赖，后一台用于Docker仓库搭建 ### 从阿里云安装Docker ```bash # 192.168.99.151 [root@k8s99-151 ~]# curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun # 192.168.99.152 [root@k8s99-152 ~]# curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun # 192.168.99.200 [root@k8s99-200 ~]# curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun # 如果不是root用户使用docker，需要执行 sudo usermod -aG docker 用户名，将用户添加到docker组 # 安装成功后都检查是否能运行 [root@k8s99-200 ~]# docker --version Docker version 19.03.10, build 9424aeaee9 ``` ### 添加Docker配置文件 ```bash # 192.168.99.151 [root@k8s99-151 ~]# mkdir -p /data/docker /etc/docker [root@k8s99-151 ~]# vim /etc/docker/daemon.json ``` ```json { "graph": "/data/docker", "storage-driver": "overlay2", "registry-mirrors": [ "https://dockerhub.azk8s.cn", "https://hub-mirror.c.163.com" ], "insecure-registries":["harbor.study.com"], "bip": "172.99.151.1/24", "exec-opts": ["native.cgroupdriver=systemd"], "live-restore": true } ``` - `graph`：Docker创建数据文件的位置，默认为`/var/lib/docker` - `storage-driver`：要使用的存储驱动程序字符串 - `registry-mirrors`：镜像地址 - `insecure-registries`：内部镜像地址，添加了后面私有仓库的地址`harbor.study.com`，因为他是私有仓库，不是走https协议 - `bip`：指定网桥IP，需要根据宿主机变化，便于分辨Docker容器是在那台宿主机上的 - `live-restore`：允许在守护进程停机期间保持容器的活动状态。 启动Docker ```bash [root@k8s99-151 ~]# systemctl start docker [root@k8s99-151 ~]# docker info [root@k8s99-151 ~]# docker ps -a [root@k8s99-151 ~]# ip address show docker0 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:bc:30:53:74 brd ff:ff:ff:ff:ff:ff inet 172.99.151.1/24 brd 172.99.151.255 scope global docker0 valid_lft forever preferred_lft forever # 可以看到Docker的网卡地址为172.99.112.1/24，即bip指定的 # 设置开机自启 [root@k8s99-151 ~]# systemctl enable docker Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service. ``` 配置另外2台主机的Docker ```bash # 192.168.99.152 [root@k8s99-152 ~]# mkdir -p /data/docker /etc/docker [root@k8s99-152 ~]# vim /etc/docker/daemon.json [root@k8s99-152 ~]# cat /etc/docker/daemon.json { "graph": "/data/docker", "storage-driver": "overlay2", "registry-mirrors": [ "https://dockerhub.azk8s.cn", "https://hub-mirror.c.163.com" ], "insecure-registries":["harbor.study.com"], "bip": "172.99.152.1/24", "exec-opts": ["native.cgroupdriver=systemd"], "live-restore": true } [root@k8s99-152 ~]# systemctl start docker [root@k8s99-152 ~]# ip address show docker0 | grep inet inet 172.99.152.1/24 brd 172.99.152.255 scope global docker0 [root@k8s99-152 ~]# systemctl enable docker # 192.168.99.200 [root@k8s99-200 ~]# mkdir -p /data/docker /etc/docker [root@k8s99-200 ~]# vim /etc/docker/daemon.json [root@k8s99-200 ~]# cat /etc/docker/daemon.json { "graph": "/data/docker", "storage-driver": "overlay2", "registry-mirrors": [ "https://dockerhub.azk8s.cn", "https://hub-mirror.c.163.com" ], "insecure-registries":["harbor.study.com"], "bip": "172.99.200.1/24", "exec-opts": ["native.cgroupdriver=systemd"], "live-restore": true } [root@k8s99-200 ~]# systemctl start docker [root@k8s99-200 ~]# ip address show docker0 | grep inet inet 172.99.200.1/24 brd 172.99.200.255 scope global docker0 [root@k8s99-200 ~]# systemctl enable docker ```

明人不说暗话 领红包就是支持！！！ 来都来了，再到页面底部看下呗~ ↓ ↓ ↓

本文地址： http://blog.starmeow.cn/detail/39059724f73a9969845dfe4146c5660e/

很赞哦！ (1)