By default, kubeadm issues the cluster certificates with a validity period of 1 year when it initializes a cluster. Generating the certificates manually beforehand avoids this problem, because kubeadm init reuses certificates and kubeconfig files that already exist under /etc/kubernetes.
1. Pull the git code
git clone https://github.com/fandaye/k8s-tls.git && cd k8s-tls/
2. Edit the hosts section of the apiserver.json file and add the hostnames and IP addresses of all Kubernetes master nodes, separated by commas. The service names and the cluster IP of the kubernetes service (10.96.0.1 here) must stay in the list, otherwise in-cluster clients fail TLS verification. For example:
{
  "CN": "kube-apiserver",
  "hosts": [
    "172.16.50.131",
    "172.16.50.132",
    "172.16.50.104",
    "k8s01",
    "k8s02",
    "k8s03",
    "10.96.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}
3. Run the script
./run.sh
4. Generate the admin.conf, kubelet.conf, controller-manager.conf and scheduler.conf configuration files for the node
cd /etc/kubernetes/pki
Edit the node.sh file: ip is the IP address of the current node and node is its hostname, for example:
ip="172.16.50.131" node="k8s01"
Edit the CN field of the kubelet.json file so that it matches the hostname of the current node. The prefix must be the lowercase system:node:, which is the username form the Node authorizer and the system:nodes RBAC bindings expect, for example:
"CN": "system:node:k8s01"
Run the script
./node.sh
Once these steps are complete, kubeadm init uses the existing certificates and configuration files instead of generating new ones:
[certificates] Using the existing ca certificate and key.
[certificates] Using the existing apiserver certificate and key.
[certificates] Using the existing apiserver-kubelet-client certificate and key.
[certificates] Using the existing sa key.
[certificates] Using the existing front-proxy-ca certificate and key.
[certificates] Using the existing front-proxy-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/scheduler.conf"
If there are multiple master nodes, copy all files from the /etc/kubernetes/pki directory to the other master nodes and repeat step 4 on each of them to generate the admin.conf, kubelet.conf, controller-manager.conf and scheduler.conf files for that node.
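The following script is an added example and not the run.sh or node.sh scripts of the k8s-tls repository: it builds the same kind of long-lived PKI with openssl instead of cfssl, writes an admin.conf in the kubeconfig layout kubeadm uses, and then checks what steps 2 and 4 rely on: the apiserver certificate carries every hostname, IP and service name as a SAN, the kubelet certificate is issued as system:node:<hostname> in group system:nodes, and the validity is ten years rather than one. The hostnames and IPs are the ones from this page; PKI_DIR, CERT_DAYS and the 172.16.50.131:6443 API server address are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the k8s-tls scripts): long-lived Kubernetes PKI with
# openssl, an admin.conf in kubeadm's kubeconfig layout, and checks on the
# result. Assumes openssl is in PATH; output goes under PKI_DIR.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
CERT_DAYS=3650   # 10 years, instead of the 1 year kubeadm issues by default

# Minimal req config so the commands do not depend on a system openssl.cnf.
cat > "$PKI_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = kubernetes
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Self-signed CA (CN=kubernetes), valid for CERT_DAYS.
gen_ca() {
  openssl genrsa -out "$PKI_DIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days "$CERT_DAYS" -key "$PKI_DIR/ca.key" \
    -config "$PKI_DIR/req.cnf" -out "$PKI_DIR/ca.crt"
}

# gen_cert NAME SUBJECT EKU [SANS]: key, CSR and CA-signed cert valid CERT_DAYS.
gen_cert() {
  name=$1; subj=$2; eku=$3; sans=${4:-}
  openssl genrsa -out "$PKI_DIR/$name.key" 2048 2>/dev/null
  openssl req -new -key "$PKI_DIR/$name.key" -config "$PKI_DIR/req.cnf" \
    -subj "$subj" -out "$PKI_DIR/$name.csr"
  {
    printf 'keyUsage=critical,digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=%s\n' "$eku"
    if [ -n "$sans" ]; then printf 'subjectAltName=%s\n' "$sans"; fi
  } > "$PKI_DIR/$name.ext"
  openssl x509 -req -sha256 -days "$CERT_DAYS" -in "$PKI_DIR/$name.csr" \
    -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
    -extfile "$PKI_DIR/$name.ext" -out "$PKI_DIR/$name.crt" 2>/dev/null
}

# write_kubeconfig OUT USER CERTNAME SERVER: kubeconfig with the CA, client
# cert and key embedded base64, as kubeadm writes admin.conf / kubelet.conf.
write_kubeconfig() {
  out=$1; user=$2; cert=$3; server=$4
  b64() { openssl base64 -A -in "$1"; }   # -A: single line on GNU and BSD
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$PKI_DIR/ca.crt")
users:
- name: $user
  user:
    client-certificate-data: $(b64 "$PKI_DIR/$cert.crt")
    client-key-data: $(b64 "$PKI_DIR/$cert.key")
contexts:
- name: $user@kubernetes
  context:
    cluster: kubernetes
    user: $user
current-context: $user@kubernetes
EOF
}

# Return 0 if the certificate is still valid DAYS from now (openssl -checkend).
cert_valid_for_days() {
  openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}
# Return 0 if NAME appears as a DNS or IP SAN of the certificate.
cert_has_san() {
  openssl x509 -noout -text -in "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}
# Print the subject, e.g. subject=CN=system:node:k8s01,O=system:nodes
cert_subject() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1"
}

gen_ca
gen_cert apiserver "/CN=kube-apiserver" serverAuth \
  "DNS:k8s01,DNS:k8s02,DNS:k8s03,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster,DNS:kubernetes.default.svc.cluster.local,IP:172.16.50.131,IP:172.16.50.132,IP:172.16.50.104,IP:10.96.0.1"
gen_cert kubelet-k8s01 "/O=system:nodes/CN=system:node:k8s01" clientAuth
gen_cert admin "/O=system:masters/CN=kubernetes-admin" clientAuth
write_kubeconfig "$PKI_DIR/admin.conf" kubernetes-admin admin https://172.16.50.131:6443
openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/apiserver.crt" "$PKI_DIR/admin.crt"
echo "PKI and admin.conf written to $PKI_DIR"
cert_subject "$PKI_DIR/kubelet-k8s01.crt"
```

The same cert_valid_for_days and cert_has_san checks can be run against the files that run.sh produces in /etc/kubernetes/pki before kubeadm init, which is the moment to catch a missing master IP or the wrong case in a CN; after kubeadm has accepted the files, a wrong SAN only shows up as a TLS failure from kubelets or in-cluster clients.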
For multiple master nodes it is recommended to initialize the cluster with --config, but note the caution on the official site: "The config file is still considered alpha and may change in future versions."
Reference: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/
An example config.yaml:
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
kubernetesVersion: v1.10.4
networking:
  podSubnet: 10.244.0.0/16
apiServerCertSANs:    # hostnames and IP addresses of the master nodes
- k8s01
- k8s02
- k8s03
- 172.16.50.131
- 172.16.50.132
- 172.16.50.104
- 172.16.50.227
apiServerExtraArgs:
  endpoint-reconciler-type: "lease"
etcd:
  endpoints:          # etcd cluster addresses
  - http://172.16.50.131:2379
  - http://172.16.50.132:2379
  - http://172.16.50.133:2379
token: "deed3a.b3542929fcbce0f0"
tokenTTL: "0"
Two things to be aware of in this file: tokenTTL: "0" makes the bootstrap token never expire, so it should be removed with kubeadm token delete once all nodes have joined, and the etcd endpoints here are plain http; if the etcd cluster has TLS enabled, the client CA, certificate and key must also be set (etcd.caFile, etcd.certFile and etcd.keyFile in this config version).
To manually generate a certificate for Kubernetes