
Preparando os Arquivos Necessários

Precisamos gerar os certificados que iremos utilizar em todos os componentes do Kubernetes. Os certificados são usados para identificar quem são os componentes e a quais grupos pertencem, para que se autentiquem no kube-apiserver e tenham as permissões adequadas.

Como cada um tem um certificado diferente, podemos criar diferentes kubeconfigs utilizando esses certificados.

Como os certificados no Kubernetes ficam na pasta /var/lib/kubernetes/pki, vamos criar uma pasta de mesmo nome dentro de shared_files com os arquivos necessários.

É necessário que uma CA assine todos esses certificados. Crie e execute o seguinte script dentro da pasta shared_files.

Troque os IPs pelos IPs que você definiu no seu Vagrantfile.

Observe que esse script será chamado somente no master1, para criar os certificados que serão usados por todos; eles ficarão disponíveis dentro de shared_files. Se quiser, execute os scripts manualmente para estudar.

Crie o script chamado 1_generate_certificate_control_plane.sh

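#!/bin/bash
# Generates the cluster CA and the TLS material used by the control-plane
# components. Everything is written into ./pki relative to the directory the
# script is run from (the page runs it inside shared_files).
#
# Outputs (in ./pki): ca, admin, kube-controller-manager, kube-scheduler,
#   kube-proxy, kube-apiserver, apiserver-kubelet-client, etcd-server and
#   service-account, each as <name>.key + <name>.crt. The .csr and .cnf
#   intermediates are removed at the end.
#
# Edit the IP.n entries in the [alt_names] sections below to match the IPs in
# your Vagrantfile.
set -euo pipefail

# NOTE(review): every *.key produced here is a private key, and ca.key signs
# every identity in the cluster. They are created with the caller's umask;
# restrict their permissions (or the synced-folder mount) before the files
# are distributed to the nodes.

readonly CERT_DAYS=1000
readonly KEY_BITS=2048

#######################################
# Generates a key pair and a CA-signed certificate without X.509 extensions.
# Globals:   CERT_DAYS, KEY_BITS (read); ca.crt/ca.key in the cwd
# Arguments: $1 - file basename (e.g. admin)
#            $2 - subject (e.g. /CN=admin/O=system:masters)
# Outputs:   <name>.key, <name>.csr, <name>.crt in the cwd
#######################################
gen_signed_cert() {
  local name=$1
  local subject=$2
  openssl genrsa -out "${name}.key" "${KEY_BITS}"
  openssl req -new -key "${name}.key" -subj "${subject}" -out "${name}.csr"
  openssl x509 -req -in "${name}.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "${name}.crt" -days "${CERT_DAYS}"
}

#######################################
# Same as gen_signed_cert, but applies the [v3_req] extensions of a config
# file (SANs, key usage) to the CSR and the issued certificate.
# Arguments: $1 - file basename, $2 - subject, $3 - openssl config file
#######################################
gen_signed_cert_ext() {
  local name=$1
  local subject=$2
  local cnf=$3
  openssl genrsa -out "${name}.key" "${KEY_BITS}"
  openssl req -new -key "${name}.key" -subj "${subject}" -out "${name}.csr" -config "${cnf}"
  openssl x509 -req -in "${name}.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "${name}.crt" -extensions v3_req -extfile "${cnf}" -days "${CERT_DAYS}"
}

# -p keeps re-runs idempotent; aborting on a failed cd prevents the keys from
# being written into the parent directory.
mkdir -p pki
cd pki || exit 1

############################# CA #############################################
printf '\n##### Criando CA ######\n'
# NOTE(review): no extfile is passed, so the CA certificate carries no
# basicConstraints CA:TRUE / keyCertSign; consider adding them so the root is
# explicitly marked as a CA.
openssl genrsa -out ca.key "${KEY_BITS}"
openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA/O=Kubernetes" -out ca.csr
openssl x509 -req -in ca.csr -signkey ca.key -CAcreateserial -out ca.crt -days "${CERT_DAYS}"

############################# ADMIN #############################################
printf '\n##### Criando o certificado para o admin ######\n'
# O=system:masters grants cluster-admin through a built-in binding that cannot
# be revoked without rotating the CA; treat admin.key accordingly.
gen_signed_cert admin "/CN=admin/O=system:masters"

############################# CONTROLLER MANAGER #############################################
printf '\n##### Criando o certificado para o controller manager ######\n'
gen_signed_cert kube-controller-manager "/CN=system:kube-controller-manager/O=system:kube-controller-manager"

############################# SCHEDULER #############################################
printf '\n##### Criando o certificado para o scheduler ######\n'
gen_signed_cert kube-scheduler "/CN=system:kube-scheduler/O=system:kube-scheduler"

############################# KUBE-PROXY #############################################
printf '\n##### Criando o certificado para o kube-proxy ######\n'
gen_signed_cert kube-proxy "/CN=system:kube-proxy/O=system:node-proxier"

############################# API SERVER #############################################
printf '\n##### Criando o certificado para o Api Server ######\n'

# '>' (not '>>') so a re-run does not append duplicate sections to the config.
# Quoted delimiter: the file contains no shell expansions.
cat <<'EOF' > openssl-apiserver.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[v3_req]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
IP.1 = 10.96.0.1
IP.2 = 10.0.0.201
IP.3 = 10.0.0.202
IP.4 = 10.0.0.203
IP.5 = 10.0.0.200
IP.6 = 127.0.0.1
EOF

gen_signed_cert_ext kube-apiserver "/CN=kube-apiserver/O=Kubernetes" openssl-apiserver.cnf

############################# API SERVER CLIENT #############################################
printf '\n##### Criando o certificado para o Api Server como client do Kubelet ######\n'

cat <<'EOF' > openssl-kubelet.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

gen_signed_cert_ext apiserver-kubelet-client "/CN=kube-apiserver-kubelet-client/O=system:masters" openssl-kubelet.cnf

############################# ETCD SERVER #############################################
printf '\n##### Criando o certificado para o ETCD ######\n'

# The trailing empty duplicate [req_distinguished_name] section of the
# original was dropped; the section is already declared above.
cat <<'EOF' > openssl-etcd.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 10.0.0.201
IP.2 = 10.0.0.202
IP.3 = 10.0.0.203
IP.4 = 127.0.0.1
EOF

gen_signed_cert_ext etcd-server "/CN=etcd-server/O=Kubernetes" openssl-etcd.cnf

############################# SERVICE ACCOUNT #############################################
printf '\n##### Criando o certificado para o service-account ######\n'
gen_signed_cert service-account "/CN=service-accounts/O=Kubernetes"

printf '\n##### Removendo arquivos desnecessários .csr e .cnf ######\n'
# Plain files only: no need for -r; '--' protects against odd names.
rm -f -- *.csr *.cnf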

A segunda etapa é criar os arquivos kubeconfig. Todos os arquivos .kubeconfig gerados irão apontar para os arquivos dos certificados, que depois estarão na pasta correta. O único caso em que o conteúdo do certificado fica embutido no arquivo é o do admin.

Crie o script abaixo dentro de shared_files com o nome 3_generate_kubeconfigs_control_plane.sh. Por uma questão de organização, vamos colocá-los na pasta kubeconfigs, criada pelo script, para depois serem movidos para o lugar correto.

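#!/bin/bash
# Generates the kubeconfig files of the control-plane components into
# ./kubeconfigs. All of them reference certificate paths under
# /var/lib/kubernetes/pki (resolved later on the node); only admin.kubeconfig
# embeds the certificate and key contents, read from ../pki.
#
# Requires: kubectl on PATH; ../pki/{ca.crt,admin.crt,admin.key} for the admin
#   kubeconfig (produced by the certificate script).
set -euo pipefail

readonly CLUSTER=kubernetes-the-hard-way
readonly PKI_DIR=/var/lib/kubernetes/pki

#######################################
# Writes one kubeconfig whose CA/client cert/key are file references to PKI_DIR.
# Globals:   CLUSTER, PKI_DIR (read)
# Arguments: $1 - user name (e.g. system:kube-proxy)
#            $2 - certificate basename under PKI_DIR (e.g. kube-proxy)
#            $3 - API server URL
#            $4 - output kubeconfig path
#######################################
write_kubeconfig() {
  local user=$1
  local cert=$2
  local server=$3
  local out=$4
  kubectl config set-cluster "${CLUSTER}" \
    --certificate-authority="${PKI_DIR}/ca.crt" \
    --server="${server}" \
    --kubeconfig="${out}"

  kubectl config set-credentials "${user}" \
    --client-certificate="${PKI_DIR}/${cert}.crt" \
    --client-key="${PKI_DIR}/${cert}.key" \
    --kubeconfig="${out}"

  kubectl config set-context default \
    --cluster="${CLUSTER}" \
    --user="${user}" \
    --kubeconfig="${out}"

  kubectl config use-context default --kubeconfig="${out}"
}

# -p keeps re-runs idempotent; aborting on a failed cd keeps the output out of
# the parent directory.
mkdir -p kubeconfigs
cd kubeconfigs || exit 1

printf '\n##### Gerando o kubeconfig para o kube-proxy #####\n'
# kube-proxy runs on every node, so it goes through the load-balancer address.
write_kubeconfig system:kube-proxy kube-proxy https://10.0.0.200:6443 kube-proxy.kubeconfig

printf '\n##### Gerando o kubeconfig para o controller-manager #####\n'
# controller-manager and scheduler run next to the API server: loopback.
write_kubeconfig system:kube-controller-manager kube-controller-manager https://127.0.0.1:6443 kube-controller-manager.kubeconfig

printf '\n##### Gerando o kubeconfig para o scheduler #####\n'
write_kubeconfig system:kube-scheduler kube-scheduler https://127.0.0.1:6443 kube-scheduler.kubeconfig

printf '\n##### Gerando o kubeconfig para o admin #####\n'
# The admin kubeconfig is the only one with embedded material: it carries the
# admin (system:masters) private key inline, so the file itself is a
# cluster-admin credential.
kubectl config set-cluster "${CLUSTER}" \
  --certificate-authority=../pki/ca.crt \
  --embed-certs=true \
  --server=https://127.0.0.1:6443 \
  --kubeconfig=admin.kubeconfig

kubectl config set-credentials admin \
  --client-certificate=../pki/admin.crt \
  --client-key=../pki/admin.key \
  --embed-certs=true \
  --kubeconfig=admin.kubeconfig

kubectl config set-context default \
  --cluster="${CLUSTER}" \
  --user=admin \
  --kubeconfig=admin.kubeconfig

kubectl config use-context default --kubeconfig=admin.kubeconfig

# Best effort: synced folders may not honour mode bits, so a failure here must
# not abort the run.
chmod 600 admin.kubeconfig || true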

Outro arquivo de que precisamos é um objeto do Kubernetes que fará a encriptação das secrets e de outros recursos que quisermos. É necessário gerar uma chave; logo, faremos isso antes de criar o objeto que o kube-apiserver usará.

Crie o script abaixo na pasta shared_files com o nome que quiser e execute-o. A saída será apenas o objeto de que precisamos, chamado encryption-config.yaml.

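#!/bin/bash
# Generates encryption-config.yaml: the at-rest encryption configuration that
# kube-apiserver uses for secrets and configmaps, with a freshly generated
# random key. Move the file to /var/lib/kubernetes afterwards.
set -euo pipefail

# 32 random bytes, base64-encoded: the AES-256 key consumed by the aescbc
# provider below.
ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
readonly ENCRYPTION_KEY

printf '\n##### Gerando método de encriptação que será usado no cluster #####\n'

# NOTE(review): the output file holds the data-encryption key in clear text;
# the subshell umask keeps it owner-only where the filesystem honours mode
# bits, without changing the umask of the rest of the script.
# NOTE(review): apiVersion v1 / kind EncryptionConfig is the legacy schema;
# recent kube-apiserver releases expect apiVersion apiserver.config.k8s.io/v1
# and kind EncryptionConfiguration — confirm against the cluster version.
# aescbc is kept as on the page; upstream documents it as weaker than
# aesgcm/secretbox/kms because of CBC padding-oracle exposure.
# The YAML below is indented as the schema requires (the unindented form is
# not valid YAML).
(
  umask 077
  cat > encryption-config.yaml <<EOF
apiVersion: v1
kind: EncryptionConfig
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
EOF
)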