之所以要将这篇很长很长的博文拆分开,是因为站内查询因这篇长文而失效了,另外打开一个页面实在有些卡顿(⊙﹏⊙)b
复习资料
TLS
Q: TLS bootstrapping, see
https://coreos.com/kubernetes/docs/latest/openssl.html
https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/
https://github.com/cloudflare/cfssl
一般证书的申请流程如下:
- 创建证书认证签名 CA (相当于证书颁发机构的证书和私钥)。在现实中这一步由收费的证书颁发机构完成,这里直接忽略(自建 CA)。
- 产生私钥 Key (请求认证方的私钥)
- 使用已生成的私钥产生证书签名请求CSR (请求认证方基于私钥生成向证书颁发机构所需的证书签名请求文件)
- 使用CA和CSR产生证书 CRT (使用证书颁发机构的证书、私钥以及请求认证方的证书请求文件生成目标证书)
- 下载cfssl软件包
- 访问:https://pkg.cfssl.org
- 下载:cfssl_linux-amd64 => cfssl
- 下载:cfssljson_linux-amd64 => cfssljson
- 下载:cfssl-certinfo_linux-amd64 => cfssl-certinfo (与上面两个一样选 amd64,否则在 amd64 主机上无法运行)
创建证书的流程
- 创建自签名的CA证书;
- 使用CA证书、CA私钥、CA的配置文件,以及客户的CSR生成客户的证书;
操作流程
生成default配置文件
# 这一步就是产生CSR和CA的配置模板,方便按需修改
root@test-9:~/henry# ./cfssl print-defaults list
Default configurations are available for:
config
csr
root@test-9:~/henry# ./cfssl print-defaults config > ca-config.json
root@test-9:~/henry# ./cfssl print-defaults csr > ca-csr.json
root@test-9:~/henry#
配置CA的CSR,为自己生成CERT:
root@test-9:~/henry# #下面是修改之后的结果,CSR就是讲清楚你是"谁"(这里是在为自签名的根 CA 生成 CSR,并非中间 CA)
root@test-9:~/henry# cat ca-csr.json
{
"CN": "Chen Leiji CA",
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco",
"O": "WISE2C",
"OU": "development"
}
]
}
root@test-9:~/henry# #这一步是直接使用CSR来签署CA(-initca 生成的是自签名的根 CA 证书 ca.pem 及其私钥 ca-key.pem,下面 certinfo 输出中 subject 与 issuer 相同,并非中间 CA)
root@test-9:~/henry# ./cfssl gencert -initca ca-csr.json | ./cfssljson -bare ca
2017/11/15 13:16:04 [INFO] generating a new CA key and certificate from CSR
2017/11/15 13:16:04 [INFO] generate received request
2017/11/15 13:16:04 [INFO] received CSR
2017/11/15 13:16:04 [INFO] generating key: ecdsa-256
2017/11/15 13:16:04 [INFO] encoded CSR
2017/11/15 13:16:04 [INFO] signed certificate with serial number 84349438505086023342597169366385715026517648791
root@test-9:~/henry# ls
ca-config.json ca.csr ca-key.pem ca.pem cfssl cfssljson csr.json
root@test-9:~/henry#
查看生成的CA证书:
root@test-9:~/henry# ./cfssl-certinfo -cert ca.pem
{
"subject": {
"common_name": "Chen Leiji CA",
"country": "US",
"organization": "WISE2C",
"organizational_unit": "development",
"locality": "CA",
"province": "San Francisco",
"names": [
"US",
"San Francisco",
"CA",
"WISE2C",
"development",
"Chen Leiji CA"
]
},
"issuer": {
"common_name": "Chen Leiji CA",
"country": "US",
"organization": "WISE2C",
"organizational_unit": "development",
"locality": "CA",
"province": "San Francisco",
"names": [
"US",
"San Francisco",
"CA",
"WISE2C",
"development",
"Chen Leiji CA"
]
},
"serial_number": "84349438505086023342597169366385715026517648791",
"not_before": "2017-11-15T05:11:00Z",
"not_after": "2022-11-14T05:11:00Z",
"sigalg": "ECDSAWithSHA256",
"authority_key_id": "D4:54:B3:F5:DF:CA:4A:22:E5:E:99:F0:BE:5A:4E:B:89:3C:DC:53",
"subject_key_id": "D4:54:B3:F5:DF:CA:4A:22:E5:E:99:F0:BE:5A:4E:B:89:3C:DC:53",
"pem": "-----BEGIN CERTIFICATE-----\nMIICSjCCAfCgAwIBAgIUDsZcEST3fVKpcGgiDP+IvVG1ZZcwCgYIKoZIzj0EAwIw\ncTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT\nAkNBMQ8wDQYDVQQKEwZXSVNFMkMxFDASBgNVBAsTC2RldmVsb3BtZW50MRYwFAYD\nVQQDEw1DaGVuIExlaWppIENBMB4XDTE3MTExNTA1MTEwMFoXDTIyMTExNDA1MTEw\nMFowcTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV\nBAcTAkNBMQ8wDQYDVQQKEwZXSVNFMkMxFDASBgNVBAsTC2RldmVsb3BtZW50MRYw\nFAYDVQQDEw1DaGVuIExlaWppIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nCaeC0bFStNdMcaWjMWtc0/HyC/VrcuALsa7ie5xE1lB6wNtQE1JlDxQUPbOJvHXh\nXJ8Lhtp+GKR3nPWiy6+j36NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQI\nMAYBAf8CAQIwHQYDVR0OBBYEFNRUs/Xfykoi5Q6Z8L5aTguJPNxTMB8GA1UdIwQY\nMBaAFNRUs/Xfykoi5Q6Z8L5aTguJPNxTMAoGCCqGSM49BAMCA0gAMEUCIQCIG5Hx\n6Pmhj3LT2dRpGGJW3yj3+r9txDjMUH7+CtvJ/AIga5REzrYKSByjSKrMmoa2NPl2\nIIKQ2hASUgXI3565qdc=\n-----END CERTIFICATE-----\n"
}
root@test-9:~/henry#
配置CA Profile选项(此处的 profiles 对应下面生成客户证书时通过 --profile 指定的值):
root@test-9:~/henry# cat ca-config.json
{
"signing": {
"default": {
"expiry": "168h"
},
"profiles": {
"server": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
}
}
}
}
root@test-9:~/henry#
修改客户CSR.json:
获取模板文件:
# 这才是需要申请证书的客户提交的CSR,里面有"hosts"信息
root@test-9:~/henry# ./cfssl print-defaults csr
{
"CN": "example.net",
"hosts": [
"example.net",
"www.example.net"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
root@test-9:~/henry#
修改CSR,主要涉及hosts的内容:
root@test-9:~/henry# cat csr.json
{
"CN": "Chen Leiji Server",
"key": {
"algo": "ecdsa",
"size": 256
},
"hosts":[
"www.wise2c.com"
],
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco",
"O": "WISE2C",
"OU": "development"
}
]
}
生成客户证书
# 需要使用证书颁发机构的CA和Key来为其生成CERT
root@test-9:~/henry# ./cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json --hostname="www.wise2c.com" --profile="server" csr.json | ./cfssljson -bare server
2017/11/15 14:34:07 [INFO] generate received request
2017/11/15 14:34:07 [INFO] received CSR
2017/11/15 14:34:07 [INFO] generating key: ecdsa-256
2017/11/15 14:34:07 [INFO] encoded CSR
2017/11/15 14:34:07 [INFO] signed certificate with serial number 408368599847170747880405926931506246283785194006
root@test-9:~/henry#
root@test-9:~/henry# ls
ca-config.json ca.csr ca-key.pem ca.pem cfssl cfssl-certinfo cfssljson csr.json server.csr server-key.pem server.pem
root@test-9:~/henry#
root@test-9:~/henry# ./cfssl-certinfo -cert server.pem
{
"subject": {
"common_name": "Chen Leiji Server",
"country": "US",
"organization": "WISE2C",
"organizational_unit": "development",
"locality": "CA",
"province": "San Francisco",
"names": [
"US",
"San Francisco",
"CA",
"WISE2C",
"development",
"Chen Leiji Server"
]
},
"issuer": {
"common_name": "Chen Leiji CA",
"country": "US",
"organization": "WISE2C",
"organizational_unit": "development",
"locality": "CA",
"province": "San Francisco",
"names": [
"US",
"San Francisco",
"CA",
"WISE2C",
"development",
"Chen Leiji CA"
]
},
"serial_number": "408368599847170747880405926931506246283785194006",
"sans": [
"www.wise2c.com"
],
"not_before": "2017-11-15T06:29:00Z",
"not_after": "2018-11-15T06:29:00Z",
"sigalg": "ECDSAWithSHA256",
"authority_key_id": "D4:54:B3:F5:DF:CA:4A:22:E5:E:99:F0:BE:5A:4E:B:89:3C:DC:53",
"subject_key_id": "1D:DB:C:A:34:9D:50:98:B0:F7:7D:E5:43:AF:3:D:9E:7D:92:C4",
"pem": "-----BEGIN CERTIFICATE-----\nMIICeTCCAiCgAwIBAgIUR4fhn28TfjY12WtKZvStTxZMyhYwCgYIKoZIzj0EAwIw\ncTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT\nAkNBMQ8wDQYDVQQKEwZXSVNFMkMxFDASBgNVBAsTC2RldmVsb3BtZW50MRYwFAYD\nVQQDEw1DaGVuIExlaWppIENBMB4XDTE3MTExNTA2MjkwMFoXDTE4MTExNTA2Mjkw\nMFowdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV\nBAcTAkNBMQ8wDQYDVQQKEwZXSVNFMkMxFDASBgNVBAsTC2RldmVsb3BtZW50MRow\nGAYDVQQDExFDaGVuIExlaWppIFNlcnZlcjBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABNS8mQT/DGMqig0Ju4VwcKtJoleoUF/lJokUhGKVudxIDRPMlgfHI7etIOBD\nPPhgrDdBWMEZHqZ0qLhmvp2v4G6jgZEwgY4wDgYDVR0PAQH/BAQDAgWgMBMGA1Ud\nJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFB3bDAo0nVCY\nsPd95UOvAw2efZLEMB8GA1UdIwQYMBaAFNRUs/Xfykoi5Q6Z8L5aTguJPNxTMBkG\nA1UdEQQSMBCCDnd3dy53aXNlMmMuY29tMAoGCCqGSM49BAMCA0cAMEQCIGou6e5c\nhQR0E3+piwH7VDchIlFUvU3OEttxqPnwYUqSAiBOgjYLgbJH07nf2mYqbegRkmpY\nwSmMdvZBSHvLyw81lA==\n-----END CERTIFICATE-----\n"
}
root@test-9:~/henry#
拷贝证书到系统,并更新证书库(只拷贝公钥证书 ca.pem;ca-key.pem 是根 CA 私钥,不要放进信任库目录):
chmod 600 *-key.pem
cp ~/cfssl/ca.pem /etc/ssl/certs/
update-ca-trust
Installation
Q: Setting up K8s master components with a binaries/from tar balls
Also, convert CRT to PEM: openssl x509 -in abc.crt -out abc.pem
- https://coreos.com/kubernetes/docs/latest/openssl.html
- https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md
- https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/08-bootstrapping-kubernetes-controllers.md
- https://gist.github.com/mhausenblas/0e09c448517669ef5ece157fd4a5dc4b
- https://kubernetes.io/docs/getting-started-guides/scratch/
- http://alexander.holbreich.org/kubernetes-on-ubuntu/
- https://kubernetes.io/docs/getting-started-guides/binary_release/ (maybe dashboard?)
- http://kamalmarhubi.com/blog/2015/09/06/kubernetes-from-the-ground-up-the-api-server/
life-cycle
Q: 对deployment做rollingUpdate,再滚回来
- RollingUpdate (貌似对于deploy限制只能够设置其image、resource、selector、subject来实现)
[root@dev-7 henry]# kubectl run demo --image=nginx --port=80 --replicas=2 --labels="cka=true"
一种较保守的做法是先将其锁住,等待操作完成,检查OK了再下发:
[root@dev-7 henry]# kubectl rollout pause deploy/demo
除此之外,rollingUpdate还可以通过kubectl apply来实现:
[root@dev-7 henry]# kubectl apply -f demo.yaml --record
自动弹性伸缩:
[root@dev-7 henry]# kubectl autoscale deploy/demo --min=10 --max=15 --cpu-percent=80
deployment "demo" autoscaled
Hook
Pod支持两种hook:
- postStart 在pod启动成功了后调用
- preStop 在pod停止之前调用
支持两种hook handler:
- Exec
- HTTP
apiVersion: v1
kubectl taint
Q: 对node做taint (taint a node)
注意:
- taint指定的 key:value 与node的label之间没有任何关系!
- 在添加taint的时候,需要指定: key=value:effect
- 在删除taint的时候,不需要指定 value,格式为: key:effect
root@test-9:~# kubectl get pod -o wide
- Effect支持:
NoSchedule/NoExecute/PreferNoSchedule
kubectl taint nodes node1 key1=value1:NoSchedule
Tolerations支持:
指定匹配 key/value和effect
tolerations:
- key: "key"
  operator: "Equal"
  value: "value"
  effect: "NoSchedule"
- key: "key"
指定 key存在且指定effect
tolerations:
- key: "key"
  operator: "Exists"
  effect: "NoSchedule"
- key: "key"
只要有任何key存在
tolerations:
- operator: "Exists"
指定key存在
tolerations:
- key: "key"
  operator: "Exists"
- key: "key"
tolerationSeconds 代表往 node 添加 taint 后,多长时间之内该 pod 依然可以存活(时间结束后将被驱逐删除):
tolerations:
- key: "key1"
  operator: "Equal"
  value: "value1"
  effect: "NoExecute"
  tolerationSeconds: 3600
- key: "key1"
例子:
root@test-9:~# kubectl get pod -o wide
Secret
- generic
root@test-9:~# kubectl create secret generic demo --from-literal=user=chenleji --from-literal=passwd=123
TLS
kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
Registry
kubectl create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER \
  --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
volume mount
未指定挂载的具体文件名:
root@test-9:~# kubectl get deploy -o yaml | grep volume -C 5
指定挂载文件名:
root@test-9:~# kubectl describe secret demo
Name: demo
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
passwd: 3 bytes
user: 8 bytes
root@test-9:~#
root@test-9:~# kubectl get deploy nginx -o yaml | grep volume -C 8
spec:
containers:
- image: nginx
imagePullPolicy: Always
name: nginx
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /secret
name: secret
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
tolerations:
- operator: Exists
volumes:
- name: secret
secret:
defaultMode: 420
items:
- key: user
path: haha/xx
secretName: demo
status:
root@test-9:~#
root@nginx-657c6dcd4c-56p5h:/# cat /secret/haha/xx
chenleji
root@nginx-657c6dcd4c-56p5h:/#
- env
root@test-9:~# kubectl get deploy nginx -o yaml | grep env -C 6
ENV
- Use Pod Field
root@test-9:~# kubectl get deploy -o yaml | grep env -C 10
- Use Container Field
apiVersion: v1
结束
好吧,这次真没有了!你以为你就可以考过了吗?呵呵~~
再好好看看官网的文档吧,另外,最后再附送一份k8s相关的资源大宝典。注意,需要翻墙!