
Problem description

I have a coreos kubernetes cluster, which I started by following this article:

Kubernetes coreos cluster on AWS

TLDR;

> kube-aws init
> kube-aws render
> kube-aws up

Everything worked well and I had a kubernetes coreos cluster on AWS. In the article there is a warning that said:

So I wanted to replace the default certificates, so I followed the following article:

coreos certificates

TLDR;

  1. Created the following self-signed certificate: ca.pem, ca-key.pem
  2. Created certificates for the controller: apiserver.pem, apiserver-key.pem
  3. Replaced the certificates in the controller with the ones created above, then restarted the controller
  4. Created worker certificates and replaced the certificates in the workers, then restarted them
  5. Configured kubectl to use the new certificates I created, and also configured the context and user

I'm getting a communication error between kubectl and the cluster, complaining about the certificate.

I also tried to use a signed certificate for kubectl which points to the cluster DNS; I set a DNS for the cluster.

How do I make kubectl communicate with my cluster?

Thanks in advance.

My ~/.kube/config is as follows:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/Yariv/Development/workspace/bugeez/bugeez-kubernetes/credentials/ca2.pem
    server: https://kubernetes.bugeez.io
  name: bugeez
contexts:
- context:
    cluster: bugeez
    user: bugeez-admin
  name: bugeez-system
current-context: bugeez-system
kind: Config
preferences: {}
users:
- name: bugeez-admin
  user:
    client-certificate: /Users/Yariv/Development/workspace/bugeez/bugeez-kubernetes/credentials/admin2.pem
    client-key: /Users/Yariv/Development/workspace/bugeez/bugeez-kubernetes/credentials/admin-key2.pem

All my certificates are signed by ca2.pem; I also validated this fact by running:

openssl verify -CAfile ca2.pem <certificate-name>

What I think is the cause of the error is this: when I switch the keys in the controller and workers, it seems like cloud-config is overwriting my new keys with the old ones. How do I replace the keys and also change cloud-config to adapt to my change?

Recommended answer

An alternative solution that worked for me was to start a new cluster, and use custom certificates initially, without ever relying on the default temporary credentials.

Following the same tutorial that you used, I made the following changes:

> kube-aws init
> kube-aws render

Before kube-aws up, I created the certificates by following the tutorial. The only issue with the tutorial is that it is geared toward creating new certificates for an existing cluster. Therefore, the following changes are necessary:

  • This line: $ openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca" needs to be replaced with: $ openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem

  • In the openssl.cnf file, remove the lines that define the IP for the master host and the loadbalancer, since we don't know what they will be yet. The final openssl.cnf should look something like this:

openssl.cnf

[req]
...
[req_distinguished_name]
[ v3_req ]
...
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = mydomain.net
IP.1 = ${K8S_SERVICE_IP} # 10.3.0.1
IP.2 = ${MASTER_IP} # 10.0.0.50

I also used the same worker certificate for all the worker nodes.

Once the certificates are in place, run kube-aws up.

I hope this helps you get off the ground.
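As an added example (not part of the question or the answer above), the script below mints a throwaway CA and an apiserver certificate using the SAN list from the answer's openssl.cnf, then runs the three checks that separate the two failure modes discussed here: the questioner's `openssl verify` chain check against the CA named in the kubeconfig, and a SAN check for the hostname kubectl actually dials (kubernetes.bugeez.io in the question's config). The second CA, `old-ca`, is a constructed stand-in for the default credentials that cloud-config may write back over a node; the IPs are placeholders, as in the answer.

```shell
# Constructed example: throwaway CA + apiserver cert built with the answer's
# SAN list, plus the checks to run before pointing ~/.kube/config at a cluster.
set -eu
WORK=$(mktemp -d); cd "$WORK"
cat > openssl.cnf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = mydomain.net
IP.1 = 10.3.0.1
IP.2 = 10.0.0.50
EOF
# "ca" is the CA we intend to use; "old-ca" stands in (constructed) for the
# default credentials that cloud-config may restore on the node.
for n in ca old-ca; do
  openssl genrsa -out "$n-key.pem" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$n-key.pem" -days 10000 -out "$n.pem" -subj "/CN=$n" 2>/dev/null
done
openssl genrsa -out apiserver-key.pem 2048 2>/dev/null
openssl req -new -key apiserver-key.pem -out apiserver.csr \
  -subj "/CN=kube-apiserver" -config openssl.cnf 2>/dev/null
openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out apiserver.pem -days 365 -extensions v3_req -extfile openssl.cnf 2>/dev/null
# Check 1 (the question's own test): does this CA actually sign the cert?
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Check 2: the hostname kubectl dials, taken from the kubeconfig "server:" URL.
server_host() { printf '%s\n' "$1" | sed -E 's#^[a-z]+://##; s#[:/].*$##'; }
# Check 3: is that name (or IP) in the cert's SAN? A cert that chains fine but
# lacks the dialled name still fails the TLS handshake from kubectl.
san_has() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    tail -n 1 | tr ',' '\n' | sed 's/^ *//' | grep -qx "$2"
}
chain_ok ca.pem apiserver.pem && echo "apiserver.pem chains to ca.pem"
san_has apiserver.pem "DNS:mydomain.net" && echo "SAN lists mydomain.net"
```

Run the same three checks against the files named in your own kubeconfig: if `chain_ok` fails the node is serving a cert from the old CA, and if `san_has` fails for the `server:` hostname the cert needs that name added to alt_names before it is signed.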


08-23 06:00