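Add the Kubernetes yum repository by editing /etc/yum.repos.d/kubernetes.repo:

[kubernetes]
name=Kubernetes Repository
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0

Note that this repository definition uses plain HTTP and gpgcheck=0, so yum does not verify package signatures and the packages are installed unauthenticated.

Install kubeadm and related tools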

yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes

Start docker and kubelet

systemctl enable docker && systemctl start docker
systemctl enable kubelet && systemctl start kubelet

Edit the kubeadm init configuration file

kubeadm config print init-defaults > init.default.yaml

Using init.default.yaml as a reference, write the configuration file init-config.yaml:

apiVersion: kubeadm.k8s.io/v1beta1
imageRepository: gcr.akscn.io/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.14.0
networking:
  dnsDomain: cluster.local
  podSubnet: ""
  serviceSubnet: 10.96.0.0/12
apiServer:
  extraArgs:
    anonymous-auth: "false"
    encryption-provider-config: /etc/kubernetes/pki/kube-secret.yaml

In Kubernetes 1.14, the api-server flag that enables Secret encryption is encryption-provider-config. Reference: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#before-you-begin

The kube-secret.yaml file
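
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: BhgJ6ldAAvHHdOkE9gGmMQj5seDc3nHeyQ+NOpZjeyY=
      - identity: {}

The secret field is a base64-encoded key; generate your own random key rather than reusing the value shown here.

Choosing the path for kube-secret.yaml
kube-secret.yaml must be placed at a path that is mounted into the api-server pod, otherwise the api-server cannot read it. Here we use /etc/kubernetes/pki, which is mounted by default.
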
Pull the required images

kubeadm config images pull --config=init-config.yaml

Install the master

kubeadm init --config=init-config.yaml

Verify aescbc encryption
Install etcdctl

#!/bin/bash
ETCD_VER=v3.3.10
ETCD_DIR=etcd-download
DOWNLOAD_URL=https://github.com/coreos/etcd/releases/download

# Download
mkdir -p ${ETCD_DIR}
cd ${ETCD_DIR}
wget ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz
tar -xzvf etcd-${ETCD_VER}-linux-amd64.tar.gz

# Install
cd etcd-${ETCD_VER}-linux-amd64
cp etcdctl /usr/local/bin/

Verify

ETCDCTL_API=3 etcdctl get /registry/secrets/default/default-token-6q4bn --cacert="/etc/kubernetes/pki/etcd/ca.crt" --cert="/etc/kubernetes/pki/apiserver-etcd-client.crt" --key="/etc/kubernetes/pki/apiserver-etcd-client.key" --endpoints=127.0.0.1:2379
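
The etcdctl get above only dumps the raw stored value. Per the Kubernetes documentation linked earlier, a Secret encrypted by the aescbc provider is stored with the prefix k8s:enc:aescbc:v1:<key name>:. The following added example (not part of the original post) classifies a saved value by that prefix; the helper name, file names and sample bytes are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): classify the raw etcd value of
# a Secret by the envelope the api-server puts in front of encrypted data:
#   k8s:enc:<provider>:v1:<key name>:<ciphertext>

# secret_storage_state FILE KEYNAME   (hypothetical helper name)
# Prints: encrypted | other-provider-or-key | plaintext | empty
# Returns 0 only if the value is aescbc-encrypted under KEYNAME.
secret_storage_state() {
    local file=$1 key=$2
    local want="k8s:enc:aescbc:v1:${key}:"
    local got
    [ -s "$file" ] || { echo "empty"; return 1; }
    # Read just the prefix length; drop NUL bytes, which unencrypted
    # protobuf values contain and shell strings cannot hold.
    got=$(head -c "${#want}" "$file" | LC_ALL=C tr -d '\000')
    case "$got" in
        "$want")   echo "encrypted"; return 0 ;;
        k8s:enc:*) echo "other-provider-or-key"; return 1 ;;
        *)         echo "plaintext"; return 1 ;;
    esac
}

# Constructed sample values (not real etcd data) so the check runs offline.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'k8s:enc:aescbc:v1:key1:\217\002\000\234\021' > "$SAMPLES/enc"
printf 'k8s:enc:aescbc:v1:key2:\217\002\000\234\021' > "$SAMPLES/oldkey"
printf 'k8s\000\n\014\n\002v1\022\006Secret'         > "$SAMPLES/plain"
: > "$SAMPLES/empty"

for f in enc oldkey plain empty; do
    printf '%-7s %s\n' "$f" "$(secret_storage_state "$SAMPLES/$f" key1)"
done
```

On the master, append --print-value-only to the etcdctl get command above and redirect its output to a file, then pass that file and key1 (the key name from kube-secret.yaml) to secret_storage_state. A result of plaintext means the value was written through the identity provider and is readable by anyone with access to etcd.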
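[k8s] Installing Kubernetes with kubeadm with Secret encryption support
- Permalink: http://www.beesfun.com/2019/10/15/【k8s】Kubeadm安装k8s支持secret加密/
- Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 3.0. Please credit the source when reposting!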