【k8s】Installing Kubernetes with kubeadm and enabling secret encryption at rest

  • Add the k8s yum repository by editing /etc/yum.repos.d/kubernetes.repo (note that gpgcheck=0 disables package signature verification for this repository)

    [kubernetes]
    name=Kubernetes Repository
    baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
    enabled=1
    gpgcheck=0
  • Install kubeadm and the related tools

    yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
  • Start docker and kubelet

    systemctl enable docker && systemctl start docker
    systemctl enable kubelet && systemctl start kubelet
  • Write the kubeadm init configuration file

    kubeadm config print init-defaults > init.default.yaml

    Using init.default.yaml as a reference, write the configuration file init-config.yaml:

    apiVersion: kubeadm.k8s.io/v1beta1
    imageRepository: gcr.akscn.io/google_containers
    kind: ClusterConfiguration
    kubernetesVersion: v1.14.0
    networking:
      dnsDomain: cluster.local
      podSubnet: ""
      serviceSubnet: 10.96.0.0/12
    apiServer:
      extraArgs:
        anonymous-auth: "false"
        encryption-provider-config: /etc/kubernetes/pki/kube-secret.yaml
    • In k8s 1.14 the api-server flag that enables secret encryption is encryption-provider-config; see https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#before-you-begin

    • The kube-secret.yaml file (the aescbc secret below is the base64 encoding of a 32-byte AES key; generate your own rather than reusing this one)

      apiVersion: apiserver.config.k8s.io/v1
      kind: EncryptionConfiguration
      resources:
        - resources:
            - secrets
          providers:
            - aescbc:
                keys:
                  - name: key1
                    secret: BhgJ6ldAAvHHdOkE9gGmMQj5seDc3nHeyQ+NOpZjeyY=
            - identity: {}
    • Choosing the path for kube-secret.yaml

      kube-secret.yaml must live at a path that is mounted into the api-server pod, otherwise the api-server cannot read it. Here the path /etc/kubernetes/pki is used because kubeadm mounts it into the api-server pod by default.

  • Pull the required images

    kubeadm config images pull --config=init-config.yaml
  • Install the master

    kubeadm init --config=init-config.yaml
  • Verify aescbc encryption

    • Install etcdctl

      #!/bin/bash
      ETCD_VER=v3.3.10
      ETCD_DIR=etcd-download
      DOWNLOAD_URL=https://github.com/coreos/etcd/releases/download

      # Download
      mkdir ${ETCD_DIR}
      cd ${ETCD_DIR}
      wget ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz
      tar -xzvf etcd-${ETCD_VER}-linux-amd64.tar.gz

      # Install
      cd etcd-${ETCD_VER}-linux-amd64
      cp etcdctl /usr/local/bin/
    • Verify

      Read a secret straight from etcd (replace default-token-6q4bn with a secret name that exists in your cluster). With encryption working, the stored value is prefixed with k8s:enc:aescbc:v1:key1: followed by ciphertext instead of a readable object:

      ETCDCTL_API=3 etcdctl get /registry/secrets/default/default-token-6q4bn --cacert="/etc/kubernetes/pki/etcd/ca.crt" --cert="/etc/kubernetes/pki/apiserver-etcd-client.crt" --key="/etc/kubernetes/pki/apiserver-etcd-client.key" --endpoints=127.0.0.1:2379
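As an added example (not code from the original post), a small Python helper for the checks above: it tells an encrypted etcd value (k8s:enc:aescbc:v1:key1: prefix) from plaintext, validates that an aescbc secret decodes to a legal AES key length, generates a fresh key, and checks that identity is not the first provider in kube-secret.yaml. The etcd values below are constructed samples, not captures from a real cluster.

```python
import base64
import os
import re

# kube-apiserver stores encrypted objects as k8s:enc:<provider>:v1:<key name>:<ciphertext>
ENC_PREFIX_RE = re.compile(rb"^k8s:enc:(aescbc|aesgcm|secretbox|kms):v1:([^:]+):")

# Constructed sample etcd values (not captured from a real cluster).
ENCRYPTED_SAMPLE = b"k8s:enc:aescbc:v1:key1:" + bytes(range(48))
PLAINTEXT_SAMPLE = b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret\x12\x10example"  # protobuf, readable


def inspect_etcd_value(raw: bytes):
    """Return (provider, key_name) when the stored object is encrypted at rest,
    or None when it is plaintext (protobuf 'k8s\\x00' marker or JSON)."""
    m = ENC_PREFIX_RE.match(raw)
    if m is None:
        return None
    return m.group(1).decode(), m.group(2).decode()


def validate_aescbc_key(b64_secret: str) -> int:
    """An aescbc secret must be base64 of a 16, 24 or 32 byte key; return the length."""
    key = base64.b64decode(b64_secret, validate=True)  # raises ValueError if malformed
    if len(key) not in (16, 24, 32):
        raise ValueError(f"aescbc key must be 16, 24 or 32 bytes, got {len(key)}")
    return len(key)


def new_aescbc_key() -> str:
    """Generate a fresh 32-byte (AES-256) key in the base64 form the config expects."""
    return base64.b64encode(os.urandom(32)).decode()


def providers_ok(providers: list) -> bool:
    """The first provider is the one used for writes: if it is identity, new secrets
    are stored in plaintext even though an aescbc entry follows it."""
    return bool(providers) and "identity" not in providers[0]


if __name__ == "__main__":
    print(inspect_etcd_value(ENCRYPTED_SAMPLE))   # ('aescbc', 'key1')
    print(inspect_etcd_value(PLAINTEXT_SAMPLE))   # None
    print(validate_aescbc_key(new_aescbc_key()))  # 32
```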