openssl命令查看证书有效期


openssl命令查看证书有效期

2023-09-19 13:28| 来源: 网络整理| 查看: 265

[[email protected] pki]# cat csr.conf

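# csr.conf: OpenSSL configuration shared by every command on this page.
# `openssl req -config csr.conf` reads [ req ], [ dn ] and [ req_ext ];
# `openssl x509 -req -extfile csr.conf -extensions v3_ext` reads [ v3_ext ].

[ req ]
# Only used when `openssl req` creates the key itself. The commands on this
# page pass -key, so the key size is decided by `openssl genrsa`.
default_bits = 2048
# Take the subject from [ dn ] instead of prompting.
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
# Every CSR built from this file carries the same subject (CN=kubernetes, O=k8s),
# including the two client certificates. Kubernetes derives the user name from
# the CN, which is where user=kubernetes in the later RBAC error comes from.
C = CN
ST = BeiJing
L = BeiJing
O = k8s
OU = System
CN = kubernetes

[ req_ext ]
# Extensions placed in the CSR.
subjectAltName = @alt_names

[ alt_names ]
# Names and addresses the API server certificate must be valid for.
# The host names and IPs are specific to the author's cluster.
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = k8s-master01
DNS.7 = k8s-master02
DNS.8 = k8s-master03
IP.1 = 10.96.0.1
IP.2 = 100.82.200.190
IP.3 = 100.82.200.184
IP.4 = 100.82.200.187
IP.5 = 100.82.200.194
IP.6 = 10.220.8.184
IP.7 = 10.220.8.187
IP.8 = 10.220.8.190
IP.9 = 10.220.8.194

[ v3_ext ]
# Extensions written into the issued certificate. The signing commands pass
# -extensions v3_ext, so this section decides what the certificate contains.
authorityKeyIdentifier = keyid,issuer:always
# Leaf certificate: must not be usable as a CA.
basicConstraints = CA:FALSE
# NOTE(review): nonRepudiation and dataEncipherment are not needed for TLS
# server or client authentication; digitalSignature and keyEncipherment are
# sufficient. Consider trimming the list.
keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
# NOTE(review): this file is also used for the client certificates, so each of
# them is valid as a TLS server too. A separate client section with only
# clientAuth would narrow that.
extendedKeyUsage = serverAuth,clientAuth
# The SAN list must be referenced here as well, otherwise the signed
# certificate is issued without any subjectAltName entries.
subjectAltName = @alt_names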

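# Issue three leaf certificates from the existing CAs (ca.crt/ca.key and
# front-proxy-ca.crt/front-proxy-ca.key must be in the current directory).
# Each key is generated in a subshell with umask 077 so the private key file is
# created readable by its owner only.
#
# NOTE(review): -days 10000 gives each leaf certificate a lifetime of about
# 27 years, so a leaked key stays usable until the CA itself is replaced.
# Prefer a short lifetime plus a renewal procedure.

# --- kube-apiserver serving certificate ---
(umask 077; openssl genrsa -out apiserver.key 2048)
openssl req -new -key apiserver.key -out apiserver.csr -config csr.conf
openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days 10000 -extensions v3_ext -extfile csr.conf
# Show the validity window (the "Not Before" / "Not After" lines).
openssl x509 -noout -text -in ./apiserver.crt | grep "Not"
# Confirm the SAN list made it into the issued certificate.
openssl x509 -noout -text -in ./apiserver.crt | grep -A1 "Subject Alternative Name"

# --- client certificate the API server presents to kubelets ---
# NOTE(review): csr.conf gives this client the subject CN=kubernetes, the same
# as the serving certificate. kubeadm's own certificate for this role uses
# CN=kube-apiserver-kubelet-client; a dedicated subject lets RBAC grant it
# only the kubelet API permissions.
(umask 077; openssl genrsa -out apiserver-kubelet-client.key 2048)
openssl req -new -key apiserver-kubelet-client.key -out apiserver-kubelet-client.csr -config csr.conf
openssl x509 -req -in apiserver-kubelet-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver-kubelet-client.crt -days 10000 -extensions v3_ext -extfile csr.conf
openssl x509 -noout -text -in ./apiserver-kubelet-client.crt | grep "Not"

# --- front-proxy client certificate (signed by the separate front-proxy CA) ---
(umask 077; openssl genrsa -out front-proxy-client.key 2048)
openssl req -new -key front-proxy-client.key -out front-proxy-client.csr -config csr.conf
openssl x509 -req -in front-proxy-client.csr -CA front-proxy-ca.crt -CAkey front-proxy-ca.key -CAcreateserial -out front-proxy-client.crt -days 10000 -extensions v3_ext -extfile csr.conf
openssl x509 -noout -text -in ./front-proxy-client.crt | grep "Not"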

# Rebuild the control-plane configuration around the certificates issued above.
# The steps are order-dependent; run them as listed.
# NOTE(review): `kubeadm alpha phase ...` is the command layout of older kubeadm
# releases; later releases expose these steps under `kubeadm init phase`.
# Check the installed version before running.

# Create the PKI files. Presumably the certificates already placed in the PKI
# directory are kept and only missing ones are generated. Confirm before
# relying on it.
kubeadm alpha phase certs all --config kubeadm-config.yaml

# Write the kubelet configuration and its environment file.
kubeadm alpha phase kubelet config write-to-disk --config kubeadm-config.yaml

kubeadm alpha phase kubelet write-env-file --config kubeadm-config.yaml

# Regenerate the kubeconfig files, which embed client certificates.
kubeadm alpha phase kubeconfig kubelet --config kubeadm-config.yaml

kubeadm alpha phase kubeconfig all --config kubeadm-config.yaml

# Regenerate the control-plane component manifests.
kubeadm alpha phase controlplane all --config kubeadm-config.yaml

# Restart kubelet so it picks up the new configuration and credentials.
systemctl restart kubelet

kubeadm alpha phase mark-master --config kubeadm-config.yaml

# admin.conf holds cluster-administrator credentials: keep the copy readable
# only by its owner and do not distribute it to other users or hosts.
cp /etc/kubernetes/admin.conf ~/.kube/config

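重启集群后,执行 kubectl logs pods XXXX -n kube-system 时报错如下:Error from server (Forbidden): Forbidden (user=kubernetes, verb=get, resource=nodes, subresource=proxy) ( pods/log kube-scheduler-k8s-master01)。报错中的 user=kubernetes 来自 apiserver-kubelet-client 证书的 CN(csr.conf 中 CN = kubernetes),说明该用户没有访问 nodes/proxy 的权限。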

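解决方案:kubectl create clusterrolebinding system:kubernetes --clusterrole=cluster-admin --user=system:kubernetes

注意:报错中的用户名是 kubernetes,而上面绑定的 --user 是 system:kubernetes;绑定的用户名必须与证书 CN 完全一致才会生效。另外,cluster-admin 的权限远超查看日志所需。访问 nodes/proxy 只需要内置的 system:kubelet-api-admin 角色,更稳妥的做法是为 apiserver-kubelet-client 证书使用独立的 CN,并只为该用户绑定这一角色。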

原文:https://blog.51cto.com/strongit/2407732


