Deploying Kubernetes securely on Debian involves several steps: preparing the environment, configuring the network, installing the key components, and setting security policies. The following is a detailed guide:
Update the system:
sudo apt-get update && sudo apt-get upgrade -y
Install the required tools (curl and wget are needed for the downloads below):
sudo apt-get install -y openssl curl wget
Generate the CA root certificate:
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=$(hostname)" -days 365 -out ca.crt
Move the CA key and certificate into the target directory:
sudo mkdir -p /etc/kubernetes/pki
sudo mv ca.key /etc/kubernetes/pki/
sudo mv ca.crt /etc/kubernetes/pki/
Download and extract the etcd prebuilt binaries:
wget https://github.com/etcd-io/etcd/releases/download/v3.5.0/etcd-v3.5.0-linux-amd64.tar.gz
# --strip-components=1 places etcd and etcdctl directly in /usr/local/bin instead of a versioned subdirectory
sudo tar xzvf etcd-v3.5.0-linux-amd64.tar.gz -C /usr/local/bin/ --strip-components=1 etcd-v3.5.0-linux-amd64/etcd etcd-v3.5.0-linux-amd64/etcdctl
Configure the etcd service:
Create the file /usr/lib/systemd/system/etcd.service:
[Unit]
Description=etcd
After=network.target
[Service]
# Assumes the etcd system user and data directory exist (sudo useradd -r -s /usr/sbin/nologin etcd; sudo mkdir -p /var/lib/etcd; sudo chown etcd:etcd /var/lib/etcd).
# %H is systemd's host-name specifier; shell syntax such as $(hostname) is not expanded in unit files.
# The certificate paths under /etc/etcd/pki are an assumption; https listen URLs require --cert-file/--key-file and the peer equivalents.
User=etcd
Group=etcd
WorkingDirectory=/var/lib/etcd
ExecStart=/usr/local/bin/etcd --name %H --data-dir=/var/lib/etcd \
  --listen-client-urls=https://0.0.0.0:2379 --advertise-client-urls=https://%H:2379 \
  --listen-peer-urls=https://0.0.0.0:2380 --initial-advertise-peer-urls=https://%H:2380 \
  --cert-file=/etc/etcd/pki/etcd.crt --key-file=/etc/etcd/pki/etcd.key --trusted-ca-file=/etc/etcd/pki/ca.crt --client-cert-auth \
  --peer-cert-file=/etc/etcd/pki/etcd.crt --peer-key-file=/etc/etcd/pki/etcd.key --peer-trusted-ca-file=/etc/etcd/pki/ca.crt --peer-client-cert-auth \
  --initial-cluster-token etcd-cluster-token --initial-cluster %H=https://%H:2380,node2=https://node2:2380,node3=https://node3:2380 --initial-cluster-state=new
[Install]
WantedBy=multi-user.target
Configure the etcd certificate request:
Create the file etcd_ssl.cnf:
[req]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
C = US
ST = YourState
L = YourCity
O = YourOrganization
OU = YourOrganizationalUnit
# OpenSSL does not expand shell syntax such as $(hostname); node1 is a placeholder for this node's hostname
CN = node1
[req_ext]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = node1
DNS.2 = node2
DNS.3 = node3
Generate the etcd server and client certificate, signed by the CA:
openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out etcd.csr -config etcd_ssl.cnf
sudo openssl x509 -req -days 365 -in etcd.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -extfile etcd_ssl.cnf -extensions req_ext -out cert.pem
# Install under /etc/etcd/pki (assumed path) so etcd can reference the server certificate, key and CA; requires the etcd user to exist
sudo install -d -o etcd -g etcd -m 0700 /etc/etcd/pki && sudo install -o etcd -g etcd -m 0600 privkey.pem /etc/etcd/pki/etcd.key && sudo install -o etcd -g etcd -m 0644 cert.pem /etc/etcd/pki/etcd.crt && sudo install -o etcd -g etcd -m 0644 /etc/kubernetes/pki/ca.crt /etc/etcd/pki/ca.crt
Start the etcd service and enable it at boot:
sudo systemctl daemon-reload
sudo systemctl start etcd
sudo systemctl enable etcd
Download the Kubernetes master (control plane) components:
K8S_VERSION=v1.20.0   # must match --kubernetes-version passed to kubeadm init below; stable.txt would fetch a newer release that a v1.20.0 control plane cannot be mixed with
for bin in kubelet kubeadm kubectl; do
  sudo wget "https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/amd64/${bin}" -O "/usr/local/bin/${bin}"
  echo "$(curl -L -s "https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/amd64/${bin}.sha256")  /usr/local/bin/${bin}" | sha256sum --check
  sudo chmod +x "/usr/local/bin/${bin}"
done
Configure the kubelet:
Create the file /etc/systemd/system/kubelet.service:
[Unit]
Description=Kubernetes kubelet
After=docker.service
Requires=docker.service
[Service]
User=root
Group=root
# kubeadm init/join writes the kubeconfig files and kubeadm-flags.env referenced here (assumed kubeadm default paths).
# The two --tls-* files must exist before kubelet starts; omit both flags to let kubelet use the certificate it obtains at bootstrap.
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
ExecStart=/usr/local/bin/kubelet --config=/var/lib/kubelet/config.yaml --container-runtime=docker \
  --kubeconfig=/etc/kubernetes/kubelet.conf --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf \
  --tls-cert-file=/var/lib/kubelet/pki/kubelet-cert.pem --tls-private-key-file=/var/lib/kubelet/pki/kubelet-key.pem \
  --rotate-certificates=true --v=2 $KUBELET_KUBEADM_ARGS
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
Initialize the master node:
# --apiserver-advertise-address takes an IP address, not host:port; the port is --apiserver-bind-port. --enable-admission-plugins and --admission-control-config-file are kube-apiserver flags, not kubeadm flags: kubeadm enables NodeRestriction by default, and extra API server flags go under apiServer.extraArgs in a kubeadm ClusterConfiguration passed with --config.
sudo kubeadm init --pod-network-cidr=10.244.0.0/16 \
  --apiserver-advertise-address="$(hostname -I | awk '{print $1}')" --apiserver-bind-port=6443 \
  --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.20.0 \
  --service-cidr=10.10.0.0/16
Configure kubectl:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Start the kubelet service and enable it at boot:
sudo systemctl daemon-reload
sudo systemctl start kubelet
sudo systemctl enable kubelet
Download the Kubernetes worker (slave) node components and install the same kubelet.service unit as on the master:
K8S_VERSION=v1.20.0   # same release as the control plane; kubeadm is also needed on the worker for kubeadm join
for bin in kubelet kubeadm; do sudo wget "https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/amd64/${bin}" -O "/usr/local/bin/${bin}" && sudo chmod +x "/usr/local/bin/${bin}"; done
Configure the kubelet and join the worker to the cluster:
# On the control plane, print a join command carrying a fresh bootstrap token and the CA public-key hash (kubeadm token create needs the admin kubeconfig, so it cannot run on the worker):
sudo kubeadm token create --print-join-command
# The hash is the SHA-256 of the CA certificate's public key, not of the token; it can be recomputed on the control plane with:
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
# Run the printed command on the worker; its form is (replace <control-plane-host>, <token> and <hash> with the printed values):
sudo kubeadm join <control-plane-host>:6443 --token <token> --discovery-token-ca-cert-hash sha256:<hash>
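The hash in the join command pins the control plane's CA, so a worker cannot be tricked into bootstrapping against a different API server. The following is an added example, not part of the original guide: a POSIX shell check that recomputes the hash from a ca.crt and verifies it against the hash embedded in a join command before that command is run. The CA it builds is a constructed test fixture, and openssl plus sha256sum (coreutils) are assumed to be installed.

```shell
# Added example: recompute the CA public-key hash that kubeadm join pins with
# --discovery-token-ca-cert-hash and check a join command against a local ca.crt.
# Assumes openssl and sha256sum (coreutils) are installed.

# Print "sha256:<hex>" over the DER SubjectPublicKeyInfo of the certificate in $1.
# This is the value kubeadm prints; it is not a hash of the token or of the PEM file.
ca_cert_hash() {
    der=$(mktemp) || return 1
    # Write the DER to a file and fail on an empty result: hashing an empty pipeline
    # would silently yield the well-known SHA-256 of the empty string.
    if ! openssl x509 -pubkey -noout -in "$1" 2>/dev/null \
            | openssl pkey -pubin -outform DER -out "$der" 2>/dev/null || [ ! -s "$der" ]; then
        rm -f "$der"
        return 1
    fi
    hex=$(sha256sum "$der" | awk '{print $1}')
    rm -f "$der"
    printf 'sha256:%s\n' "$hex"
}

# Extract the value given to --discovery-token-ca-cert-hash in a join command.
join_hash() {
    printf '%s\n' "$1" | sed -n 's/.*--discovery-token-ca-cert-hash[ =]\([^ ]*\).*/\1/p'
}

# Return 0 only when the hash embedded in the join command ($2) matches the CA in $1,
# so a worker can refuse a join command that points at a different control plane.
verify_join_command() {
    expected=$(ca_cert_hash "$1") || return 2
    [ "$(join_hash "$2")" = "$expected" ]
}

# Constructed fixture: a throwaway self-signed CA in a temporary directory.
# Prints the path of its certificate.
make_test_ca() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.crt" -subj "/CN=test-ca" -days 1 >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir/ca.crt"
}
```

On a real node, call verify_join_command with a copy of the control plane's /etc/kubernetes/pki/ca.crt and the join command you were handed; a mismatch means the command does not belong to that cluster.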
Enable RBAC authorization mode:
Edit the file /etc/kubernetes/manifests/kube-apiserver.yaml and make sure the kube-apiserver command list contains the following line (kubeadm sets it by default; do not reduce it to RBAC alone, because the NodeRestriction admission plugin relies on the Node authorizer):
    - --authorization-mode=Node,RBAC
Configure the network plugin:
For example, using Calico:
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
Configure pod security policies:
Use kube-bench to check the security configuration against the CIS Kubernetes Benchmark.
With the steps above you can deploy a Kubernetes cluster securely on Debian. Adjust the configuration to your actual requirements and environment.