（一）k8s之系统初始化及ca证书申请

#（1）环境规划

master01 192.168.19.128 
master02 192.168.19.129 
node01 192.168.19.130 
node02 192.168.19.131 
中转机: 192.168.19.132

#（2）关闭防火墙, selinux以及安装docker;所有机器上都要操作

systemctl stop firewalld
systemctl  disable firewalld
sed -ri '/^SELINUX=/cSELINUX=disabled' /etc/selinux/config
setenforce 0
\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o  /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
which ntpdate || yum install ntpdate -y 
ntpdate time.windows.com
curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install docker-ce-17.06.0.ce-1.el7.centos.x86_64 -y
systemctl enable docker
systemctl start docker 
cat >> /etc/docker/daemon.json <<EOF
{
	 "registry-mirrors": ["https://ui5lsypg.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
mkdir /opt/kubernetes/{ssl,bin,cfg} -pv

#（3）在中转机器上安装cfssl证书生成工具

which wget || yum install wget -y 
test -d /tools || mkdir /tools 
cd /tools 
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

#（4）在中转机器上生成及分发ca 配置生成ca证书的策略

#mkdir -pv  /temp/ssl && cd /temp/ssl 
#vi ca-config.json
{
"signing": {
		"default": {
			"expiry": "876000h"
		},
		"profiles": {
			"kubernetes": {
	"expiry": "876000h",
				"usages": [
						"signing",
						"key encipherment",
						"server auth",
						"client auth"
				],
				"expiry": "876000h"
			}
		}
}
}

生成ca证书签署请求

#vi ca-csr.json
{
	"CN": "kubernetes",
	"key": {
		"algo": "rsa",
		"size": 2048
	},
	"names": [
		{
			"C": "CN",
			"ST": "Hangzhou",
			"L": "Hangzhou",
			"O": "k8s",
			"OU": "System"
		}
	]
}

生成ca证书 和私钥

#cfssl gencert -initca ca-csr.json | cfssljson -bare ca

把ca证书和ca私钥scp到master和node节点

scp ca*.pem  master01:/opt/kubernetes/ssl 
scp ca*.pem  master02:/opt/kubernetes/ssl 
scp ca*.pem  node02:/opt/kubernetes/ssl 
scp ca*.pem  node01:/opt/kubernetes/ssl