k8s-cert

By 芒果牛奶, 2021-02-23 15:50:03
Category: Technical development (SegmentFault). Tags: cert, k8s-cert


Every Kubernetes cluster has a cluster root certificate authority (CA). It is used to verify the API server's certificate and to verify kubelet client certificates.


The CA certificate bundle is distributed to every node in the cluster, and it is also attached as a secret to the default service account (newer releases additionally publish it in the kube-root-ca.crt ConfigMap of every namespace).
Letting an application running in a Pod trust the cluster root CA usually needs some extra application configuration: the CA bundle is the list of CA certificates that a TLS client or server trusts, and the application has to be pointed at it.
=====install cfssl=====
# these binaries will mint your cluster's root of trust: check each download against the checksums the cfssl project publishes before putting it on PATH
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
=====create CA=====
mkdir /root/ssl
cd /root/ssl
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json
# Create ca-config.json following the format of config.json
# The expiry is set to 87600h (10 years)
# Note: the "kubernetes" profile grants both "server auth" and "client auth", so every
# certificate signed with it is accepted as a TLS server identity AND as a client identity.
# Kubernetes does not check certificate revocation, so a leaked 10-year certificate stays
# valid until the CA itself is replaced. Separate server and client profiles with a shorter
# expiry limit both exposures.
cat > ca-config.json <<EOF
{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "kubernetes": {
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ],
                "expiry": "87600h"
            }
        }
    }
}
EOF
Create the ca-csr.json file
vi ca-csr.json
<code>
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ],
    "ca": {
        "expiry": "87600h"
    }
}
</code>
Generate the CA certificate and private key
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
ls -lt ca*
-rw-r--r--. 1 root root 1001 Apr 15 12:00 ca.csr
-rw-------. 1 root root 1675 Apr 15 12:00 ca-key.pem
-rw-r--r--. 1 root root 1359 Apr 15 12:00 ca.pem
ca-key.pem is the root of trust for the whole cluster: whoever holds it can issue a certificate for any host or any user, including members of system:masters. Keep it at mode 0600 (as cfssljson wrote it) on the signing host only, ideally offline; ca.pem is the only file from this step that other machines need.
Create the kubernetes certificate
vi kubernetes-csr.json
<code>
{
    "CN": "kubernetes",
    "hosts": [
        "127.0.0.1",
        "192.168.1.193",
        "192.168.1.194",
        "192.168.1.195",
        "10.254.0.1",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
</code>
If the hosts field is non-empty it must list every IP address or domain name authorized to use this certificate. cfssl writes these entries into the Subject Alternative Name extension, and TLS clients match the name they connected to against the SANs (not against the CN), so any address or name missing here fails the handshake. Because this certificate is later used by both the etcd cluster and the kubernetes master cluster, the list above contains the host IPs of the etcd and master nodes, the cluster IP of the kubernetes service (normally the first address of the service-cluster-ip-range passed to kube-apiserver, here 10.254.0.1) and the service's DNS names. Sharing one certificate between etcd and kube-apiserver also means that compromising either host yields a key that impersonates both; a separate certificate per component costs nothing extra.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
ll kubernetes*
-rw-r--r--. 1 root root 1261 Apr 15 15:24 kubernetes.csr
-rw-r--r--. 1 root root 560 Apr 15 15:24 kubernetes-csr.json
-rw-------. 1 root root 1679 Apr 15 15:24 kubernetes-key.pem
-rw-r--r--. 1 root root 1627 Apr 15 15:24 kubernetes.pem
Create the admin certificate (admin-csr.json)
This admin certificate is used later to generate the administrator's kubeconfig. RBAC is now the recommended way to control roles and permissions in Kubernetes: Kubernetes takes the certificate's CN field as the User and its O field(s) as the Group(s) (see the X509 Client Certs section of the Kubernetes authentication documentation). Setting O to system:masters therefore makes the holder a member of the built-in system:masters group, which the bootstrap ClusterRoleBinding grants cluster-admin and which RBAC cannot restrict. Kubernetes does not check certificate revocation, so if admin-key.pem leaks, that cluster-admin access lasts until the CA is replaced or the certificate expires (87600h here). Treat admin.pem as a break-glass credential kept offline, and issue everyday administrator identities with a dedicated O (group) bound only to the roles they need.
vi admin-csr.json
<code>
{
    "CN": "admin",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "system:masters",
            "OU": "System"
        }
    ]
}
</code>
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
ll admin*
-rw-r--r--. 1 root root 1009 Apr 15 17:23 admin.csr
-rw-r--r--. 1 root root 229 Apr 15 17:10 admin-csr.json
-rw-------. 1 root root 1679 Apr 15 17:23 admin-key.pem
-rw-r--r--. 1 root root 1399 Apr 15 17:23 admin.pem
Create the kube-proxy certificate
The CN system:kube-proxy is the user name that the built-in system:node-proxier ClusterRoleBinding grants, so it is significant, not decorative.
vi kube-proxy-csr.json
<code>
{
    "CN": "system:kube-proxy",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
</code>
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
========Verify the certificates=========
Using the openssl command
openssl x509 -noout -text -in kubernetes.pem
Using the cfssl-certinfo command
cfssl-certinfo -cert kubernetes.pem
Both commands print the certificate's fields. Check that the Subject Alternative Name extension lists every host and IP from the hosts field, that Extended Key Usage contains exactly the usages you intended, that the Subject's CN and O are the user and group you meant to grant, and that Not After matches the configured expiry. Printing fields does not prove the certificate chains to ca.pem; that is a separate check.
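The CA, the kubernetes server certificate and the admin client certificate above, together with the checks this section describes, carried out in code. This is an added example written for this page with Go's standard library; it is not cfssl's code and does not read the files generated above. It builds a self-signed root, a server leaf whose SANs come from a hosts list, and a client leaf with O=system:masters, then runs the verification a kubelet or kubectl performs on every connection: chain to the CA, validity period, extended key usage, and name matching against the SANs. It rejects a name missing from the SANs, a server certificate offered as a client identity, and a leaf signed by some other CA, and it maps CN/O to the user and groups the API server would see. It departs from the page's single "kubernetes" profile by giving each leaf exactly one extended key usage; the address 192.168.1.200 is a constructed example that is deliberately absent from the hosts list.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCA builds a self-signed root, the equivalent of `cfssl gencert -initca ca-csr.json`.
func newCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes", Organization: []string{"k8s"}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(87600 * time.Hour), // 10 years, as in ca-csr.json
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// sign issues a leaf under ca, like `cfssl gencert -ca=ca.pem -ca-key=ca-key.pem ...`.
// hosts fills the Subject Alternative Name extension the way the CSR "hosts" field does
// (IP literals become IP SANs, anything else a DNS SAN). Each leaf gets one EKU only.
func sign(ca *x509.Certificate, caKey *rsa.PrivateKey, cn string, orgs, hosts []string,
	eku x509.ExtKeyUsage) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn, Organization: orgs},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(87600 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verify is the check a TLS peer performs: leaf chains to ca, is inside its validity
// period, carries eku, and (when name is non-empty) lists name in its SANs.
func verify(ca, leaf *x509.Certificate, name string, eku x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// identity maps a verified client certificate to what kube-apiserver hands to RBAC:
// the CN becomes the user name and every O becomes a group.
func identity(c *x509.Certificate) (user string, groups []string) {
	return c.Subject.CommonName, c.Subject.Organization
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	hosts := []string{"127.0.0.1", "10.254.0.1", "kubernetes", "kubernetes.default.svc.cluster.local"}
	apiserver, _, _ := sign(ca, caKey, "kubernetes", []string{"k8s"}, hosts, x509.ExtKeyUsageServerAuth)
	admin, _, _ := sign(ca, caKey, "admin", []string{"system:masters"}, nil, x509.ExtKeyUsageClientAuth)
	fmt.Println("apiserver as 10.254.0.1:", verify(ca, apiserver, "10.254.0.1", x509.ExtKeyUsageServerAuth))
	fmt.Println("apiserver as 192.168.1.200 (not in hosts):", verify(ca, apiserver, "192.168.1.200", x509.ExtKeyUsageServerAuth))
	fmt.Println("apiserver cert offered as a client:", verify(ca, apiserver, "", x509.ExtKeyUsageClientAuth))
	user, groups := identity(admin)
	fmt.Println("admin as client:", verify(ca, admin, "", x509.ExtKeyUsageClientAuth), user, groups)
}
```

For the files on disk, the equivalent of verify here is `openssl verify -CAfile ca.pem kubernetes.pem` plus a look at the SAN and EKU fields that `openssl x509 -text` prints. Note that with the page's combined profile the third check (a server certificate presented as a client) would succeed, which is exactly why a separate client profile is worth having.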
Distribute the certificates
mkdir -p /etc/kubernetes/ssl
cp *.pem /etc/kubernetes/ssl
Distribute the certificates to the other nodes
# run from the signing host: create the target directory on each node first, then copy only the files that node needs
ssh root@192.168.1.194 mkdir -p /etc/kubernetes/ssl
ssh root@192.168.1.195 mkdir -p /etc/kubernetes/ssl
scp ca.pem kubernetes*.pem kube-proxy*.pem root@192.168.1.194:/etc/kubernetes/ssl/
scp ca.pem kubernetes*.pem kube-proxy*.pem root@192.168.1.195:/etc/kubernetes/ssl/
Do not copy *.pem to the nodes: that glob also matches ca-key.pem and admin-key.pem, and neither belongs on a node. Any host holding ca-key.pem can issue itself a system:masters client certificate, and Kubernetes has no certificate revocation to undo that. Keep the CA key on the signing host (mode 0600, as cfssljson wrote it) and the admin key with the operator; nodes need ca.pem plus their own component certificates and keys.
Copyright notice
This article was written by [芒果牛奶]; please include the original link when reposting, thanks
https://segmentfault.com/a/1190000039262495
