k8s-cert

Mango milk 2021-02-23 15:57:22


Every Kubernetes cluster has a cluster root certificate authority (CA). Cluster components use it to validate the API server's certificate, and the API server uses it to validate kubelet client certificates.


The CA certificate bundle is distributed to every node in the cluster and is also mounted into pods as a secret attached to the default service account.
Applications running in pods that need to trust the cluster root CA usually need some extra configuration: the CA bundle has to be added to the list of CAs trusted by the application's TLS client or server.
=====install cfssl=====
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
=====create CA=====
mkdir /root/ssl
cd /root/ssl
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json
# Create ca-config.json, using the format of config.json as the starting point
# The expiry is set to 87600h (10 years); the "kubernetes" profile can sign both server and client certificates
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF
Create the ca-csr.json file
vi ca-csr.json
<code>
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
],
"ca": {
"expiry": "87600h"
}
}
</code>
Generate the CA certificate and private key
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
ls -lt ca*
-rw-r--r--. 1 root root 1001 Apr 15 12:00 ca.csr
-rw-------. 1 root root 1675 Apr 15 12:00 ca-key.pem
-rw-r--r--. 1 root root 1359 Apr 15 12:00 ca.pem
Create the kubernetes server certificate
vi kubernetes-csr.json
<code>
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.1.193",
"192.168.1.194",
"192.168.1.195",
"10.254.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
</code>
The hosts field, when non-empty, must list every IP address and DNS name this certificate will be presented for; TLS clients match the name they dialed against these Subject Alternative Names, not against the CN. Because this one certificate is later used by both the etcd cluster and the kubernetes master nodes, it lists the etcd and master host IPs (192.168.1.193-195 here), the cluster IP of the kubernetes service (normally the first address of the range passed to kube-apiserver as --service-cluster-ip-range, 10.254.0.1 here) and the in-cluster DNS names of that service. Replace the addresses with your own: a name that is missing from this list cannot be added later without re-issuing the certificate.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
ll kubernetes*
-rw-r--r--. 1 root root 1261 Apr 15 15:24 kubernetes.csr
-rw-r--r--. 1 root root 560 Apr 15 15:24 kubernetes-csr.json
-rw-------. 1 root root 1679 Apr 15 15:24 kubernetes-key.pem
-rw-r--r--. 1 root root 1627 Apr 15 15:24 kubernetes.pem
Create the admin certificate
This admin certificate is used later in the administrator's kubeconfig. Permissions in Kubernetes are now normally controlled with RBAC; for X509 client certificates the API server takes the certificate's CN as the user name and each O value as a group (see the "X509 Client Certs" section of the Kubernetes authentication documentation). The O=system:masters value below is the group that the built-in cluster-admin ClusterRoleBinding grants full cluster access to, and since the API server does not consult revocation lists for client certificates, a leaked admin.pem/admin-key.pem pair can only be invalidated by replacing the cluster CA. Keep the key file off the nodes.
vi admin-csr.json
<code>
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
</code>
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
ll admin*
-rw-r--r--. 1 root root 1009 Apr 15 17:23 admin.csr
-rw-r--r--. 1 root root 229 Apr 15 17:10 admin-csr.json
-rw-------. 1 root root 1679 Apr 15 17:23 admin-key.pem
-rw-r--r--. 1 root root 1399 Apr 15 17:23 admin.pem
Create the kube-proxy certificate
vi kube-proxy-csr.json
<code>
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
</code>
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
======== Verify the certificates =========
Using the openssl command (check that the Issuer is the CA, that the SAN list contains every name you expect, and that the Extended Key Usage matches the role of the certificate):
openssl x509 -noout -text -in kubernetes.pem
Using the cfssl-certinfo command:
cfssl-certinfo -cert kubernetes.pem
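The Go program below is an added example; it is not part of the original post and not cfssl's own code. Using only Go's standard crypto/x509 package (the same library cfssl is built on), it builds an in-memory stand-in for the CA, the kubernetes server certificate and the admin client certificate created above, then performs the two checks the text describes: a client holding ca.pem accepts the server certificate only for a name in its hosts list (the reason the hosts field has to be complete), and a client certificate is mapped to a Kubernetes user (CN) and groups (O) only when it chains to the cluster CA. Key size and validity follow the csr files; the hosts list is a shortened copy of kubernetes-csr.json; the address 192.168.1.199, the second "rogue" CA and all function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Shortened copy of the hosts list in kubernetes-csr.json on this page.
var apiServerHosts = []string{
	"127.0.0.1", "192.168.1.193", "10.254.0.1",
	"kubernetes", "kubernetes.default.svc.cluster.local",
}

type keyedCert struct {
	cert *x509.Certificate
	key  *rsa.PrivateKey
}

// sign generates a 2048-bit RSA key for tmpl and signs it with parent.
// A nil parent yields a self-signed certificate (the `cfssl gencert -initca` case).
func sign(tmpl *x509.Certificate, parent *keyedCert) (*keyedCert, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // "algo": "rsa", "size": 2048
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(87600 * time.Hour) // "expiry": "87600h"
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyedCert{cert: cert, key: key}, nil
}

// newCA mirrors ca-csr.json: a self-signed root with CN=kubernetes, O=k8s.
func newCA() (*keyedCert, error) {
	return sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "kubernetes", Organization: []string{"k8s"}},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
}

// issue mirrors `cfssl gencert -profile=kubernetes`: the profile grants both
// "server auth" and "client auth". Each host becomes an IP or DNS SAN, as cfssl
// does; an empty hosts list gives a client-only certificate like admin-csr.json.
func issue(ca *keyedCert, cn string, orgs, hosts []string) (*keyedCert, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: cn, Organization: orgs},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	return sign(tmpl, ca)
}

// verifyServer is what kubectl or a kubelet does with ca.pem: chain the server
// certificate to the root and require the dialed name (DNS or IP) among its SANs.
func verifyServer(ca *keyedCert, leaf *x509.Certificate, dialed string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   dialed,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// identityFromClientCert applies the X509 client-cert rule from the Kubernetes
// authentication docs: CN is the user name, every O value is a group. The
// mapping is only meaningful after the chain to the cluster CA has been checked.
func identityFromClientCert(ca *keyedCert, leaf *x509.Certificate) (user string, groups []string, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	if _, err = leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", nil, err
	}
	return leaf.Subject.CommonName, leaf.Subject.Organization, nil
}

func main() {
	ca, err := newCA()
	if err != nil {
		panic(err)
	}
	srv, err := issue(ca, "kubernetes", []string{"k8s"}, apiServerHosts)
	if err != nil {
		panic(err)
	}
	// 192.168.1.199 is an address deliberately absent from the hosts list.
	for _, name := range []string{"kubernetes.default.svc.cluster.local", "10.254.0.1", "192.168.1.199"} {
		fmt.Printf("server cert presented for %-38s -> %v\n", name, verifyServer(ca, srv.cert, name))
	}
	admin, err := issue(ca, "admin", []string{"system:masters"}, nil) // "hosts": []
	if err != nil {
		panic(err)
	}
	user, groups, err := identityFromClientCert(ca, admin.cert)
	fmt.Printf("admin cert -> user=%q groups=%v err=%v\n", user, groups, err)
}
```

Running it prints `<nil>` for the two listed names and a hostname error for 192.168.1.199, then `user="admin" groups=[system:masters]`. Note that the identity comes purely from the subject of any certificate the cluster CA has ever signed; the example does not consult a revocation list, and neither does the API server, which is why ca-key.pem must be kept off the nodes.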
Install the certificates on this host
mkdir -p /etc/kubernetes/ssl
cp *.pem /etc/kubernetes/ssl
Distribute the certificates to the nodes (create the directory on each node first, then copy from the signing host)
mkdir -p /etc/kubernetes/ssl
scp *.pem root@192.168.1.194:/etc/kubernetes/ssl/
scp *.pem root@192.168.1.195:/etc/kubernetes/ssl/
Note that *.pem also matches ca-key.pem and admin-key.pem. A node only needs ca.pem plus the certificate and key it presents itself; keep the CA private key and the admin key on the signing host (or offline) instead of copying them to every node, since anyone holding ca-key.pem can mint a system:masters certificate.
Copyright notice
This article was written by Mango milk; please include the original link when reposting. Thank you.
https://javamana.com/2021/02/20210223154952078h.html
