k8s系列-13-生成证书和各组件的认证配置
Posted 公号运维家
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了k8s系列-13-生成证书和各组件的认证配置相关的知识,希望对你有一定的参考价值。
老板们,点个关注吧。
要知道我们相互访问需要的是什么,需要的是安全性,那么我们就使用https来控制相互间的访问吧,那么我们就需要使用证书,我们这里采用自建证书来实现。
安装证书生成服务
只需要在一个节点上安装即可,我这里选择的是node1节点。
[root@node1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
[root@node1 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
[root@node1 ~]# chmod +x /usr/local/bin/cfssl
[root@node1 ~]# chmod +x /usr/local/bin/cfssljson
[root@node1 ~]# cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.6
[root@node1 ~]#
根证书
根证书是共享的,只需要创建一个,其他证书统一由这个根证书来签名,只需要在一个节点操作即可,我这里在node1节点上操作。
PS:最好单独创建一个单独存放证书的目录,不然会乱掉。
[root@node1 ~]# mkdir pki
[root@node1 ~]# cd pki/
[root@node1 pki]#
# 可以看到下面的过期时间,我们设置的很长,几乎不用考虑过期这一说
[root@node1 pki]# cat > ca-config.json <<EOF
"signing":
"default":
"expiry": "876000h"
,
"profiles":
"kubernetes":
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "876000h"
EOF
[root@node1 pki]#
[root@node1 pki]# cat > ca-csr.json <<EOF
"CN": "Kubernetes",
"key":
"algo": "rsa",
"size": 2048
,
"names": [
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "CA",
"ST": "Oregon"
]
EOF
[root@node1 pki]#
生成证书和私钥:
[root@node1 pki]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@node1 pki]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
[root@node1 pki]#
admin客户端证书
[root@node1 pki]# cat > admin-csr.json <<EOF
"CN": "admin",
"key":
"algo": "rsa",
"size": 2048
,
"names": [
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:masters",
"OU": "seven"
]
EOF
[root@node1 pki]#
生成admin客户端和私钥
[root@node1 pki]# cfssl gencert \\
-ca=ca.pem \\
-ca-key=ca-key.pem \\
-config=ca-config.json \\
-profile=kubernetes \\
admin-csr.json | cfssljson -bare admin
[root@node1 pki]# ls
admin.csr admin-csr.json admin-key.pem admin.pem ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
[root@node1 pki]#
kubelet客户端证书
要给每个工作节点生成证书,所以这步中你要写你自己的node名字和IP地址哈。
# 设置你的worker节点列表
[root@node1 pki]# for ((i=0;i<$#WORKERS[@];i++)); do
cat > $WORKERS[$i]-csr.json <<EOF
"CN": "system:node:$WORKERS[$i]",
"key":
"algo": "rsa",
"size": 2048
,
"names": [
"C": "CN",
"L": "Beijing",
"O": "system:nodes",
"OU": "seven",
"ST": "Beijing"
]
EOF
cfssl gencert \\
-ca=ca.pem \\
-ca-key=ca-key.pem \\
-config=ca-config.json \\
-hostname=$WORKERS[$i],$WORKER_IPS[$i] \\
-profile=kubernetes \\
$WORKERS[$i]-csr.json | cfssljson -bare $WORKERS[$i]
done
[root@node1 pki]#
查看证书:
[root@node1 pki]# ls
admin.csr admin-key.pem ca-config.json ca-csr.json ca.pem node2-csr.json node2.pem node3-csr.json node3.pem
admin-csr.json admin.pem ca.csr ca-key.pem node2.csr node2-key.pem node3.csr node3-key.pem
[root@node1 pki]#
kube-controller-manager证书
[root@node1 pki]# cat > kube-controller-manager-csr.json <<EOF
"CN": "system:kube-controller-manager",
"key":
"algo": "rsa",
"size": 2048
,
"names": [
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:kube-controller-manager",
"OU": "seven"
]
EOF
[root@node1 pki]#
生成证书:
[root@node1 pki]# cfssl gencert \\
-ca=ca.pem \\
-ca-key=ca-key.pem \\
-config=ca-config.json \\
-profile=kubernetes \\
kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
[root@node1 pki]#
查看:
[root@node1 pki]# ls
admin.csr admin.pem ca-csr.json kube-controller-manager.csr kube-controller-manager.pem node2-key.pem node3-csr.json
admin-csr.json ca-config.json ca-key.pem kube-controller-manager-csr.json node2.csr node2.pem node3-key.pem
admin-key.pem ca.csr ca.pem kube-controller-manager-key.pem node2-csr.json node3.csr node3.pem
[root@node1 pki]#
kube-proxy客户端证书
[root@node1 pki]# cat > kube-proxy-csr.json <<EOF
"CN": "system:kube-proxy",
"key":
"algo": "rsa",
"size": 2048
,
"names": [
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "seven"
]
EOF
[root@node1 pki]#
生成证书:
[root@node1 pki]# cfssl gencert \\
-ca=ca.pem \\
-ca-key=ca-key.pem \\
-config=ca-config.json \\
-profile=kubernetes \\
kube-proxy-csr.json | cfssljson -bare kube-proxy
查看:
[root@node1 pki]# ls
admin.csr admin.pem ca-csr.json kube-controller-manager.csr kube-controller-manager.pem kube-proxy-key.pem node2-csr.json node3.csr node3.pem
admin-csr.json ca-config.json ca-key.pem kube-controller-manager-csr.json kube-proxy.csr kube-proxy.pem node2-key.pem node3-csr.json
admin-key.pem ca.csr ca.pem kube-controller-manager-key.pem kube-proxy-csr.json node2.csr node2.pem node3-key.pem
[root@node1 pki]#
kube-scheduler证书
[root@node1 pki]# cat > kube-scheduler-csr.json <<EOF
"CN": "system:kube-scheduler",
"key":
"algo": "rsa",
"size": 2048
,
"names": [
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:kube-scheduler",
"OU": "seven"
]
EOF
[root@node1 pki]#
生成证书:
[root@node1 pki]# cfssl gencert \\
-ca=ca.pem \\
-ca-key=ca-key.pem \\
-config=ca-config.json \\
-profile=kubernetes \\
kube-scheduler-csr.json | cfssljson -bare kube-scheduler
[root@node1 pki]#
查看:
[root@node1 pki]# ls
admin.csr ca-config.json ca.pem kube-controller-manager.pem kube-proxy.pem kube-scheduler.pem node2.pem node3.pem
admin-csr.json ca.csr kube-controller-manager.csr kube-proxy.csr kube-scheduler.csr node2.csr node3.csr
admin-key.pem ca-csr.json kube-controller-manager-csr.json kube-proxy-csr.json kube-scheduler-csr.json node2-csr.json node3-csr.json
admin.pem ca-key.pem kube-controller-manager-key.pem kube-proxy-key.pem kube-scheduler-key.pem node2-key.pem node3-key.pem
[root@node1 pki]#
kube-apiserver证书
剩余内容请转至VX公众号 “运维家” ,回复 “120” 查看。
以上是关于k8s系列-13-生成证书和各组件的认证配置的主要内容,如果未能解决你的问题,请参考以下文章