k8s ca apiserver kubelet 签发证书
Posted 超我
3节点
192.168.52.6 master
192.168.52.7 node1
192.168.52.8 node2
CA 证书签发
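# Root CA for the cluster: one RSA-3072 key and a self-signed certificate.
# The page lists /etc/ssl/k8s as a bare path; it is the working directory for
# every step below, so it is written as an explicit cd.
cd /etc/ssl/k8s

# ca.cnf, api-server.cnf and client.cnf are presumably supplied by this
# repository. They decide the extensions (CA flag, key usage, SANs) of every
# certificate issued below, so read them before use.
# NOTE(review): git clone writes into ./k8s-certificate-issue-file, while the
# commands below read the .cnf files from the current directory -- confirm
# where the page expects them to live.
git clone git@github.com:he-aook/k8s-certificate-issue-file.git

# The CA private key is written unencrypted. Anyone who can read it can mint
# any cluster identity, so restrict it to its owner and keep it off the nodes.
openssl genrsa -out ca.key 3072
chmod 600 ca.key

# -days 10950 is roughly 30 years. -extensions v3_req takes the extension
# section from ca.cnf, whose contents are not shown on the page.
openssl req -x509 -new -nodes -key ca.key -days 10950 -out ca.pem \
  -subj "/CN=kubernetes/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
  -config ca.cnf -extensions v3_req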
api 证书签发
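# kube-apiserver serving certificate, signed by the CA created above.
# The page lists /etc/ssl/k8s as a bare path; it is the working directory.
cd /etc/ssl/k8s

# Comment out lines 9-10 of api-server.cnf while the CSR is generated, then
# restore them before signing. The page does not show what those two lines
# contain. The sed scripts use plain single quotes: the page's \' form is an
# escaping artifact that hands sed a literal apostrophe and makes it fail.
sed -i '9,10s/^/#/' api-server.cnf

openssl genrsa -out apiserver.key 3072
chmod 600 apiserver.key   # the private key is unencrypted; owner-only access

openssl req -new -key apiserver.key -out apiserver.csr \
  -subj "/CN=kubernetes/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
  -config api-server.cnf

sed -i '9,10s/^#//g' api-server.cnf

# -CAcreateserial creates the CA serial file if it does not exist yet.
# -days 10950 gives a ~30-year leaf certificate; a leaked key stays usable for
# that whole period unless the CA itself is replaced.
openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out apiserver.pem -days 10950 -extfile api-server.cnf -extensions v3_req

# Inspect the result: check that the SAN list and key usages are the intended
# ones, and that the certificate chains to the CA.
openssl x509 -noout -text -in apiserver.pem
openssl verify -CAfile ca.pem apiserver.pem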
kubelet 证书签发
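# Per-node "kubelet" client certificates for 192.168.52.6/.7/.8.
# The page lists /etc/ssl/k8s as a bare path; it is the working directory.
cd /etc/ssl/k8s

# SECURITY(review): the subject below is CN=admin, O=system:masters. The
# system:masters group carries cluster-admin rights, so a key copied from any
# one node gives full control of the cluster, and with -days 10950 it stays
# valid for ~30 years. Kubelet client identities are conventionally
# CN=system:node:<nodeName>, O=system:nodes, which lets the Node authorizer
# and the NodeRestriction admission plugin confine each kubelet to its own
# node. The subject is left as the page gives it; change it before using
# these files as real kubelet credentials.

# Each sed rewrites the end of the LAST line of client.cnf to the node's final
# octet (presumably the IP SAN entry -- the file is not shown). The scripts
# use plain single quotes; the page's \' form is an escaping artifact.
# NOTE(review): this first pattern expects one more trailing character than
# the later ones, presumably to match the template's initial value. If a
# substitution does not match, sed changes nothing and the certificate is
# silently issued with the previous address, so the last line is printed.
sed -i '$s/.[[:digit:]].$/.6/g' client.cnf
tail -n 1 client.cnf
fn=52-6
openssl genrsa -out "kubelet-${fn}.key" 3072
chmod 600 "kubelet-${fn}.key"
openssl req -new -key "kubelet-${fn}.key" -out "kubelet-${fn}.csr" \
  -subj "/CN=admin/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=system:masters" \
  -config client.cnf
openssl x509 -req -in "kubelet-${fn}.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out "kubelet-${fn}.pem" -days 10950 -extfile client.cnf -extensions v3_req

sed -i '$s/.[[:digit:]]$/.7/g' client.cnf
tail -n 1 client.cnf
fn=52-7
openssl genrsa -out "kubelet-${fn}.key" 3072
chmod 600 "kubelet-${fn}.key"
openssl req -new -key "kubelet-${fn}.key" -out "kubelet-${fn}.csr" \
  -subj "/CN=admin/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=system:masters" \
  -config client.cnf
openssl x509 -req -in "kubelet-${fn}.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out "kubelet-${fn}.pem" -days 10950 -extfile client.cnf -extensions v3_req

sed -i '$s/.[[:digit:]]$/.8/g' client.cnf
tail -n 1 client.cnf
fn=52-8
openssl genrsa -out "kubelet-${fn}.key" 3072
chmod 600 "kubelet-${fn}.key"
openssl req -new -key "kubelet-${fn}.key" -out "kubelet-${fn}.csr" \
  -subj "/CN=admin/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=system:masters" \
  -config client.cnf
openssl x509 -req -in "kubelet-${fn}.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out "kubelet-${fn}.pem" -days 10950 -extfile client.cnf -extensions v3_req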
kube-proxy 签发证书
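# Per-node kube-proxy client certificates for 192.168.52.6/.7/.8.
# The page lists /etc/ssl/k8s as a bare path; it is the working directory.
cd /etc/ssl/k8s

# All three certificates carry the same identity, CN=system:kube-proxy, but
# each node gets its own key pair. Each sed rewrites the end of the last line
# of client.cnf to the node's final octet (presumably the IP SAN entry -- the
# file is not shown). The scripts use plain single quotes; the page's \' form
# is an escaping artifact that makes sed fail.
# NOTE(review): -days 10950 is ~30 years; a leaked key stays usable for that
# whole period unless the CA is replaced.
sed -i '$s/.[[:digit:]]$/.6/g' client.cnf
fn=52-6
openssl genrsa -out "kube-proxy-${fn}.key" 3072
chmod 600 "kube-proxy-${fn}.key"   # unencrypted private key: owner-only
openssl req -new -key "kube-proxy-${fn}.key" -out "kube-proxy-${fn}.csr" \
  -subj "/CN=system:kube-proxy/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
  -config client.cnf
openssl x509 -req -in "kube-proxy-${fn}.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out "kube-proxy-${fn}.pem" -days 10950 -extfile client.cnf -extensions v3_req

sed -i '$s/.[[:digit:]]$/.7/g' client.cnf
fn=52-7
openssl genrsa -out "kube-proxy-${fn}.key" 3072
chmod 600 "kube-proxy-${fn}.key"
openssl req -new -key "kube-proxy-${fn}.key" -out "kube-proxy-${fn}.csr" \
  -subj "/CN=system:kube-proxy/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
  -config client.cnf
openssl x509 -req -in "kube-proxy-${fn}.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out "kube-proxy-${fn}.pem" -days 10950 -extfile client.cnf -extensions v3_req

sed -i '$s/.[[:digit:]]$/.8/g' client.cnf
fn=52-8
openssl genrsa -out "kube-proxy-${fn}.key" 3072
chmod 600 "kube-proxy-${fn}.key"
openssl req -new -key "kube-proxy-${fn}.key" -out "kube-proxy-${fn}.csr" \
  -subj "/CN=system:kube-proxy/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
  -config client.cnf
openssl x509 -req -in "kube-proxy-${fn}.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out "kube-proxy-${fn}.pem" -days 10950 -extfile client.cnf -extensions v3_req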
etcd 证书签发
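# Per-node etcd certificates for 192.168.52.6/.7/.8, all with CN=etcd.
# The page lists /etc/ssl/k8s as a bare path; it is the working directory.
cd /etc/ssl/k8s

# Each sed rewrites the end of the last line of client.cnf to the node's final
# octet (presumably the IP SAN entry -- the file is not shown). The scripts
# use plain single quotes; the page's \' form is an escaping artifact that
# makes sed fail.
# NOTE(review): these certificates are signed with the same client.cnf
# v3_req section as the client certificates on this page. Confirm that it
# grants the key usages etcd needs for its server and peer listeners.
# NOTE(review): etcd holds all cluster state, including Secrets. The keys
# below are unencrypted and the certificates last ~30 years (-days 10950), so
# keep each key readable only by the etcd service account on its own node.
sed -i '$s/.[[:digit:]]$/.6/g' client.cnf
fn=52-6
openssl genrsa -out "etcd-${fn}.key" 3072
chmod 600 "etcd-${fn}.key"
openssl req -new -key "etcd-${fn}.key" -out "etcd-${fn}.csr" \
  -subj "/CN=etcd/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
  -config client.cnf
openssl x509 -req -in "etcd-${fn}.csr" -out "etcd-${fn}.pem" -CA ca.pem -CAkey ca.key \
  -CAcreateserial -days 10950 -extfile client.cnf -extensions v3_req

sed -i '$s/.[[:digit:]]$/.7/g' client.cnf
fn=52-7
openssl genrsa -out "etcd-${fn}.key" 3072
chmod 600 "etcd-${fn}.key"
openssl req -new -key "etcd-${fn}.key" -out "etcd-${fn}.csr" \
  -subj "/CN=etcd/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
  -config client.cnf
openssl x509 -req -in "etcd-${fn}.csr" -out "etcd-${fn}.pem" -CA ca.pem -CAkey ca.key \
  -CAcreateserial -days 10950 -extfile client.cnf -extensions v3_req

sed -i '$s/.[[:digit:]]$/.8/g' client.cnf
fn=52-8
openssl genrsa -out "etcd-${fn}.key" 3072
chmod 600 "etcd-${fn}.key"
openssl req -new -key "etcd-${fn}.key" -out "etcd-${fn}.csr" \
  -subj "/CN=etcd/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
  -config client.cnf
openssl x509 -req -in "etcd-${fn}.csr" -out "etcd-${fn}.pem" -CA ca.pem -CAkey ca.key \
  -CAcreateserial -days 10950 -extfile client.cnf -extensions v3_req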
flannel 证书签发
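# Per-node flannel certificates for 192.168.52.6/.7/.8, all with CN=flanneld.
# Unlike the other sections, the page gives no working directory here; the
# commands read ca.pem, ca.key and client.cnf from the current directory, so
# they presumably run in the same directory as the earlier steps.

# Each sed rewrites the end of the last line of client.cnf to the node's final
# octet (presumably the IP SAN entry -- the file is not shown). The scripts
# use plain single quotes; the page's \' form is an escaping artifact that
# makes sed fail.
# NOTE(review): -days 10950 is ~30 years and the keys are unencrypted, so keep
# each key owner-only and on its own node.
sed -i '$s/.[[:digit:]]$/.6/g' client.cnf
fn=52-6
openssl genrsa -out "flannel-${fn}.key" 3072
chmod 600 "flannel-${fn}.key"
openssl req -new -key "flannel-${fn}.key" -out "flannel-${fn}.csr" \
  -subj "/CN=flanneld/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
  -config client.cnf
openssl x509 -req -in "flannel-${fn}.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out "flannel-${fn}.pem" -days 10950 -extfile client.cnf -extensions v3_req

sed -i '$s/.[[:digit:]]$/.7/g' client.cnf
fn=52-7
openssl genrsa -out "flannel-${fn}.key" 3072
chmod 600 "flannel-${fn}.key"
openssl req -new -key "flannel-${fn}.key" -out "flannel-${fn}.csr" \
  -subj "/CN=flanneld/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
  -config client.cnf
openssl x509 -req -in "flannel-${fn}.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out "flannel-${fn}.pem" -days 10950 -extfile client.cnf -extensions v3_req

sed -i '$s/.[[:digit:]]$/.8/g' client.cnf
fn=52-8
openssl genrsa -out "flannel-${fn}.key" 3072
chmod 600 "flannel-${fn}.key"
openssl req -new -key "flannel-${fn}.key" -out "flannel-${fn}.csr" \
  -subj "/CN=flanneld/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=k8s" \
  -config client.cnf
openssl x509 -req -in "flannel-${fn}.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out "flannel-${fn}.pem" -days 10950 -extfile client.cnf -extensions v3_req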
QQ:1394466404