Deploying a Kubernetes v1.30.2 cluster from binaries, part 3: generating certificates
Generate the certificates (run these steps on the k8s-master01 node).
I. Install the certificate tools
1. Download the certificate tools
wget "https://github.com/cloudflare/cfssl/releases/download/v1.6.4/cfssl_1.6.4_linux_amd64" -O /usr/local/bin/cfssl
wget "https://github.com/cloudflare/cfssl/releases/download/v1.6.4/cfssljson_1.6.4_linux_amd64" -O /usr/local/bin/cfssljson
2. Make the tools executable
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
II. etcd certificates
1. Create the CA config file.
cd /data/etcd/ssl
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
The expiry is 10 years (87600h). Keep in mind that kube-apiserver performs no certificate revocation checking, so a leaked certificate stays usable until it expires or the CA is replaced; a long lifetime saves rotation work at the price of a longer exposure window.
2. Create the CA certificate signing request file
cat > ca-csr.json << EOF
{
  "CN": "Etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "Etcd CA",
      "OU": "Etcd CA Security"
    }
  ]
}
EOF
3. Generate the CA key and certificate
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
This produces ca.pem (the CA certificate) and ca-key.pem (the CA private key), along with the ca.csr request file.
4. Create the etcd certificate signing request file
cat > etcd-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "localhost",
    "127.0.0.1",
    "192.168.110.21",
    "192.168.110.22",
    "192.168.110.23",
    "k8s-master01",
    "k8s-master02",
    "k8s-master03"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "Etcd Server",
      "OU": "Etcd Server Security"
    }
  ]
}
EOF
Adjust the hosts list to your own environment. Its entries become the certificate's subject alternative names, so every name and IP that etcd members and clients use to reach an etcd node must be listed; a connection to an unlisted address fails TLS verification.
5. Generate the etcd certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
This produces etcd.pem (the etcd certificate) and etcd-key.pem (its private key).
/data/etcd/ssl now contains the following files:
ca-config.json
ca.csr
ca-csr.json
ca-key.pem
ca.pem
etcd.csr
etcd-csr.json
etcd-key.pem
etcd.pem
6. Copy the certificates to /data/etcd/ssl on k8s-master02 and k8s-master03.
scp ca.pem etcd.pem etcd-key.pem k8s-master02:/data/etcd/ssl
scp ca.pem etcd.pem etcd-key.pem k8s-master03:/data/etcd/ssl
The other members need only the CA certificate and the etcd certificate and key. ca-key.pem is needed only where new etcd certificates are signed, so keep it on one node instead of spreading it with a `*.pem` copy.
III. Certificates for the core k8s components
CA certificate
1. Create the CA config file
cd /data/k8s/ssl
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "k8s": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
2. Create the CA certificate signing request file
cat > ca-csr.json << EOF
{
  "CN": "k8s",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "k8s",
      "OU": "k8s Security"
    }
  ]
}
EOF
3. Generate the CA certificate
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
apiserver certificate
1. Create the apiserver certificate signing request file
cat > apiserver-csr.json << EOF
{
  "CN": "kube-apiserver",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:masters",
      "OU": "k8s Security"
    }
  ]
}
EOF
Note: the CN here is the user name the apiserver presents when it acts as a TLS client, for example toward the kubelet via --kubelet-client-certificate, so any later RBAC binding that grants the apiserver access to the kubelet API must reference this name. The O value system:masters additionally places this identity in the cluster-admin group, so protect the resulting key like the admin certificate below.
2. Generate the apiserver certificate
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=127.0.0.1,k8s-master01,k8s-master02,k8s-master03,192.168.110.21,192.168.110.22,192.168.110.23,192.168.110.20,10.0.0.1,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster.local \
  -profile=k8s apiserver-csr.json | cfssljson -bare apiserver
The -hostname list must contain every address and name clients use to reach the apiserver: 127.0.0.1, each master's host name and IP, the VIP or load-balancer address if you front the apiservers with one, the ClusterIP of the kubernetes service (the first address of your service CIDR, 10.0.0.1 in this list) and the in-cluster names kubernetes through kubernetes.default.svc.cluster.local. A name missing here surfaces later as a client error of the form "x509: certificate is valid for ..., not ...".
controller-manager certificate
1. Create the controller-manager signing request file
cat > controller-manager-csr.json << EOF
{
  "CN": "system:kube-controller-manager",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:kube-controller-manager",
      "OU": "k8s Security"
    }
  ]
}
EOF
Note: the CN system:kube-controller-manager is the user to which the default ClusterRoleBinding of the same name grants the controller-manager's permissions. The O value is carried as a group but is not what that binding references. If you change the CN, you must create the RBAC binding yourself later.
2. Generate the certificate
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=k8s \
  -hostname=127.0.0.1,k8s-master01,k8s-master02,k8s-master03 \
  controller-manager-csr.json | cfssljson -bare controller-manager
scheduler certificate
1. Create the scheduler certificate signing request file
cat > scheduler-csr.json << EOF
{
  "CN": "system:kube-scheduler",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:kube-scheduler",
      "OU": "k8s Security"
    }
  ]
}
EOF
Note: the CN system:kube-scheduler is the user to which the default ClusterRoleBinding of the same name grants the scheduler's permissions. The O value is carried as a group but is not what that binding references. If you change the CN, you must create the RBAC binding yourself later.
2. Generate the scheduler certificate
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=k8s \
  -hostname=127.0.0.1,k8s-master01,k8s-master02,k8s-master03 \
  scheduler-csr.json | cfssljson -bare scheduler
kube-proxy certificate
1. Create the kube-proxy certificate signing request file
cat > kube-proxy-csr.json << EOF
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:node-proxier",
      "OU": "k8s Security"
    }
  ]
}
EOF
Note: the default ClusterRoleBinding system:node-proxier grants the ClusterRole of the same name to the user system:kube-proxy, so the CN must stay system:kube-proxy. The O value is carried as a group and is not what that binding references. If you change the CN, you must create the RBAC binding yourself later.
2. Generate the kube-proxy certificate
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=k8s \
  kube-proxy-csr.json | cfssljson -bare kube-proxy
IV. Other k8s certificates
apiserver aggregation (front-proxy) certificates
1. Create the CA certificate signing request file
cat > front-proxy-ca-csr.json <<EOF
{
  "CN": "front-proxy-ca",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "k8s",
      "OU": "k8s Front Proxy"
    }
  ]
}
EOF
2. Generate the aggregation CA certificate
cfssl gencert -initca front-proxy-ca-csr.json | cfssljson -bare front-proxy-ca
3. Create the apiserver aggregation client certificate signing request file
cat > front-proxy-client-csr.json <<EOF
{
  "CN": "front-proxy-client",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "system:kube-aggregator",
      "OU": "k8s Front Proxy"
    }
  ]
}
EOF
Note: this certificate is not an RBAC identity. The apiserver presents it when it proxies requests to extension API servers, and those servers trust the forwarded user headers only if the certificate chains to front-proxy-ca.pem and its CN is listed in the apiserver's --requestheader-allowed-names. Keep the CN front-proxy-client consistent with that flag.
4. Generate the apiserver aggregation client certificate
cfssl gencert \
  -ca=front-proxy-ca.pem \
  -ca-key=front-proxy-ca-key.pem \
  -config=ca-config.json \
  -profile=k8s front-proxy-client-csr.json | cfssljson -bare front-proxy-client
admin certificate
1. Create the admin certificate signing request file
cat > admin-csr.json << EOF
{
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "system:masters",
      "OU": "k8s Admin"
    }
  ]
}
EOF
Note: O=system:masters is the built-in superuser group. The bootstrap ClusterRoleBinding cluster-admin binds it to the cluster-admin ClusterRole and is restored by the apiserver on every start, and kube-apiserver performs no certificate revocation, so a certificate in this group can be neither demoted nor revoked; it stays all-powerful until it expires or the CA is replaced. Use it for initial setup only and keep it offline; give day-to-day administrators certificates with a different O and explicit RBAC bindings.
2. Generate the admin certificate
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=k8s \
  admin-csr.json | cfssljson -bare admin
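Before any of the certificates above (the etcd and apiserver serving certificates with their SAN lists, and the controller-manager, scheduler, kube-proxy and admin client certificates whose CN/O must match RBAC) is copied anywhere, it is worth checking them the way the consumers will. The script below is an added example, not part of the original page; it uses only the openssl CLI (1.1.1 or newer), and its make_test_pki function builds a constructed CA, serving certificate and client certificate as stand-ins for the cfssl output so that it runs without cfssl or a cluster. Point check_cert and cert_identity at the real ca.pem, apiserver.pem, etcd.pem and so on to use it on this page's files.

```shell
#!/bin/sh
# Added example, not part of the original page: post-generation checks for the
# cfssl output above, using only the openssl CLI (1.1.1 or newer). make_test_pki
# builds a constructed CA, one serving cert and one client cert as stand-ins for
# the cfssl files, so the script runs with neither cfssl nor a cluster present.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_test_pki() {
  # CA: self-signed, CA:TRUE, keyCertSign (what "cfssl gencert -initca" produces)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=k8s/O=k8s" \
    -keyout ca-key.pem -out ca.csr >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
  openssl x509 -req -in ca.csr -signkey ca-key.pem -days 3650 -extfile ca.ext \
    -out ca.pem >/dev/null 2>&1
  # serving cert with SANs, as for etcd / kube-apiserver (profile "k8s" usages)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kube-apiserver/O=system:masters" \
    -keyout apiserver-key.pem -out apiserver.csr >/dev/null 2>&1
  cat >server.ext <<'EOF'
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:kubernetes,DNS:kubernetes.default.svc.cluster.local,IP:127.0.0.1,IP:10.0.0.1
EOF
  openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -days 3650 -extfile server.ext -out apiserver.pem >/dev/null 2>&1
  # client cert whose CN/O become the user/group that RBAC bindings reference
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=system:kube-scheduler/O=system:kube-scheduler" \
    -keyout scheduler-key.pem -out scheduler.csr >/dev/null 2>&1
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' >client.ext
  openssl x509 -req -in scheduler.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -days 3650 -extfile client.ext -out scheduler.pem >/dev/null 2>&1
}

# Identity the apiserver derives from a client cert: CN is the user, each O a group.
cert_identity() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline)
  user=$(printf '%s\n' "$subj" | sed -n 's/^ *CN=//p' | head -n 1)
  groups=$(printf '%s\n' "$subj" | sed -n 's/^ *O=//p' | paste -sd, -)
  printf 'user=%s groups=%s\n' "$user" "$groups"
}

# check_cert CA CERT MIN_DAYS "EKU ..." [SAN ...]
# Passes only if CERT chains to CA, stays valid for MIN_DAYS more days, carries
# every listed EKU (serverAuth, clientAuth) and every SAN given as DNS:name or IP:addr.
check_cert() {
  ca=$1 cert=$2 min_days=$3 ekus=$4
  shift 4
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "$cert: does not verify against $ca"; return 1; }
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "$cert: expires within $min_days days"; return 1; }
  eku_text=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage)
  for eku in $ekus; do
    case $eku in
      serverAuth) name="TLS Web Server Authentication" ;;
      clientAuth) name="TLS Web Client Authentication" ;;
      *) echo "unknown EKU $eku"; return 1 ;;
    esac
    printf '%s\n' "$eku_text" | grep -qF "$name" ||
      { echo "$cert: missing extendedKeyUsage $eku"; return 1; }
  done
  if [ $# -gt 0 ]; then
    # one entry per line, "IP Address:x" squashed to "IPAddress:x", so a
    # whole-line match cannot be satisfied by 10.0.0.10 when 10.0.0.1 is required
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName | tail -n +2 | tr -d ' ' | tr ',' '\n')
    for want in "$@"; do
      want=$(printf '%s' "$want" | sed 's/^IP:/IPAddress:/')
      printf '%s\n' "$sans" | grep -qx -- "$want" ||
        { echo "$cert: SAN list lacks $want"; return 1; }
    done
  fi
  echo "$cert: OK"
}

make_test_pki
check_cert ca.pem apiserver.pem 365 "serverAuth clientAuth" \
  DNS:kubernetes DNS:kubernetes.default.svc.cluster.local IP:127.0.0.1 IP:10.0.0.1
check_cert ca.pem scheduler.pem 365 clientAuth
cert_identity apiserver.pem   # user=kube-apiserver groups=system:masters
cert_identity scheduler.pem   # user=system:kube-scheduler groups=system:kube-scheduler
# A name that was never put in the SAN list is rejected, the same mismatch Go
# clients later report as "x509: certificate is valid for ..., not ...".
if check_cert ca.pem apiserver.pem 365 serverAuth IP:10.0.0.10 >/dev/null; then
  echo "unexpected pass"; exit 1
fi
```

On the real files, run `check_cert ca.pem apiserver.pem 365 "serverAuth clientAuth" DNS:kubernetes IP:10.0.0.1 ...` with the full -hostname list from the gencert command, and compare `cert_identity controller-manager.pem` and friends against the user names the default ClusterRoleBindings expect; the etcd files are checked the same way with /data/etcd/ssl/ca.pem as the CA.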
ServiceAccount key
openssl genrsa -out sa.key 2048
openssl rsa -in sa.key -pubout -out sa.pub
sa.key signs service-account tokens (the apiserver's --service-account-signing-key-file) and sa.pub verifies them (--service-account-key-file). Whoever holds sa.key can mint a valid token for any service account in any namespace, so treat it like a CA private key.
V. Copy the certificates to the other nodes
scp *.pem k8s-master02:/data/k8s/ssl
scp *.pem k8s-master03:/data/k8s/ssl
scp sa.* k8s-master02:/data/k8s/ssl
scp sa.* k8s-master03:/data/k8s/ssl
scp ca.pem kube-proxy*.pem front-proxy-ca.pem k8s-node01:/data/k8s/ssl
scp ca.pem kube-proxy*.pem front-proxy-ca.pem k8s-node02:/data/k8s/ssl
Worker nodes get ca.pem, not a glob such as `ca*.pem`: that glob also matches ca-key.pem, and a node holding the CA private key can sign a client certificate for any user or group, including system:masters. A worker needs only the CA certificate to verify the apiserver, the kube-proxy client certificate and key, and the front-proxy CA certificate.
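The copy step is where a CA private key most easily ends up on a machine that should never have it, because a glob like `ca*.pem` silently includes `ca-key.pem`. The helper below is an added example, not part of the original page: it expands the same kind of patterns the scp lines use, but refuses to send signing secrets (the CA private keys and sa.key) to a worker node. The host names are hypothetical and the demo at the bottom runs on a constructed directory of empty files with SCP=echo as a dry run; for real use drop the demo section, set SSL_DIR=/data/k8s/ssl and leave SCP unset.

```shell
#!/bin/sh
# Added example, not part of the original page: a distribution helper for the
# files generated above. It expands the same kind of globs the scp lines use but
# refuses to send signing secrets (CA private keys, sa.key) to a worker node.
# Host names are hypothetical; the demo below uses a constructed directory and
# SCP=echo (dry run). For real use: SSL_DIR=/data/k8s/ssl, SCP unset, no demo.
set -eu

# Anything that can mint new identities stays on the control plane.
is_signing_secret() {
  case $1 in
    ca-key.pem|front-proxy-ca-key.pem|sa.key) return 0 ;;
    *) return 1 ;;
  esac
}

# expand_manifest ROLE PATTERN...: print the files in $SSL_DIR matching each
# pattern, one per line; fail on a pattern with no match, or when ROLE is
# "node" and a pattern pulled in a signing secret (ca*.pem matches ca-key.pem).
expand_manifest() {
  role=$1; shift
  ( cd "$SSL_DIR" || exit 1
    for pat in "$@"; do
      for f in $pat; do
        [ -f "$f" ] || { echo "nothing in $SSL_DIR matches $pat" >&2; exit 1; }
        if [ "$role" = node ] && is_signing_secret "$f"; then
          echo "refusing to send signing secret $f to a worker node" >&2; exit 1
        fi
        echo "$f"
      done
    done )
}

# ship ROLE HOST PATTERN...: copy the expanded manifest to HOST:$SSL_DIR
ship() {
  role=$1 host=$2; shift 2
  files=$(expand_manifest "$role" "$@") || return 1
  ( cd "$SSL_DIR" && ${SCP:-scp} $files "$host:$SSL_DIR/" )
}

# --- demo on a constructed directory of empty files (stand-ins for the real PEMs) ---
SSL_DIR=$(mktemp -d)
trap 'rm -rf "$SSL_DIR"' EXIT
for f in ca.pem ca-key.pem admin.pem admin-key.pem kube-proxy.pem kube-proxy-key.pem \
         front-proxy-ca.pem front-proxy-ca-key.pem front-proxy-client.pem \
         front-proxy-client-key.pem sa.key sa.pub; do : >"$SSL_DIR/$f"; done
SCP=echo                       # print the scp command line instead of running it
ship master k8s-master02 '*.pem' 'sa.*'                          # control plane gets everything
ship node k8s-node01 ca.pem 'kube-proxy*.pem' front-proxy-ca.pem   # worker gets no signing key
if ship node k8s-node02 'ca*.pem' 'kube-proxy*.pem' front-proxy-ca.pem; then
  echo "unexpected: CA private key would have been copied"; exit 1
fi
```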