Binary installation of k8s 1.20.4: issuing certificates for the k8s components
1. Install the certificate signing tool
Download page: https://github.com/cloudflare/cfssl/releases
wget -O /usr/bin/cfssl https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
wget -O /usr/bin/cfssljson https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64
chmod +x /usr/bin/cfssl
chmod +x /usr/bin/cfssljson
2. Create the SSL working directory
mkdir -p /data/app/k8s-init
cd /data/app/k8s-init
3. Create the CA certificate
1) Create the certificate signing policy file
cat >ca-config.json<<EOF
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "876000h"
      }
    }
  }
}
EOF
Notes:
default: the default signing policy, which sets the default certificate validity (one year would be 8760h; the file above uses 876000h, i.e. 100 years).
kubernetes: this profile is used to issue certificates for Kubernetes and for the related verification work.
signing: the certificate can be used to sign other certificates; the generated ca.pem has CA=TRUE.
server auth: this CA can be used to verify certificates presented by servers.
client auth: this CA can be used to verify certificates presented by clients.
expiry: the validity period for this profile; if omitted, the value from default applies.
2) Create the CA certificate signing request (CSR) file
cat >ca-csr.json<<EOF
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "Shanghai",
      "OU": "k8s",
      "ST": "system"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
ls -al ca*.pem
Inspect the certificate:
cfssl certinfo -cert ca.pem
Inspect the certificate signing request:
cfssl certinfo -csr ca.csr
Notes:
- CN: Common Name. Browsers use this field to check whether a site is legitimate, so it is usually the domain name. Very important. In Kubernetes the API server takes the CN of a client certificate as the user name.
- key: the algorithm and size of the key generated for the certificate
- hosts: which host names (domains) or IPs may use the certificate issued from this CSR; empty or "" means any host may use it (this example has no hosts field)
- names: other attributes
C: Country
ST: State or province
L: Locality Name, the region or city
O: Organization Name, the organisation or company (in k8s this is commonly used to specify the Group for RBAC bindings)
OU: Organization Unit Name, the department within the organisation
4. Create the admin user certificate
1) Create the certificate signing request file
cat >admin-csr.json<<EOF
{
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "system:masters",
      "OU": "Kubernetes The Hard Way",
      "ST": "system"
    }
  ]
}
EOF
2) Create the admin user certificate and check the result
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin
Notes:
gencert: generate a new key and a signed certificate
-initca: initialise a new CA
-ca: the CA certificate
-ca-key: the CA private key file
-config: the JSON signing policy file (ca-config.json from step 3)
-profile: the name of a profile in the -config file; the certificate is issued according to that profile section
3) Check the generated certificate files
ls -al admin*.pem
5. Create the kubelet certificates
1) Create the kubelet certificate script
vim generate-kubelet-certificate.sh
#!/bin/sh
# Read "<node name> <internal IP>" pairs from node.txt, one per line, and
# issue a kubelet certificate for each node. A while-read loop is used
# because IFS=$'\n' is a bash-only construct and does not work under sh.
while read -r instance INTERNAL_IP; do
  [ -n "$instance" ] || continue   # skip blank lines
cat > ${instance}-csr.json <<EOF
{
  "CN": "system:node:${instance}",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "system:nodes",
      "OU": "Kubernetes The Hard Way",
      "ST": "system"
    }
  ]
}
EOF
  cfssl gencert \
    -ca=ca.pem \
    -ca-key=ca-key.pem \
    -config=ca-config.json \
    -hostname=${instance},${INTERNAL_IP} \
    -profile=kubernetes \
    ${instance}-csr.json | cfssljson -bare ${instance}
done < node.txt
2) Create the node.txt file (one node per line: node name, then its internal IP)
vim node.txt
k8s-worker01 172.18.175.123
3) Run the script and verify
sh generate-kubelet-certificate.sh
ll k8s-worker*.pem
6. Create the Controller Manager client certificate
1) Create the Controller Manager certificate script
vim kube-controller-manager.sh
cat > kube-controller-manager-csr.json <<EOF
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "system:kube-controller-manager",
      "OU": "Kubernetes The Hard Way",
      "ST": "system"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
2) Run the script and verify
sh kube-controller-manager.sh
ll kube-controller-manager*.pem
7. Create the Kube Proxy client certificate
1) Create the Kube Proxy certificate script
vim kubeproxy.sh
cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "system:node-proxier",
      "OU": "Kubernetes The Hard Way",
      "ST": "system"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy
2) Run the script and verify
sh kubeproxy.sh
ll kube-proxy*.pem
8. Create the Scheduler client certificate
1) Create the Kube Scheduler certificate script
vim kubescheduler.sh
cat > kube-scheduler-csr.json <<EOF
{
  "CN": "system:kube-scheduler",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "system:kube-scheduler",
      "OU": "Kubernetes The Hard Way",
      "ST": "system"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-scheduler-csr.json | cfssljson -bare kube-scheduler
2) Run the script and verify
sh kubescheduler.sh
ll kube-scheduler*.pem
9. Create the Kubernetes API server certificate
1) Create the Kubernetes API server certificate script
vim kubeapi.sh
CERT_HOSTNAME=10.100.0.1,k8s-master01,172.18.175.120,k8s-master02,172.18.175.121,k8s-master03,172.18.175.122,172.18.175.230,127.0.0.1,localhost,kubernetes.default
cat > kubernetes-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "Kubernetes",
      "OU": "Kubernetes The Hard Way",
      "ST": "system"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=${CERT_HOSTNAME} \
  -profile=kubernetes \
  kubernetes-csr.json | cfssljson -bare kubernetes
2) Run the script and verify
sh kubeapi.sh
ll kubernetes*.pem
10. Create the service account key pair
1) Create the service-account script
vim servicesaccount.sh
cat > service-account-csr.json <<EOF
{
  "CN": "service-accounts",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "Kubernetes",
      "OU": "Kubernetes The Hard Way",
      "ST": "system"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  service-account-csr.json | cfssljson -bare service-account
2) Run the script and verify
sh servicesaccount.sh
ll service-account*.pem
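As an added check that is not part of the original guide, the script below verifies the certificates issued in steps 4 to 10 against ca.pem and confirms that each carries the user/group identity (CN and O, as described in the notes of step 3) that its component needs; it assumes openssl is installed and that it runs inside /data/app/k8s-init next to ca.pem and node.txt.

```shell
#!/bin/sh
# Added post-issuance check (example code, not from the original guide).
# Verifies each leaf certificate against ca.pem and prints the identity the
# API server derives from it: CN becomes the user, each O becomes a group
# (admin -> O=system:masters, kubelet -> CN=system:node:<name>, O=system:nodes).
set -eu
# Turn one "subject=..." line from `openssl x509 -noout -subject` into
# "user=<CN> groups=<O,...>". Handles both the default output format
# ("CN = admin, O = system:masters") and -nameopt RFC2253 ("CN=admin,O=...").
subject_to_identity() {
  subj=${1#subject=}
  user=""; groups=""
  old_ifs=$IFS; IFS=','
  for rdn in $subj; do
    rdn=$(printf '%s' "$rdn" | sed 's/^ *//; s/ *= */=/')
    case $rdn in
      CN=*) user=${rdn#CN=} ;;
      O=*)  groups="${groups:+$groups,}${rdn#O=}" ;;
    esac
  done
  IFS=$old_ifs
  printf 'user=%s groups=%s\n' "$user" "$groups"
}
# Verify that a leaf certificate chains to the CA, then print its identity.
check_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null
  subject_to_identity "$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253)"
}
# Compare each component certificate with the identity it must carry;
# kubelet certificates are derived from node.txt ("<name> <ip>" per line).
check_all() {
  specs="admin.pem|user=admin groups=system:masters
kube-controller-manager.pem|user=system:kube-controller-manager groups=system:kube-controller-manager
kube-proxy.pem|user=system:kube-proxy groups=system:node-proxier
kube-scheduler.pem|user=system:kube-scheduler groups=system:kube-scheduler"
  while read -r instance _ip; do
    specs="$specs
$instance.pem|user=system:node:$instance groups=system:nodes"
  done < node.txt
  printf '%s\n' "$specs" | while IFS='|' read -r file want; do
    got=$(check_cert ca.pem "$file")
    [ "$got" = "$want" ] || { echo "MISMATCH $file: got '$got', want '$want'" >&2; exit 1; }
    echo "OK $file -> $got"
  done
  # The API server certificate must carry the names passed via -hostname.
  openssl x509 -in kubernetes.pem -noout -text | grep -q 'DNS:kubernetes.default'
}
if [ -f ca.pem ]; then check_all; fi
```

A MISMATCH line means the component would authenticate as a different user or group than its RBAC bindings expect, which is the failure mode to catch before the certificates are distributed.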