k8s series 13: generating certificates and the authentication configuration for each component


Traffic between the cluster components has to be protected, so we put it over HTTPS and control who may talk to whom with TLS. That requires certificates, and here we issue them ourselves from a CA we create.


Installing the certificate generation tool

It only needs to be installed on one node; I chose node1.

[root@node1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
[root@node1 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
[root@node1 ~]# chmod +x /usr/local/bin/cfssl
[root@node1 ~]# chmod +x /usr/local/bin/cfssljson 
[root@node1 ~]# cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.6
[root@node1 ~]#

Root certificate

The root certificate is shared: only one is created, and every other certificate is signed by it, so this is done on a single node as well. I do it on node1.

PS: it is best to create a separate directory just for the certificates, otherwise things get messy.

[root@node1 ~]# mkdir pki
[root@node1 ~]# cd pki/
[root@node1 pki]# 
# Note the expiry below: we set it very long, so expiry is practically never a concern
[root@node1 pki]# cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "876000h"
      }
    }
  }
}
EOF
[root@node1 pki]# 
[root@node1 pki]# cat > ca-csr.json <<EOF
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "CA",
      "ST": "Oregon"
    }
  ]
}
EOF
[root@node1 pki]# 

Generate the certificate and private key:

[root@node1 pki]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@node1 pki]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
[root@node1 pki]#

admin client certificate

[root@node1 pki]# cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "seven"
    }
  ]
}
EOF
[root@node1 pki]#

Generate the admin client certificate and private key:

[root@node1 pki]# cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin
[root@node1 pki]# ls
admin.csr  admin-csr.json  admin-key.pem  admin.pem  ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
[root@node1 pki]# 
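Before any of these CSRs is signed it is worth checking what identity they grant. The API server takes the user name from the certificate's CN and the group from O; system:masters is bound to cluster-admin by a built-in ClusterRoleBinding, so every holder of admin.pem is a full administrator, and because Kubernetes does not consult CRLs or OCSP for client certificates the only way to withdraw that certificate is to rotate the CA. With the 876000h expiry in ca-config.json that is a 100-year window. The script below is an added example, not part of the original post, that audits the CSR JSON files and ca-config.json from this section before they reach cfssl; it goes beyond the admin case and also checks that node CSRs pair O=system:nodes with a CN of the form system:node:<name>. The function names json_field, expiry_years, audit_csr and write_sample_csrs are hypothetical, and the sample files it writes are constructed to mirror the ones above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit cfssl CSR and config JSON
# before signing. Assumes the flat JSON shapes used in this post (one "CN" and
# one "O" per file, "expiry" given in hours). Function names are hypothetical.
set -eu

# Extract the string value of a JSON key such as "CN": "admin".
# The key is matched exactly, so "O" does not match "OU".
json_field() {  # json_field <key> <file>
  sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$2" | head -n 1
}

# Convert the first cfssl expiry (e.g. 876000h) in a config file to whole years.
expiry_years() {  # expiry_years <ca-config.json>
  local hours
  hours=$(json_field expiry "$1" | tr -d h)
  echo $(( hours / 8760 ))
}

# Report the Kubernetes identity a client certificate would carry (user = CN,
# group = O) and return 1 when that identity needs a second look.
audit_csr() {  # audit_csr <name-csr.json>
  local cn o verdict rc=0
  cn=$(json_field CN "$1")
  o=$(json_field O "$1")
  case "$o" in
    system:masters)
      verdict="REVIEW: cluster-admin via built-in binding; RBAC cannot restrict it"
      rc=1 ;;
    system:nodes)
      case "$cn" in
        system:node:*) verdict="ok: Node authorizer identity" ;;
        *) verdict="REVIEW: O=system:nodes requires CN=system:node:<name>"; rc=1 ;;
      esac ;;
    *) verdict="ok" ;;
  esac
  printf '%s: CN=%s O=%s %s\n' "$(basename "$1")" "$cn" "$o" "$verdict"
  return $rc
}

# Write constructed sample files mirroring the post's admin CSR, node CSR and CA config.
write_sample_csrs() {  # write_sample_csrs <dir>
  printf '{"signing":{"default":{"expiry":"876000h"}}}\n' > "$1/ca-config.json"
  printf '{\n  "CN": "admin",\n  "names": [{"O": "system:masters", "OU": "seven"}]\n}\n' > "$1/admin-csr.json"
  printf '{\n  "CN": "system:node:node2",\n  "names": [{"O": "system:nodes", "OU": "seven"}]\n}\n' > "$1/node2-csr.json"
  # constructed mistake: node group without the node CN the Node authorizer expects
  printf '{\n  "CN": "node3",\n  "names": [{"O": "system:nodes", "OU": "seven"}]\n}\n' > "$1/node3-csr.json"
}

# Demo run over the constructed samples; in the real pki directory, point it at your own files.
demo_dir=$(mktemp -d)
write_sample_csrs "$demo_dir"
echo "CA/profile expiry: $(expiry_years "$demo_dir/ca-config.json") years"
for f in "$demo_dir"/*-csr.json; do
  audit_csr "$f" || true   # keep going; a REVIEW verdict is the finding, not an error
done
```

Run in the pki directory as audit_csr admin-csr.json (and the other *-csr.json files) and expiry_years ca-config.json. A REVIEW verdict is not necessarily a mistake: the admin certificate in this post is meant to be system:masters, but the audit makes that decision explicit and shows why such a certificate must be stored like a root key.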

kubelet client certificates

A certificate has to be generated for every worker node, so in this step fill in your own node names and IP addresses.

# Set your worker node list and the matching IP list (same order; the IPs are placeholders to replace)
[root@node1 pki]# WORKERS=(node2 node3)
[root@node1 pki]# WORKER_IPS=(<node2-ip> <node3-ip>)
[root@node1 pki]# for ((i=0;i<${#WORKERS[@]};i++)); do
cat > ${WORKERS[$i]}-csr.json <<EOF
{
  "CN": "system:node:${WORKERS[$i]}",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "system:nodes",
      "OU": "seven",
      "ST": "Beijing"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=${WORKERS[$i]},${WORKER_IPS[$i]} \
  -profile=kubernetes \
  ${WORKERS[$i]}-csr.json | cfssljson -bare ${WORKERS[$i]}
done
[root@node1 pki]# 

View the certificates:

[root@node1 pki]# ls
admin.csr       admin-key.pem  ca-config.json  ca-csr.json  ca.pem     node2-csr.json  node2.pem  node3-csr.json  node3.pem
admin-csr.json  admin.pem      ca.csr          ca-key.pem   node2.csr  node2-key.pem   node3.csr  node3-key.pem
[root@node1 pki]#
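The node certificates are the ones most likely to be issued wrong, because the CN and the -hostname SANs are typed per node: the Node authorizer only admits a kubelet whose certificate has CN system:node:<name> and O system:nodes, and the API server will not connect back to a kubelet (logs, exec, port-forward) whose serving certificate does not list the node's name and IP as SANs. The script below is an added example, not part of the original post, that checks an issued certificate against ca.pem with the openssl CLI; cert_dn_field, cert_has_san, cert_signed_by and verify_node_cert are hypothetical names, and the node IP is an argument you supply.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: verify an issued kubelet certificate
# with the openssl CLI. Function names are hypothetical; paths are arguments.
set -eu

# Print one attribute (CN, O, ...) of a certificate's subject.
# RFC2253 output is comma separated: subject=O=system:nodes,CN=system:node:node2
cert_dn_field() {  # cert_dn_field <attr> <cert.pem>
  openssl x509 -noout -subject -nameopt RFC2253 -in "$2" \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$1=//p"
}

# Succeed when the certificate carries the given SAN entry, e.g. "DNS:node2"
# or "IP Address:10.0.0.2" (the spelling openssl uses in its text dump).
cert_has_san() {  # cert_has_san <cert.pem> <san-entry>
  openssl x509 -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' | sed 's/^ *//' \
    | grep -qx "$2"
}

# Succeed when the certificate chains to the given CA file.
cert_signed_by() {  # cert_signed_by <ca.pem> <cert.pem>
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Run every check a kubelet certificate must pass; print each failure, return 1 on any.
verify_node_cert() {  # verify_node_cert <ca.pem> <node.pem> <node-name> <node-ip>
  local ca=$1 cert=$2 node=$3 ip=$4 rc=0
  cert_signed_by "$ca" "$cert" || { echo "chain: $cert is not signed by $ca"; rc=1; }
  [ "$(cert_dn_field CN "$cert")" = "system:node:$node" ] \
    || { echo "subject: CN must be system:node:$node"; rc=1; }
  [ "$(cert_dn_field O "$cert")" = "system:nodes" ] \
    || { echo "subject: O must be system:nodes"; rc=1; }
  cert_has_san "$cert" "DNS:$node" || { echo "san: missing DNS:$node"; rc=1; }
  cert_has_san "$cert" "IP Address:$ip" || { echo "san: missing IP:$ip"; rc=1; }
  # the validity end is printed, not judged: with this post's profile it is ~100 years out
  echo "$cert: $(openssl x509 -noout -enddate -in "$cert")"
  return $rc
}

# Usage in the pki directory from this post (node name and IP as passed to -hostname):
#   verify_node_cert ca.pem node2.pem node2 <node2-ip>
```

Run it once per worker right after the cfssl loop; a non-zero exit with the printed reason tells you which of the three inputs (CA, CN/O, SAN list) was wrong before the kubelet is started with that certificate.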

kube-controller-manager certificate

[root@node1 pki]# cat > kube-controller-manager-csr.json <<EOF
{
    "CN": "system:kube-controller-manager",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
      {
        "C": "CN",
        "ST": "BeiJing",
        "L": "BeiJing",
        "O": "system:kube-controller-manager",
        "OU": "seven"
      }
    ]
}
EOF
[root@node1 pki]#

Generate the certificate:

[root@node1 pki]# cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
[root@node1 pki]# 

View:

[root@node1 pki]# ls
admin.csr       admin.pem       ca-csr.json  kube-controller-manager.csr       kube-controller-manager.pem  node2-key.pem  node3-csr.json
admin-csr.json  ca-config.json  ca-key.pem   kube-controller-manager-csr.json  node2.csr                    node2.pem      node3-key.pem
admin-key.pem   ca.csr          ca.pem       kube-controller-manager-key.pem   node2-csr.json               node3.csr      node3.pem
[root@node1 pki]#

kube-proxy client certificate

[root@node1 pki]# cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "seven"
    }
  ]
}
EOF
[root@node1 pki]#

Generate the certificate:

[root@node1 pki]# cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy

View:

[root@node1 pki]# ls
admin.csr       admin.pem       ca-csr.json  kube-controller-manager.csr       kube-controller-manager.pem  kube-proxy-key.pem  node2-csr.json  node3.csr       node3.pem
admin-csr.json  ca-config.json  ca-key.pem   kube-controller-manager-csr.json  kube-proxy.csr               kube-proxy.pem      node2-key.pem   node3-csr.json
admin-key.pem   ca.csr          ca.pem       kube-controller-manager-key.pem   kube-proxy-csr.json          node2.csr           node2.pem       node3-key.pem
[root@node1 pki]#

kube-scheduler certificate

[root@node1 pki]# cat > kube-scheduler-csr.json <<EOF
{
    "CN": "system:kube-scheduler",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
      {
        "C": "CN",
        "ST": "BeiJing",
        "L": "BeiJing",
        "O": "system:kube-scheduler",
        "OU": "seven"
      }
    ]
}
EOF
[root@node1 pki]#

Generate the certificate:

[root@node1 pki]# cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-scheduler-csr.json | cfssljson -bare kube-scheduler
[root@node1 pki]#

View:

[root@node1 pki]# ls
admin.csr       ca-config.json  ca.pem                            kube-controller-manager.pem  kube-proxy.pem           kube-scheduler.pem  node2.pem       node3.pem
admin-csr.json  ca.csr          kube-controller-manager.csr       kube-proxy.csr               kube-scheduler.csr       node2.csr           node3.csr
admin-key.pem   ca-csr.json     kube-controller-manager-csr.json  kube-proxy-csr.json          kube-scheduler-csr.json  node2-csr.json      node3-csr.json
admin.pem       ca-key.pem      kube-controller-manager-key.pem   kube-proxy-key.pem           kube-scheduler-key.pem   node2-key.pem       node3-key.pem
[root@node1 pki]#

kube-apiserver certificate
For the remaining content, go to the WeChat (VX) official account "运维家" and reply "120" to read it.

posted @ 2022-03-18 17:45  郭-吉尔伽美什