k8s series 13: generating certificates and the authentication configuration for each component




What the components need when they talk to each other is security, so we use HTTPS to control access between them. That requires certificates, and here we create our own (a self-managed CA).



Installing the certificate generation tool
It only needs to be installed on one node; I chose node1.

[root@node1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
[root@node1 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
[root@node1 ~]# chmod +x /usr/local/bin/cfssl
[root@node1 ~]# chmod +x /usr/local/bin/cfssljson
[root@node1 ~]# cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.6
[root@node1 ~]#



Root certificate (CA)
The root certificate is shared: only one is created, and every other certificate is signed by it, so this is also done on a single node; I do it on node1.
PS: it is best to create a separate directory just for the certificates, otherwise things get messy.
[root@node1 ~]# mkdir pki
[root@node1 ~]# cd pki/
[root@node1 pki]#
# Note the expiry below: we set it very long, so expiry is practically not a concern
[root@node1 pki]# cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "876000h"
      }
    }
  }
}
EOF
[root@node1 pki]#
[root@node1 pki]# cat > ca-csr.json << EOF
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "CA",
      "ST": "Oregon"
    }
  ]
}
EOF
[root@node1 pki]#



Generate the CA certificate and private key:
[root@node1 pki]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@node1 pki]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
[root@node1 pki]#
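The ca-config.json above drives every later cfssl gencert call, so it is worth checking it mechanically before signing anything with it. The Python below is an added example, not code from the page or from cfssl itself: it re-implements cfssl's duration syntax for the expiry field, compares the expiry against an assumed policy limit (max_days is my assumption, not a cfssl or Kubernetes default), and flags a profile that grants both server auth and client auth. The page's 876000h works out to 36500 days, and because kube-apiserver performs no revocation check on client certificates, a leaked certificate signed under such a profile stays usable until the CA itself is rotated.

```python
import json
import re
from datetime import timedelta

# Constructed copy of the ca-config.json written above (same values as on the page).
CA_CONFIG_JSON = """
{
  "signing": {
    "default": { "expiry": "876000h" },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "876000h"
      }
    }
  }
}
"""

_SECONDS = {"h": 3600, "m": 60, "s": 1}


def page_config():
    """Return the page's ca-config.json as a dict (replace with json.load(open(...)) for your own file)."""
    return json.loads(CA_CONFIG_JSON)


def parse_expiry(text):
    """Parse a cfssl expiry, a Go duration string such as '876000h' or '8760h30m', into a timedelta."""
    parts = re.findall(r"(\d+(?:\.\d+)?)([hms])", text)
    # Reject anything the regex did not consume completely (e.g. '100y', '876000').
    if not parts or "".join(num + unit for num, unit in parts) != text:
        raise ValueError("unsupported duration: %r" % text)
    return timedelta(seconds=sum(float(num) * _SECONDS[unit] for num, unit in parts))


def check_profile(config, profile, max_days=5 * 365):
    """Return a list of findings for one signing profile; an empty list means nothing to flag.

    max_days is an assumed local policy limit, not a cfssl or Kubernetes default.
    """
    findings = []
    signing = config.get("signing", {})
    prof = signing.get("profiles", {}).get(profile)
    if prof is None:
        # cfssl silently uses the default profile when -profile names an unknown one.
        return ["profile %r is not defined; cfssl -profile=%s would fall back to 'default'"
                % (profile, profile)]
    # A profile without its own expiry inherits signing.default.expiry.
    expiry_text = prof.get("expiry") or signing.get("default", {}).get("expiry")
    if expiry_text is None:
        findings.append("%s: no expiry set in the profile or in signing.default" % profile)
    else:
        expiry = parse_expiry(expiry_text)
        if expiry > timedelta(days=max_days):
            findings.append(
                "%s: expiry %s (%d days) exceeds the %d-day limit; kube-apiserver checks no "
                "revocation for client certs, so a leaked cert stays valid until the CA is rotated"
                % (profile, expiry_text, expiry.days, max_days))
    usages = set(prof.get("usages", []))
    if {"server auth", "client auth"} <= usages:
        findings.append(
            "%s: the profile grants both 'server auth' and 'client auth', so any leaf it signs "
            "can act as a TLS server and as a client identity" % profile)
    if "client auth" not in usages and "server auth" not in usages:
        findings.append("%s: neither 'server auth' nor 'client auth' is granted" % profile)
    return findings


if __name__ == "__main__":
    for line in check_profile(page_config(), "kubernetes") or ["kubernetes: ok"]:
        print(line)
```

Run as a script it prints the two findings for the page's profile; to lint your own file, have page_config() return json.load(open("ca-config.json")) instead. Whether a single profile for both server and client certificates is acceptable is a policy choice (the page's layout follows the common single-profile setup); the check only makes the consequence visible.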



admin client certificate
[root@node1 pki]# cat > admin-csr.json << EOF
{
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "seven"
    }
  ]
}
EOF
[root@node1 pki]#



Generate the admin client certificate and private key:
[root@node1 pki]# cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin
[root@node1 pki]# ls
admin.csr  admin-csr.json  admin-key.pem  admin.pem  ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
[root@node1 pki]#



kubelet client certificates
A certificate must be generated for every worker node, so in this step use your own node names and IP addresses.
# Set your worker node list here. The node names below come from the listing further down;
# the IP values are placeholders, replace them with your own.
[root@node1 pki]# WORKERS=(node2 node3)
[root@node1 pki]# WORKER_IPS=(YOUR_NODE2_IP YOUR_NODE3_IP)
[root@node1 pki]# for ((i=0; i<${#WORKERS[@]}; i++)); do
cat > ${WORKERS[$i]}-csr.json << EOF
{
  "CN": "system:node:${WORKERS[$i]}",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "system:nodes",
      "OU": "seven",
      "ST": "Beijing"
    }
  ]
}
EOF
# -hostname puts the node name and IP into the SANs, so the same cert can also serve the kubelet API
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=${WORKERS[$i]},${WORKER_IPS[$i]} \
  -profile=kubernetes \
  ${WORKERS[$i]}-csr.json | cfssljson -bare ${WORKERS[$i]}
done
[root@node1 pki]#



Check the certificates:
[root@node1 pki]# ls
admin.csr  admin-key.pem  ca-config.json  ca-csr.json  ca.pem  node2-csr.json  node2.pem  node3-csr.json  node3.pem
admin-csr.json  admin.pem  ca.csr  ca-key.pem  node2.csr  node2-key.pem  node3.csr  node3-key.pem
[root@node1 pki]#



kube-controller-manager certificate
[root@node1 pki]# cat > kube-controller-manager-csr.json << EOF
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:kube-controller-manager",
      "OU": "seven"
    }
  ]
}
EOF
[root@node1 pki]#



Generate the certificate:
[root@node1 pki]# cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
[root@node1 pki]#



Check:
[root@node1 pki]# ls
admin.csr  admin.pem  ca-csr.json  kube-controller-manager.csr  kube-controller-manager.pem  node2-key.pem  node3-csr.json
admin-csr.json  ca-config.json  ca-key.pem  kube-controller-manager-csr.json  node2.csr  node2.pem  node3-key.pem
admin-key.pem  ca.csr  ca.pem  kube-controller-manager-key.pem  node2-csr.json  node3.csr  node3.pem
[root@node1 pki]#



kube-proxy client certificate
[root@node1 pki]# cat > kube-proxy-csr.json << EOF
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "seven"
    }
  ]
}
EOF
[root@node1 pki]#



Generate the certificate:
[root@node1 pki]# cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy



Check:
[root@node1 pki]# ls
admin.csr  admin.pem  ca-csr.json  kube-controller-manager.csr  kube-controller-manager.pem  kube-proxy-key.pem  node2-csr.json  node3.csr  node3.pem
admin-csr.json  ca-config.json  ca-key.pem  kube-controller-manager-csr.json  kube-proxy.csr  kube-proxy.pem  node2-key.pem  node3-csr.json
admin-key.pem  ca.csr  ca.pem  kube-controller-manager-key.pem  kube-proxy-csr.json  node2.csr  node2.pem  node3-key.pem
[root@node1 pki]#



kube-scheduler certificate
[root@node1 pki]# cat > kube-scheduler-csr.json << EOF
{
  "CN": "system:kube-scheduler",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:kube-scheduler",
      "OU": "seven"
    }
  ]
}
EOF
[root@node1 pki]#



Generate the certificate:
[root@node1 pki]# cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-scheduler-csr.json | cfssljson -bare kube-scheduler
[root@node1 pki]#



Check:
[root@node1 pki]# ls
admin.csr  ca-config.json  ca.pem  kube-controller-manager.pem  kube-proxy.pem  kube-scheduler.pem  node2.pem  node3.pem
admin-csr.json  ca.csr  kube-controller-manager.csr  kube-proxy.csr  kube-scheduler.csr  node2.csr  node3.csr
admin-key.pem  ca-csr.json  kube-controller-manager-csr.json  kube-proxy-csr.json  kube-scheduler-csr.json  node2-csr.json  node3-csr.json
admin.pem  ca-key.pem  kube-controller-manager-key.pem  kube-proxy-key.pem  kube-scheduler-key.pem  node2-key.pem  node3-key.pem
[root@node1 pki]#
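The CSRs for admin, the kubelets, kube-controller-manager, kube-proxy and kube-scheduler above differ only in CN and O, and those two fields are exactly what Kubernetes turns into an identity: the API server takes the username from CN and one group per O, the built-in RBAC bindings key on the usernames system:kube-controller-manager, system:kube-scheduler and system:kube-proxy, and the Node authorizer only admits CN=system:node:<name> in group system:nodes. The Python linter below is an added example, not code from the page or from any Kubernetes tool; it encodes those rules plus the -hostname SAN requirement for the kubelet certificates, and runs them over constructed copies of the page's CSRs with a constructed node/IP table (the page leaves WORKERS and WORKER_IPS to the reader, so the IPs here are made up).

```python
import ipaddress

# Expected CN per control-plane component: what the page uses and what the built-in
# ClusterRoleBindings (system:kube-controller-manager, system:kube-scheduler,
# system:node-proxier) are bound to.
EXPECTED_CN = {
    "kube-controller-manager": "system:kube-controller-manager",
    "kube-scheduler": "system:kube-scheduler",
    "kube-proxy": "system:kube-proxy",
}

# Constructed node table; the page does not show real values for WORKER_IPS.
WORKERS = {"node2": "192.0.2.2", "node3": "192.0.2.3"}


def csr(cn, org):
    """Build a CSR dict with the same layout as the page's *-csr.json files (constructed)."""
    return {"CN": cn, "key": {"algo": "rsa", "size": 2048},
            "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": org, "OU": "seven"}]}


def page_csrs():
    """Constructed copies of the CSRs on this page, keyed by the cfssljson -bare name."""
    return {
        "admin": csr("admin", "system:masters"),
        "kube-controller-manager": csr("system:kube-controller-manager",
                                       "system:kube-controller-manager"),
        "kube-proxy": csr("system:kube-proxy", "k8s"),
        "kube-scheduler": csr("system:kube-scheduler", "system:kube-scheduler"),
        "node2": csr("system:node:node2", "system:nodes"),
        "node3": csr("system:node:node3", "system:nodes"),
    }


def identity(csr_json):
    """Kubernetes reads the username from CN and one group from every O in the subject."""
    groups = [n["O"] for n in csr_json.get("names", []) if "O" in n]
    return csr_json["CN"], groups


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_csr(component, csr_json, hostnames=()):
    """Findings for one CSR. `component` is the file basename used on the page
    (admin, kube-proxy, node2, ...); `hostnames` is what -hostname= would receive."""
    findings = []
    user, groups = identity(csr_json)
    key = csr_json.get("key", {})
    if key.get("algo") == "rsa" and key.get("size", 0) < 2048:
        findings.append("%s: RSA key size %d is below 2048" % (component, key.get("size", 0)))
    if component == "admin":
        if "system:masters" in groups:
            findings.append("admin: O=system:masters is bound to cluster-admin by a built-in "
                            "ClusterRoleBinding and kube-apiserver checks no revocation for "
                            "client certs; keep this key offline and prefer a narrower binding")
    elif component in EXPECTED_CN:
        if user != EXPECTED_CN[component]:
            findings.append("%s: CN is %r but the built-in RBAC binding expects %r"
                            % (component, user, EXPECTED_CN[component]))
    else:  # a worker node: the Node authorizer needs system:node:<name> in system:nodes
        expected = "system:node:" + component
        if user != expected or "system:nodes" not in groups:
            findings.append("%s: kubelet identity must be CN=%s with O=system:nodes, got CN=%s O=%s"
                            % (component, expected, user, ",".join(groups)))
        names = [h for h in hostnames if not _is_ip(h)]
        ips = [h for h in hostnames if _is_ip(h)]
        if component not in names:
            findings.append("%s: -hostname= must include the node name %s" % (component, component))
        if not ips:
            findings.append("%s: -hostname= must include the node IP" % component)
    return findings


def check_all(csrs, worker_ips):
    """csrs: {component: csr dict}; worker_ips: {node name: IP} for the kubelet certs."""
    report = {}
    for component, body in csrs.items():
        hosts = (component, worker_ips[component]) if component in worker_ips else ()
        report[component] = check_csr(component, body, hosts)
    return report


if __name__ == "__main__":
    for component, findings in check_all(page_csrs(), WORKERS).items():
        print(component, "->", findings or "ok")
```

Run against the page's CSRs, only the admin entry produces a finding, which is the intended caveat rather than a mistake: the page deliberately puts admin into system:masters, and the check simply makes the consequence of that group membership visible. To lint your own CSR files, build the csrs dict with json.load on each *-csr.json and pass your real WORKERS/WORKER_IPS mapping.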



kube-apiserver certificate
For the remaining content, go to the WeChat (VX) official account "运维家" and reply "120".


