Preface

cfssl provides everything needed to run a certificate authority. The CA itself consists of a CA certificate (ca.pem) and the matching private key (ca-key.pem); that private key signs every other certificate, so it is the most sensitive file produced in this tutorial.

CA: certificate authority, the trusted third party that signs certificates.
X.509: the certificate standard; it defines what a certificate contains (subject, issuer, validity period, public key, and extensions such as Subject Alternative Names and key usage).
PEM: Privacy Enhanced Mail, a text encoding used for X.509 certificates (and also for keys and CSRs). A PEM file starts with a line such as "-----BEGIN CERTIFICATE-----", ends with "-----END CERTIFICATE-----", and the lines in between are the Base64-encoded DER data.
CSR: certificate signing request. This is not a certificate; it is the request handed to a CA, carrying the public key and the requested subject and hosts, from which the CA issues a signed certificate.
CRT/CER: a certificate.
I. Download the self-signed HTTPS certificate tools (cfssl, cfssljson, cfssl-certinfo), place them in /usr/local/bin and make them executable

curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl*

The three curl commands write the binaries straight into /usr/local/bin, so no separate cp step is needed. R1.2 is an old release; newer cfssl builds are published on the project's GitHub releases page (github.com/cloudflare/cfssl/releases). Whichever build you fetch, compare its checksum with the one published for the release before running it as root.
II. Create the directory that holds the JSON files: /service/scripts

mkdir -p /service/scripts/{k8s,etcd}
III. Generate the template JSON files (CSRs and signing config) for the self-signed certificates

cfssl print-defaults csr > /service/scripts/k8s/ca-csr.json
cfssl print-defaults config > /service/scripts/k8s/ca-config.json
cfssl print-defaults csr > /service/scripts/k8s/server-csr.json
cfssl print-defaults csr > /service/scripts/k8s/kube-proxy-csr.json

print-defaults only writes a generic example (an example.net CSR and a default signing config); every file is edited in the next step.
IV. Edit the generated templates for Kubernetes

1. Edit /service/scripts/k8s/ca-csr.json

Contents:

{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Guizhou",
      "ST": "Guizhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

Field notes: key.algo is the key algorithm (RSA here; cfssl also supports ecdsa) and key.size the key length in bits, 2048 being the minimum acceptable for RSA today. The names block holds the subject attributes (country, locality, state, organization, organizational unit). JSON does not allow comments, so keep notes like these out of the file itself.
2. Edit /service/scripts/k8s/ca-config.json

Contents:

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}

expiry is the certificate lifetime; 87600h is ten years, convenient for a lab but far longer than a production cluster should use without a rotation plan. The kubernetes profile is selected with -profile=kubernetes when signing. Note that it grants both server auth and client auth to every certificate signed under it, including the kube-proxy client certificate below; a tighter setup defines separate server and client profiles (server auth only for the apiserver certificate, client auth only for components that authenticate to it), so that a leaked client certificate cannot also be used to impersonate a server.
3. Edit /service/scripts/k8s/server-csr.json

Contents. The hosts list becomes the certificate's Subject Alternative Names, and a client rejects the apiserver's certificate if the address it connected to is not listed, so hosts must include every IP and DNS name used to reach the apiserver: 127.0.0.1, the ClusterIP of the kubernetes service (10.0.0.1 here, the first address of the service CIDR, so change it if your cluster uses a different CIDR), the in-cluster DNS names from kubernetes to kubernetes.default.svc.cluster.local, and the node and master IPs (192.168.3.60 to 192.168.3.66 in this example; replace them with your own, plus any load balancer address placed in front of the apiserver).
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"192.168.3.60",
"192.168.3.61",
"192.168.3.62",
"192.168.3.63",
"192.168.3.64",
"192.168.3.65",
"192.168.3.66"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Guizhou",
"ST": "Guizhou",
"O": "k8s",
"OU": "System"
}
]
}
4. Edit /service/scripts/k8s/kube-proxy-csr.json

This file is the certificate request for kube-proxy on the worker nodes.

{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Guizhou",
      "ST": "Guizhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

Field notes: when a client authenticates with a certificate, Kubernetes takes the username from CN and the group membership from O. CN "system:kube-proxy" is the user that the built-in system:node-proxier ClusterRoleBinding grants kube-proxy's permissions to, and O "k8s" is the group the user will carry; OU and the other names fields are plain subject attributes with no meaning to Kubernetes. hosts is empty because this is a client certificate and needs no SANs. key.algo and key.size are the key algorithm and length, as for the CA.
V. Generate the CA key and certificate and sign the Kubernetes certificates

Run the following from /service/scripts/k8s: cfssljson writes its output files (ca.pem, ca-key.pem, ca.csr and so on) into the current directory, and the later commands look for ca.pem and ca-key.pem under that path.

Initialize the k8s CA certificate:

cd /service/scripts/k8s
cfssl gencert -initca /service/scripts/k8s/ca-csr.json | cfssljson -bare ca

This produces ca.pem, ca-key.pem and ca.csr. Keep ca-key.pem readable only by root (cfssljson creates it with mode 0600; do not loosen it) and never copy it to the nodes; only ca.pem is distributed.
Generate the k8s server (apiserver) certificate:

cfssl gencert -ca=/service/scripts/k8s/ca.pem -ca-key=/service/scripts/k8s/ca-key.pem -config=/service/scripts/k8s/ca-config.json -profile=kubernetes /service/scripts/k8s/server-csr.json | cfssljson -bare server

Output: server.pem, server-key.pem and server.csr.
Generate the kube-proxy certificate for the nodes:

cfssl gencert -ca=/service/scripts/k8s/ca.pem -ca-key=/service/scripts/k8s/ca-key.pem -config=/service/scripts/k8s/ca-config.json -profile=kubernetes /service/scripts/k8s/kube-proxy-csr.json | cfssljson -bare kube-proxy

Output: kube-proxy.pem, kube-proxy-key.pem and kube-proxy.csr. Inspect any result with cfssl-certinfo -cert server.pem, which prints the subject, SANs, usages and validity period as JSON.