4. Kubernetes self-signed certificate generation steps

Preface

cfssl has everything needed to run a certificate authority. A CA consists of a CA certificate (ca.pem) and the matching private key (ca-key.pem); the private key is what signs every certificate the cluster trusts, so it must be kept off the nodes and readable only by the account that issues certificates.
CA: certificate authority, the third party that issues and signs certificates
X.509: the certificate standard; it defines what a certificate must contain
PEM: privacy enhanced mail, a text encoding of X.509 objects; it starts with a "-----BEGIN ...-----" line, ends with "-----END ...-----", and the content in between is the DER bytes in Base64
CSR: certificate signing request; not a certificate itself, but the request sent to a certificate authority to obtain a signed certificate
CRT/CER: certificate

I. Download the cfssl self-signed HTTPS certificate tools into /usr/local/bin and make them executable

curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl*

The curl commands already write the binaries into /usr/local/bin, so no separate cp step is needed. R1.2 is an old release; current binaries and their checksums are published on the cfssl GitHub releases page (https://github.com/cloudflare/cfssl/releases), and a downloaded binary that will run as root should be checked against the published checksum before it is used.

II. Create the directory that holds the JSON files: /service/scripts

mkdir -p /service/scripts/{k8s,etcd}

III. Generate the default template files (ca-csr.json, ca-config.json, server-csr.json, kube-proxy-csr.json)

cfssl print-defaults csr >/service/scripts/k8s/ca-csr.json
cfssl print-defaults config >/service/scripts/k8s/ca-config.json
cfssl print-defaults csr >/service/scripts/k8s/server-csr.json
cfssl print-defaults csr >/service/scripts/k8s/kube-proxy-csr.json

IV. Edit the generated Kubernetes templates:

1. Edit /service/scripts/k8s/ca-csr.json to read:

{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Guizhou",
            "ST": "Guizhou",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

Field notes (kept out of the file: JSON has no comments, and cfssl rejects a file with inline notes): "algo" and "size" are the key algorithm and key length (RSA, 2048 bits); the entry under "names" holds the subject attributes (country, locality, state, organization, organizational unit).

2. Edit /service/scripts/k8s/ca-config.json to read:

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}

Field notes: "expiry" is the certificate lifetime (87600h is ten years). "default" applies when cfssl gencert is run without -profile; the "kubernetes" profile is selected with -profile=kubernetes in the commands below. Because the profile lists both "server auth" and "client auth", every certificate signed with it can be presented as a server or as a client; that is convenient for a small cluster but means a leaked kube-proxy certificate could also be used to impersonate a server, so split the profile if that matters to you.

3. Edit /service/scripts/k8s/server-csr.json to read as follows. The "hosts" list becomes the certificate's subject alternative names, so it must contain every address a client may use for the apiserver: the in-cluster service IP (10.0.0.1 here, the first address of the service CIDR), 127.0.0.1, the kubernetes.default.* names and each master IP or load-balancer address. A name left out here cannot be added later without reissuing the certificate.

{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local",
      "192.168.3.60",
      "192.168.3.61",
      "192.168.3.62",
      "192.168.3.63",
      "192.168.3.64",
      "192.168.3.65",
      "192.168.3.66"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Guizhou",
            "ST": "Guizhou",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

4. Edit /service/scripts/k8s/kube-proxy-csr.json to produce the certificate request for the worker nodes:

{
    "CN": "system:kube-proxy",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Guizhou",
            "ST": "Guizhou",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

Field notes: when the apiserver authenticates a client certificate it takes "CN" as the user name and "O" as the group, so this certificate identifies the user system:kube-proxy in group k8s; "OU" and the other subject attributes are not used for authorization. "hosts" is empty because this is a client certificate and needs no SANs. "algo" and "size" are the key algorithm and length, as for the CA.

Note: this is the client certificate that kube-proxy presents to the apiserver on the worker nodes; it is not the kubelet's certificate, which identifies a different user and must be issued separately.

V. Generate the CA key pair and sign the Kubernetes certificates

  • Initialise the k8s CA. ca.pem, ca-key.pem and ca.csr are written to the current directory, so run this inside /service/scripts/k8s, where the following commands expect them:

cd /service/scripts/k8s
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
  • Sign the k8s server certificate with the kubernetes profile (produces server.pem, server-key.pem and server.csr):

cfssl gencert -ca=/service/scripts/k8s/ca.pem -ca-key=/service/scripts/k8s/ca-key.pem -config=/service/scripts/k8s/ca-config.json -profile=kubernetes /service/scripts/k8s/server-csr.json | cfssljson -bare server
  • Sign the kube-proxy certificate for the worker nodes (produces kube-proxy.pem, kube-proxy-key.pem and kube-proxy.csr):

cfssl gencert -ca=/service/scripts/k8s/ca.pem -ca-key=/service/scripts/k8s/ca-key.pem -config=/service/scripts/k8s/ca-config.json -profile=kubernetes /service/scripts/k8s/kube-proxy-csr.json | cfssljson -bare kube-proxy
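The whole procedure above (write the four JSON files, initialise the CA, sign the server and kube-proxy certificates, then check the result) as one script. This is an added example, not the original author's commands or cfssl project code: it assumes cfssl, cfssljson, openssl (1.1.1 or newer, for the -ext option) and python3 are on the PATH, and it takes the page's directory, service IP and master addresses as defaults that you override through WORKDIR, SERVICE_IP and MASTER_IPS.

```shell
#!/usr/bin/env bash
# Added example (not the original author's script): runs the cfssl procedure
# from this page end to end and verifies the output with openssl.
# Assumed defaults below are the page's values; override them for a real cluster.
set -eu
(set -o pipefail) 2>/dev/null && set -o pipefail

WORKDIR="${WORKDIR:-/service/scripts/k8s}"
SERVICE_IP="${SERVICE_IP:-10.0.0.1}"   # first address of --service-cluster-ip-range
MASTER_IPS="${MASTER_IPS:-192.168.3.60 192.168.3.61 192.168.3.62 192.168.3.63 192.168.3.64 192.168.3.65 192.168.3.66}"

# Write the four JSON files into $1 as valid JSON (cfssl rejects inline notes).
write_csr_files() {
  local dir="$1" hosts ip
  mkdir -p "$dir"
  # Every name or IP a client may use for the apiserver must be a SAN; a name
  # missing here can only be added by reissuing server.pem.
  hosts="\"127.0.0.1\", \"${SERVICE_IP}\", \"kubernetes\", \"kubernetes.default\""
  hosts="${hosts}, \"kubernetes.default.svc\", \"kubernetes.default.svc.cluster\""
  hosts="${hosts}, \"kubernetes.default.svc.cluster.local\""
  for ip in $MASTER_IPS; do hosts="${hosts}, \"${ip}\""; done

  cat > "$dir/ca-csr.json" <<'EOF'
{
  "CN": "kubernetes",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "Guizhou", "ST": "Guizhou", "O": "k8s", "OU": "System" } ]
}
EOF
  cat > "$dir/ca-config.json" <<'EOF'
{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [ "signing", "key encipherment", "server auth", "client auth" ]
      }
    }
  }
}
EOF
  cat > "$dir/server-csr.json" <<EOF
{
  "CN": "kubernetes",
  "hosts": [ ${hosts} ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "Guizhou", "ST": "Guizhou", "O": "k8s", "OU": "System" } ]
}
EOF
  # Client-only identity: CN is the Kubernetes user name, O the group, no SANs.
  cat > "$dir/kube-proxy-csr.json" <<'EOF'
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "Guizhou", "ST": "Guizhou", "O": "k8s", "OU": "System" } ]
}
EOF
}

# Syntax-check every JSON file before calling cfssl (uses python3, an assumption).
check_json() {
  local f
  for f in "$1"/*.json; do
    python3 -c 'import json,sys; json.load(open(sys.argv[1]))' "$f" \
      || { echo "invalid JSON: $f" >&2; return 1; }
  done
}

# Initialise the CA, then sign the server and kube-proxy certificates.
# cfssljson writes into the current directory, hence the subshell cd.
issue_certs() (
  cd "$1"
  cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
    -profile=kubernetes server-csr.json | cfssljson -bare server
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
    -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
  chmod 600 ./*-key.pem   # make sure no private key is group- or world-readable
)

# Prove each leaf chains to ca.pem and carries the identity we expect.
verify_certs() {
  local dir="$1" san
  openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" "$dir/kube-proxy.pem"
  san="$(openssl x509 -in "$dir/server.pem" -noout -ext subjectAltName)"
  case "$san" in
    *kubernetes.default.svc.cluster.local*) ;;
    *) echo "server.pem lacks the in-cluster apiserver SAN" >&2; return 1 ;;
  esac
  openssl x509 -in "$dir/kube-proxy.pem" -noout -subject -enddate
}

case "${1:-}" in
  all)    write_csr_files "$WORKDIR"; check_json "$WORKDIR"
          issue_certs "$WORKDIR"; verify_certs "$WORKDIR" ;;
  verify) verify_certs "$WORKDIR" ;;
  *)      echo "usage: $0 all|verify   (WORKDIR=$WORKDIR)" ;;
esac
```

Run it as `bash k8s-pki.sh all` to produce everything, or `bash k8s-pki.sh verify` against certificates issued earlier. The verify step is the check worth keeping: `openssl verify` proves both leaf certificates chain to ca.pem, the subject line shows the user name and group the apiserver will see for kube-proxy, and the SAN check catches the most common mistake with this setup, an apiserver name or VIP that was left out of "hosts" and can only be fixed by reissuing server.pem.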
