目标
功能关系
创建ca
创建ca配置文件:ca-config.json
创建ca证书签名请求文件:ca-csr.json
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Shandong",
"L": "JiNan",
"O": "Kubernetes",
"OU": "CA"
}
]
}
创建ca证书,私钥,证书请求文件
Shell># cfssl gencert -initca ca-csr.json | cfssljson -bare ca
API server证书
目的: 给apiservice使用
创建证书签名文件:kubernetes-csr.json
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"10.10.1.20",
"10.10.1.21",
"10.10.1.22",
"10.10.1.23",
"10.254.0.1",
"master.k8s.com",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "JiNan",
"O": "Kubernetes",
"ST": "Shandong"
}
]
}
kubelet 证书
目标: 给kubelet 与apiserver 连接式做身份认证使用。
说明:
创建列表文件,名称为node.list
#hostname@ipaddrs(ip1,ip2,ip3)
Node1.k8s.com@10.10.1.31
Node2.k8s.com@10.10.1.32
Node3.k8s.com@10.10.1.33,10.10.1.34
创建脚本 node.sh
#!/bin/bash
HostName=(`cat nodes.list | grep -v '#' | awk -F '@' '{print $1}'`)
HostNUM="${#HostName[*]}"
#echo $HostNUM
ips=(`cat nodes.list | grep -v '#' | awk -F '@' '{print $2}'`)
for ((i=0; i < $HostNUM; i++)) ; do
instance=${HostName[$i]}
cat > ${instance}-csr.json <<EOF
{
"CN": "system:node:${instance}",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "JiNan",
"O": "system:nodes",
"OU": "Kubernetes",
"ST": "Shandong"
}
]
}
EOF
NODE_IP=${ips[$i]}
echo ${instance}
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-hostname=${instance},${NODE_IP},'127.0.0.1' \
-profile=kubernetes \
${instance}-csr.json | cfssljson -bare ${instance}
#make kubeconfig file
kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://master.k8s.com \
--client-certificate=${instance}.pem \
--client-key=${instance}-key.pem \
--embed-certs=true \
--kubeconfig=${instance}.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=system:node:${instance} \
--kubeconfig=${instance}.kubeconfig
kubectl config use-context default --kubeconfig=${instance}.kubeconfig
done
kube-proxy 证书
创建证书签名文件:kube-proxy-csr.json
Shell>#cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-proxy-csr.json | cfssljson -bare kube-proxy
管理员证书
创建证书签名文件:admin-csr.json
{
"CN": "admin",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "JiNan",
"O": "system:masters",
"OU": "Kubernetes",
"ST": "Shandong"
}
]
}
生成管理员证书
Shell>#cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
admin-csr.json | cfssljson -bare admin
dashboard证书
创建证书签名文件:dashboard-csr.json
生成dashboard证书
Shell>#cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \