  Creating self-signed TLS certificates for Kubernetes (K8S)

    The TLS certificates secure communication between the cluster components. Each component needs the following certificate files:

    Component        Certificates required
    etcd             ca.pem, server.pem, server-key.pem
    flannel          ca.pem, server.pem, server-key.pem
    kube-apiserver   ca.pem, server.pem, server-key.pem
    kubelet          ca.pem, ca-key.pem
    kube-proxy       ca.pem, kube-proxy.pem, kube-proxy-key.pem
    kubectl          ca.pem, admin.pem, admin-key.pem

    Install the certificate tool cfssl

    All of the following steps are run on the master node.

    # wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    # wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    # wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    # chmod +x cfssl*
    # cp cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
    # cp cfssljson_linux-amd64 /usr/local/bin/cfssljson
    # cp cfssl_linux-amd64 /usr/local/bin/cfssl
    

    Create the certificate-generation script

    # more cert.sh 
    # Write ca-config.json: the CA signing policy (validity and allowed key usages for the "kubernetes" profile)
    cat > ca-config.json <<EOF
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
             "expiry": "87600h",
             "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
          }
        }
      }
    }
    EOF
    
    # Write ca-csr.json: the request for the self-signed root CA
    cat > ca-csr.json <<EOF
    {
        "CN": "kubernetes",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Beijing",
                "ST": "Beijing",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF
    
    # Generate the CA: ca-key.pem (the CA private key, keep it protected) and ca.pem
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
    
    #-----------------------
    
    # Write server-csr.json: the server certificate for etcd/kube-apiserver; "hosts" becomes the SAN list and must cover every node IP and in-cluster service name
    cat > server-csr.json <<EOF
    {
        "CN": "kubernetes",
        "hosts": [
          "127.0.0.1",
          "172.17.0.218",
          "172.17.0.219",
          "172.17.0.219",
          "kubernetes",
          "kubernetes.default",
          "kubernetes.default.svc",
          "kubernetes.default.svc.cluster",
          "kubernetes.default.svc.cluster.local"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "BeiJing",
                "ST": "BeiJing",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF
    
    # Sign server.pem and server-key.pem with the CA using the "kubernetes" profile
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
    
    #-----------------------
    
    # Write admin-csr.json: the kubectl admin client certificate; O=system:masters is the group Kubernetes reads from the subject
    cat > admin-csr.json <<EOF
    {
      "CN": "admin",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "BeiJing",
          "ST": "BeiJing",
          "O": "system:masters",
          "OU": "System"
        }
      ]
    }
    EOF
    
    # Generate the admin certificate: admin-key.pem, admin.pem
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
    
    #-----------------------
    
    # Write kube-proxy-csr.json: the kube-proxy client certificate (CN system:kube-proxy is the username Kubernetes sees)
    cat > kube-proxy-csr.json <<EOF
    {
      "CN": "system:kube-proxy",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "BeiJing",
          "ST": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    EOF
    
    # Generate the kube-proxy certificate: kube-proxy-key.pem, kube-proxy.pem
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
    # sh cert.sh

    List the generated certificates and keys:

    # ls | grep pem
    admin-key.pem
    admin.pem
    ca-key.pem
    ca.pem
    kube-proxy-key.pem
    kube-proxy.pem
    server-key.pem
    server.pem
    

    This completes the creation of self-signed TLS certificates for Kubernetes (K8S).
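    The security decisions in cert.sh live in the small JSON documents it writes: the profile's key usages, the server certificate's "hosts" list (which becomes the SAN extension and cannot be changed after issuance), and the subject of each client certificate (Kubernetes takes the username from CN and the groups from each O value, so O=system:masters on admin.pem is what makes that certificate a cluster administrator). The lint below is an added example written for this page, not code from the original post or from cfssl. It uses only the Python standard library and checks constructed copies of the four input files before they are fed to cfssl gencert; the sample host list mirrors the post, which lists 172.17.0.219 twice, and the five-year expiry threshold is this example's own policy choice, not something the post states.

```python
"""Lint the cfssl JSON inputs written by cert.sh before signing.

Added example, not part of the original post. Standard library only; the
sample documents at the bottom are constructed here to mirror cert.sh.
"""
import json
import os
import re
from typing import Dict, List

# The one profile signs both the apiserver server cert and the client certs,
# so it must carry both extended key usages.
REQUIRED_USAGES = {"signing", "key encipherment", "server auth", "client auth"}

# Names in-cluster clients use for the apiserver; every one must be a SAN.
APISERVER_DNS_NAMES = [
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
]

# Policy threshold chosen for this example (assumption, not from the post).
MAX_EXPIRY_HOURS = 5 * 365 * 24


def expiry_hours(expiry: str) -> int:
    """Parse a cfssl duration such as '87600h' into hours."""
    m = re.fullmatch(r"(\d+)h", expiry)
    if not m:
        raise ValueError(f"unsupported cfssl expiry: {expiry!r}")
    return int(m.group(1))


def lint_ca_config(cfg: dict, profile: str = "kubernetes") -> List[str]:
    """Profile must exist, grant the needed usages and respect the lifetime cap."""
    prof = cfg.get("signing", {}).get("profiles", {}).get(profile)
    if prof is None:
        return [f"profile {profile!r} missing from ca-config.json"]
    problems = []
    missing = REQUIRED_USAGES - set(prof.get("usages", []))
    if missing:
        problems.append(f"profile {profile!r} lacks usages: {sorted(missing)}")
    hours = expiry_hours(prof.get("expiry", "0h"))
    if hours > MAX_EXPIRY_HOURS:
        problems.append(f"profile {profile!r} expiry {hours}h exceeds five years; plan rotation")
    return problems


def lint_server_csr(csr: dict) -> List[str]:
    """hosts -> SAN: must name every in-cluster DNS name; duplicates hint at a copy-paste slip."""
    hosts = csr.get("hosts", [])
    problems = []
    dupes = sorted({h for h in hosts if hosts.count(h) > 1})
    if dupes:
        problems.append(f"duplicate hosts in server CSR: {dupes}")
    problems += [f"server CSR missing in-cluster SAN {n!r}" for n in APISERVER_DNS_NAMES if n not in hosts]
    return problems


def lint_client_csr(csr: dict, expect_cn: str, expect_groups: List[str]) -> List[str]:
    """CN is the Kubernetes username and each O is a group: the subject decides who this cert is."""
    problems = []
    if csr.get("CN") != expect_cn:
        problems.append(f"client CN {csr.get('CN')!r} != expected {expect_cn!r}")
    groups = [n["O"] for n in csr.get("names", []) if "O" in n]
    if groups != expect_groups:
        problems.append(f"client groups {groups} != expected {expect_groups}")
    return problems


FILES = ["ca-config.json", "server-csr.json", "admin-csr.json", "kube-proxy-csr.json"]


def lint_documents(docs: Dict[str, dict]) -> Dict[str, List[str]]:
    """Run every check over already-parsed documents keyed by file name."""
    return {
        "ca-config.json": lint_ca_config(docs["ca-config.json"]),
        "server-csr.json": lint_server_csr(docs["server-csr.json"]),
        "admin-csr.json": lint_client_csr(docs["admin-csr.json"], "admin", ["system:masters"]),
        "kube-proxy-csr.json": lint_client_csr(docs["kube-proxy-csr.json"], "system:kube-proxy", ["k8s"]),
    }


def lint_directory(path: str = ".") -> Dict[str, List[str]]:
    """Same checks against the real files cert.sh wrote in `path`."""
    docs = {}
    for name in FILES:
        with open(os.path.join(path, name), encoding="utf-8") as fh:
            docs[name] = json.load(fh)
    return lint_documents(docs)


# Constructed sample inputs mirroring cert.sh (172.17.0.219 repeated as in the post).
KEY = {"algo": "rsa", "size": 2048}
NAME = {"C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System"}
SAMPLE_DOCS = {
    "ca-config.json": {"signing": {"default": {"expiry": "87600h"}, "profiles": {
        "kubernetes": {"expiry": "87600h", "usages": sorted(REQUIRED_USAGES)}}}},
    "server-csr.json": {"CN": "kubernetes", "key": KEY, "names": [NAME],
                        "hosts": ["127.0.0.1", "172.17.0.218", "172.17.0.219", "172.17.0.219"] + APISERVER_DNS_NAMES},
    "admin-csr.json": {"CN": "admin", "hosts": [], "key": KEY, "names": [dict(NAME, O="system:masters")]},
    "kube-proxy-csr.json": {"CN": "system:kube-proxy", "hosts": [], "key": KEY, "names": [NAME]},
}

if __name__ == "__main__":
    for filename, findings in lint_documents(SAMPLE_DOCS).items():
        print(filename, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

    Run it from the directory where cert.sh was executed (lint_directory(".")) or call lint_documents on parsed JSON. Any non-empty finding list is a reason to correct the CSR before running cfssl gencert: on the sample input it reports the repeated 172.17.0.219 host and the ten-year lifetime, and it would flag an admin request whose O was left at "k8s" (a user with no bindings) instead of "system:masters".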

    When republishing, please credit the source: https://www.cnblogs.com/aresxin

    Original article: https://www.cnblogs.com/aresxin/p/K8S-TLS.html