二进制部署K8S集群（十四）之关于K8S证书

目录

• 一.关于K8S证书
  • • 1.1 关于cfssl工具
    • 1.2 关于kubeconfig文件
      • • 1.2.1查看证书详细信息
        • 1.2.2将转换的数据再转化为证书原型
    • 1.3 集群证书架构
      • • 1.3.1 k8s集群架构
        • 1.3.2 证书总结
        • 1.3.3 证书架构

一.关于K8S证书

1.1 关于cfssl工具

• cfssl：证书签发的主要工具
• cfssl-json:将cfssl生成的证书（json格式）变为文件承载式证书
• cfssl-centinfo：验证证书的信息 cfssl-certinfo -cert apiserver.pem

1.2 关于kubeconfig文件

• 这是一个K8s用户的配置文件
• 它里面含有证书信息
• 证书过期或更换，需要同步替换的文件

1.2.1查看证书详细信息

[root@hdss7-200 certs]# cfssl-certinfo -cert /opt/certs/ca.pem

1.2.2将转换的数据再转化为证书原型

[root@hdss7-21 conf]# tail -1 /opt/kubernetes/server/bin/conf/kube-proxy.kubeconfig 
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBb2duTEZ3eEd5dURTd3RkSi9nODNPWHlmN25TQ1o5clNHS0dxZzNOTXI0ZlZOUmN6CkRhWlozSDJyWTA2dlJHTXFiNndNb0lYeG5JZjdRUWppdktzYmh3WGJZY2tJOTdEQ3VVTC9IcEJ6MjIweVFsRUwKOUNsb1ZGVlRoNW9FYkdzWDdXRnR1TDlUM0dWRTlFampBVC94UUZXd1ZxZityeUVCVjdZVjVsQUpxajZyN3JRVwo4NHRvK3VIMytrbzEyKy9hMHdralFpaW5wZ2NHNkFQbzFqMk0vVC9USHVrcVdUaWF0VzhsclV3ZHA5WW93K21TCi9xMVRnVmNDSFdzYzRld01SUjlsRnRhMm1xVmVXSmhwNWFnSE1sTGJwVlQ0aFUxb1VIV2hla3NEZkhYZVp4Q3UKcGd3dEdtNDRmMDVDWVA2UENwU3Q1d0ZqeUFSTmo3SHlNOUdnZndJREFRQUJBb0lCQUdGN2FNM1YyZVVGdW1YegpaUlZPREJndWpIekZaUXFiejFkNE12L2Y1cHVYS1VKR1ViVjloWVFycW1jVkdFWVpMcGQrTng1L1ZtcW9PQlRaCkJxY2dmWEFPcXZ1NkdRWUNOak9FUmIwYWhFalcrYXlCMjZJcEl4WFJPMjVSenlWMmpDK0lOSjAzcFhqckI3KzYKOWE1enpHeTY0RnBSdU51ZERKUzYrNVBTUk81QXpwdCs1Yjg4eEIvZXVOQmpldzdxYVFzNmgyUkhkbUd5cExCUQp5T0MrYzc4L1FVbDh2THo4NURGTU8zYkVwNm42eThWb3g3d2I4WWVXUG42cHVBWEhpZnpJZlg5VS8xZjh1OWNuClRrS2dvdzdtTVkyVTc1U3pYY3BUM3ZBaTlzMUtrWFdjK1FpcXJZbEo5VXZvNXdraEN2dENKQXFYNDBvYk1uVDgKekV0Mzlya0NnWUVBd3RIb3YxemtuUGVrUXVlUGI1MFcxL0pDUk95RlRUem1iYm0zUW1nSWdRSU5wek15Wkp1cApzaG00VGNWOXZPREpCN0duaTdKS1BFQ1BITVBxeXk4S1VvbStOd3JpQytOdXJjazJKUGUyMENXRnJQdHhyeGo5CncvY241SGJFRW5VR0tPY3drVy9EZ21kSXV3U2pNOGFOdlB5V0I1ZmhzdmRSaVFlQW91SVV0YlVDZ1lFQTFPeDUKL1ZkYXRaN2hLaG85ZG4wL3ZuTlZXTjJMVm5TVENRS2hmampxdXloOXdOVkxIZWVFdTUrWnpUc2hWaUdoMzJ0TQpyUlhQRkJabkJRWHIrMWhPbTcwWE5hdXY1c2F4UmJzMTg2WithZ1JFbmtsVlpOb1laWENsODErTDlnVkFsejlWCkJEK3VYWk4xRStRQ2NMdGl2OXY2YndrcGU1L2Z5d2ZDV1ZMREhlTUNnWUVBa3IxdTFPeVFHWmNCdDQ4WTM5WHYKeGRub2htZXNoQi9SNUdYVkhnU2tHeC9EenVObUdwZVErdUFhalNHcThxQlJheVVwOExQcTdIVW9GbCtQTTFtTQpLZDBzVStNem5nYkJiODYxcEtTY295MFFBZG9tcDk5b0RMblY1MlI1alBsdUdWTUJweG9LcGVkTHhlblpUMzlICmRVaS9iSnErMm9Fa2ZkVVQxQnY3dzEwQ2dZQXE4QVVwc1pQNVRERGI3SzY0Vmtta2ZsMlhyaFdMT2JicytqclcKMldOOG1vM0JkVUhRcGY5K1ZwRU5jZjhtLzJGRlRMNEpxWHc0OE11Vmw3d2UwNUFHbC9zMk40a2hZTEFlLzhIQgpnTEc5YjE3bkRLTEwwNjlYeFgreHRITGxDZW9jbGdqdThtaVhOa1ZGM1pVZ1pxbGpSMWtaU3greWJtc1M1bDJxCjVhV3pRUUtCZ0I2SGJkcWRGQVoyVXpuK1pYcUpoRUxNaDZmNjQvNlBKMGNNdnpOSTJsZFJ0VWhEN2NaZmFJanUKRHpYQ0VVTHBWOTQ3YzdEY1lPQW84WFhTMkJ2WHJkeDRUMytKMTU4ME1aYUFEWUFPTmlHVTM4VTVtOERMbXVacQoySnJzaDI2c1V0Tjc3aDVZSko3S1p2UjNNSmlERGJaSG9oSHBTZlp1eDlVa0JzcWJ1dTdpCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
[root@hdss7-21 conf]# echo "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBb2duTEZ3eEd5dURTd3RkSi9nODNPWHlmN25TQ1o5clNHS0dxZzNOTXI0ZlZOUmN6CkRhWlozSDJyWTA2dlJHTXFiNndNb0lYeG5JZjdRUWppdktzYmh3WGJZY2tJOTdEQ3VVTC9IcEJ6MjIweVFsRUwKOUNsb1ZGVlRoNW9FYkdzWDdXRnR1TDlUM0dWRTlFampBVC94UUZXd1ZxZityeUVCVjdZVjVsQUpxajZyN3JRVwo4NHRvK3VIMytrbzEyKy9hMHdralFpaW5wZ2NHNkFQbzFqMk0vVC9USHVrcVdUaWF0VzhsclV3ZHA5WW93K21TCi9xMVRnVmNDSFdzYzRld01SUjlsRnRhMm1xVmVXSmhwNWFnSE1sTGJwVlQ0aFUxb1VIV2hla3NEZkhYZVp4Q3UKcGd3dEdtNDRmMDVDWVA2UENwU3Q1d0ZqeUFSTmo3SHlNOUdnZndJREFRQUJBb0lCQUdGN2FNM1YyZVVGdW1YegpaUlZPREJndWpIekZaUXFiejFkNE12L2Y1cHVYS1VKR1ViVjloWVFycW1jVkdFWVpMcGQrTng1L1ZtcW9PQlRaCkJxY2dmWEFPcXZ1NkdRWUNOak9FUmIwYWhFalcrYXlCMjZJcEl4WFJPMjVSenlWMmpDK0lOSjAzcFhqckI3KzYKOWE1enpHeTY0RnBSdU51ZERKUzYrNVBTUk81QXpwdCs1Yjg4eEIvZXVOQmpldzdxYVFzNmgyUkhkbUd5cExCUQp5T0MrYzc4L1FVbDh2THo4NURGTU8zYkVwNm42eThWb3g3d2I4WWVXUG42cHVBWEhpZnpJZlg5VS8xZjh1OWNuClRrS2dvdzdtTVkyVTc1U3pYY3BUM3ZBaTlzMUtrWFdjK1FpcXJZbEo5VXZvNXdraEN2dENKQXFYNDBvYk1uVDgKekV0Mzlya0NnWUVBd3RIb3YxemtuUGVrUXVlUGI1MFcxL0pDUk95RlRUem1iYm0zUW1nSWdRSU5wek15Wkp1cApzaG00VGNWOXZPREpCN0duaTdKS1BFQ1BITVBxeXk4S1VvbStOd3JpQytOdXJjazJKUGUyMENXRnJQdHhyeGo5CncvY241SGJFRW5VR0tPY3drVy9EZ21kSXV3U2pNOGFOdlB5V0I1ZmhzdmRSaVFlQW91SVV0YlVDZ1lFQTFPeDUKL1ZkYXRaN2hLaG85ZG4wL3ZuTlZXTjJMVm5TVENRS2hmampxdXloOXdOVkxIZWVFdTUrWnpUc2hWaUdoMzJ0TQpyUlhQRkJabkJRWHIrMWhPbTcwWE5hdXY1c2F4UmJzMTg2WithZ1JFbmtsVlpOb1laWENsODErTDlnVkFsejlWCkJEK3VYWk4xRStRQ2NMdGl2OXY2YndrcGU1L2Z5d2ZDV1ZMREhlTUNnWUVBa3IxdTFPeVFHWmNCdDQ4WTM5WHYKeGRub2htZXNoQi9SNUdYVkhnU2tHeC9EenVObUdwZVErdUFhalNHcThxQlJheVVwOExQcTdIVW9GbCtQTTFtTQpLZDBzVStNem5nYkJiODYxcEtTY295MFFBZG9tcDk5b0RMblY1MlI1alBsdUdWTUJweG9LcGVkTHhlblpUMzlICmRVaS9iSnErMm9Fa2ZkVVQxQnY3dzEwQ2dZQXE4QVVwc1pQNVRERGI3SzY0Vmtta2ZsMlhyaFdMT2JicytqclcKMldOOG1vM0JkVUhRcGY5K1ZwRU5jZjhtLzJGRlRMNEpxWHc0OE11Vmw3d2UwNUFHbC9zMk40a2hZTEFlLzhIQgpnTEc5YjE3bkRLTEwwNjlYeFgreHRITGxDZW9jbGdqdThtaVhOa1ZGM1pVZ1pxbGpSMWtaU3greWJtc1M1bDJxCjVhV3pRUUtCZ0I2SGJkcWRGQVoyVXpuK1pYcUpoRUxNaDZmNjQvNlBKMGNNdnpOSTJsZFJ0VWhEN2NaZmFJanUKRHpYQ0VVTHBWOTQ3YzdEY1lPQW84WFhTMkJ2WHJkeDRUMytKMTU4ME1aYUFEWUFPTmlHVTM4VTVtOERMbXVacQoySnJzaDI2c1V0Tjc3aDVZSko3S1p2UjNNSmlERGJaSG9oSHBTZlp1eDlVa0JzcWJ1dTdpCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==" | base64 -d
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAognLFwxGyuDSwtdJ/g83OXyf7nSCZ9rSGKGqg3NMr4fVNRcz
DaZZ3H2rY06vRGMqb6wMoIXxnIf7QQjivKsbhwXbYckI97DCuUL/HpBz220yQlEL
9CloVFVTh5oEbGsX7WFtuL9T3GVE9EjjAT/xQFWwVqf+ryEBV7YV5lAJqj6r7rQW
84to+uH3+ko12+/a0wkjQiinpgcG6APo1j2M/T/THukqWTiatW8lrUwdp9Yow+mS
/q1TgVcCHWsc4ewMRR9lFta2mqVeWJhp5agHMlLbpVT4hU1oUHWheksDfHXeZxCu
pgwtGm44f05CYP6PCpSt5wFjyARNj7HyM9GgfwIDAQABAoIBAGF7aM3V2eUFumXz
ZRVODBgujHzFZQqbz1d4Mv/f5puXKUJGUbV9hYQrqmcVGEYZLpd+Nx5/VmqoOBTZ
BqcgfXAOqvu6GQYCNjOERb0ahEjW+ayB26IpIxXRO25RzyV2jC+INJ03pXjrB7+6
9a5zzGy64FpRuNudDJS6+5PSRO5Azpt+5b88xB/euNBjew7qaQs6h2RHdmGypLBQ
yOC+c78/QUl8vLz85DFMO3bEp6n6y8Vox7wb8YeWPn6puAXHifzIfX9U/1f8u9cn
TkKgow7mMY2U75SzXcpT3vAi9s1KkXWc+QiqrYlJ9Uvo5wkhCvtCJAqX40obMnT8
zEt39rkCgYEAwtHov1zknPekQuePb50W1/JCROyFTTzmbbm3QmgIgQINpzMyZJup
shm4TcV9vODJB7Gni7JKPECPHMPqyy8KUom+NwriC+Nurck2JPe20CWFrPtxrxj9
w/cn5HbEEnUGKOcwkW/DgmdIuwSjM8aNvPyWB5fhsvdRiQeAouIUtbUCgYEA1Ox5
/VdatZ7hKho9dn0/vnNVWN2LVnSTCQKhfjjquyh9wNVLHeeEu5+ZzTshViGh32tM
rRXPFBZnBQXr+1hOm70XNauv5saxRbs186Z+agREnklVZNoYZXCl81+L9gVAlz9V
BD+uXZN1E+QCcLtiv9v6bwkpe5/fywfCWVLDHeMCgYEAkr1u1OyQGZcBt48Y39Xv
xdnohmeshB/R5GXVHgSkGx/DzuNmGpeQ+uAajSGq8qBRayUp8LPq7HUoFl+PM1mM
Kd0sU+MzngbBb861pKScoy0QAdomp99oDLnV52R5jPluGVMBpxoKpedLxenZT39H
dUi/bJq+2oEkfdUT1Bv7w10CgYAq8AUpsZP5TDDb7K64Vkmkfl2XrhWLObbs+jrW
2WN8mo3BdUHQpf9+VpENcf8m/2FFTL4JqXw48MuVl7we05AGl/s2N4khYLAe/8HB
gLG9b17nDKLL069XxX+xtHLlCeoclgju8miXNkVF3ZUgZqljR1kZSx+ybmsS5l2q
5aWzQQKBgB6HbdqdFAZ2Uzn+ZXqJhELMh6f64/6PJ0cMvzNI2ldRtUhD7cZfaIju
DzXCEULpV947c7DcYOAo8XXS2BvXrdx4T3+J1580MZaADYAONiGU38U5m8DLmuZq
2Jrsh26sUtN77h5YJJ7KZvR3MJiDDbZHohHpSfZux9UkBsqbuu7i
-----END RSA PRIVATE KEY-----
[root@hdss7-21 certs]# cat /opt/kubernetes/server/bin/certs/kube-proxy-client-key.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAognLFwxGyuDSwtdJ/g83OXyf7nSCZ9rSGKGqg3NMr4fVNRcz
DaZZ3H2rY06vRGMqb6wMoIXxnIf7QQjivKsbhwXbYckI97DCuUL/HpBz220yQlEL
9CloVFVTh5oEbGsX7WFtuL9T3GVE9EjjAT/xQFWwVqf+ryEBV7YV5lAJqj6r7rQW
84to+uH3+ko12+/a0wkjQiinpgcG6APo1j2M/T/THukqWTiatW8lrUwdp9Yow+mS
/q1TgVcCHWsc4ewMRR9lFta2mqVeWJhp5agHMlLbpVT4hU1oUHWheksDfHXeZxCu
pgwtGm44f05CYP6PCpSt5wFjyARNj7HyM9GgfwIDAQABAoIBAGF7aM3V2eUFumXz
ZRVODBgujHzFZQqbz1d4Mv/f5puXKUJGUbV9hYQrqmcVGEYZLpd+Nx5/VmqoOBTZ
BqcgfXAOqvu6GQYCNjOERb0ahEjW+ayB26IpIxXRO25RzyV2jC+INJ03pXjrB7+6
9a5zzGy64FpRuNudDJS6+5PSRO5Azpt+5b88xB/euNBjew7qaQs6h2RHdmGypLBQ
yOC+c78/QUl8vLz85DFMO3bEp6n6y8Vox7wb8YeWPn6puAXHifzIfX9U/1f8u9cn
TkKgow7mMY2U75SzXcpT3vAi9s1KkXWc+QiqrYlJ9Uvo5wkhCvtCJAqX40obMnT8
zEt39rkCgYEAwtHov1zknPekQuePb50W1/JCROyFTTzmbbm3QmgIgQINpzMyZJup
shm4TcV9vODJB7Gni7JKPECPHMPqyy8KUom+NwriC+Nurck2JPe20CWFrPtxrxj9
w/cn5HbEEnUGKOcwkW/DgmdIuwSjM8aNvPyWB5fhsvdRiQeAouIUtbUCgYEA1Ox5
/VdatZ7hKho9dn0/vnNVWN2LVnSTCQKhfjjquyh9wNVLHeeEu5+ZzTshViGh32tM
rRXPFBZnBQXr+1hOm70XNauv5saxRbs186Z+agREnklVZNoYZXCl81+L9gVAlz9V
BD+uXZN1E+QCcLtiv9v6bwkpe5/fywfCWVLDHeMCgYEAkr1u1OyQGZcBt48Y39Xv
xdnohmeshB/R5GXVHgSkGx/DzuNmGpeQ+uAajSGq8qBRayUp8LPq7HUoFl+PM1mM
Kd0sU+MzngbBb861pKScoy0QAdomp99oDLnV52R5jPluGVMBpxoKpedLxenZT39H
dUi/bJq+2oEkfdUT1Bv7w10CgYAq8AUpsZP5TDDb7K64Vkmkfl2XrhWLObbs+jrW
2WN8mo3BdUHQpf9+VpENcf8m/2FFTL4JqXw48MuVl7we05AGl/s2N4khYLAe/8HB
gLG9b17nDKLL069XxX+xtHLlCeoclgju8miXNkVF3ZUgZqljR1kZSx+ybmsS5l2q
5aWzQQKBgB6HbdqdFAZ2Uzn+ZXqJhELMh6f64/6PJ0cMvzNI2ldRtUhD7cZfaIju
DzXCEULpV947c7DcYOAo8XXS2BvXrdx4T3+J1580MZaADYAONiGU38U5m8DLmuZq
2Jrsh26sUtN77h5YJJ7KZvR3MJiDDbZHohHpSfZux9UkBsqbuu7i
-----END RSA PRIVATE KEY-----

可以看到从config转换出来的证书和kube-proxy-client-key.pem的证书一样。

1.3 集群证书架构

1.3.1 k8s集群架构

1.3.2 证书总结

一套根证书生成五套证书，其中服务端证书三套，客户端证书两套，共计六套证书。
由于kube-proxy比较特殊，所以单独使用一套客户端证书。

1.3.3 证书架构

利用kubeconfig文件生成证书：https://blog.csdn.net/ll837448792/article/details/103658502
kubeadm安装证书路径：/etc/kubernetes/pki