  • 五、为api server自签证书

    1、创建CA配置json文件

    [root@k8s-master01 k8s]# cat ca-csr.json 
    {
        "CN": "kubernetes",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "HuBei",
                "ST": "WuHan",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
    
    [root@k8s-master01 k8s]# cat ca-config.json 
    {
      "signing": {
        "default": {
          "expiry": "876000h"
        },
        "profiles": {
          "kubernetes": {
             "expiry": "876000h",
             "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
          }
        }
      }
    }

    2、创建 apiserver（及 kube-proxy）证书所需的配置文件

    [root@k8s-master01 k8s]# cat kube-proxy-csr.json 
    {
      "CN": "system:kube-proxy",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "HuBei",
          "ST": "WuHan",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    
    
    [root@k8s-master01 k8s]# cat server-csr.json 
    {
        "CN": "kubernetes",
        "hosts": [
          "10.0.0.1",
          "127.0.0.1",
          "kubernetes",
          "kubernetes.default",
          "kubernetes.default.svc",
          "kubernetes.default.svc.cluster",
          "kubernetes.default.svc.cluster.local",
          "10.16.8.150",
          "10.16.8.151",
          "10.16.8.156",
          "10.16.8.155",
          "10.16.8.164"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "HuBei",
                "ST": "WuHan",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
    
    注：hosts 中的最后几个 IP 是访问 apiserver 时会用到的地址（它们会写入证书的 SAN，必须与客户端实际连接的地址一致，否则 TLS 校验失败），一般为 master 集群的所有 IP，以及负载均衡 LB 的所有 IP 和 VIP。本文中的 IP：
          "10.16.8.150",  master01
          "10.16.8.151",   master02
          "10.16.8.156",   LB
          "10.16.8.155",   备用IP
          "10.16.8.164"    备用IP

    3、自建CA

    [root@k8s-master01 k8s]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

    4、生成证书

    [root@k8s-master01 k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
    2019/11/04 16:59:08 [INFO] generate received request
    2019/11/04 16:59:08 [INFO] received CSR
    2019/11/04 16:59:08 [INFO] generating key: rsa-2048
    2019/11/04 16:59:09 [INFO] encoded CSR
    2019/11/04 16:59:09 [INFO] signed certificate with serial number 710468047565346200192196031945671979263159074343
    2019/11/04 16:59:09 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").
    
    
    [root@k8s-master01 k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
    2019/11/04 16:59:23 [INFO] generate received request
    2019/11/04 16:59:23 [INFO] received CSR
    2019/11/04 16:59:23 [INFO] generating key: rsa-2048
    2019/11/04 16:59:23 [INFO] encoded CSR
    2019/11/04 16:59:23 [INFO] signed certificate with serial number 632011921807538541174903390077695048984832013926
    2019/11/04 16:59:23 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").

    5、会生成以下证书与私钥（*-key.pem 为私钥，权限为 0600，仅 root 可读；其中 ca-key.pem 是集群证书的信任根，需严格保管）

    [root@k8s-master01 k8s]# ll *.pem
    -rw------- 1 root root 1679 11月  4 16:58 ca-key.pem
    -rw-r--r-- 1 root root 1346 11月  4 16:58 ca.pem
    -rw------- 1 root root 1679 11月  4 16:59 kube-proxy-key.pem
    -rw-r--r-- 1 root root 1395 11月  4 16:59 kube-proxy.pem
    -rw------- 1 root root 1675 11月  4 16:59 server-key.pem
    -rw-r--r-- 1 root root 1643 11月  4 16:59 server.pem
  • 原文地址:https://www.cnblogs.com/xw115428/p/11955973.html