apiserver 组件启动需要 TLS 证书，既可以签发 peer 证书，也可以签发 server 证书。
这里签发 server 证书。
PS：hosts 字段为 apiserver 部署节点的信息（IP 与域名）；这些值会写入证书的 SANs，客户端访问 apiserver 时使用的地址若未列在其中，TLS 校验将失败。
[root@rstx-53 certs]# vi apiserver-csr.json
{
"CN": "k8s-apiserver",
"hosts": [
"127.0.0.1",
"10.254.0.1",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"192.168.1.200",
"192.168.1.203",
"192.168.1.204",
"192.168.1.205"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
生成证书
# Issue the apiserver server certificate: sign apiserver-csr.json with the
# cluster CA (ca.pem / ca-key.pem) using the "server" profile defined in
# ca-config.json, then let cfssl-json write the bare files
# apiserver.pem, apiserver-key.pem and apiserver.csr.
# The "hosts" entries of the CSR become the certificate's SANs, so every
# address clients use to reach the apiserver must be listed there.
# NOTE(review): apiserver-key.pem is the private key — restrict its file
# permissions to the account that runs the apiserver.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=server \
  apiserver-csr.json |
  cfssl-json -bare apiserver
验证
[root@rstx-53 certs]# ls apiserver*
apiserver.csr apiserver-csr.json apiserver-key.pem apiserver.pem
[root@rstx-53 certs]# cfssl-certinfo -cert=/opt/certs/apiserver.pem
{
"subject": {
"common_name": "k8s-apiserver",
"country": "CN",
"organization": "od",
"organizational_unit": "ops",
"locality": "beijing",
"province": "beijing",
"names": [
"CN",
"beijing",
"beijing",
"od",
"ops",
"k8s-apiserver"
]
},
"issuer": {
"common_name": "RSTX",
"country": "CN",
"organization": "od",
"organizational_unit": "ops",
"locality": "beijing",
"province": "beijing",
"names": [
"CN",
"beijing",
"beijing",
"od",
"ops",
"RSTX"
]
},
"serial_number": "593416458441048481251251171309394845676924141124",
"sans": [
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"127.0.0.1",
"10.254.0.1",
"192.168.1.200",
"192.168.1.203",
"192.168.1.204",
"192.168.1.205"
]
}