  • Kubernetes Authentication

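    # Create the CA key and a self-signed CA certificate
    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -nodes -key ca.key -subj "/CN=cluster.local" -days 10000 -out ca.crt
    # Create the server key and a CSR whose CN is the server IP
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -subj "/CN=77.77.0.1" -out server.csr
    # Sign the CSR with the CA, adding the IP as a subjectAltName
    echo "subjectAltName=IP:77.77.0.1" > extfile.cnf
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out server.crt -days 10000

    # Inspect the issued certificate
    openssl x509 -noout -text -in ./server.crt

    # Check that the server certificate chains to the CA
    openssl verify -CAfile ca.crt server.crt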

    Reference documentation: https://kubernetes.github.io/docs/admin/authentication/#openssl

    --service-account-private-key-file provided to the controller manager is used to sign service account tokens. The corresponding public key must be provided to the api server with --service-account-key-file, which uses it to verify tokens.

    As a convenience, you can provide a private key to both, and the public key portion of it will be used by the api server to verify token signatures.

    As a further convenience, the api server's private key for its serving certificate is used to verify service account tokens if you don't specify --service-account-key-file.

    --tls-cert-file and --tls-private-key-file are used to provide the serving cert and key to the api server. If you don't specify these, the api server will make a self-signed cert/key-pair and store it at apiserver.crt/apiserver.key

    https://github.com/kubernetes/kubernetes/issues/22351#event-913006676
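
The sign/verify relationship between the two service account flags, as an added example (not from the original page or the Kubernetes project): it signs a constructed token body with one key and shows which key files would verify it, including an unrelated serving key standing in for the fallback case. File names, the token body and the helper function names are assumptions; only the `openssl` CLI is needed.

```shell
#!/bin/sh
# Added example (not from the original page). File names and the token body
# below are constructed for illustration.
set -eu

# Print the public half of a key file. Accepts a private or a public key,
# because the API server uses the public portion of whichever it is given.
pubkey_of() {
    openssl pkey -in "$1" -pubout 2>/dev/null ||
        openssl pkey -pubin -in "$1" -pubout 2>/dev/null
}

# True when the signing key ($1) and the verification key file ($2) are one pair.
keys_match() {
    a=$(pubkey_of "$1") && b=$(pubkey_of "$2") && [ "$a" = "$b" ]
}

# Controller manager side: sign file $2 with private key $1, signature to $3.
sign_token() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }

# API server side: verify signature $3 over file $2 with key file $1.
verify_token() {
    pub=$(mktemp)
    if pubkey_of "$1" > "$pub" &&
        openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$pub"
    return "$rc"
}

demo() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/sa.key" 2048 2>/dev/null      # --service-account-private-key-file
    openssl pkey -in "$d/sa.key" -pubout -out "$d/sa.pub" # --service-account-key-file
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null  # --tls-private-key-file (unrelated key)
    printf '%s' 'constructed-header.constructed-claims' > "$d/token.in"
    sign_token "$d/sa.key" "$d/token.in" "$d/token.sig"
    for k in sa.pub sa.key server.key; do
        if verify_token "$d/$k" "$d/token.in" "$d/token.sig"
        then echo "$k: token accepted"
        else echo "$k: token rejected"
        fi
    done
    keys_match "$d/sa.key" "$d/server.key" || echo "server.key is not the signing key pair"
    rm -rf "$d"
}

demo
```

`keys_match` can be pointed at the real files behind the two flags to confirm they are one pair before restarting either component.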

  • Original article: https://www.cnblogs.com/zhangeamon/p/6272445.html