zoukankan      html  css  js  c++  java
  • Kubernetes 认证

    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -nodes -key ca.key -subj "/CN=cluster.local" -days 10000 -out ca.crt
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -subj "/CN=77.77.0.1" -out server.csr
    echo "subjectAltName=IP:77.77.0.1" > extfile.cnf
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out server.crt -days 10000

    openssl x509 -noout -text -in ./server.crt

    openssl verify -CAfile ca.crt server.crt

    参考文档 https://kubernetes.github.io/docs/admin/authentication/#openssl

    --service-account-private-key-file provided to the controller manager is used to sign service account tokens. The corresponding public key must be provided to the api server with --service-account-key-file, which uses it to verify tokens.

    As a convenience, you can provide a private key to both, and the public key portion of it will be used by the api server to verify token signatures.

    As a further convenience, the api server's private key for it's serving certificate is used to verify service account tokens if you don't specify --service-account-key-file

    --tls-cert-file and --tls-private-key-file are used to provide the serving cert and key to the api server. If you don't specify these, the api server will make a self-signed cert/key-pair and store it at apiserver.crt/apiserver.key

    https://github.com/kubernetes/kubernetes/issues/22351#event-913006676

  • 相关阅读:
    函数二 10
    函数初识 09
    文件操作 08
    数据类型的补充 day07
    小数据池 深浅copy 集合
    python Mysql 多条件查询
    ElasticSearch Python 基本操作
    用PyInstaller把Python代码打包成单个独立的exe可执行文件
    python 编译EXE文件
    Git 创建新分支检查分支
  • 原文地址:https://www.cnblogs.com/zhangeamon/p/6272445.html
Copyright © 2011-2022 走看看