k8s deployment - 1. Self-signed TLS certificates



Component        Certificates used
etcd             ca.pem, server.pem, server-key.pem
kube-apiserver   ca.pem, server.pem, server-key.pem
kubelet          ca.pem, ca-key.pem
kube-proxy       ca.pem, kube-proxy.pem, kube-proxy-key.pem
kubectl          ca.pem, admin.pem, admin-key.pem



1. Install the certificate generation tool cfssl

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

chmod +x cfssl_linux-amd64  cfssljson_linux-amd64  cfssl-certinfo_linux-amd64

mv  cfssl_linux-amd64 /usr/local/bin/cfssl

mv  cfssljson_linux-amd64  /usr/local/bin/cfssljson

mv  cfssl-certinfo_linux-amd64  /usr/local/bin/cfssl-certinfo



2. Generate the CA certificate

Create the ssl directory

mkdir -p /tools/ssl
cd /tools/ssl

Create the ca-csr.json file

{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shanghai",
            "ST": "Shanghai",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

Run the command that generates the CA certificate and key from ca-csr.json (produces ca.pem and ca-key.pem):

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -



3. Generate the server certificate

First create the ca-config.json file (the signing profile used by every certificate below):

{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "kubernetes": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

Create the server-csr.json file (the hosts list must contain every IP and DNS name the apiserver and etcd are reached by):

{
    "CN": "kubernetes",
    "hosts": [
      "127.0.0.1",
      "192.168.112.134",
      "192.168.112.135",
      "192.168.112.136",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shanghai",
            "ST": "Shanghai",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

Run the command that generates the server certificate from server-csr.json (produces server.pem and server-key.pem):

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server



4. Generate the admin certificate

The ca-config.json file must already exist (created in step 3).

Then create the admin-csr.json file:

{
    "CN": "admin",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shanghai",
            "ST": "Shanghai",
            "O": "system:masters",
            "OU": "System"
        }
    ]
}

Run the command that generates the admin certificate from admin-csr.json (produces admin.pem and admin-key.pem):

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin



5. Generate the kube-proxy certificate

The ca-config.json file must already exist (created in step 3).

Then create the kube-proxy-csr.json file:

{
    "CN": "system:kube-proxy",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shanghai",
            "ST": "Shanghai",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

Run the command that generates the kube-proxy certificate from kube-proxy-csr.json (produces kube-proxy.pem and kube-proxy-key.pem):

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
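Steps 2 to 5 as one script (an added example, not code from the original post): it writes the same ca-config.json and CSR files, issues the CA, server, admin and kube-proxy certificates, and then checks what the steps above never check: that each issued certificate chains to ca.pem, that server.pem carries every address the apiserver is reached by, and that admin.pem really carries O=system:masters (Kubernetes maps that group to the cluster-admin binding and the apiserver does no certificate revocation, so that key deserves the 0600 mode cfssljson gives it). It assumes cfssl, cfssljson and cfssl-certinfo from step 1 plus openssl are on PATH, and that the output directory and the apiserver IPs are passed as arguments (the post's /tools/ssl and 192.168.112.134-136 are the values to pass); the function names and the compact JSON layout are my own.

```shell
#!/bin/sh
# Added example: generate and verify the k8s certificate set from the post.
# Assumes cfssl, cfssljson, cfssl-certinfo and openssl are on PATH.
set -eu

# Subject fields copied from the post's CSR files; O is filled in per certificate.
NAMES='{"C":"CN","L":"Shanghai","ST":"Shanghai","O":"%s","OU":"System"}'

# Write a CSR file. $1 = path, $2 = CN, $3 = O, $4 = JSON array of hosts (SANs).
write_csr() {
    printf '{"CN":"%s","hosts":%s,"key":{"algo":"rsa","size":2048},"names":['"$NAMES"']}\n' \
        "$2" "$4" "$3" > "$1"
}

# The signing profile from step 3: 10-year expiry, server and client auth.
write_ca_config() {
    cat > "$1" <<'EOF'
{"signing":{"default":{"expiry":"87600h"},"profiles":{"kubernetes":{"expiry":"87600h","usages":["signing","key encipherment","server auth","client auth"]}}}}
EOF
}

# JSON array of SANs for server.pem: loopback, the apiserver IPs given as
# arguments, and the in-cluster service names from the post.
server_hosts() {
    hosts='"127.0.0.1"'
    for h in "$@"; do hosts="$hosts,\"$h\""; done
    for n in kubernetes.default kubernetes.default.svc \
             kubernetes.default.svc.cluster kubernetes.default.svc.cluster.local; do
        hosts="$hosts,\"$n\""
    done
    printf '[%s]' "$hosts"
}

# Issue one certificate from the CA. $1 = base name (server, admin, kube-proxy).
issue() {
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
        -profile=kubernetes "$1-csr.json" | cfssljson -bare "$1"
}

# Fail unless $2 chains to the CA in $1 and its subject O is exactly $3.
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null
    cfssl-certinfo -cert "$2" | grep -qF "\"organization\": \"$3\""
}

# Fail unless every host given after the certificate appears in its SANs.
check_sans() {
    cert=$1; shift
    info=$(cfssl-certinfo -cert "$cert")
    for h in "$@"; do
        printf '%s\n' "$info" | grep -qF "\"$h\"" || { echo "missing SAN: $h" >&2; return 1; }
    done
}

# $1 = output directory, remaining arguments = apiserver IPs. Runs in a subshell
# so the cd does not leak into the caller.
gen_all() (
    out=$1; shift
    mkdir -p "$out" && cd "$out"
    write_ca_config ca-config.json
    write_csr ca-csr.json kubernetes k8s '[]'
    write_csr server-csr.json kubernetes k8s "$(server_hosts "$@")"
    write_csr admin-csr.json admin system:masters '[]'
    write_csr kube-proxy-csr.json system:kube-proxy k8s '[]'
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
    for name in server admin kube-proxy; do issue "$name"; done
    check_cert ca.pem server.pem k8s
    check_sans server.pem 127.0.0.1 "$@" kubernetes.default.svc.cluster.local
    check_cert ca.pem admin.pem system:masters
    check_cert ca.pem kube-proxy.pem k8s
    chmod 600 ./*-key.pem   # cfssljson already uses 0600; re-assert it for the private keys
    rm -f ./*.csr           # the CSRs are not needed once the certificates are signed
)

# Usage: sh gen-k8s-certs.sh /tools/ssl 192.168.112.134 192.168.112.135 192.168.112.136
if [ $# -ge 2 ]; then
    gen_all "$@"
fi
```

If an apiserver address is ever added, rerun the script with the new IP in the argument list and redistribute server.pem and server-key.pem: a name or IP missing from the SAN list is the most common reason for kube-apiserver and etcd TLS handshakes to fail after this procedure.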