Kubernetes in practice, part 2: creating TLS certificates and keys

Posted by 百聯達 on 2018-03-13
1. Introduction
Every Kubernetes cluster has a cluster root certificate authority (CA). Components in the cluster generally use this CA to verify the API server's certificate, and the API server in turn uses it to verify kubelet client certificates, and so on. To support this, the CA certificate bundle is distributed to every node in the cluster and is also attached as a secret to the default service account.

The certificate and key files generated are:
ca-key.pem
ca.pem
kubernetes-key.pem
kubernetes.pem
kube-proxy.pem
kube-proxy-key.pem
admin.pem
admin-key.pem
Components that use the certificates:
etcd: uses ca.pem, kubernetes-key.pem, kubernetes.pem;
kube-apiserver: uses ca.pem, kubernetes-key.pem, kubernetes.pem;
kubelet: uses ca.pem;
kube-proxy: uses ca.pem, kube-proxy-key.pem, kube-proxy.pem;
kubectl: uses ca.pem, admin-key.pem, admin.pem;
kube-controller-manager: uses ca-key.pem, ca.pem

Node layout of the Kubernetes cluster:
10.116.137.196   k8s_master
10.116.82.28     k8s_node1
10.116.36.57     k8s_node2

2. Installing CFSSL


wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
export PATH=/usr/local/bin:$PATH

3. Creating the CA (Certificate Authority)
mkdir /root/ssl
cd /root/ssl
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json

config.json

{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}

csr.json

{
    "CN": "example.net",
    "hosts": [
        "example.net",
        ""
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
# Following the format of config.json, create the ca-config.json shown below.
# The expiry is set to 87600h.
ca-config.json

{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "kubernetes": {
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ],
                "expiry": "87600h"
            }
        }
    }
}
ca-csr.json

{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
Generate the CA certificate and private key:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

4. Creating the kubernetes certificate
kubernetes-csr.json

{
    "CN": "kubernetes",
    "hosts": [
        "127.0.0.1",
        "10.116.137.196",
        "10.116.82.28",
        "10.116.36.57",
        "10.254.0.1",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
Generate the kubernetes certificate and private key:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes

5. Creating the admin certificate
admin-csr.json

{
    "CN": "admin",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "system:masters",
            "OU": "System"
        }
    ]
}
Generate the admin certificate and private key:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

6. Creating the kube-proxy certificate
kube-proxy-csr.json

{
    "CN": "system:kube-proxy",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
Generate the kube-proxy client certificate and private key:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
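As an added example (not code from the original post), the Python below builds the three CSR documents from sections 4 to 6 out of the post's node addresses and runs the checks worth settling before signing with the single "kubernetes" profile from ca-config.json: that the profile carries the key usage the certificate needs, that the API server certificate has SANs, that O=system:masters is recognised as the cluster-admin credential it is, and that the ten-year expiry is flagged. The constants mirror the post's files; the function names are this example's own.

```python
import json
# Constructed from the post's values: the node IPs, the service cluster IP
# 10.254.0.1 and the in-cluster DNS names of the API server.
NODE_IPS = ["10.116.137.196", "10.116.82.28", "10.116.36.57"]
SERVICE_CLUSTER_IP = "10.254.0.1"
SERVICE_DNS_NAMES = ["kubernetes", "kubernetes.default", "kubernetes.default.svc",
                     "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local"]
SUBJECT = {"C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System"}
KEY = {"algo": "rsa", "size": 2048}
# ca-config.json as the post defines it: one profile for both server and client use.
CA_CONFIG = {"signing": {"default": {"expiry": "87600h"}, "profiles": {"kubernetes": {
    "usages": ["signing", "key encipherment", "server auth", "client auth"],
    "expiry": "87600h"}}}}

def apiserver_csr(node_ips, cluster_ip):
    """kubernetes-csr.json: every IP or name a client dials must be in hosts."""
    hosts = ["127.0.0.1", *node_ips, cluster_ip, *SERVICE_DNS_NAMES]
    return {"CN": "kubernetes", "hosts": hosts, "key": KEY, "names": [SUBJECT]}

def client_csr(cn, org):
    """admin/kube-proxy CSR: hosts stays empty; the API server reads the user from CN, groups from O."""
    return {"CN": cn, "hosts": [], "key": KEY, "names": [{**SUBJECT, "O": org}]}

def review_csr(csr, profile, kind, ca_config=CA_CONFIG):
    """Findings to settle before `cfssl gencert -profile=<profile>`; kind is "server" or "client"."""
    prof = ca_config["signing"]["profiles"].get(profile)
    if prof is None:
        return [f"profile {profile!r} is not defined in ca-config.json"]
    findings = []
    needed = "server auth" if kind == "server" else "client auth"
    if needed not in prof["usages"]:
        findings.append(f"profile {profile!r} lacks {needed!r}")
    if kind == "server" and not csr["hosts"]:
        findings.append("server certificate has no hosts (SANs)")
    if any(n.get("O") == "system:masters" for n in csr["names"]):
        findings.append("O=system:masters is bound to cluster-admin; guard this key like root")
    if int(prof["expiry"].rstrip("h")) > 8760:
        findings.append(f"expiry {prof['expiry']} exceeds one year; plan for rotation")
    return findings

def write_csr_files(directory="."):
    """Write the three CSR files the post feeds to cfssl; return each one's review."""
    csrs = {"kubernetes": (apiserver_csr(NODE_IPS, SERVICE_CLUSTER_IP), "server"),
            "admin": (client_csr("admin", "system:masters"), "client"),
            "kube-proxy": (client_csr("system:kube-proxy", "k8s"), "client")}
    for name, (csr, _) in csrs.items():
        with open(f"{directory}/{name}-csr.json", "w") as f:
            json.dump(csr, f, indent=4)
    return {name: review_csr(csr, "kubernetes", kind) for name, (csr, kind) in csrs.items()}
```

Run write_csr_files() in /root/ssl and the generated files drop straight into the cfssl gencert commands above.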

7. Verifying the certificates
Example: cfssl-certinfo -cert kubernetes.pem

8. Distributing the certificates

Copy the generated certificate and key files (those with the .pem suffix) to the /etc/kubernetes/ssl directory on every machine for later use:
mkdir -p /etc/kubernetes/ssl
cp *.pem /etc/kubernetes/ssl
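As an added example (not from the original post), the Python below stages certificates per host role using the component table from section 1, so that ca-key.pem and admin-key.pem only land where kube-controller-manager and kubectl actually run, and audits a directory that received a blanket copy. Which components run on which host is an assumption of this example; the file table itself is the post's.

```python
import os
import shutil
import tempfile
# File-to-component table from the first section of the post. Only
# kube-controller-manager needs ca-key.pem, and only kubectl needs admin-key.pem.
COMPONENT_FILES = {
    "etcd": ["ca.pem", "kubernetes-key.pem", "kubernetes.pem"],
    "kube-apiserver": ["ca.pem", "kubernetes-key.pem", "kubernetes.pem"],
    "kube-controller-manager": ["ca-key.pem", "ca.pem"],
    "kubelet": ["ca.pem"],
    "kube-proxy": ["ca.pem", "kube-proxy-key.pem", "kube-proxy.pem"],
    "kubectl": ["ca.pem", "admin-key.pem", "admin.pem"],
}
# Which components run where is an assumption of this example, not from the post.
ROLES = {"master": ["etcd", "kube-apiserver", "kube-controller-manager", "kubectl"],
         "node": ["kubelet", "kube-proxy"]}

def files_for(role):
    """Sorted list of the .pem files a host of this role actually needs."""
    return sorted({f for c in ROLES[role] for f in COMPONENT_FILES[c]})

def stage_for_role(role, src_dir, dest_dir):
    """Copy only what `role` needs into dest_dir, keys owner-readable only; return the names."""
    os.makedirs(dest_dir, mode=0o755, exist_ok=True)
    copied = []
    for name in files_for(role):
        dst = os.path.join(dest_dir, name)
        shutil.copyfile(os.path.join(src_dir, name), dst)
        os.chmod(dst, 0o600 if name.endswith("-key.pem") else 0o644)
        copied.append(name)
    return copied

def audit_dir(role, ssl_dir):
    """Return .pem files in ssl_dir that `role` has no use for (what `cp *.pem` over-shares)."""
    needed = set(files_for(role))
    return sorted(f for f in os.listdir(ssl_dir) if f.endswith(".pem") and f not in needed)

def demo():
    """Exercise both helpers on empty placeholder files; return (staged for a node, left by cp *.pem)."""
    all_pems = sorted({f for fs in COMPONENT_FILES.values() for f in fs})
    with tempfile.TemporaryDirectory() as tmp:
        blanket = os.path.join(tmp, "blanket")  # a host after `cp *.pem /etc/kubernetes/ssl`
        os.makedirs(blanket)
        for name in all_pems:
            open(os.path.join(blanket, name), "w").close()
        staged = stage_for_role("node", blanket, os.path.join(tmp, "node"))
        leaked = audit_dir("node", blanket)
    return staged, leaked
```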


From the ITPUB blog, link: http://blog.itpub.net/28624388/viewspace-2151773/. Please cite the source when reposting; otherwise legal liability will be pursued.
