Kubernetes学習ノート(一):Kubernetes-1.7.x TLS証明書と鍵の作成
CFSSL のインストール
# Fetch the cfssl tool set (cfssl, cfssljson, cfssl-certinfo) from the R1.2
# release straight into /usr/local/bin and mark the files executable.
# Nothing in these four lines checks what was downloaded: there is no checksum
# or signature comparison before the binaries become executables on PATH.
# Compare each file against the checksum published with the release before the
# chmod, and prefer downloading to a scratch directory first.
# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
# chmod +x /usr/local/bin/cfssl*
CA(Certificate Authority)
# Create the CA signing configuration: dump cfssl's defaults to ca-config.json,
# then edit the file so that it matches the listing shown below.
# Two things in that "kubernetes" profile deserve attention: "usages" grants both
# "server auth" and "client auth", so any certificate signed with it can also be
# presented as a client credential; and "expiry" is 87600h (ten years), so a
# leaf certificate that must be retired has to be replaced, it will not expire.
# cfssl print-defaults config > ca-config.json
# cat ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
# Create the CA's certificate signing request template: dump the defaults to
# ca-csr.json and edit it to the listing below. "CN" and the "names" entry become
# the issuer fields of every certificate on this page (compare the issuer block
# in the cfssl-certinfo output at the end: organization "k8s", common_name
# "kubernetes").
# cfssl print-defaults csr > ca-csr.json
# cat ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
# Self-sign the CA from ca-csr.json; cfssljson writes ca.pem and ca-key.pem,
# which every gencert call below passes through -ca / -ca-key.
# ca-key.pem can mint a credential for any component on this page, so keep it
# on the machine that issues certificates only and leave it out of the copy to
# /etc/kubernetes/ssl on hosts that merely need to trust ca.pem.
# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
kube-apiserver
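# Create the kube-apiserver CSR template and edit it to the listing below.
# The redirect now targets kube-apiserver-csr.json, the file the following cat
# reads; the original wrote to kubernetes-csr.json and then read a file it had
# never created.
# The two annotation lines that stood here were garbled in this copy; what
# survives of them mentions the kube-apiserver API, an "Unauthorized" response,
# and ["O": "system:masters"]. In a Kubernetes client certificate CN is the user
# name and O the group name, and the group system:masters is bound to
# cluster-admin by default, so the "O" value decides what this key can do when
# presented as a client (the signing profile above includes "client auth").
# Reconcile the value before use: the listing below says "O": "k8s", while the
# cfssl-certinfo output at the end of the page shows organization
# "system:masters" and the service IP 10.10.0.1 instead of the 10.254.0.1 in
# "hosts" -- that output appears to come from a different CSR.
# "hosts" should cover every address the API server is reached by: loopback,
# the first IP of the service CIDR, the master node IPs and the in-cluster DNS
# names of the kubernetes service, as listed below.
# cfssl print-defaults csr > kube-apiserver-csr.json
# cat kube-apiserver-csr.json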
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"10.254.0.1",
"192.168.100.110",
"192.168.100.111",
"192.168.100.112",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
# Sign the kube-apiserver request with the CA under the "kubernetes" profile;
# cfssljson writes kube-apiserver.pem and kube-apiserver-key.pem.
# Because that profile also carries "client auth", the resulting pair is a client
# credential for whatever CN/O the CSR carried, not only a server certificate.
# cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kube-apiserver-csr.json | cfssljson -bare kube-apiserver
kube-controller-manager
# Create the kube-controller-manager CSR template and edit it to the listing
# below. "hosts" is empty (a client-only certificate needs no SAN), and
# CN = system:kube-controller-manager is the user name the default RBAC
# bindings for the controller manager expect; O is set to the same string.
# cfssl print-defaults csr > kube-controller-manager-csr.json
# cat kube-controller-manager-csr.json
{
"CN": "system:kube-controller-manager",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:kube-controller-manager",
"OU": "System"
}
]
}
# Sign the kube-controller-manager request (the heading here originally read
# "admin", a leftover from a copied section); cfssljson writes
# kube-controller-manager.pem and kube-controller-manager-key.pem.
# cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
kube-scheduler
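# Create the kube-scheduler CSR template and edit it to the listing below.
# The redirect now targets kube-scheduler-csr.json, the file the following cat
# reads; the original redirected print-defaults to admin-csr.json and then read
# a file it had never created.
# CN = system:kube-scheduler is the user name the default RBAC bindings for the
# scheduler expect; "hosts" is empty because this is a client-only certificate.
# cfssl print-defaults csr > kube-scheduler-csr.json
# cat kube-scheduler-csr.json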
{
"CN": "system:kube-scheduler",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:kube-scheduler",
"OU": "System"
}
]
}
# Sign the kube-scheduler request (the heading here originally read "admin", a
# leftover from a copied section); cfssljson writes kube-scheduler.pem and
# kube-scheduler-key.pem.
# cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
kubelet
# The kubelet CSR was written with a here-document, but this copy of the page is
# cut off right after the redirect: the "<<" delimiter and the JSON body are
# missing, so the kubelet certificate's CN, O and hosts cannot be recovered from
# here. Use the complete kube-proxy section below as the shape of the file; the
# kubelet identity is normally per node, so its values differ from the
# cluster-wide ones above and must be filled in for each host.
# cat > kubelet-csr.json <
kube-proxy
# Create the kube-proxy CSR template and edit it to the listing below. Note the
# two different names: CN = system:kube-proxy is the user name the default
# system:node-proxier binding expects, and O = system:node-proxier is the group;
# keep both as written.
# cfssl print-defaults csr > kube-proxy-csr.json
# cat kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:node-proxier",
"OU": "System"
}
]
}
# Sign the kube-proxy request under the "kubernetes" profile; cfssljson writes
# kube-proxy.pem and kube-proxy-key.pem.
# cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
# Inspect the issued API server certificate. Check the output below against the
# CSR above: the subject organization is "system:masters" and the sans include
# 10.10.0.1, whereas the listing had "O": "k8s" and 10.254.0.1, and not_after is
# one year after not_before although the profile's expiry is 87600h -- the
# output appears to have been taken from a different run, so trust your own
# output rather than this one.
# Because the subject carries O = system:masters and the signing profile
# includes "client auth", kube-apiserver-key.pem doubles as a cluster-admin
# client credential: make it readable only by the API server's account and keep
# it on the master nodes only.
# cfssl-certinfo -cert kube-apiserver.pem
{
"subject": {
"common_name": "kubernetes",
"country": "CN",
"organization": "system:masters",
"organizational_unit": "System",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"system:masters",
"System",
"kubernetes"
]
},
"issuer": {
"common_name": "kubernetes",
"country": "CN",
"organization": "k8s",
"organizational_unit": "System",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"k8s",
"System",
"kubernetes"
]
},
"serial_number": "533666226632105718421042600083075622217402341392",
"sans": [
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"127.0.0.1",
"10.10.0.1",
"192.168.100.110",
"192.168.100.111",
"192.168.100.112"
],
"not_before": "2017-07-31T08:57:00Z",
"not_after": "2018-07-31T08:57:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "6B:68:CF:57:62:6B:60:7E:F3:2C:AC:1A:20:6F:27:6A:EA:84:98:A8",
"subject_key_id": "3C:6C:67:14:69:F8:42:2A:5C:3C:28:65:B6:A3:95:80:49:A6:6:C",
"pem": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
"
}
# Distribute the files. The cp reads /tmp/ssl, but every command above writes
# to the current directory, so either run them from /tmp/ssl or change the
# source path here.
# "*.pem" also matches ca-key.pem and every *-key.pem, so the private keys land
# in /etc/kubernetes/ssl with whatever mode cp gives them: tighten the modes of
# the key files afterwards, and do not ship ca-key.pem to hosts that only need
# to trust the CA.
# mkdir -p /etc/kubernetes/ssl && cp /tmp/ssl/*.pem /etc/kubernetes/ssl