创建TLS证书和密钥
安装CFSSL
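# Install the CFSSL R1.2 toolchain (cfssl, cfssljson, cfssl-certinfo) into
# /usr/local/bin. The binaries are fetched over HTTPS only; nothing here
# authenticates their contents, so verify them against digests taken from the
# upstream release before installing: point CFSSL_SHA256SUMS at a
# sha256sum(1)-format file listing the expected digest of each download
# (constructed example line: "<sha256 from release>  cfssl_linux-amd64").
# When the variable is unset the check is skipped, matching the old behaviour.
cfssl_base=https://pkg.cfssl.org/R1.2
for tool in cfssl cfssljson cfssl-certinfo; do
  wget "${cfssl_base}/${tool}_linux-amd64"
done
if [[ -n "${CFSSL_SHA256SUMS:-}" ]]; then
  sha256sum -c -- "$CFSSL_SHA256SUMS" || exit 1
fi
for tool in cfssl cfssljson cfssl-certinfo; do
  # install(1) sets the mode atomically instead of chmod + mv.
  install -m 0755 -- "${tool}_linux-amd64" "/usr/local/bin/${tool}"
  rm -f -- "${tool}_linux-amd64"
done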
创建CA
创建CA配置文件
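# Working directory for the CA material. Private keys will be written here,
# so create it owner-only; -p keeps a re-run from failing on an existing dir.
mkdir -p -m 0700 /root/ssl
# Stop if the cd fails, otherwise every file below lands in the wrong place.
cd /root/ssl || exit 1
# Reference templates only; the real ca-config.json / *-csr.json are written
# by the steps that follow.
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json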
# ca-config.json, written in the layout of the config.json template above.
# A single signing profile ("kubernetes") serves every certificate in this
# guide, so it carries both "server auth" and "client auth"; the expiry of
# 87600h (10 years) applies to the default and to the profile alike.
# The delimiter is quoted because the body contains nothing to expand.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
创建CA证书签名请求
创建 ca-csr.json 文件,内容如下:
# ca-csr.json: subject and key parameters for the self-signed CA.
# NOTE(review): the CA's CN ("kubernetes") is the same as the CN of the
# server certificate issued below; some path builders are happier when the
# issuer and leaf subjects differ, so a distinct CA name is worth confirming.
# RSA 2048 and a 10-year (87600h) CA lifetime are kept as the author wrote
# them. Quoted delimiter: nothing in the body needs expansion.
cat > ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shenzhen",
      "L": "Shenzhen",
      "O": "k8s",
      "OU": "System"
    }
  ],
  "ca": {
    "expiry": "87600h"
  }
}
EOF
生成CA证书和私钥
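# Generate the self-signed CA; cfssljson writes ca.pem, ca-key.pem and ca.csr.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# ca-key.pem can issue any identity this cluster will trust (the admin cert
# below is signed with it), so do not rely on the tool's default file mode:
# make it owner-readable only. Per the table later on it belongs on the
# master only and must never be copied to nodes.
chmod 0600 ca-key.pem
ls ca*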
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
创建kubernetes证书
- 创建kubernetes证书签名请求文件
创建 kubernetes 证书签名请求文件 kubernetes-csr.json
# kubernetes-csr.json: CSR for the serving certificate shared by etcd and the
# API server. "hosts" becomes the certificate's SAN list; every address a
# client may use to reach those services must be listed (the 192.168.255.x
# entries are presumably the master/etcd/node addresses, 10.254.0.1 the
# cluster IP of the "kubernetes" service — confirm against the cluster).
# Quoted delimiter: the body contains no shell expansions.
cat > kubernetes-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.255.194",
    "192.168.255.195",
    "192.168.255.196",
    "192.168.255.190",
    "192.168.255.191",
    "192.168.255.192",
    "192.168.255.200",
    "192.168.255.201",
    "192.168.255.202",
    "192.168.255.199",
    "192.168.255.198",
    "192.168.255.197",
    "10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shenzhen",
      "L": "Shenzhen",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
- 生成 kubernetes 证书和私钥
# Issue the etcd / API server serving certificate from the CA with the
# "kubernetes" profile; cfssljson writes kubernetes.pem, kubernetes-key.pem
# and kubernetes.csr.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kubernetes-csr.json \
  | cfssljson -bare kubernetes
ls kubernetes*
创建Admin证书
- 创建Admin证书签名请求文件
# admin-csr.json: client certificate for the cluster administrator.
# Kubernetes takes the CN as the user name and O as the group; "system:masters"
# is the bootstrap superuser group, so any holder of admin.pem is effectively
# cluster-admin. The API server checks no revocation list, so this credential
# can only be withdrawn by rotating the CA — guard admin-key.pem accordingly.
# "hosts" is empty because a client certificate needs no SANs.
cat > admin-csr.json <<'EOF'
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shenzhen",
      "L": "Shenzhen",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
- 生成admin证书和私钥
# Issue the admin client certificate; cfssljson writes admin.pem,
# admin-key.pem and admin.csr.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json \
  | cfssljson -bare admin
ls admin*
创建kube-proxy证书
- 创建kube-proxy证书签名请求文件
# kube-proxy-csr.json: client certificate for kube-proxy. The CN
# "system:kube-proxy" becomes the user name (presumably the one the default
# kube-proxy RBAC binding expects — confirm against the cluster's bindings).
# "hosts" is empty: a client certificate needs no SANs.
cat > kube-proxy-csr.json <<'EOF'
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shenzhen",
      "L": "Shenzhen",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
- 生成kube-proxy客户端证书和私钥
# Issue the kube-proxy client certificate; cfssljson writes kube-proxy.pem,
# kube-proxy-key.pem and kube-proxy.csr.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json \
  | cfssljson -bare kube-proxy
校验证书
- 使用openssl命令验证:
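# Inspect the certificate (subject, issuer, validity, SAN list, key usages).
openssl x509 -noout -text -in kubernetes.pem
# Printing only shows the fields; this actually checks that the certificate
# chains to the CA generated above, which is what "verify" should mean here.
openssl verify -CAfile ca.pem kubernetes.pem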
- 使用cfssl-certinfo命令:
# Same inspection with cfssl's own tool (JSON output).
cfssl-certinfo -cert=kubernetes.pem
分发证书
到现在我们已经生成的证书文件有:
[root@master script]# ls /etc/kubernetes/ssl/
admin-key.pem admin.pem ca-key.pem ca.pem kube-proxy-key.pem kube-proxy.pem kubernetes-key.pem kubernetes.pem
接下来将生成的证书和密钥文件(后缀名为.pem)拷贝到对应机器的 /etc/kubernetes/ssl 目录下备用;
各组件所需要证书文件如下:
组件 | 所需证书文件 |
---|---|
etcd | ca.pem、kubernetes-key.pem、kubernetes.pem |
apiserver | ca.pem、kubernetes-key.pem、kubernetes.pem |
master | admin-key.pem、admin.pem 、ca-key.pem、 ca.pem |
node | ca.pem、kube-proxy-key.pem、kube-proxy.pem |
etcd 节点上共用kubernetes的证书文件
复制对应证书到各组件节点上
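# Install the generated material under /etc/kubernetes/ssl. Private keys get
# mode 0600 (cp would inherit the umask), certificates 0644.
mkdir -p /etc/kubernetes/ssl
for f in *.pem; do
  [[ -e "$f" ]] || continue   # no match: leave the literal pattern alone
  case "$f" in
    *-key.pem) install -m 0600 -- "$f" /etc/kubernetes/ssl/ ;;
    *)         install -m 0644 -- "$f" /etc/kubernetes/ssl/ ;;
  esac
done
# Per the table above only the master needs ca-key.pem; on etcd-only and
# node hosts remove it after copying, since with it anyone on the host can
# mint arbitrary cluster credentials:
#   rm -f -- /etc/kubernetes/ssl/ca-key.pem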
参考: jimmysong博客