配置创建证书

我们将使用 CloudFlare's PKI 工具 cfssl 来配置 PKI Infrastructure，然后使用它去创建 Certificate Authority（CA）， 并为 etcd、kube-apiserver、kubelet 以及 kube-proxy 创建 TLS 证书。
Certificate Authority
本节创建用于生成其他 TLS 证书的 Certificate Authority。
新建 CA 配置文件
1
cat > ca-config.json <<EOF
2
{
3
  "signing": {
4
    "default": {
5
      "expiry": "8760h"
6
    },
7
    "profiles": {
8
      "kubernetes": {
9
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
10
        "expiry": "8760h"
11
      }
12
    }
13
  }
14
}
15
EOF
Copied!
新建 CA 凭证签发请求文件:
1
cat > ca-csr.json <<EOF
2
{
3
  "CN": "Kubernetes",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "L": "Portland",
12
      "O": "Kubernetes",
13
      "OU": "CA",
14
      "ST": "Oregon"
15
    }
16
  ]
17
}
18
EOF
Copied!
生成 CA 凭证和私钥:
1
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
Copied!
结果将生成以下两个文件：
1
ca-key.pem
2
ca.pem
Copied!
client 与 server 凭证
本节将创建用于 Kubernetes 组件的 client 与 server 凭证，以及一个用于 Kubernetes admin 用户的 client 凭证。
Admin 客户端凭证
创建 admin client 凭证签发请求文件:
1
cat > admin-csr.json <<EOF
2
{
3
  "CN": "admin",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "L": "Portland",
12
      "O": "system:masters",
13
      "OU": "Kubernetes The Hard Way",
14
      "ST": "Oregon"
15
    }
16
  ]
17
}
18
EOF
Copied!
创建 admin client 凭证和私钥:
1
cfssl gencert \
2
  -ca=ca.pem \
3
  -ca-key=ca-key.pem \
4
  -config=ca-config.json \
5
  -profile=kubernetes \
6
  admin-csr.json | cfssljson -bare admin
Copied!
结果将生成以下两个文件
1
admin-key.pem
2
admin.pem
Copied!
Kubelet 客户端凭证
Kubernetes 使用 special-purpose authorization mode（被称作 Node Authorizer）授权来自 Kubelet 的 API 请求。为了通过 Node Authorizer 的授权, Kubelet 必须使用一个署名为 system:node:<nodeName> 的凭证来证明它属于 system:nodes 用户组。本节将会给每台 worker 节点创建符合 Node Authorizer 要求的凭证。
给每台 worker 节点创建凭证和私钥：
1
for instance in worker-0 worker-1 worker-2; do
2
cat > ${instance}-csr.json <<EOF
3
{
4
  "CN": "system:node:${instance}",
5
  "key": {
6
    "algo": "rsa",
7
    "size": 2048
8
  },
9
  "names": [
10
    {
11
      "C": "US",
12
      "L": "Portland",
13
      "O": "system:nodes",
14
      "OU": "Kubernetes The Hard Way",
15
      "ST": "Oregon"
16
    }
17
  ]
18
}
19
EOF
20
​
21
EXTERNAL_IP=$(gcloud compute instances describe ${instance} \
22
  --format 'value(networkInterfaces[0].accessConfigs[0].natIP)')
23
​
24
INTERNAL_IP=$(gcloud compute instances describe ${instance} \
25
  --format 'value(networkInterfaces[0].networkIP)')
26
​
27
cfssl gencert \
28
  -ca=ca.pem \
29
  -ca-key=ca-key.pem \
30
  -config=ca-config.json \
31
  -hostname=${instance},${EXTERNAL_IP},${INTERNAL_IP} \
32
  -profile=kubernetes \
33
  ${instance}-csr.json | cfssljson -bare ${instance}
34
done
Copied!
结果将产生以下几个文件：
1
worker-0-key.pem
2
worker-0.pem
3
worker-1-key.pem
4
worker-1.pem
5
worker-2-key.pem
6
worker-2.pem
Copied!
Kube-controller-manager 客户端凭证
1
cat > kube-controller-manager-csr.json <<EOF
2
{
3
  "CN": "system:kube-controller-manager",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "L": "Portland",
12
      "O": "system:kube-controller-manager",
13
      "OU": "Kubernetes The Hard Way",
14
      "ST": "Oregon"
15
    }
16
  ]
17
}
18
EOF
19
​
20
cfssl gencert \
21
  -ca=ca.pem \
22
  -ca-key=ca-key.pem \
23
  -config=ca-config.json \
24
  -profile=kubernetes \
25
  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
Copied!
结果将产生以下几个文件：
1
kube-controller-manager-key.pem
2
kube-controller-manager.pem
Copied!
Kube-proxy 客户端凭证
1
cat > kube-proxy-csr.json <<EOF
2
{
3
  "CN": "system:kube-proxy",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "L": "Portland",
12
      "O": "system:node-proxier",
13
      "OU": "Kubernetes The Hard Way",
14
      "ST": "Oregon"
15
    }
16
  ]
17
}
18
EOF
19
​
20
cfssl gencert \
21
  -ca=ca.pem \
22
  -ca-key=ca-key.pem \
23
  -config=ca-config.json \
24
  -profile=kubernetes \
25
  kube-proxy-csr.json | cfssljson -bare kube-proxy
Copied!
结果将产生以下两个文件：
1
kube-proxy-key.pem
2
kube-proxy.pem
Copied!
kube-scheduler 证书
1
cat > kube-scheduler-csr.json <<EOF
2
{
3
  "CN": "system:kube-scheduler",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "L": "Portland",
12
      "O": "system:kube-scheduler",
13
      "OU": "Kubernetes The Hard Way",
14
      "ST": "Oregon"
15
    }
16
  ]
17
}
18
EOF
19
​
20
cfssl gencert \
21
  -ca=ca.pem \
22
  -ca-key=ca-key.pem \
23
  -config=ca-config.json \
24
  -profile=kubernetes \
25
  kube-scheduler-csr.json | cfssljson -bare kube-scheduler
Copied!
结果将产生以下两个文件：
1
kube-scheduler-key.pem
2
kube-scheduler.pem
Copied!
Kubernetes API Server 证书
为了保证客户端与 Kubernetes API 的认证，Kubernetes API Server 凭证 中必需包含 kubernetes-the-hard-way 的静态 IP 地址。
首先查询 kubernetes-the-hard-way 的静态 IP 地址:
1
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
2
  --region $(gcloud config get-value compute/region) \
3
  --format 'value(address)')
4
​
5
KUBERNETES_HOSTNAMES=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local
Copied!
创建 Kubernetes API Server 凭证签发请求文件:
1
cat > kubernetes-csr.json <<EOF
2
{
3
  "CN": "kubernetes",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "L": "Portland",
12
      "O": "Kubernetes",
13
      "OU": "Kubernetes The Hard Way",
14
      "ST": "Oregon"
15
    }
16
  ]
17
}
18
EOF
Copied!
创建 Kubernetes API Server 凭证与私钥:
1
cfssl gencert \
2
  -ca=ca.pem \
3
  -ca-key=ca-key.pem \
4
  -config=ca-config.json \
5
  -hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,${KUBERNETES_HOSTNAMES} \
6
  -profile=kubernetes \
7
  kubernetes-csr.json | cfssljson -bare kubernetes
Copied!
结果产生以下两个文件:
1
kubernetes-key.pem
2
kubernetes.pem
Copied!
Service Account 证书
1
cat > service-account-csr.json <<EOF
2
{
3
  "CN": "service-accounts",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "L": "Portland",
12
      "O": "Kubernetes",
13
      "OU": "Kubernetes The Hard Way",
14
      "ST": "Oregon"
15
    }
16
  ]
17
}
18
EOF
19
​
20
cfssl gencert \
21
  -ca=ca.pem \
22
  -ca-key=ca-key.pem \
23
  -config=ca-config.json \
24
  -profile=kubernetes \
25
  service-account-csr.json | cfssljson -bare service-account
Copied!
结果将生成以下两个文件
1
service-account-key.pem
2
service-account.pem
Copied!
分发客户端和服务器证书
将客户端凭证以及私钥复制到每个工作节点上:
1
for instance in worker-0 worker-1 worker-2; do
2
  gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/
3
done
Copied!
将服务器凭证以及私钥复制到每个控制节点上:
1
for instance in controller-0 controller-1 controller-2; do
2
  gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
3
    service-account-key.pem service-account.pem ${instance}:~/
4
done
Copied!
kube-proxy、kube-controller-manager、kube-scheduler 和 kubelet 客户端凭证将会在下一节中用来创建客户端签发请求文件。
下一步：配置和生成 Kubernetes 配置文件。

以前

创建计算资源

下一个

配置生成配置

最近更新 1yr ago

复制链接

内容

Certificate Authority

client 与 server 凭证

Admin 客户端凭证

Kubelet 客户端凭证

Kube-controller-manager 客户端凭证

Kube-proxy 客户端凭证

kube-scheduler 证书

Kubernetes API Server 证书

Service Account 证书

分发客户端和服务器证书