我们将使用 CloudFlare's PKI 工具 cfssl 来配置 PKI Infrastructure,然后使用它去创建 Certificate Authority(CA), 并为 etcd、kube-apiserver、kubelet 以及 kube-proxy 创建 TLS 证书。
本节创建用于生成其他 TLS 证书的 Certificate Authority。
新建 CA 配置文件
cat > ca-config.json <<EOF{"signing": {"default": {"expiry": "8760h"},"profiles": {"kubernetes": {"usages": ["signing", "key encipherment", "server auth", "client auth"],"expiry": "8760h"}}}}EOF
新建 CA 凭证签发请求文件:
cat > ca-csr.json <<EOF{"CN": "Kubernetes","key": {"algo": "rsa","size": 2048},"names": [{"C": "US","L": "Portland","O": "Kubernetes","OU": "CA","ST": "Oregon"}]}EOF
生成 CA 凭证和私钥:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
结果将生成以下两个文件:
ca-key.pemca.pem
本节将创建用于 Kubernetes 组件的 client 与 server 凭证,以及一个用于 Kubernetes admin 用户的 client 凭证。
创建 admin
client 凭证签发请求文件:
cat > admin-csr.json <<EOF{"CN": "admin","key": {"algo": "rsa","size": 2048},"names": [{"C": "US","L": "Portland","O": "system:masters","OU": "Kubernetes The Hard Way","ST": "Oregon"}]}EOF
创建 admin
client 凭证和私钥:
cfssl gencert \-ca=ca.pem \-ca-key=ca-key.pem \-config=ca-config.json \-profile=kubernetes \admin-csr.json | cfssljson -bare admin
结果将生成以下两个文件
admin-key.pemadmin.pem
Kubernetes 使用 special-purpose authorization mode(被称作 Node Authorizer)授权来自 Kubelet 的 API 请求。为了通过 Node Authorizer 的授权, Kubelet 必须使用一个署名为 system:node:<nodeName>
的凭证来证明它属于 system:nodes
用户组。本节将会给每台 worker 节点创建符合 Node Authorizer 要求的凭证。
给每台 worker 节点创建凭证和私钥:
for instance in worker-0 worker-1 worker-2; docat > ${instance}-csr.json <<EOF{"CN": "system:node:${instance}","key": {"algo": "rsa","size": 2048},"names": [{"C": "US","L": "Portland","O": "system:nodes","OU": "Kubernetes The Hard Way","ST": "Oregon"}]}EOFEXTERNAL_IP=$(gcloud compute instances describe ${instance} \--format 'value(networkInterfaces[0].accessConfigs[0].natIP)')INTERNAL_IP=$(gcloud compute instances describe ${instance} \--format 'value(networkInterfaces[0].networkIP)')cfssl gencert \-ca=ca.pem \-ca-key=ca-key.pem \-config=ca-config.json \-hostname=${instance},${EXTERNAL_IP},${INTERNAL_IP} \-profile=kubernetes \${instance}-csr.json | cfssljson -bare ${instance}done
结果将产生以下几个文件:
worker-0-key.pemworker-0.pemworker-1-key.pemworker-1.pemworker-2-key.pemworker-2.pem
cat > kube-controller-manager-csr.json <<EOF{"CN": "system:kube-controller-manager","key": {"algo": "rsa","size": 2048},"names": [{"C": "US","L": "Portland","O": "system:kube-controller-manager","OU": "Kubernetes The Hard Way","ST": "Oregon"}]}EOFcfssl gencert \-ca=ca.pem \-ca-key=ca-key.pem \-config=ca-config.json \-profile=kubernetes \kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
结果将产生以下几个文件:
kube-controller-manager-key.pemkube-controller-manager.pem
cat > kube-proxy-csr.json <<EOF{"CN": "system:kube-proxy","key": {"algo": "rsa","size": 2048},"names": [{"C": "US","L": "Portland","O": "system:node-proxier","OU": "Kubernetes The Hard Way","ST": "Oregon"}]}EOFcfssl gencert \-ca=ca.pem \-ca-key=ca-key.pem \-config=ca-config.json \-profile=kubernetes \kube-proxy-csr.json | cfssljson -bare kube-proxy
结果将产生以下两个文件:
kube-proxy-key.pemkube-proxy.pem
cat > kube-scheduler-csr.json <<EOF{"CN": "system:kube-scheduler","key": {"algo": "rsa","size": 2048},"names": [{"C": "US","L": "Portland","O": "system:kube-scheduler","OU": "Kubernetes The Hard Way","ST": "Oregon"}]}EOFcfssl gencert \-ca=ca.pem \-ca-key=ca-key.pem \-config=ca-config.json \-profile=kubernetes \kube-scheduler-csr.json | cfssljson -bare kube-scheduler
结果将产生以下两个文件:
kube-scheduler-key.pemkube-scheduler.pem
为了保证客户端与 Kubernetes API 的认证,Kubernetes API Server 凭证 中必需包含 kubernetes-the-hard-way
的静态 IP 地址。
首先查询 kubernetes-the-hard-way
的静态 IP 地址:
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \--region $(gcloud config get-value compute/region) \--format 'value(address)')KUBERNETES_HOSTNAMES=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local
创建 Kubernetes API Server 凭证签发请求文件:
cat > kubernetes-csr.json <<EOF{"CN": "kubernetes","key": {"algo": "rsa","size": 2048},"names": [{"C": "US","L": "Portland","O": "Kubernetes","OU": "Kubernetes The Hard Way","ST": "Oregon"}]}EOF
创建 Kubernetes API Server 凭证与私钥:
cfssl gencert \-ca=ca.pem \-ca-key=ca-key.pem \-config=ca-config.json \-hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,${KUBERNETES_HOSTNAMES} \-profile=kubernetes \kubernetes-csr.json | cfssljson -bare kubernetes
结果产生以下两个文件:
kubernetes-key.pemkubernetes.pem
cat > service-account-csr.json <<EOF{"CN": "service-accounts","key": {"algo": "rsa","size": 2048},"names": [{"C": "US","L": "Portland","O": "Kubernetes","OU": "Kubernetes The Hard Way","ST": "Oregon"}]}EOFcfssl gencert \-ca=ca.pem \-ca-key=ca-key.pem \-config=ca-config.json \-profile=kubernetes \service-account-csr.json | cfssljson -bare service-account
结果将生成以下两个文件
service-account-key.pemservice-account.pem
将客户端凭证以及私钥复制到每个工作节点上:
for instance in worker-0 worker-1 worker-2; dogcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/done
将服务器凭证以及私钥复制到每个控制节点上:
for instance in controller-0 controller-1 controller-2; dogcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \service-account-key.pem service-account.pem ${instance}:~/done
kube-proxy
、kube-controller-manager
、kube-scheduler
和kubelet
客户端凭证将会在下一节中用来创建客户端签发请求文件。