
Kubernetes cluster deployment, part 2 (self-signed TLS certificates)

Author: 算法之名
Published 2019-08-20 10:05:56

A Kubernetes cluster is not forced to use a particular set of certificates, but the certificates do more than encrypt traffic. They let clients verify that they are talking to the real API server, and they let the API server identify its clients: the CN of a client certificate becomes the user name and each O becomes a group, which is what RBAC authorises against. TLS then encrypts the connection. The keys generated below are 2048-bit RSA.

Three cfssl tools are used: cfssl, cfssljson and cfssl-certinfo.

First create a directory anywhere, for example ssl, and download the three binaries into it. Before moving anything into PATH, verify the downloads against the checksums published by the cfssl project: these binaries will create the key that signs every identity in the cluster.

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod 755 *
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

You can check the command help:

# cfssl -help
Usage:
Available commands:
        sign
        version
        gencrl
        serve
        ocspdump
        info
        print-defaults
        certinfo
        ocspsign
        bundle
        genkey
        gencert
        ocsprefresh
        ocspserve
        selfsign
        scan
        revoke
Top-level flags:
  -allow_verification_with_non_compliant_keys
        Allow a SignatureVerifier to use keys which are technically non-compliant with RFC6962.
  -loglevel int
        Log level (0 = DEBUG, 5 = FATAL) (default 1)

Generate the two template files:

cfssl print-defaults config > config.json

# cat config.json
{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}

It contains the signing profiles, the expiry times and so on.

cfssl print-defaults csr > csr.json

# cat csr.json
{
    "CN": "example.net",
    "hosts": [
        "example.net",
        "www.example.net"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}

It contains the host names, the locality fields and so on.

These are only templates, not the files we actually use. The real files are created with the following commands.

cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

After running this there is a new file, ca-config.json. The "kubernetes" profile is what every certificate below is signed with: 87600h is ten years, and the usages allow one certificate to serve for both server auth and client auth. This expiry applies to the certificates the CA signs, not to the CA certificate itself.

cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

After running this there is a new file, ca-csr.json. The CA's own validity is not taken from ca-config.json: cfssl reads it from a "ca": { "expiry": ... } block in this request if one is present, and otherwise uses its built-in default.

Then run:

# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2019/02/15 11:27:46 [INFO] generating a new CA key and certificate from CSR
2019/02/15 11:27:46 [INFO] generate received request
2019/02/15 11:27:46 [INFO] received CSR
2019/02/15 11:27:46 [INFO] generating key: rsa-2048
2019/02/15 11:27:46 [INFO] encoded CSR
2019/02/15 11:27:46 [INFO] signed certificate with serial number 522234478678554843943438612699648327400263717044

This produces the two files we need: the CA private key ca-key.pem and the CA certificate ca.pem (a ca.csr is also written but is not used again). ca-key.pem signs every other identity in the cluster, so keep it root-only and do not copy it to the nodes; only ca.pem needs to be distributed.

Continue with:

cat > server-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "10.10.10.1",
    "127.0.0.1",
    "172.18.98.47",
    "172.18.98.48",
    "172.18.98.46",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

Replace 172.18.98.47 and the other two addresses with the IPs of your own three servers. 127.0.0.1 covers local connections, and 10.10.10.1 is meant to be the ClusterIP of the kubernetes service (the first address of the service CIDR), which the kubernetes.default.* names resolve to inside the cluster. Every address or name a client will use to reach the API server must be in this hosts list, because clients verify the server name against the certificate's SANs and refuse to connect on a mismatch. After running this, server-csr.json exists.

Generate the certificate:

# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
2019/02/15 11:51:04 [INFO] generate received request
2019/02/15 11:51:04 [INFO] received CSR
2019/02/15 11:51:04 [INFO] generating key: rsa-2048
2019/02/15 11:51:04 [INFO] encoded CSR
2019/02/15 11:51:04 [INFO] signed certificate with serial number 13508754972361930848639963529220936364095728469
2019/02/15 11:51:04 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").

Two more files now exist: server-key.pem and server.pem.

Continue with:

# cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

This creates admin-csr.json. The key must be spelled "names" (plural): cfssl silently ignores an unknown "name" key, the certificate is still issued, and it would then lack O=system:masters, so kubectl with this certificate would be authenticated but denied everything by RBAC.

Generate the certificate. This is the administrator's client certificate: the API server maps CN to the user name (admin) and O to a group, and the system:masters group is bound to the cluster-admin role by the default RBAC rules. Whoever holds admin-key.pem has full control of the cluster, so treat it like ca-key.pem.

# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/02/15 13:49:36 [INFO] generate received request
2019/02/15 13:49:36 [INFO] received CSR
2019/02/15 13:49:36 [INFO] generating key: rsa-2048
2019/02/15 13:49:37 [INFO] encoded CSR
2019/02/15 13:49:37 [INFO] signed certificate with serial number 128010541049789040815911678632547332318067283580
2019/02/15 13:49:37 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").

Two more files now exist: admin-key.pem and admin.pem. The warning about a missing "hosts" field is expected for a client certificate; it identifies a user, not a host.

Continue with:

# cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

This creates kube-proxy-csr.json.

Generate the certificate. With CN system:kube-proxy the API server authenticates kube-proxy as the user system:kube-proxy, which the default system:node-proxier ClusterRoleBinding grants exactly the permissions kube-proxy needs; no extra RBAC setup is required.

# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
2019/02/15 14:06:38 [INFO] generate received request
2019/02/15 14:06:38 [INFO] received CSR
2019/02/15 14:06:38 [INFO] generating key: rsa-2048
2019/02/15 14:06:39 [INFO] encoded CSR
2019/02/15 14:06:39 [INFO] signed certificate with serial number 563471985753033006864304507036823783228076641762
2019/02/15 14:06:39 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").

This produces kube-proxy-key.pem and kube-proxy.pem.

All the certificates are now generated. Note the permissions in the listing below: cfssljson writes private keys with mode 0600 and certificates with 0644; keep it that way when copying them to the nodes.

# ll | grep pem
-rw------- 1 root root 1675 Feb 15 13:49 admin-key.pem
-rw-r--r-- 1 root root 1277 Feb 15 13:49 admin.pem
-rw------- 1 root root 1679 Feb 15 11:27 ca-key.pem
-rw-r--r-- 1 root root 1359 Feb 15 11:27 ca.pem
-rw------- 1 root root 1679 Feb 15 14:06 kube-proxy-key.pem
-rw-r--r-- 1 root root 1403 Feb 15 14:06 kube-proxy.pem
-rw------- 1 root root 1679 Feb 15 11:51 server-key.pem
-rw-r--r-- 1 root root 1602 Feb 15 11:51 server.pem

You can put the commands above into an executable file, certificate.sh, so the whole sequence can be run in one go later.

# chmod 755 certificate.sh
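One way to write that certificate.sh, as an added example rather than the post's own script: it assumes cfssl and cfssljson are on PATH, uses openssl for the final checks, and keeps the page's example IPs and names (edit SERVER_HOSTS for your cluster). The function names csr_json, sign_leaf, generate_all and verify_all are chosen here. It goes a little beyond the page in two ways: the CA request carries a "ca" expiry so the CA itself lives as long as the certificates it signs, and after signing it checks the results, in particular that admin.pem really carries O=system:masters (which a misspelled "name" key would silently drop) and that every API server address appears as a SAN in server.pem.

```shell
#!/usr/bin/env bash
# certificate.sh: create the cluster CA plus the server, admin and kube-proxy
# certificates with cfssl, then check them. Added example, not the original
# post's script. Assumes cfssl/cfssljson on PATH; openssl for the checks.
set -euo pipefail

# Every address or name clients use to reach the API server (page's example values).
SERVER_HOSTS="10.10.10.1 127.0.0.1 172.18.98.47 172.18.98.48 172.18.98.46 \
kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster \
kubernetes.default.svc.cluster.local"

# Emit a cfssl request.  usage: csr_json CN ORG [host...]
# CN becomes the Kubernetes user, ORG the group, hosts the SANs.
csr_json() {
  local cn="$1" org="$2" hosts=""
  shift 2
  while [ "$#" -gt 0 ]; do
    hosts="${hosts:+$hosts, }\"$1\""
    shift
  done
  cat <<EOF
{
  "CN": "$cn",
  "hosts": [$hosts],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "$org", "OU": "System" }
  ]
}
EOF
}

# Sign NAME-csr.json with the CA under the "kubernetes" profile -> NAME.pem, NAME-key.pem
sign_leaf() {
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
    -profile=kubernetes "$1-csr.json" | cfssljson -bare "$1"
}

generate_all() {
  local tool name
  for tool in cfssl cfssljson; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found in PATH" >&2; return 1; }
  done
  # Signing profile for every leaf certificate: ten years, server and client auth.
  cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [ "signing", "key encipherment", "server auth", "client auth" ]
      }
    }
  }
}
EOF
  # CA request. The "ca" block is not in the page's ca-csr.json; it sets the CA's
  # own lifetime, which ca-config.json does not control.
  cat > ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": { "algo": "rsa", "size": 2048 },
  "ca": { "expiry": "87600h" },
  "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System" } ]
}
EOF
  cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  # Leaf requests: API server SANs, admin in group system:masters, kube-proxy user.
  csr_json kubernetes k8s $SERVER_HOSTS > server-csr.json   # unquoted: split on spaces
  csr_json admin system:masters > admin-csr.json
  csr_json system:kube-proxy k8s > kube-proxy-csr.json
  for name in server admin kube-proxy; do sign_leaf "$name"; done
  chmod 600 ./*-key.pem
}

# Check the chain and the identity fields the API server actually reads.
verify_all() {
  local h sans
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping checks" >&2; return 0; }
  openssl verify -CAfile ca.pem server.pem admin.pem kube-proxy.pem
  openssl x509 -in admin.pem -noout -subject | grep -q 'O *= *system:masters' \
    || { echo "admin.pem is not in group system:masters" >&2; return 1; }
  openssl x509 -in kube-proxy.pem -noout -subject | grep -q 'CN *= *system:kube-proxy' \
    || { echo "kube-proxy.pem has the wrong CN" >&2; return 1; }
  sans="$(openssl x509 -in server.pem -noout -text)"
  for h in $SERVER_HOSTS; do   # a missing SAN means clients fail hostname verification
    printf '%s\n' "$sans" | grep -Eq "(DNS|IP Address):$h(,|\$)" \
      || { echo "server.pem lacks SAN $h" >&2; return 1; }
  done
}

# Run as: ./certificate.sh generate [dir]   (sourcing the file only defines the functions)
if [ "${1:-}" = "generate" ]; then
  mkdir -p "${2:-.}" && cd "${2:-.}"
  generate_all
  verify_all
fi
```

Run it with `./certificate.sh generate ssl`; the functions do nothing when the file is merely sourced, so the request generator can be reused on its own. The checks at the end are the ones worth keeping even if you do not use the rest: openssl verify proves each leaf chains to ca.pem, the subject checks catch the silent "name" versus "names" mistake, and the SAN loop catches a node IP that was left out of server-csr.json.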

This article is part of the Tencent Cloud self-media sharing programme and was shared from the author's personal site/blog.