Four. CA certificate and key
There are two ways to secure access to a Kubernetes cluster: "CA-signed mutual (two-way) digital certificate authentication" and "simple Basic- or token-based authentication". "CA-signed mutual digital certificate authentication" is the recommended choice for production environments.
This document uses CloudFlare's PKI toolset, cfssl, to generate the Certificate Authority (CA) certificate and key files. The CA certificate is self-signed and is used to sign every TLS certificate created afterwards.
kubenode1 is used as the example; for kubenode2 and kubenode3, make the corresponding small adjustments.
1. Install CFSSL
[root@kubenode1 ~]# mkdir -p /usr/local/cfssl
[root@kubenode1 ~]# cd /usr/local/cfssl/
# cfssl
[root@kubenode1 cfssl]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@kubenode1 cfssl]# mv cfssl_linux-amd64 cfssl
[root@kubenode1 cfssl]# chmod +x cfssl
# cfssl-certinfo
[root@kubenode1 cfssl]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@kubenode1 cfssl]# mv cfssl-certinfo_linux-amd64 cfssl-certinfo
[root@kubenode1 cfssl]# chmod +x cfssl-certinfo
# cfssljson
[root@kubenode1 cfssl]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@kubenode1 cfssl]# mv cfssljson_linux-amd64 cfssljson
[root@kubenode1 cfssl]# chmod +x cfssljson
Because these binaries will create the cluster's root of trust, compare each download against the checksum published for the release before marking it executable.
2. Generate CA template
# Needed on kubenode1 only
[root@kubenode1 ~]# cd /usr/local/cfssl/
# Generate the CA configuration file template
[root@kubenode1 cfssl]# cfssl print-defaults config > config.json
# Generate the CA certificate signing request (CSR) file template
[root@kubenode1 cfssl]# cfssl print-defaults csr > csr.json
3. CA configuration file
# Needed on kubenode1 only; the CA certificate, signing configuration and related files generated below can be distributed to kubenode2 & kubenode3 with scp
# ca-config.json: one or more profiles can be defined, each with its own expiry, usage scenario and other parameters, so that different profiles can be used to sign certificates for different scenarios; this file is modified from the generated template
# "signing": indicates that the certificate can be used to sign other certificates, and the generated ca.pem carries CA=TRUE
# "server auth": a client can use this CA to verify the certificate presented by a server
# "client auth": a server can use this CA to verify the certificate presented by a client
# Pay attention to which blocks or lines end with "," and which do not
[root@kubenode1 cfssl]# cp config.json ca-config.json
[root@kubenode1 cfssl]# vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
4. CA certificate signing request
# "CN": Common Name; kube-apiserver takes this field from the certificate as the requesting user name (User Name), and browsers use it to check whether a website is legitimate
# "O": Organization; kube-apiserver takes this field from the certificate as the group the requesting user belongs to
[root@kubenode1 cfssl]# cp csr.json ca-csr.json
[root@kubenode1 cfssl]# vim ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ChengDu",
      "L": "ChengDu",
      "O": "k8s",
      "OU": "cloudteam"
    }
  ]
}
5. Generate CA certificate and key
[root@kubenode1 cfssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@kubenode1 cfssl]# ls ca*
# Quick look at the generated certificate
[root@kubenode1 cfssl]# cfssl-certinfo -cert ca.pem
6. Distribute the CA certificate
# Distribute the generated CA certificate, key, configuration file, etc. to all machines
# ca-key.pem and ca.pem are the important files
# Note: whoever holds ca-key.pem can issue a certificate for any user or component the cluster trusts, so keep it readable only by root on the machines that actually sign certificates, and prefer copying only ca.pem to nodes that merely need to verify certificates
[root@kubenode1 ~]# mkdir -p /etc/kubernetes/ssl
[root@kubenode1 ~]# cp /usr/local/cfssl/ca* /etc/kubernetes/ssl/
[root@kubenode1 ~]# scp /usr/local/cfssl/ca* root@<kubenode2-address>:/etc/kubernetes/ssl/
[root@kubenode1 ~]# scp /usr/local/cfssl/ca* root@<kubenode3-address>:/etc/kubernetes/ssl/
(The scp targets were garbled in the original; <kubenode2-address> and <kubenode3-address> are placeholders for the real host addresses.)