Certificate generation in kubernetes

http://blog.csdn.net/shenshouer/article/details/53035948

For security, it is recommended to use TLS certificates in kubernetes. The previous article only covered certificate generation as part of building the cluster and did not describe it separately; this article introduces certificate generation in kubernetes on its own. The following certificates will be needed:

  • Root certificate (public key) and private key: ca.pem and ca-key.pem

  • API Server certificate and private key: apiserver.pem and apiserver-key.pem

  • Cluster administrator certificate and private key: admin.pem and admin-key.pem

  • Slave node certificate and private key: worker.pem and worker-key.pem

Root certificate generation

# Generate the root CA.
openssl genrsa -out ca-key.pem 2048
openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca"

apiserver certificate generation

The master requires the root CA key pair (ca-key.pem and the root certificate ca.pem) and the apiserver certificate apiserver.pem together with its private key apiserver-key.pem.

1. Create openssl.cnf:

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
IP.1 = ${K8S_SERVICE_IP}
IP.2 = ${MASTER_IPV4}

Replace ${MASTER_IPV4} with the IP address of the Master whose API is accessed, and replace ${K8S_SERVICE_IP} with the first IP of the kubernetes service IP range you plan to use. For example, if 10.100.0.0/16 is used as the service IP range, then ${K8S_SERVICE_IP} here is 10.100.0.1.

If you deploy multiple Master nodes in a high availability configuration, you need to add more TLS subjectAltNames (SANs). The proper SAN configuration for each certificate depends on how kubectl, the slave nodes and users communicate with the master node: directly through IP addresses, through a load balancer, or through DNS name resolution.

DNS.5 = ${MASTER_DNS_NAME}
IP.3 = ${MASTER_IP}
IP.4 = ${MASTER_LOADBALANCER_IP}

The slave nodes will access the load balancer through ${MASTER_DNS_NAME}.

  • Generate apiserver certificate pair
# Generate the API server keypair.
openssl genrsa -out apiserver-key.pem 2048
openssl req -new -key apiserver-key.pem -out apiserver.csr -subj "/CN=kube-apiserver" -config openssl.cnf
openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver.pem -days 365 -extensions v3_req -extfile openssl.cnf
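The same root CA and apiserver certificate that the openssl commands above produce, built and then checked with Go's standard crypto/x509 package (the library kubernetes itself uses for its certificates). This is an added example, not code from the original post: the function names issue, masterCerts and verifyFor are chosen here, and the service IP 10.100.0.1 and master IP 172.17.4.101 used when calling it are the values the text uses. verifyFor performs the check kubectl or a kubelet performs against the server, which is why a name or IP missing from [alt_names] makes the connection fail.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue generates a 2048-bit RSA key (what `openssl genrsa ... 2048` does) and signs tmpl with signer under parent.
func issue(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	if signer == nil { parent, signer = tmpl, key } // no signer yet: self-signed, as for the root CA
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// masterCerts builds the root CA (/CN=kube-ca, 10000 days) and the apiserver certificate (/CN=kube-apiserver, 365 days)
// with the v3_req keyUsage and the [alt_names] SANs of openssl.cnf; serviceIP is ${K8S_SERVICE_IP}, masterIP is ${MASTER_IPV4}.
func masterCerts(serviceIP, masterIP string) (ca, apiserver *x509.Certificate, err error) {
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kube-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10000 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil { return nil, nil, err }
	apiserver, _, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "kube-apiserver"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, // basicConstraints = CA:FALSE
		KeyUsage:    x509.KeyUsageContentCommitment | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		DNSNames:    []string{"kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster.local"},
		IPAddresses: []net.IP{net.ParseIP(serviceIP), net.ParseIP(masterIP)},
	}, ca, caKey)
	return ca, apiserver, err
}

// verifyFor is the check kubectl or a kubelet makes against https://<host>:443 with ca.pem as certificate-authority:
// the chain must end at the CA, and host (a DNS name or an IP) must appear in the certificate's SANs.
func verifyFor(ca, apiserver *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := apiserver.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Call verifyFor with every name and IP that kubectl and the slave nodes will really use; an entry missing from alt_names fails here before it fails in the cluster.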
  • The generated root certificate files (ca-key.pem, ca.pem) and apiserver certificate files (apiserver-key.pem, apiserver.pem) are generally placed under /etc/kubernetes/ssl/ on the Master node.

  • The apiserver configuration needs to specify the following parameters:

--service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem \
--tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem \
--tls-cert-file=/etc/kubernetes/ssl/apiserver.pem \
--client-ca-file=/etc/kubernetes/ssl/ca.pem \
  • The controller-manager configuration needs to specify the following parameters:

--service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem \
--root-ca-file=/etc/kubernetes/ssl/ca.pem \
--cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \

Cluster administrator certificate generation

This certificate is used by kubectl and is set up as follows:

$ openssl genrsa -out admin-key.pem 2048
$ openssl req -new -key admin-key.pem -out admin.csr -subj "/CN=kube-admin"
$ openssl x509 -req -in admin.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin.pem -days 365
# Configure a cluster named default, specifying the server address and the root certificate
kubectl config set-cluster default --server=https://172.17.4.101:443 --certificate-authority=${PWD}/ssl/ca.pem

# Set up an administrative user named admin and configure its client certificate
kubectl config set-credentials admin --certificate-authority=${PWD}/ssl/ca.pem --client-key=${PWD}/ssl/admin-key.pem --client-certificate=${PWD}/ssl/admin.pem

# Set up a context named default that uses the default cluster and the admin user
kubectl config set-context default --cluster=default --user=admin

# Make default the current context
kubectl config use-context default

Slave node certificate generation

Put the IP of the node that needs a certificate into an environment variable:

# Export this worker's IP address.
export WORKER_IP=<WORKER_IPV4>
# Generate keys.
openssl genrsa -out worker-key.pem 2048
openssl req -new -key worker-key.pem -out worker.csr -subj "/CN=worker-key" -config worker-openssl.cnf
openssl x509 -req -in worker.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out worker.pem -days 365 -extensions v3_req -extfile worker-openssl.cnf

The contents of worker-openssl.cnf are as follows:

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = $ENV::WORKER_IP

On the slave node, the configuration file worker-kubeconfig.yaml used by the kubelet specifies the certificates:

apiVersion: v1
kind: Config
clusters:
- name: local
  cluster:
    server: https://<KUBERNETES_MASTER>:443
    certificate-authority: /etc/kubernetes/ssl/ca.pem
users:
- name: kubelet
  user:
    client-certificate: /etc/kubernetes/ssl/worker.pem
    client-key: /etc/kubernetes/ssl/worker-key.pem
contexts:
- context:
    cluster: local
    user: kubelet
  name: kubelet-context
current-context: kubelet-context

Configure the kubelet with the following parameters to use the certificates:

--kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml \
--tls-private-key-file=/etc/kubernetes/ssl/worker-key.pem \
--tls-cert-file=/etc/kubernetes/ssl/worker.pem \