Appendix 008. Kubernetes TLS certificates: introduction and creation

1 Kubernetes certificates

1.1 TLS

The various components of a Kubernetes cluster use TLS certificates to encrypt their communication and to authenticate and authorize each other, so it is recommended to generate the related TLS certificates before deployment.

1.2 Ways to create CA certificates

Kubernetes components need TLS certificates to encrypt their communication; these certificates are usually self-generated with one of the following tools:
  • openssl
  • cfssl
  • easyrsa

1.3 Kubernetes component certificates

When deploying Kubernetes it is recommended to use mutual TLS authentication between components; the main components and certificates involved are:
  • etcd certificate: the TLS certificate used to encrypt communication within the etcd cluster.
  • kube-apiserver certificate: the certificate configured for the kube-apiserver component.
  • kube-controller-manager certificate: used for communicating with and authenticating to kube-apiserver.
  • kube-scheduler certificate: used for communicating with and authenticating to kube-apiserver.
  • [kubelet certificate, optional]: used for communicating with and authenticating to kube-apiserver; not required if TLS Bootstrap authentication is used.
  • [kube-proxy certificate, optional]: used for communicating with and authenticating to kube-apiserver; not required if TLS Bootstrap authentication is used.

2 Generating certificates with openssl

2.1 Creating a certificate with openssl

  [root@master ~]# MASTER_IP=172.24.8.71                                          # define MASTER_IP
  [root@master ~]# mkdir cert                                                     # a separate directory for certificates is recommended
  [root@master ~]# cd cert
  [root@master cert]# openssl genrsa -out ca.key 2048                             # generate a 2048-bit ca.key
  [root@master cert]# openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt   # generate ca.crt from ca.key (-days sets the validity period)
  [root@master cert]# openssl genrsa -out server.key 2048                         # generate a 2048-bit server.key
  [root@master cert]# openssl req -new -key server.key -subj "/CN=${MASTER_IP}" -out server.csr                    # generate server.csr from server.key
  [root@master cert]# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000   # generate server.crt from ca.key, ca.crt and server.csr
  [root@master cert]# openssl x509 -noout -text -in ./server.crt                  # inspect the generated certificate
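The section 2 procedure as an added example (not the original post's commands): the same openssl steps wrapped in functions, with a subjectAltName on the server certificate (clients that match on SAN rather than CN need it) and a check that confirms the chain, the key match and the SAN before the files are copied to the cluster. The CA name "kubernetes-ca", the DNS names and the 172.24.8.71 master IP are constructed/assumed values.

```shell
#!/bin/sh
# Added example (not the original post's commands): section 2's openssl steps as
# functions, plus a check that the result is usable before handing it to the cluster.
# The "kubernetes-ca" name, the DNS names and 172.24.8.71 are constructed/assumed values.

# gen_certs DIR MASTER_IP: create ca.key/ca.crt and server.key/server.crt in DIR.
gen_certs() (
    mkdir -p "$1" && cd "$1" || exit 1
    master_ip="$2"
    # CA key and self-signed CA certificate (as in the post, but with a CA-specific CN)
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key ca.key -subj "/CN=kubernetes-ca" \
        -days 3650 -out ca.crt
    # server key and CSR; the SAN carries the master IP and the in-cluster service
    # names, which the post's CN-only server certificate lacks
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -subj "/CN=kube-apiserver" -out server.csr
    printf '%s\n' "subjectAltName=IP:${master_ip},DNS:kubernetes,DNS:kubernetes.default.svc" \
        "extendedKeyUsage=serverAuth" "keyUsage=digitalSignature,keyEncipherment" > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile server.ext -out server.crt 2>/dev/null
)

# verify_certs DIR MASTER_IP: return 0 only if server.crt chains to ca.crt, server.key
# is the matching private key, and the SAN contains MASTER_IP.
verify_certs() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/server.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "IP Address:$2"
}
```

Run `gen_certs /root/cert 172.24.8.71 && verify_certs /root/cert 172.24.8.71` to reproduce the post's layout and confirm the result.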
 

3 Generating certificates with cfssl

3.1 Creating a certificate with cfssl

  [root@master ~]# curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl                   # download cfssl
  [root@master ~]# chmod u+x /usr/local/bin/cfssl
  [root@master ~]# curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson           # download cfssljson
  [root@master ~]# chmod u+x /usr/local/bin/cfssljson
  [root@master ~]# curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
  [root@master ~]# chmod u+x /usr/local/bin/cfssl-certinfo
  [root@master ~]# mkdir cert
  [root@master ~]# cd cert/
  [root@master cert]# cfssl print-defaults config > config.json
  [root@master cert]# cfssl print-defaults csr > csr.json         # create template json config files
  [root@master cert]# cp config.json ca-config.json              # copy as the CA config file
  [root@master cert]# vi ca-config.json
  {
      "signing": {
          "default": {
              "expiry": "168h"
          },
          "profiles": {
              "kubernetes": {
                  "expiry": "8760h",
                  "usages": [
                      "signing",
                      "key encipherment",
                      "server auth",
                      "client auth"
                  ]
              }
          }
      }
  }
 
Fields explained:
config.json: multiple profiles can be defined, each with its own expiry and other scenario-specific parameters; one of these profiles is selected later when signing a certificate;
  • signing: the certificate can be used to sign other certificates; the generated ca.pem has CA=TRUE;
  • server auth: the client can use this CA to verify the certificate presented by the server;
  • client auth: the server can use this CA to verify the certificate presented by the client.
  [root@master cert]# cp csr.json ca-csr.json                   # copy as the CA config file
  [root@master cert]# vi ca-csr.json
  {
      "CN": "kubernetes",
      "key": {
          "algo": "rsa",
          "size": 2048
      },
      "names": [
          {
              "C": "CN",
              "ST": "Shanghai",
              "L": "Shanghai",
              "O": "k8s",
              "OU": "System"
          }
      ]
  }
 
Fields explained:
  • CN: Common Name; kube-apiserver extracts this field from the certificate as the requesting user's name (User Name); browsers use this field to verify that a site is legitimate;
  • C: country;
  • ST: state;
  • L: city;
  • O: Organization; kube-apiserver extracts this field from the certificate as the requesting user's group (Group);
  • OU: organization unit.
  [root@master cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca     # generate the CA key (ca-key.pem) and certificate (ca.pem)
Tip: after the certificates are generated, since the Kubernetes cluster requires mutual TLS authentication, copy ca-key.pem and ca.pem to the /etc/kubernetes/ssl directory on every machine to be deployed.

4 Generating certificates with easyrsa

4.1 Creating a certificate with easyrsa

  [root@master ~]# mkdir cert
  [root@master ~]# curl -LO https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz          # download easyrsa
  [root@master ~]# tar xzf easy-rsa.tar.gz
  [root@master ~]# cd easy-rsa-master/easyrsa3
  [root@master easyrsa3]# ./easyrsa init-pki
  [root@master easyrsa3]# MASTER_IP=172.24.8.71                                                                 # define MASTER_IP
  [root@master easyrsa3]# ./easyrsa --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass                   # generate the CA
 
Explanation:
--batch: enables automatic (non-interactive) mode;
--req-cn: sets the default CN.
  [root@master easyrsa3]# ./easyrsa --subject-alt-name="IP:${MASTER_IP}" build-server-full server nopass        # generate the server certificate and key
Explanation:
build-server-full [filename]: generates a key pair for the client/server and signs it locally.
  [root@master easyrsa3]# cp pki/ca.crt pki/issued/server.crt pki/private/server.key /root/cert/              # copy the relevant certificates
Tip: once the certificates are generated, the Kubernetes cluster can be configured to use them with:
  • --client-ca-file=/root/cert/ca.crt
  • --tls-cert-file=/root/cert/server.crt
  • --tls-private-key-file=/root/cert/server.key

5 Certificates and related configuration options

5.1 API Server certificate

The API Server certificate is configured with the following two options:
  • --tls-cert-file string
File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
 
  • --tls-private-key-file string
File containing the default x509 private key matching --tls-cert-file.

5.2 Client CA certificate

  • --client-ca-file string
If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.
This option specifies which CA the API Server requires a client's certificate to have been issued by when the client connects; if the certificate was not issued by that CA, the request is rejected. In fact this CA need not be the same CA that issued the certificate used by the HTTPS endpoint. "Client" here is generic: it may be kubectl or an application you developed yourself.
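The behaviour described in 5.2, as an added example that is not part of the original post: a small emulation of the API Server's x509 authenticator, which accepts a client certificate only if it chains to the bundle given by --client-ca-file and then maps CN to the user name and O to the groups (the field meanings listed under section 3). The CA names and the "admin" / "system:masters" identity are constructed values.

```shell
#!/bin/sh
# Added example, not from the original post: emulate how kube-apiserver turns a
# client certificate into an identity (CN -> user name, O -> groups) and show that
# only certificates chaining to the --client-ca-file CA are accepted at all.
# The CA names and the admin/system:masters identity are constructed values.

# make_ca DIR NAME: create a self-signed CA (ca.key, ca.crt) in DIR with CN NAME.
make_ca() (
    mkdir -p "$1" && cd "$1" || exit 1
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout ca.key \
        -subj "/CN=$2" -days 365 -out ca.crt 2>/dev/null
)

# make_client_cert DIR CN O: issue client.crt in DIR, signed by DIR's CA.
make_client_cert() (
    cd "$1" || exit 1
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -subj "/CN=$2/O=$3" -out client.csr
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out client.crt 2>/dev/null
)

# x509_identity CLIENT_CA_BUNDLE CERT: print "user=<CN> groups=<O values>" when the
# certificate chains to the client CA; print "rejected" and return 1 otherwise.
x509_identity() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo rejected; return 1; }
    # one RDN per line, e.g. "    CN=admin" / "    O=system:masters"
    subj=$(openssl x509 -in "$2" -noout -subject -nameopt sep_multiline)
    user=$(printf '%s\n' "$subj" | sed -n 's/^ *CN=//p')
    groups=$(printf '%s\n' "$subj" | sed -n 's/^ *O=//p' | paste -sd, -)
    echo "user=$user groups=$groups"
}
```

A certificate with the same subject but issued by a CA outside the client CA bundle is rejected before any identity is derived, which is why the client CA and the serving CA can be kept separate.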

5.3 Request header certificates

The API Server supports several authentication methods; one of them authenticates requests using specified fields in the HTTP headers. The related options are:
  • --requestheader-allowed-names stringSlice
List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.
  • --requestheader-client-ca-file string
Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests.

5.4 kubelet certificates

For the Kubelet component, the API Server provides separate certificate options that specify the certificate the API Server uses when talking to the Kubelet and the CA that signed it. This CA can be completely independent of the other CAs above. The Kubelet component in turn provides the corresponding options for the reverse direction:
# API Server
  • --kubelet-certificate-authority string
Path to a cert file for the certificate authority.
  • --kubelet-client-certificate string
Path to a client cert file for TLS.
  • --kubelet-client-key string
Path to a client key file for TLS.
 
# Kubelet
  • --client-ca-file string
If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.
  • --tls-cert-file string
File containing x509 Certificate used for serving HTTPS (with intermediate certs, if any, concatenated after server cert). If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to --cert-dir.
  • --tls-private-key-file string
File containing x509 private key matching --tls-cert-file.

5.5 Service Account certificates

In the API Server configuration, Service Accounts likewise have two certificate-related options:
  • --service-account-key-file stringArray
File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify ServiceAccount tokens. The specified file can contain multiple keys, and the flag can be specified multiple times with different files. If unspecified, --tls-private-key-file is used. Must be specified when --service-account-signing-key is provided
  • --service-account-signing-key-file string
Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key. (Requires the 'TokenRequest' feature gate.)
These two options describe the keys used to sign and verify Service Account tokens; note that no certificate CA is required here, so in theory the CA for these two can also be completely independent.
Reference for Kubernetes certificates and configuration options:
https://mritd.me/2018/08/26/kubernetes-certificate-configuration/
Tip: the certificate creation examples above are based on: https://notes.doublemine.me/2018-03-26-Kubernetes%E9%9B%86%E7%BE%A4%E4%B9%8B%E8%B7%AF%E4%B9%8BTLS%E8%AF%81%E4%B9%A6%E9%85%8D%E7%BD%AE.html

Source: www.cnblogs.com/itzgr/p/11120079.html