kubernetes集群 CA認(rèn)證

一、設(shè)備kube-apiserver的CA正式相關(guān)的文件和啟動(dòng)參數(shù)

openssl genrsa -out ca.key 2048

openssl req x509 -new nodes -key ca.key -subj "/CN=yourcompany.com" -days 5000 -out ca.crt

opensll genrsa -out server.key 2048

二、準(zhǔn)備master_ssl.conf文件 該文件用于x509 v3版本的證書

[req]

req_extensions = v3_req

distinguished_name = req_distinguished_name

[req_distinguished_name]

[v3_req]

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

subjectAltName = @alt_names

[alt_names]

DNS.1 = kubernetes

DNS.2 = kubernetes.default

DNS.3 = kubernetes.default.svc

DNS.4 = kubernetes.default.svc.cluster.local

DNS.5 = k8s-master (服務(wù)器的hostname)

IP.1 = 169.169.0.1 (svc的cluster ip)

IP.2 = 192.168.01. (node的IP)

三、基于maste_ssl.conf 創(chuàng)建server.csr和server.crt文件 在生成server.csr是 -subj的參數(shù)中“/CN”指定的文件是master的主機(jī)名

openssl req -new -key server.key -subj "/CN=k8s-master" -config master_ssl.conf -out server.csr

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.conf -out server.crt

全部執(zhí)行完后會(huì)生產(chǎn)6個(gè)文件：ca.crt ca.key ca.srl server.crt server.csr server.key

四、把生產(chǎn)的6個(gè)文件cp到一個(gè)目錄中，然后設(shè)置kube-apiserver的三個(gè)啟動(dòng)參數(shù)

--client-ca-file=ca.crt --tls-cert-file=server.key --tls-private-key-file=server.crt

五、關(guān)閉非安全端口--insecure-port=0 --secure-port=6443 重啟kube-apiserver

六、設(shè)置kube-controller-manager的客戶端證書、私鑰、啟動(dòng)參數(shù)

openssl genrsa -out cs_client.key 2048

openssl req -new -key cs_client.key -subj "/CN=k8s-node-1" -out cs_client.csr

openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key --CAcreateserial -days 5000 -out cs_client.crt