哪些组件需要证书?

组件	需要使用的证书
etcd	ca.pem server.pem server-key.pem
flannel	ca.pem server.pem server-key.pem
kube-apiserver	ca.pem server.pem server-key.pem
kubelet	ca.pem ca-key.pem
kube-proxy	ca.pem kube-proxy.pem kube-proxy-key.pem
kubectl	ca.pem admin.pem admin-key.pem

安装证书生成证书工具cfssl:

master节点创建存放证书的目录

[root@master ~]# mkdir ssl
[root@master ~]# cd ssl/
[root@master ssl]#

下载生成证书工具


[root@master ssl]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@master ssl]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@master ssl]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@master ssl]# chmod +x cfssl*
[root@master ssl]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@master ssl]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
[root@master ssl]# mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
#查看是否能用
[root@master ssl]# cfssl --help

生成证书文件直接用脚本cert.sh,注意server-csr.json修改成自己节点ip：127.0.0.1，10.10.10.1这2个ip不用修改其他ip修改成自己节点ip即可。

cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

cat > server-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
      "127.0.0.1",
      "192.168.10.60",
      "192.168.10.61",
      "192.168.10.62",
      "10.10.10.1",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

#-----------------------

cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

#-----------------------

cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

生成证书

[root@master ssl]# chmod +x cert.sh
[root@master ssl]# sh cert.sh
#保留.pem文件删除其他文件
[root@master ssl]# ls |grep -v pem |xargs -i rm {}
[root@master ssl]# ls
admin-key.pem  ca-key.pem  kube-proxy-key.pem  server-key.pem
admin.pem      ca.pem      kube-proxy.pem      server.pem

2、k8s集群手动部署笔记之自签TLS证书

哪些组件需要证书?

安装证书生成证书工具cfssl:

master节点创建存放证书的目录

下载生成证书工具

生成证书文件直接用脚本cert.sh,注意server-csr.json修改成自己节点ip：127.0.0.1，10.10.10.1这2个ip不用修改其他ip修改成自己节点ip即可。

生成证书

猜你喜欢