kube-apiserver的CA证书
1 2 3 4
| openssl genrsa -out ca.key 2048 openssl req -x509 -new -nodes -key ca.key -subj "/CN=<master_hostname>" \ -days 5000 -out ca.crt openssl genrsa -out server.key 2048
|
master_ssl.cnf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
| [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = kubernetes DNS.2 = kubernetes.default DNS.3 = kubernetes.default.svc DNS.4 = kubernetes.default.svc.cluster.local DNS.5 = <master_hostname> IP.1 = <master_ip> IP.3 = <kubectl get svc | grep kubernetes | awk '{print $3}'>集群IP
|
基于master_ssl.conf创建server.csr和server.crt文件
1 2 3 4
| openssl req -new -key server.key -subj "/CN=<master_hostname>" -config \ master_ssl.cnf -out server.csr openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt
|
kube-apiserver启动参数
1 2 3 4 5
| --client-ca-file=<ca_dir>/ca.crt --tls-private-key-file=<ca_dir>/server.key --tls-cert-file=<ca_dir>/server.crt --insecure-port=0 --secure-port=6443
|
kube-controller-manager证书
1 2 3 4
| openssl genrsa -out cs_client.key 2048 openssl req -new -key ca.key -subj "/CN=<master_hostname>" -out cs_client.csr openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -out cs_client.crt -days 5000
|
controller-manager.kubeconfig
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
| apiVersion: v1 kind: Config users: - name: controllermanager user: client-certificate: <ca_dir>/cs_client.crt client-key: <ca_dir>/cs_client.key clusters: - name: local cluster: certificate-authority: <ca_dir>/ca.crt server: https://<apiserver_ip>:6443 contexts: - context: cluster: local user: controllermanager name: my-context current-context: my-context
|
kube-controller-manger服务的启动参数
1 2 3
| --service-account-key-file=<ca_dir>/server.key --root-ca-file=<ca_dir>/ca.crt --kubeconfig=controller-manager.kubeconfig
|
kube-scheduler
启动参数
1
| --kubeconfig=controller-manager.kubeconfig
|
kubelet证书
1 2 3 4 5
| openssl genrsa -out kubelet_client.key 2048 openssl req -new -key kubelet_client.key -subj "/CN=<node_hostname>" -out \ kubele_client.csr openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key \ -CAcreateserial -out kubelet_client.cet -days 5000
|
kubelet.kubeconfig
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
| apiVersion: v1 kind: Config users: - name: kubelet user: client-certificate: <ca_dir>/kubelet_client.crt client-key: <ca_dir>/kubelet_client.key clusters: - name: local cluster: certificate-authority: <ca_dir>/ca.crt server: https://<api_server>:6443 contexts: - context: cluster: local user: kubelet name: my-context current-context: my-context
|
kubelet服务启动参数
1
| --kubeconfig=kubelet.kubeconfig
|
kube-proxy
1
| --kubeconfig=kubelet.kubeconfig
|
kubectl
安全访问apiserver
1 2 3 4
| kubectl --server=https://<apiserver>:6443 \ --certificate-authority=<ca_dir>/ca.crt \ --client-certificate=<ca_dir>/cs_client.crt \ --clinet-key=<ca_dir>/cs_client.key
|