我的书签
添加书签
移除书签创建 CA 证书和秘钥
kubernetes 系统各组件需要使用 TLS 证书对通信进行加密,本文档使用 CloudFlare 的 PKI 工具集 cfssl 来生成 Certificate Authority (CA) 证书和秘钥文件,CA 是自签名的证书,用来签名后续创建的其它 TLS 证书。
安装 CFSSL
$ wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64$ chmod +x cfssl_linux-amd64$ sudo mv cfssl_linux-amd64 /root/local/bin/cfssl$ wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64$ chmod +x cfssljson_linux-amd64$ sudo mv cfssljson_linux-amd64 /root/local/bin/cfssljson$ wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64$ chmod +x cfssl-certinfo_linux-amd64$ sudo mv cfssl-certinfo_linux-amd64 /root/local/bin/cfssl-certinfo$ export PATH=/root/local/bin:$PATH$ mkdir ssl$ cd ssl$ cfssl print-defaults config > config.json$ cfssl print-defaults csr > csr.json$
创建 CA (Certificate Authority)
创建 CA 配置文件:
$ cat ca-config.json{"signing": {"default": {"expiry": "8760h"},"profiles": {"kubernetes": {"usages": ["signing","key encipherment","server auth","client auth"],"expiry": "8760h"}}}}
ca-config.json:可以定义多个 profiles,分别指定不同的过期时间、使用场景等参数;后续在签名证书时使用某个 profile;signing:表示该证书可用于签名其它证书;生成的 ca.pem 证书中CA=TRUE;server auth:表示 client 可以用该 CA 对 server 提供的证书进行验证;client auth:表示 server 可以用该 CA 对 client 提供的证书进行验证;
创建 CA 证书签名请求:
$ cat ca-csr.json{"CN": "kubernetes","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "BeiJing","L": "BeiJing","O": "k8s","OU": "System"}]}
- “CN”:
Common Name,kube-apiserver 从证书中提取该字段作为请求的用户名 (User Name);浏览器使用该字段验证网站是否合法; - “O”:
Organization,kube-apiserver 从证书中提取该字段作为请求用户所属的组 (Group);
生成 CA 证书和私钥:
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca$ ls ca*ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem$
分发证书
将生成的 CA 证书、秘钥文件、配置文件拷贝到所有机器的 /etc/kubernetes/ssl 目录下
$ sudo mkdir -p /etc/kubernetes/ssl$ sudo cp ca* /etc/kubernetes/ssl$
校验证书
以校验 kubernetes 证书(后续部署 master 节点时生成的)为例:
使用 openssl 命令
$ openssl x509 -noout -text -in kubernetes.pem...Signature Algorithm: sha256WithRSAEncryptionIssuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=KubernetesValidityNot Before: Apr 5 05:36:00 2017 GMTNot After : Apr 5 05:36:00 2018 GMTSubject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes...X509v3 extensions:X509v3 Key Usage: criticalDigital Signature, Key EnciphermentX509v3 Extended Key Usage:TLS Web Server Authentication, TLS Web Client AuthenticationX509v3 Basic Constraints: criticalCA:FALSEX509v3 Subject Key Identifier:DD:52:04:43:10:13:A9:29:24:17:3A:0E:D7:14:DB:36:F8:6C:E0:E0X509v3 Authority Key Identifier:keyid:44:04:3B:60:BD:69:78:14:68:AF:A0:41:13:F6:17:07:13:63:58:CDX509v3 Subject Alternative Name:DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.64.3.7, IP Address:10.254.0.1...
- 确认
Issuer字段的内容和ca-csr.json一致; - 确认
Subject字段的内容和kubernetes-csr.json一致; - 确认
X509v3 Subject Alternative Name字段的内容和kubernetes-csr.json一致; - 确认
X509v3 Key Usage、Extended Key Usage字段的内容和ca-config.json中kubernetesprofile 一致;
使用 cfssl-certinfo 命令
$ cfssl-certinfo -cert kubernetes.pem...{"subject": {"common_name": "kubernetes","country": "CN","organization": "k8s","organizational_unit": "System","locality": "BeiJing","province": "BeiJing","names": ["CN","BeiJing","BeiJing","k8s","System","kubernetes"]},"issuer": {"common_name": "Kubernetes","country": "CN","organization": "k8s","organizational_unit": "System","locality": "BeiJing","province": "BeiJing","names": ["CN","BeiJing","BeiJing","k8s","System","Kubernetes"]},"serial_number": "174360492872423263473151971632292895707129022309","sans": ["kubernetes","kubernetes.default","kubernetes.default.svc","kubernetes.default.svc.cluster","kubernetes.default.svc.cluster.local","127.0.0.1","10.64.3.7","10.64.3.8","10.66.3.86","10.254.0.1"],"not_before": "2017-04-05T05:36:00Z","not_after": "2018-04-05T05:36:00Z","sigalg": "SHA256WithRSA",...
参考
