2.2.1 Certificate-signing environment
The signing environment is deployed on the pg60-200.k8s.host.com VM. Everything below runs as root on that host; the CA private key generated here should stay on it.
2.2.2 Install the cfssl toolset
- shell> wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
- shell> wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssljson
- shell> wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
- shell> chmod +x /usr/bin/cfssl*
2.2.3 Create the CA signing configuration file
The "default" expiry applies to any certificate signed without an explicit profile; each profile below sets its own expiry and key usages (175200h is 20 years).
- shell> mkdir -p /root/certs/
- shell> cat > /root/certs/ca-config.json <<EOF
- {
- "signing": {
- "default": {
- "expiry": "175200h"
- },
- "profiles": {
- "server": {
- "expiry": "175200h",
- "usages": [
- "signing",
- "key encipherment",
- "server auth"
- ]
- },
- "client": {
- "expiry": "175200h",
- "usages": [
- "signing",
- "key encipherment",
- "client auth"
- ]
- },
- "peer": {
- "expiry": "175200h",
- "usages": [
- "signing",
- "key encipherment",
- "server auth",
- "client auth"
- ]
- }
- }
- }
- }
- EOF
Certificate types (the three profiles above)
client certificate: used by a client; the server uses it to authenticate the client, e.g. etcdctl, etcd proxy, fleetctl, the docker client
server certificate: used by a server; the client uses it to verify the server's identity, e.g. the docker daemon, kube-apiserver
peer certificate: a bidirectional certificate carrying both server auth and client auth, used for communication between etcd cluster members
2.2.4 Create the JSON file describing the CA certificate signing request (CSR)
- shell> cat > /root/certs/ca-csr.json <<EOF
- {
- "CN": "kubernetes-ca",
- "hosts": [
- ],
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "CN",
- "ST": "BeiJing",
- "L": "BeiJing",
- "O": "91donkey",
- "OU": "ops"
- }
- ],
- "ca": {
- "expiry": "175200h"
- }
- }
- EOF
CN: Common Name. In a server certificate this is the name a browser historically matched against the site, so it is usually the domain name; modern clients match the subjectAltName entries (the "hosts" list) instead. For a CA certificate it is simply the CA's own name, here kubernetes-ca, which is why "hosts" is left empty.
C: Country
ST: State or province
L: Locality, the city
O: Organization Name, the company name
OU: Organizational Unit Name, the department within the company
2.2.5 Generate the CA certificate and private key
- shell> cd /root/certs/
- shell> cfssl gencert -initca ca-csr.json | cfssljson -bare ca
- 2020/05/07 17:02:13 [INFO] generating a new CA key and certificate from CSR
- 2020/05/07 17:02:13 [INFO] generate received request
- 2020/05/07 17:02:13 [INFO] received CSR
- 2020/05/07 17:02:13 [INFO] generating key: rsa-2048
- 2020/05/07 17:02:14 [INFO] encoded CSR
- 2020/05/07 17:02:14 [INFO] signed certificate with serial number 237666177909094359140132770488308941288355378409
- shell> ls ca*
- ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
2.2.6 Distribute the certificate files
- # Note: the /etc/kubernetes/pki directory must be created on both Master and Node hosts
- # shell> mkdir -p /etc/kubernetes/pki/
- # Only the signing host and the control plane need ca-key.pem; a worker node only needs ca.pem to verify the API server, so copy just ca.pem to nodes if you want to keep the CA key off them.
- shell> scp ca*.pem root@${master_ip}:/etc/kubernetes/pki/
- shell> scp ca*.pem root@${node_ip}:/etc/kubernetes/pki/
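The CA above is only useful once leaf certificates are signed with its profiles. The following added example (not part of the original page) shows the next step: building a CSR JSON for a leaf certificate, signing it with the "server" or "client" profile from ca-config.json, and checking that the result chains to ca.pem and carries the intended Extended Key Usage. cfssl, cfssljson and openssl are the real tools; the function names make_csr_json, issue_cert and verify_cert, the service IP 10.96.0.1 and the in-cluster DNS names are this example's own assumptions, as is the CERT_DIR default of /root/certs. The CN of a Kubernetes client certificate is the user name and O is the group, which is why the admin certificate below uses O=system:masters.

```shell
#!/bin/bash
# Added example (not from the original page): issue leaf certificates from the
# CA built in 2.2.5 using the server/client profiles of ca-config.json, then
# verify the result. make_csr_json, issue_cert, verify_cert, the example SANs
# and the CERT_DIR default are assumptions made for this example.
set -eu

CERT_DIR="${CERT_DIR:-/root/certs}"   # holds ca.pem, ca-key.pem, ca-config.json

# Print a CSR JSON for a leaf certificate.
#   $1 = CN  (Kubernetes treats the CN of a client cert as the user name)
#   $2 = O   (Kubernetes treats O as the group, e.g. system:masters)
#   $3.. = SANs; cfssl writes them into subjectAltName, which is what
#          clients actually match against, CN alone is not enough.
make_csr_json() {
  local cn="$1" org="$2" hosts="" h
  shift 2
  for h in "$@"; do
    hosts="${hosts:+$hosts,}\"$h\""
  done
  printf '{"CN":"%s","hosts":[%s],"key":{"algo":"rsa","size":2048},"names":[{"C":"CN","ST":"BeiJing","L":"BeiJing","O":"%s","OU":"ops"}]}\n' \
    "$cn" "$hosts" "$org"
}

# Sign CERT_DIR/$2-csr.json with the CA using profile $1 (server|client|peer).
# Produces $2.pem, $2-key.pem and $2.csr in CERT_DIR.
issue_cert() {
  local profile="$1" name="$2" out
  # Capture cfssl's output first so a signing failure aborts under set -e
  # instead of being masked by the pipe into cfssljson.
  out=$(cfssl gencert \
    -ca="$CERT_DIR/ca.pem" -ca-key="$CERT_DIR/ca-key.pem" \
    -config="$CERT_DIR/ca-config.json" -profile="$profile" \
    "$CERT_DIR/$name-csr.json")
  printf '%s\n' "$out" | cfssljson -bare "$CERT_DIR/$name"
  chmod 0600 "$CERT_DIR/$name-key.pem"
}

# Fail unless $1.pem chains to ca.pem and its Extended Key Usage contains $2
# (e.g. "TLS Web Server Authentication" for the server profile).
verify_cert() {
  local name="$1" want_eku="$2"
  openssl verify -CAfile "$CERT_DIR/ca.pem" "$CERT_DIR/$name.pem" >/dev/null
  openssl x509 -in "$CERT_DIR/$name.pem" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' | grep -q "$want_eku"
}

# Run the signing steps only when invoked as "script issue", so the functions
# can also be sourced without touching the CA.
if [ "${1:-}" = "issue" ]; then
  # kube-apiserver server cert: assumed service IP 10.96.0.1 plus the
  # in-cluster DNS names clients use to reach the API server.
  make_csr_json kube-apiserver 91donkey \
    127.0.0.1 10.96.0.1 kubernetes kubernetes.default \
    kubernetes.default.svc kubernetes.default.svc.cluster.local \
    > "$CERT_DIR/kube-apiserver-csr.json"
  issue_cert server kube-apiserver
  verify_cert kube-apiserver "TLS Web Server Authentication"

  # admin client cert: no SANs; O=system:masters maps to cluster-admin via RBAC.
  make_csr_json admin system:masters > "$CERT_DIR/admin-csr.json"
  issue_cert client admin
  verify_cert admin "TLS Web Client Authentication"
fi
```

Run it on the signing host as `./issue-certs.sh issue` after 2.2.5; the private keys it writes get mode 0600 because cfssljson creates them world-readable by default. The verify step catches the two mistakes that most often surface only at cluster start-up: a certificate signed with the wrong profile (missing EKU) and one signed by a stale CA (chain failure).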
Source: http://www.bubuko.com/infodetail-3602426.html