安装CFSSL

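#!/usr/bin/env bash
# Install the CFSSL toolchain (cfssl, cfssljson, cfssl-certinfo).
#
# Supply-chain note: the original page fetched the R1.2 binaries straight into
# /usr/local/bin with no integrity check.  These tools will mint every
# credential in the cluster, so they are staged in a temp dir first and their
# SHA-256 digests printed; compare them against the values published for this
# release before trusting them.  R1.2 is an old release — newer releases ship
# checksum files next to the binaries, which makes this check scriptable.
set -euo pipefail

CFSSL_RELEASE=R1.2
CFSSL_BASE_URL="https://pkg.cfssl.org/${CFSSL_RELEASE}"
CFSSL_TOOLS=(cfssl cfssljson cfssl-certinfo)

stage=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -rf -- "$stage"' EXIT

for tool in "${CFSSL_TOOLS[@]}"; do
  # `wget -O /usr/local/bin/...` would leave a truncated file in PATH on a
  # failed download; download everything first, install only on success.
  wget -q "${CFSSL_BASE_URL}/${tool}_linux-amd64" -O "${stage}/${tool}"
done

# Operator check: these digests must match the upstream published values.
sha256sum "${stage}"/*

for tool in "${CFSSL_TOOLS[@]}"; do
  install -m 0755 -- "${stage}/${tool}" "/usr/local/bin/${tool}"
done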

创建CA(Certificate Authority)

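# Create the cluster CA and its signing policy.
set -euo pipefail

# Signing policy.  Two changes from the original page:
#  * leaf validity is 1 year (8760h) instead of 10 — Kubernetes performs no
#    CRL/OCSP checking, so expiry is the only revocation you get;
#  * the combined `kubernetes` profile (server auth + client auth) is kept so
#    the following steps keep working unchanged, but dedicated `server` and
#    `client` profiles are added; prefer them so that e.g. a kube-proxy or
#    scheduler client certificate cannot also be presented as a TLS server.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {"expiry": "8760h"},
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      },
      "server": {
        "usages": ["signing", "key encipherment", "server auth"],
        "expiry": "8760h"
      },
      "client": {
        "usages": ["signing", "key encipherment", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF

# CA certificate signing request.  `ca.expiry` is given explicitly: the
# signing.default expiry above governs leaf certs, not `gencert -initca`,
# which otherwise applies cfssl's own built-in CA lifetime.
cat > ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": {"algo": "rsa", "size": 2048},
  "ca": {"expiry": "87600h"},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}]
}
EOF

# Produces ca.pem, ca-key.pem and ca.csr.  ca-key.pem can sign a credential
# for any identity in the cluster: keep it off the nodes (see the
# distribution step) and ideally off the network entirely.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
chmod 0600 ca-key.pem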

创建kube-apiserver证书

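# Issue the API server's TLS serving certificate.
#
# The original page noted that this certificate gets "Unauthorized" when used
# as a client credential against the API and suggested setting
# O=system:masters to fix that.  Do not: O is mapped to the Kubernetes group,
# so the serving certificate — which sits on every master and is presented to
# every client — would carry cluster-admin.  Keep O=k8s here.  If the API
# server must authenticate to kubelets, issue a separate client-only
# certificate for that and pass it via --kubelet-client-certificate /
# --kubelet-client-key rather than widening this one.
set -euo pipefail

# hosts is the SAN list — the only names/IPs clients will accept.  It must
# contain every master IP, any load-balancer VIP or DNS name in front of them,
# 127.0.0.1 if components connect locally, and the first IP of
# --service-cluster-ip-range (10.254.0.1 below; adjust to your range).
cat > kube-apiserver-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "10.254.0.1",
    "192.168.100.110",
    "192.168.100.111",
    "192.168.100.112",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}]
}
EOF

# Writes kube-apiserver.pem, kube-apiserver-key.pem and kube-apiserver.csr.
# `kubernetes` is the combined server+client profile from ca-config.json; if
# a server-only profile is defined there, use it for this certificate.
cfssl gencert -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-apiserver-csr.json | cfssljson -bare kube-apiserver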

创建kube-controller-manager证书

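# Issue the kube-controller-manager client certificate.
set -euo pipefail

# CN is the user name the API server authenticates; the bootstrap RBAC
# binding for the controller manager targets this user, so no extra group is
# needed.  hosts is empty because this is a client credential, not a serving
# certificate.
cat > kube-controller-manager-csr.json <<'EOF'
{
  "CN": "system:kube-controller-manager",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:kube-controller-manager", "OU": "System"}]
}
EOF

# Writes kube-controller-manager.pem and kube-controller-manager-key.pem
# (the original page's comment called this the "admin" certificate — it is
# not).  If ca-config.json defines a client-only profile, use it here
# instead of the combined `kubernetes` profile.
cfssl gencert -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager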

创建kube-scheduler证书

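# Issue the kube-scheduler client certificate.
set -euo pipefail

# The original page wrote the template to admin-csr.json and then showed
# kube-scheduler-csr.json — one file name is used throughout here.  CN is the
# user name the API server authenticates (the bootstrap RBAC binding for the
# scheduler targets this user); hosts is empty because this is a client
# credential, not a serving certificate.
cat > kube-scheduler-csr.json <<'EOF'
{
  "CN": "system:kube-scheduler",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:kube-scheduler", "OU": "System"}]
}
EOF

# Writes kube-scheduler.pem and kube-scheduler-key.pem.  If ca-config.json
# defines a client-only profile, use it instead of the combined `kubernetes`
# profile.
cfssl gencert -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-scheduler-csr.json | cfssljson -bare kube-scheduler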

创建kubelet证书

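# Issue a kubelet client certificate.
#
# The original page issued one shared certificate with CN=kubelet and
# O=system:masters, i.e. every node held a cluster-admin credential: reading
# /etc/kubernetes/ssl on any worker would have yielded full control of the
# cluster.  Kubelets are meant to authenticate as system:node:<name> in the
# group system:nodes, which is what the node-scoped authorization (the
# system:node role / Node authorizer) is keyed on.  Run this once per node.
set -euo pipefail

NODE_NAME=${1:-$(hostname)}   # must equal the name the kubelet registers with

# hosts is empty because this is a client certificate.  If the same file is
# also handed to the kubelet as --tls-cert-file, add the node's hostname and
# IP here — or, better, issue a separate serving certificate.
cat > kubelet-csr.json <<EOF
{
  "CN": "system:node:${NODE_NAME}",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:nodes", "OU": "System"}]
}
EOF

# Output stays kubelet.pem / kubelet-key.pem so the distribution step is
# unchanged; copy the pair to its node before issuing the next node's.  If
# ca-config.json defines a client-only profile, use it instead of the
# combined `kubernetes` profile.
cfssl gencert -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kubelet-csr.json | cfssljson -bare kubelet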

创建kube-proxy证书

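# Issue the kube-proxy client certificate.
set -euo pipefail

# CN is the user name the API server authenticates; the bootstrap RBAC
# binding system:node-proxier targets the user system:kube-proxy, so that is
# what grants access — O=system:node-proxier is kept from the original page
# and is harmless.  hosts is empty because this is a client credential.
cat > kube-proxy-csr.json <<'EOF'
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:node-proxier", "OU": "System"}]
}
EOF

# Writes kube-proxy.pem and kube-proxy-key.pem.  If ca-config.json defines a
# client-only profile, use it instead of the combined `kubernetes` profile.
cfssl gencert -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy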

证书校验

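# Verify what was actually issued — the certificate, not the CSR, is what the
# cluster will trust.
set -euo pipefail

# Every leaf must chain to the ca.pem that the API server and kubelets will
# be given; a cert signed by a stale or different CA fails only at runtime.
for leaf in kube-apiserver kube-controller-manager kube-scheduler kubelet kube-proxy; do
  [[ -f "${leaf}.pem" ]] || continue   # e.g. kubelet certs issued per node elsewhere
  openssl verify -CAfile ca.pem "${leaf}.pem"
done

# Things to read off the output that follows:
#  * subject.organization is the Kubernetes group: a serving certificate must
#    not carry system:masters.  The sample output on this page shows an API
#    server cert that does (O=system:masters while the CSR above says O=k8s)
#    — if yours does too, regenerate it;
#  * sans must contain every name and IP clients will use, including the
#    first IP of --service-cluster-ip-range.  The sample shows 10.10.0.1
#    while the CSR above lists 10.254.0.1 — they must agree;
#  * not_after is the effective revocation date; the sample cert is valid for
#    one year, not the 87600h in the config shown, so the config actually used
#    differed from the one printed.
cfssl-certinfo -cert kube-apiserver.pem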
{"subject": {"common_name": "kubernetes","country": "CN","organization": "system:masters","organizational_unit": "System","locality": "BeiJing","province": "BeiJing","names": ["CN","BeiJing","BeiJing","system:masters","System","kubernetes"]},"issuer": {"common_name": "kubernetes","country": "CN","organization": "k8s","organizational_unit": "System","locality": "BeiJing","province": "BeiJing","names": ["CN","BeiJing","BeiJing","k8s","System","kubernetes"]},"serial_number": "533666226632105718421042600083075622217402341392","sans": ["kubernetes","kubernetes.default","kubernetes.default.svc","kubernetes.default.svc.cluster","kubernetes.default.svc.cluster.local","127.0.0.1","10.10.0.1","192.168.100.110","192.168.100.111","192.168.100.112"],"not_before": "2017-07-31T08:57:00Z","not_after": "2018-07-31T08:57:00Z","sigalg": "SHA256WithRSA","authority_key_id": "6B:68:CF:57:62:6B:60:7E:F3:2C:AC:1A:20:6F:27:6A:EA:84:98:A8","subject_key_id": "3C:6C:67:14:69:F8:42:2A:5C:3C:28:65:B6:A3:95:80:49:A6:6:C","pem": "-----BEGIN 
CERTIFICATE-----\nMIIEkDCCA3igAwIBAgIUXXpr1pOjvLUxQVv+JMKjwgvQ2BAwDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl\naUppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE3MDczMTA4NTcwMFoXDTE4MDczMTA4NTcwMFowcDELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxFzAV\nBgNVBAoTDnN5c3RlbTptYXN0ZXJzMQ8wDQYDVQQLEwZTeXN0ZW0xEzARBgNVBAMT\nCmt1YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIxzDb\nQP5zp8k8ydDrZPfV8KDkWWDnFvNhE2R0XUeD8d3A/MCjqTZh+ugtDZanzWx4HoYb\nTEnYJZbpKnVb99gQ+laIHLOs6pwl+ADC7k6DStUv4wSBZkHzHTMxjmAxdwemyVEL\nAJfZonchEIb9ouMwLTVSLjjr63DVbg0cRDaEQ+PQFcPenMCzisQniytut6z8wJX0\nbB6Qsb8RrVLusIUy/GjwWor11GV0FrScujKDnH37rN0Xj5cMe3Zd0jj4Jv641fLs\nkIpipXSXFkFTSB2ApdOT61bO4A1qoQlxni8/nJqVri4NKW6AAsq4cAisxYD7N/uU\n2ih2+FIkKqohpXe1AgMBAAGjggErMIIBJzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l\nBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE\nFDxsZxRp+EIqXDwoZbajlYBJpgYMMB8GA1UdIwQYMBaAFGtoz1dia2B+8yysGiBv\nJ2rqhJioMIGnBgNVHREEgZ8wgZyCCmt1YmVybmV0ZXOCEmt1YmVybmV0ZXMuZGVm\nYXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0LnN2Y4Iea3ViZXJuZXRlcy5kZWZhdWx0\nLnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9j\nYWyHBH8AAAGHBAoKAAGHBMCoZG6HBMCoZG+HBMCoZHAwDQYJKoZIhvcNAQELBQAD\nggEBADNlsPPPhcx3HpjztYmE7vtH6d+8kB8bhML+fWMD17xOnE1xM5mi62tcP8vf\nbQ9v6Q4L6EKXyruvkkSiQsdoQLF5rj3PBqF1vxw8StLY04YSP1Jn11ftl9akAbvh\nUJPXTzIRPfqzkrvQwwZS3clYly3mQNgEv60Rrnc1gvRxyWFu0lOpbldoZUamYOYJ\nV2w+dPmLM8kdy5pIg5dndNBUi9oSqCOpCMaFeJgKLmSmTWHLhzUoXwOvSrrBsaK4\n/57/fXF5bkTaBwwG7O2QAvzwJFKzGsjkQiAcgZCy7FhRgprQYeg6gTIn5RvpmydC\nkaZmIrJkdAN7RXJZ4fbUxu+whkc=\n-----END CERTIFICATE-----\n"
}

分发证书

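# Install the certificates a host needs into /etc/kubernetes/ssl.
#
# The original `cp /tmp/ssl/*.pem` copied ca-key.pem and every component's
# private key onto every host.  Anyone who can read that directory on a
# worker could then mint arbitrary cluster credentials.  Here only ca.pem and
# the pairs for the components this host actually runs are installed, and
# private keys are mode 0600.
set -euo pipefail

SSL_SRC=${SSL_SRC:-/tmp/ssl}   # where the earlier steps wrote the *.pem files
SSL_DEST=/etc/kubernetes/ssl
# Masters and workers need different subsets; override per host, e.g.
# COMPONENTS="kubelet kube-proxy" on a worker.
COMPONENTS=${COMPONENTS:-kube-apiserver kube-controller-manager kube-scheduler kubelet kube-proxy}

install -d -m 0755 -- "$SSL_DEST"
install -m 0644 -- "$SSL_SRC/ca.pem" "$SSL_DEST/ca.pem"

# shellcheck disable=SC2086  # intentional word-split of the space-separated list
for component in $COMPONENTS; do
  install -m 0644 -- "$SSL_SRC/$component.pem"     "$SSL_DEST/$component.pem"
  install -m 0600 -- "$SSL_SRC/$component-key.pem" "$SSL_DEST/$component-key.pem"
done

# ca-key.pem is deliberately never copied: it belongs on the signing host
# only (ideally offline), not on any cluster node.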

转载于:https://blog.51cto.com/hypocritical/1909516
