Kubernetes学习笔记(一):Kubernetes-1.7.x 创建TLS证书和密钥
安装CFSSL
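# Install the CFSSL toolchain (cfssl, cfssljson, cfssl-certinfo) into /usr/local/bin.
# These binaries will hold and use the cluster CA key, so treat them as part of the
# trust base: pin the release, and verify each download against a hash you obtained
# out of band (or build from source) before running it on the CA host -- plain HTTPS
# alone only tells you the download was not tampered with in transit.
set -euo pipefail

cfssl_release="R1.2"
bin_dir="/usr/local/bin"

for tool in cfssl cfssljson cfssl-certinfo; do
  wget "https://pkg.cfssl.org/${cfssl_release}/${tool}_linux-amd64" -O "${bin_dir}/${tool}"
  # Explicit mode rather than `chmod +x /usr/local/bin/cfssl*`, which would also
  # touch any unrelated file whose name happens to start with "cfssl".
  chmod 0755 -- "${bin_dir}/${tool}"
done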
创建CA(Certificate Authority)
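# Create the cluster CA: the signing policy (ca-config.json), the CA CSR
# (ca-csr.json) and the self-signed CA certificate and key (ca.pem, ca-key.pem).
# Run this on the machine that will keep the CA key; ca-key.pem must never be
# copied to cluster nodes -- whoever holds it can mint any client identity the
# API server trusts, including system:masters.
set -euo pipefail

# Signing policy. The single "kubernetes" profile is kept because every signing
# command below selects it with -profile=kubernetes, but note that it carries
# BOTH "server auth" and "client auth": any certificate issued from it can also
# be presented as a TLS client, so the subject (CN/O) of each certificate alone
# decides what it is allowed to do. 87600h is ten years; shorten it if you have
# any rotation process at all.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      }
    }
  }
}
EOF

# CA certificate signing request. CN/names here only identify the issuer.
cat > ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" }
  ]
}
EOF

# Self-signed CA. cfssljson is expected to write ca-key.pem with mode 0600;
# check with `ls -l ca-key.pem` and keep it that way.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca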
创建kube-apiserver证书
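# Issue the kube-apiserver SERVING certificate (kube-apiserver.pem, kube-apiserver-key.pem).
# Requires ca.pem, ca-key.pem and ca-config.json from the CA step in the current directory.
# (The original transcript wrote the defaults to kubernetes-csr.json but then edited and
# signed kube-apiserver-csr.json; this writes the intended file directly.)
set -euo pipefail

# SANs the API server is reachable as: loopback, the in-cluster service IP
# (the FIRST address of --service-cluster-ip-range, 10.254.0.1 here -- change
# it if your range differs), every master's IP, and the in-cluster DNS names.
# Clients that connect to a name or IP missing from this list fail TLS
# verification.
#
# Subject O is deliberately the neutral "k8s". This is a server certificate,
# but the "kubernetes" profile also permits client auth, so giving it
# O "system:masters" (as the original note suggested) would turn it into a
# cluster-admin client credential wherever it is presented as a client cert.
# Using this cert as a kubectl credential being rejected is therefore expected;
# if the API server itself must authenticate to something (e.g. the kubelet API
# via --kubelet-client-certificate), issue it a separate client certificate.
cat > kube-apiserver-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "10.254.0.1",
    "192.168.100.110",
    "192.168.100.111",
    "192.168.100.112",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-apiserver-csr.json | cfssljson -bare kube-apiserver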
创建kube-controller-manager证书
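# Issue the kube-controller-manager CLIENT certificate
# (kube-controller-manager.pem, kube-controller-manager-key.pem).
# Requires ca.pem, ca-key.pem and ca-config.json from the CA step in the current directory.
set -euo pipefail

# "hosts" is empty: this certificate only authenticates the controller manager
# to the API server, it is never used as a serving cert. The CN
# "system:kube-controller-manager" is the user the built-in RBAC binding for
# the controller manager grants rights to; the O value merely mirrors it.
cat > kube-controller-manager-csr.json <<'EOF'
{
  "CN": "system:kube-controller-manager",
  "hosts": [],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:kube-controller-manager", "OU": "System" }
  ]
}
EOF

# Sign the controller-manager certificate and key (the original comment said
# "admin" here; it is the controller-manager pair that is produced).
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager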
创建kube-scheduler证书
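# Issue the kube-scheduler CLIENT certificate (kube-scheduler.pem, kube-scheduler-key.pem).
# Requires ca.pem, ca-key.pem and ca-config.json from the CA step in the current directory.
# (The original transcript wrote the defaults to admin-csr.json and then signed
# kube-scheduler-csr.json; this writes the intended file directly.)
set -euo pipefail

# Client-only certificate, hence the empty "hosts". The CN
# "system:kube-scheduler" is the user the built-in RBAC binding for the
# scheduler grants rights to; the O value merely mirrors it.
cat > kube-scheduler-csr.json <<'EOF'
{
  "CN": "system:kube-scheduler",
  "hosts": [],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:kube-scheduler", "OU": "System" }
  ]
}
EOF

# Sign the scheduler certificate and key (the original comment said "admin";
# it is the scheduler pair that is produced).
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-scheduler-csr.json | cfssljson -bare kube-scheduler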
创建kubelet证书
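# Issue a kubelet CLIENT certificate for ONE node (kubelet.pem, kubelet-key.pem).
# Requires ca.pem, ca-key.pem and ca-config.json from the CA step in the current directory.
#
# The original CSR used CN "kubelet" with O "system:masters". The system:masters
# group is bound to cluster-admin, so that hands every node a full-admin
# credential and a single compromised kubelet owns the whole cluster.
# Kubernetes authorizes kubelets by subject instead: CN "system:node:<nodeName>"
# in group O "system:nodes", which is what the system:node role binding (and,
# from 1.7 on, the Node authorizer) key on. That also means one certificate per
# node, named after the node.
set -euo pipefail

# Must equal the name the kubelet registers with (its hostname unless it runs
# with --hostname-override). Set NODE_NAME=... when generating on another host.
node_name="${NODE_NAME:-$(hostname)}"

# "hosts" is empty because this is a client certificate only. If the same file
# is also handed to the kubelet as --tls-cert-file, add the node's name and IP.
cat > kubelet-csr.json <<EOF
{
  "CN": "system:node:${node_name}",
  "hosts": [],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:nodes", "OU": "System" }
  ]
}
EOF

# The output basename stays "kubelet" so later steps that expect kubelet.pem
# keep working; because each node needs its own certificate, run this once per
# node and move the files aside (or onto that node) before the next run.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kubelet-csr.json | cfssljson -bare kubelet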
创建kube-proxy证书
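# Issue the kube-proxy CLIENT certificate (kube-proxy.pem, kube-proxy-key.pem).
# Requires ca.pem, ca-key.pem and ca-config.json from the CA step in the current directory.
set -euo pipefail

# Client-only certificate, hence the empty "hosts". The built-in
# system:node-proxier binding grants rights to the USER "system:kube-proxy",
# i.e. to this CN; the O value below is not what authorizes kube-proxy, so do
# not "upgrade" it to a privileged group such as system:masters.
cat > kube-proxy-csr.json <<'EOF'
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:node-proxier", "OU": "System" }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy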
证书校验
# Inspect an issued certificate before distributing it. Things to check in the
# output: subject.organization is not a privileged group, "sans" covers every
# name and IP clients will use, not_after matches the configured expiry.
# NOTE(review): the output captured below does NOT match the CSR and signing
# config shown earlier on this page -- its subject O is "system:masters", its
# SAN list contains 10.10.0.1 rather than 10.254.0.1, and it is valid for one
# year rather than 87600h -- so it was evidently issued from a different CSR and
# config. A serving certificate carrying O=system:masters is at the same time a
# cluster-admin client credential (the profile allows client auth); do not ship
# one like this.
# cfssl-certinfo -cert kube-apiserver.pem {"subject": {"common_name": "kubernetes","country": "CN","organization": "system:masters","organizational_unit": "System","locality": "BeiJing","province": "BeiJing","names": ["CN","BeiJing","BeiJing","system:masters","System","kubernetes"]},"issuer": {"common_name": "kubernetes","country": "CN","organization": "k8s","organizational_unit": "System","locality": "BeiJing","province": "BeiJing","names": ["CN","BeiJing","BeiJing","k8s","System","kubernetes"]},"serial_number": "533666226632105718421042600083075622217402341392","sans": ["kubernetes","kubernetes.default","kubernetes.default.svc","kubernetes.default.svc.cluster","kubernetes.default.svc.cluster.local","127.0.0.1","10.10.0.1","192.168.100.110","192.168.100.111","192.168.100.112"],"not_before": "2017-07-31T08:57:00Z","not_after": "2018-07-31T08:57:00Z","sigalg": "SHA256WithRSA","authority_key_id": "6B:68:CF:57:62:6B:60:7E:F3:2C:AC:1A:20:6F:27:6A:EA:84:98:A8","subject_key_id": "3C:6C:67:14:69:F8:42:2A:5C:3C:28:65:B6:A3:95:80:49:A6:6:C","pem": "-----BEGIN 
CERTIFICATE-----\nMIIEkDCCA3igAwIBAgIUXXpr1pOjvLUxQVv+JMKjwgvQ2BAwDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl\naUppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE3MDczMTA4NTcwMFoXDTE4MDczMTA4NTcwMFowcDELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxFzAV\nBgNVBAoTDnN5c3RlbTptYXN0ZXJzMQ8wDQYDVQQLEwZTeXN0ZW0xEzARBgNVBAMT\nCmt1YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIxzDb\nQP5zp8k8ydDrZPfV8KDkWWDnFvNhE2R0XUeD8d3A/MCjqTZh+ugtDZanzWx4HoYb\nTEnYJZbpKnVb99gQ+laIHLOs6pwl+ADC7k6DStUv4wSBZkHzHTMxjmAxdwemyVEL\nAJfZonchEIb9ouMwLTVSLjjr63DVbg0cRDaEQ+PQFcPenMCzisQniytut6z8wJX0\nbB6Qsb8RrVLusIUy/GjwWor11GV0FrScujKDnH37rN0Xj5cMe3Zd0jj4Jv641fLs\nkIpipXSXFkFTSB2ApdOT61bO4A1qoQlxni8/nJqVri4NKW6AAsq4cAisxYD7N/uU\n2ih2+FIkKqohpXe1AgMBAAGjggErMIIBJzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l\nBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE\nFDxsZxRp+EIqXDwoZbajlYBJpgYMMB8GA1UdIwQYMBaAFGtoz1dia2B+8yysGiBv\nJ2rqhJioMIGnBgNVHREEgZ8wgZyCCmt1YmVybmV0ZXOCEmt1YmVybmV0ZXMuZGVm\nYXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0LnN2Y4Iea3ViZXJuZXRlcy5kZWZhdWx0\nLnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9j\nYWyHBH8AAAGHBAoKAAGHBMCoZG6HBMCoZG+HBMCoZHAwDQYJKoZIhvcNAQELBQAD\nggEBADNlsPPPhcx3HpjztYmE7vtH6d+8kB8bhML+fWMD17xOnE1xM5mi62tcP8vf\nbQ9v6Q4L6EKXyruvkkSiQsdoQLF5rj3PBqF1vxw8StLY04YSP1Jn11ftl9akAbvh\nUJPXTzIRPfqzkrvQwwZS3clYly3mQNgEv60Rrnc1gvRxyWFu0lOpbldoZUamYOYJ\nV2w+dPmLM8kdy5pIg5dndNBUi9oSqCOpCMaFeJgKLmSmTWHLhzUoXwOvSrrBsaK4\n/57/fXF5bkTaBwwG7O2QAvzwJFKzGsjkQiAcgZCy7FhRgprQYeg6gTIn5RvpmydC\nkaZmIrJkdAN7RXJZ4fbUxu+whkc=\n-----END CERTIFICATE-----\n" }
分发证书
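# Install the issued certificates into /etc/kubernetes/ssl on a node.
# The original `cp /tmp/ssl/*.pem` copied EVERYTHING, including ca-key.pem,
# to every node. The CA private key must stay on the CA host: with it anyone
# can sign a system:masters client certificate for this cluster. This version
# refuses to copy it, installs private keys with mode 0600 regardless of how
# they were staged, and lets the staging directory be overridden (the signing
# steps above write to the current directory, not /tmp/ssl).
set -euo pipefail

src_dir="${SSL_SRC_DIR:-/tmp/ssl}"
dst_dir="/etc/kubernetes/ssl"

install -d -m 0755 -- "${dst_dir}"

for pem in "${src_dir}"/*.pem; do
  [[ -e "${pem}" ]] || continue   # no matches: leave the literal glob alone
  base="${pem##*/}"
  if [[ "${base}" == "ca-key.pem" ]]; then
    printf 'refusing to install %s: the CA private key must not leave the CA host\n' "${pem}" >&2
    continue
  fi
  if [[ "${base}" == *-key.pem ]]; then
    # Private keys: owner-readable only, even if the staging copy was looser.
    install -m 0600 -- "${pem}" "${dst_dir}/${base}"
  else
    # Certificates are public; 0644 lets non-root components read them.
    install -m 0644 -- "${pem}" "${dst_dir}/${base}"
  fi
done

# Ideally copy only the pairs a given node actually runs (a worker needs
# ca.pem, kubelet*, kube-proxy*; not the apiserver or controller keys); prune
# the staging directory accordingly before running this.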
转载于:https://blog.51cto.com/hypocritical/1909516