1. 自签证书颁发机构(CA)

# Work from the directory that will hold the CA material: the signing step
# later in this page reads ca.pem / ca-key.pem from the current directory, so
# every command below assumes this cd succeeded.
cd ~/TLS/k8s/

添加证书配置

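# cfssl signing policy. The default and the "kubernetes" profile both use an
# 87600h (10-year) validity, and the profile permits the cert for both server
# and client authentication. A 10-year leaf lifetime means no rotation; pick a
# shorter profile expiry if your operations allow re-issuing certificates.
# The heredoc delimiter is quoted so nothing in the JSON is shell-expanded.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF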

CA 证书签名请求(CSR)配置文件

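# CSR definition for the self-signed CA: RSA-2048 key, CN "kubernetes".
# The "names" block only sets the subject DN; it has no effect on trust.
# Quoted delimiter: the JSON is written verbatim, no shell expansion.
cat > ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF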

生成证书

# Self-sign the CA. cfssljson -bare ca writes ca.pem (CA certificate),
# ca-key.pem (CA private key) and ca.csr into the current directory.
# ca-key.pem can sign any certificate this cluster will trust: restrict its
# file permissions and do not copy it to nodes that only need ca.pem.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

返回

2020/12/10 10:30:39 [INFO] generating a new CA key and certificate from CSR
2020/12/10 10:30:39 [INFO] generate received request
2020/12/10 10:30:39 [INFO] received CSR
2020/12/10 10:30:39 [INFO] generating key: rsa-2048
2020/12/10 10:30:39 [INFO] encoded CSR
2020/12/10 10:30:39 [INFO] signed certificate with serial number 508765048193684533254237079649547252392799853230

 

2. 使用自签 CA 签发 kube-apiserver HTTPS 证书

添加 kube-apiserver 证书签名请求配置模板

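# List every address clients will use to reach kube-apiserver in "hosts":
# the node IPs of your existing cluster (replace the 192.168.1.x entries),
# 127.0.0.1, 10.0.0.1 (presumably the first service ClusterIP — confirm it
# matches your service CIDR) and the in-cluster DNS names. Any address missing
# here fails TLS hostname verification; add a load-balancer / VIP address if
# one fronts the apiservers. Quoted delimiter: JSON written verbatim.
cat > server-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "192.168.1.20",
    "192.168.1.21",
    "192.168.1.22",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF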

基于模板生成证书

# Issue the apiserver serving certificate with the CA from step 1, using the
# "kubernetes" profile (server auth + client auth, 87600h). cfssljson -bare
# server writes server.pem, server-key.pem and server.csr into the current
# directory; server-key.pem is the apiserver's private key and needs the same
# permission care as ca-key.pem.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

返回

2020/12/10 10:33:12 [INFO] generate received request
2020/12/10 10:33:12 [INFO] received CSR
2020/12/10 10:33:12 [INFO] generating key: rsa-2048
2020/12/10 10:33:12 [INFO] encoded CSR
2020/12/10 10:33:12 [INFO] signed certificate with serial number 632900405188531087137693603849237688048281011443
2020/12/10 10:33:12 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

3. 查看生成的证书文件

[root@k8s-master01 k8s]# ls server*.pem
server-key.pem  server.pem

 
