kubernetes 提供了多种安全认证机制, 其中对于集群通讯间可采用 TLS(https) 双向认证机制,也可采用基于 Token 或用户名密码的单向 tls 认证。k8s一般在内网部署,采用私有 IP 地址进行通讯,权威CA只能签署域名证书,我们这里采用自建CA。

创建TLS证书和秘钥

步鄹1.下载安装SSL,下载cfssl工具:https://pkg.cfssl.org/.

wget  https://pkg.cfssl.org/R1.2/cfssl_linux-amd64

chmod +x cfssl_linux-amd64

mv cfssl_linux-amd64 /usr/local/bin/cfssl


wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

chmod +x cfssljson_linux-amd64

mv cfssljson_linux-amd64  /usr/local/bin/cfssljson


wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

chmod +x cfssl-certinfo_linux-amd64

mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo


步鄹2.创建CA证书配置,生成CA证书和秘钥

etcd和kubernetes都需要生成证书

etcd证书存放目录:mkdir -p /etc/etcd/ssl

kubernetes证书存放目录:mkdir -p /etc/kubernetes/ssl

创建证书时临时存放:mkdir /root/ssl

文件有格式要求,首先我们先生成默认文件,然后根据config.json文件的格式创建ca-config.json文件,过期时间设置为87600h。

创建CA配置文件

cd /root/ssl

cfssl print-defaults config > config.json

vim config.json

{

    "signing": {

        "default": {

            "expiry": "87600h"

        },

        "profiles": {

            "kubernetes": {

                "expiry": "87600h",

                "usages": [

                    "signing",

                    "key encipherment",

                    "server auth",

                    "client auth"

                ]

            }

        }

    }

}

mv config.json  ca-config.json

ca-config.json:可以定义多个 profiles,分别指定不同的过期时间、使用场景等参数;后续在签名证书时使用某个 profile;

signing:表示该证书可用于签名其它证书;生成的 ca.pem 证书中 CA=TRUE

server auth:表示client可以用该 CA 对server提供的证书进行验证;

client auth:表示server可以用该CA对client提供的证书进行验证;


创建CA证书签名请求

cfssl print-defaults csr > csr.json

vim csr.json

{

    "CN": "kubernetes",

    "key": {

        "algo": "rsa",

        "size": 2048

    },

    "names": [

        {

            "C": "CN",

            "L": "BeiJing",

            "ST": "BeiJing",

        "O": "k8s",

        "OU": "System"

        }

    ]

}

mv csr.json  ca-csr.json

“CN”:Common Name,kube-apiserver 从证书中提取该字段作为请求的用户名 (User Name);浏览器使用该字段验证网站是否合法;

“O”:Organization,kube-apiserver 从证书中提取该字段作为请求用户所属的组 (Group);


生成 CA 证书和私钥

cfssl gencert -initca ca-csr.json | cfssljson -bare ca



创建kubernetes证书

创建kubernetes证书签名请求

cp  ca-csr.json   kubernetes-csr.json

vim kubernetes-csr.json

{

    "CN": "kubernetes",

    "hosts": [

      "127.0.0.1",

      "172.20.0.112",

      "172.20.0.113",

      "172.20.0.114",

      "172.20.0.115",

      "10.254.0.1",

      "kubernetes",

      "kubernetes.default",

      "kubernetes.default.svc",

      "kubernetes.default.svc.cluster",

      "kubernetes.default.svc.cluster.local"

    ],

    "key": {

        "algo": "rsa",

        "size": 2048

    },

    "names": [

        {

            "C": "CN",

            "L": "BeiJing",

            "ST": "BeiJing",

            "O": "k8s",

            "OU": "System"

        }

    ]

}

如果 hosts 字段不为空则需要指定授权使用该证书的 IP 或域名列表,由于该证书后续被 etcd 集群和kubernetes master 集群使用,所以上面分别指定了 etcd 集群、kubernetes master 集群的主机 IP 和kubernetes 服务的服务 IP(一般是 kue-apiserver 指定的 service-cluster-ip-range 网段的第一个IP,如 10.254.0.1。


生成 kubernetes 证书和私钥

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes


忽略警告

创建admin证书

创建admin证书签名请求

cp ca-csr.json admin-csr.json

vim admin-csr.json

{

    "CN": "admin",

    "hosts": [],

    "key": {

        "algo": "rsa",

        "size": 2048

    },

    "names": [

        {

            "C": "CN",

            "L": "BeiJing",

            "ST": "BeiJing",

            "O": "system:masters",

            "OU": "System"

        }

    ]

}


后续 kube-apiserver 使用 RBAC 对客户端(如 kubeletkube-proxyPod)请求进行授权;

kube-apiserver 预定义了一些 RBAC 使用的 RoleBindings,如 cluster-admin 将 Groupsystem:masters与 Role cluster-admin 绑定,该 Role 授予了调用kube-apiserver 的所有 API的权限;

OU 指定该证书的 Group 为 system:masterskubelet 使用该证书访问 kube-apiserver时 ,由于证书被 CA 签名,所以认证通过,同时由于证书用户组为经过预授权的system:masters,所以被授予访问所有 API 的权限;


生成admin证书和秘钥

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin


创建kube-proxy证书

创建kube-proxy证书签名请求

{

    "CN": "system:kube-proxy",

    "hosts": [],

    "key": {

        "algo": "rsa",

        "size": 2048

    },

    "names": [

        {

            "C": "CN",

            "L": "BeiJing",

            "ST": "BeiJing",

        "O": "k8s",

        "OU": "System"

        }

    ]

}

CN 指定该证书的 User 为 system:kube-proxy

kube-apiserver 预定义的 RoleBinding cluster-admin 将User system:kube-proxy 与 Rolesystem:node-proxier 绑定,该 Role 授予了调用 kube-apiserver Proxy 相关 API 的权限;
生成kube-proxy客户端证书和私钥

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes  kube-proxy-csr.json | cfssljson -bare kube-proxy


校验证书

以校验kubernetes.pem证书为例

方法一

openssl x509 -noout -text -in kubernetes.pem

方法二

cfssl-certinfo -cert kubernetes.pem


两个方法都可以校验,看输出内容和json定义的是否一致


Signature Algorithm: sha256WithRSAEncryption

        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes

        Validity

            Not Before: Jun 20 14:49:00 2018 GMT

            Not After : Jun 17 14:49:00 2028 GMT

        Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (2048 bit)

                Modulus:

                    00:d7:7f:10:2f:14:5e:e5:20:ee:ef:bd:92:60:3c:

                    50:12:32:c0:df:e2:dc:96:30:df:42:ba:04:91:76:

                    64:92:5a:9c:d1:90:92:3b:12:5b:9f:68:9f:97:88:

                    dc:e6:20:d4:13:14:db:70:e4:70:58:4b:82:14:cd:

                    e0:51:b1:09:c3:76:ed:6b:28:7b:96:15:58:e0:f6:

                    f4:ec:1c:a8:9f:f9:aa:8f:e8:0d:35:51:25:bf:c6:

                    e1:6d:3e:37:4c:d2:c4:88:94:84:41:c6:b0:60:80:

                    45:31:f4:78:ce:9a:16:59:17:9a:63:04:94:1f:3f:

                    3a:fd:e3:50:c0:c5:a9:99:99:f7:07:fa:84:32:09:

                    d2:04:6d:50:eb:42:8e:76:66:d6:ce:5b:c7:52:ad:

                    24:75:da:1f:97:d1:0d:4c:59:3a:e0:77:b1:21:81:

                    3b:7e:8a:36:db:02:32:e0:25:aa:03:a1:07:19:eb:

                    c7:90:57:d1:73:56:c8:75:3e:26:15:77:95:81:c9:

                    27:14:5b:13:91:a5:3a:8d:cf:2c:fe:24:4f:b4:cb:

                    41:f3:41:79:c9:12:6f:c1:3e:5f:e2:66:1e:db:db:

                    88:55:bb:f6:09:51:2a:ed:46:a6:f1:c6:27:66:1d:

                    18:26:58:52:75:56:33:79:ca:74:0e:f8:a7:0a:87:

                    8f:c3

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Key Usage: critical

                Digital Signature, Key Encipherment

            X509v3 Extended Key Usage:

                TLS Web Server Authentication, TLS Web Client Authentication

            X509v3 Basic Constraints: critical

                CA:FALSE

            X509v3 Subject Key Identifier:

                9B:E9:E0:CA:5F:55:3D:26:E1:99:77:73:2B:CB:B2:E1:EB:4B:D3:01

            X509v3 Authority Key Identifier:

                keyid:E6:1C:28:D3:34:B0:A2:F2:69:0B:AF:71:85:2A:4A:5E:1D:DA:90:F1

            X509v3 Subject Alternative Name:

                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:172.20.0.112, IP Address:172.20.0.113, IP Address:172.20.0.114, IP Address:172.20.0.115, IP Address:10.254.0.1


确认 Issuer 字段的内容和 ca-csr.json 一致;

确认 Subject 字段的内容和 kubernetes-csr.json 一致;

确认 X509v3 Subject Alternative Name 字段的内容和 kubernetes-csr.json 一致;

确认 X509v3 Key Usage、Extended Key Usage 字段的内容和 ca-config.json 中 kubernetesprofile 一致;


最后颁发证书

将生成的证书和秘钥文件(后缀名为.pem)拷贝到所有机器的 /etc/kubernetes/ssl 目录下备用;

从上面的顺序可以看出pem文件的创建都是以一个json文件为输入进行创建的,json文件最后对我们并不重要,只需要把pem文件分别scp拷贝的所有node的/etc/kubernetes/ssl文件夹即可。

mkdir -p /etc/kubernetes/ssl 

cp *.pem /etc/kubernetes/ssl

生成的 CA 证书和秘钥文件如下:

ca-key.pem

ca.pem

kubernetes-key.pem

kubernetes.pem

kube-proxy.pem

kube-proxy-key.pem

admin.pem

admin-key.pem

使用证书的组件如下:

etcd:使用 ca.pem、kubernetes-key.pem、kubernetes.pem;

kube-apiserver:使用 ca.pem、kubernetes-key.pem、kubernetes.pem;

kubelet:使用 ca.pem;

kube-proxy:使用 ca.pem、kube-proxy-key.pem、kube-proxy.pem;

kubectl:使用 ca.pem、admin-key.pem、admin.pem;

kube-controllerkube-scheduler 当前需要和 kube-apiserver 部署在同一台机器上且使用非安全端口通信,故不需要证书。