K8S Deployment Steps: 2 - Creating the CA Certificate and Key

The Kubernetes components use TLS (SSL) certificates to encrypt their communication. This document uses CloudFlare's PKI toolkit, cfssl, to generate the Certificate Authority (CA) certificate and key. The CA certificate is self-signed and is used to sign every other TLS certificate created in the later steps.

Install cfssl on all nodes (strictly, only the host that generates and signs certificates needs it; the rest of this page assumes it is present everywhere)

$ wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
$ chmod +x cfssl_linux-amd64
$ sudo mv cfssl_linux-amd64 /root/local/bin/cfssl

$ wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
$ chmod +x cfssljson_linux-amd64
$ sudo mv cfssljson_linux-amd64 /root/local/bin/cfssljson

$ wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
$ chmod +x cfssl-certinfo_linux-amd64
$ sudo mv cfssl-certinfo_linux-amd64 /root/local/bin/cfssl-certinfo

Create the CA (Certificate Authority)

Create the CA configuration file:

$ cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
EOF

$ ll ca-config.json
# -rw-r--r--. 1 root root 290 Oct 24 17:51 ca-config.json
  • ca-config.json: several profiles can be defined, each with its own expiry, usages and other parameters; a profile is selected with -profile when signing later certificates. Note that cfssl gencert -initca does not read this file at all; it is only consulted when the CA signs other certificates with -config ca-config.json;
  • signing: certificates issued under this profile get the Digital Signature key usage. This is not what makes ca.pem a CA: CA:TRUE and the Certificate Sign / CRL Sign key usages are set by -initca itself, as the openssl output further down shows;
  • key encipherment: certificates issued under this profile get the Key Encipherment key usage, needed for RSA key exchange in TLS;
  • server auth: adds the TLS Web Server Authentication extended key usage, so a client can accept a certificate issued under this profile as a server certificate;
  • client auth: adds the TLS Web Client Authentication extended key usage, so a server (here kube-apiserver) can accept a certificate issued under this profile as a client certificate;

Create the CA certificate signing request:

$ cat > ca-csr.json << EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

$ ll ca-csr.json
# -rw-r--r--. 1 root root 208 Oct 24 17:55 ca-csr.json
  • CN (Common Name): for a client certificate issued by this CA, kube-apiserver takes this field as the request's user name (User Name); a browser compares it with the host name when validating a website;
  • O (Organization): for a client certificate, kube-apiserver takes this field as the group (Group) the requesting user belongs to. In the CA certificate itself these fields only identify the issuer and carry no authorization meaning;

Generate the CA certificate and private key:

$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
$ ls ca*
# ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
ca.pem is the CA certificate, ca-key.pem its private key, and ca.csr the signing request that -initca produced and self-signed. ca-key.pem is the only secret in this step: whoever holds it can issue certificates the whole cluster trusts, so keep it readable by root alone.

Verify the certificate

Using the openssl command

$ openssl x509 -noout -text -in ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1d:26:0f:c5:69:c0:87:0b:1c:36:e4:37:0b:f2:ce:38:55:f0:3a:db
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
        Validity
            Not Before: Oct 18 01:38:00 2017 GMT
            Not After : Oct 17 01:38:00 2022 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:df:71:0d:f4:91:21:c0:32:54:a1:4f:49:cd:56:
                    45:19:45:11:26:04:5f:bb:dd:1f:57:ac:63:54:4f:
                    ca:0e:09:95:80:50:b7:3e:2f:bf:69:03:90:7a:d5:
                    cb:9c:fd:c3:3d:9c:36:da:69:ef:56:57:b0:1d:2c:
                    5e:99:6e:fc:42:92:89:48:54:b8:ba:d4:32:0c:28:
                    b7:23:d3:cd:0c:cc:1a:66:f9:ba:2a:62:ac:a7:2b:
                    54:04:ce:bc:15:04:64:d3:4a:3a:d0:9a:f5:f1:75:
                    d5:13:57:b8:c8:50:5e:3e:56:16:63:45:c9:7c:ae:
                    7e:17:89:08:db:ce:37:fe:94:5f:c7:f6:32:33:16:
                    2f:7f:98:01:6c:01:89:c0:9b:2d:50:66:ef:ec:03:
                    97:72:95:ac:62:18:50:75:97:05:e4:61:ba:5f:87:
                    e6:48:84:f7:c2:2d:f3:02:7b:01:fe:19:76:bf:46:
                    1a:2f:de:40:10:59:55:c3:a0:05:c4:4c:23:f6:8b:
                    2c:21:a2:0e:08:ec:10:06:f3:44:be:24:db:0e:81:
                    76:49:8c:f2:6e:c1:e8:dc:ee:8c:f3:7b:f3:3e:40:
                    87:14:7f:49:31:db:24:37:7e:aa:8a:c6:77:36:92:
                    ef:25:43:33:2c:e1:d7:ea:80:12:fe:61:b4:65:65:
                    3f:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:2
            X509v3 Subject Key Identifier:
                E4:AB:40:DA:C3:9D:D3:07:DC:9B:DC:16:FD:39:DD:CF:47:4A:9D:75
            X509v3 Authority Key Identifier:
                keyid:E4:AB:40:DA:C3:9D:D3:07:DC:9B:DC:16:FD:39:DD:CF:47:4A:9D:75
    Signature Algorithm: sha256WithRSAEncryption
         05:f2:ab:d3:de:fb:65:3e:99:4b:c3:73:e5:84:46:21:5c:cb:
         61:1b:6e:f1:10:3f:38:54:4f:fd:24:6e:8b:91:50:61:42:3b:
         18:80:00:c8:d0:42:67:03:71:4a:ad:0f:67:88:a3:1f:ca:de:
         a1:77:dc:48:cf:1f:d1:96:2b:19:f7:ca:85:b0:1f:5d:cf:4f:
         e7:99:1a:ff:e0:4d:b8:99:9a:95:3c:e5:df:fa:33:38:b8:5b:
         0a:24:51:c7:9e:26:2f:47:cd:90:7a:03:69:b1:41:3f:fd:18:
         61:13:88:f1:44:2e:03:ce:c5:58:49:62:c0:53:30:4d:e4:53:
         48:6e:4d:76:e1:d6:dd:fd:30:70:63:e9:63:93:38:e8:86:d9:
         1e:a5:9f:83:ea:ed:cf:be:81:6e:fc:66:c3:21:38:a9:41:43:
         f0:db:67:c1:2d:a4:da:a3:f1:2e:29:93:91:d5:06:38:27:49:
         c2:a5:49:28:3e:09:ca:b6:2d:7e:d3:7c:10:3d:f4:df:24:bb:
         d0:1d:ce:14:2f:0d:49:9c:a6:4e:4c:64:19:ec:a6:e3:8b:af:
         15:2a:51:52:0b:f4:90:f8:78:dc:01:1a:fd:26:c0:65:8d:2f:
         b5:ed:40:2b:92:e3:01:cb:fc:16:15:ac:de:21:fd:be:c2:07:
         4e:0f:c4:bc
  • Confirm that the Issuer field matches ca-csr.json;
  • Confirm that the Subject field matches ca-csr.json; for a self-signed root, Issuer and Subject are identical and the Authority Key Identifier equals the Subject Key Identifier;
  • Confirm CA:TRUE under Basic Constraints and Certificate Sign, CRL Sign under Key Usage: these are what allow ca.pem to sign other certificates, and they are set by -initca, not by the usages in ca-config.json;
  • Note the Validity: five years, cfssl's default for -initca, not the 8760h in ca-config.json, which only applies to certificates signed later with the kubernetes profile.

Using the cfssl-certinfo command

$ cfssl-certinfo -cert ca.pem
{
  "subject": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "issuer": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "serial_number": "166409534531919369270509605570031666091447565019",
  "not_before": "2017-10-18T01:38:00Z",
  "not_after": "2022-10-17T01:38:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "E4:AB:40:DA:C3:9D:D3:7:DC:9B:DC:16:FD:39:DD:CF:47:4A:9D:75",
  "subject_key_id": "E4:AB:40:DA:C3:9D:D3:7:DC:9B:DC:16:FD:39:DD:CF:47:4A:9D:75",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIDvjCCAqagAwIBAgIUHSYPxWnAhwscNuQ3C/LOOFXwOtswDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl\naUppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE3MTAxODAxMzgwMFoXDTIyMTAxNzAxMzgwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA33EN9JEhwDJUoU9JzVZF\nGUURJgRfu90fV6xjVE/KDgmVgFC3Pi+/aQOQetXLnP3DPZw22mnvVlewHSxemW78\nQpKJSFS4utQyDCi3I9PNDMwaZvm6KmKspytUBM68FQRk00o60Jr18XXVE1e4yFBe\nPlYWY0XJfK5+F4kI2843/pRfx/YyMxYvf5gBbAGJwJstUGbv7AOXcpWsYhhQdZcF\n5GG6X4fmSIT3wi3zAnsB/hl2v0YaL95AEFlVw6AFxEwj9ossIaIOCOwQBvNEviTb\nDoF2SYzybsHo3O6M83vzPkCHFH9JMdskN36qisZ3NpLvJUMzLOHX6oAS/mG0ZWU/\npQIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAd\nBgNVHQ4EFgQU5KtA2sOd0wfcm9wW/Tndz0dKnXUwHwYDVR0jBBgwFoAU5KtA2sOd\n0wfcm9wW/Tndz0dKnXUwDQYJKoZIhvcNAQELBQADggEBAAXyq9Pe+2U+mUvDc+WE\nRiFcy2EbbvEQPzhUT/0kbouRUGFCOxiAAMjQQmcDcUqtD2eIox/K3qF33EjPH9GW\nKxn3yoWwH13PT+eZGv/gTbiZmpU85d/6Mzi4WwokUceeJi9HzZB6A2mxQT/9GGET\niPFELgPOxVhJYsBTME3kU0huTXbh1t39MHBj6WOTOOiG2R6ln4Pq7c++gW78ZsMh\nOKlBQ/DbZ8EtpNqj8S4pk5HVBjgnScKlSSg+Ccq2LX7TfBA99N8ku9AdzhQvDUmc\npk5MZBnspuOLrxUqUVIL9JD4eNwBGv0mwGWNL7XtQCuS4wHL/BYVrN4h/b7CB04P\nxLw=\n-----END CERTIFICATE-----\n"
}
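The checks above (Issuer and Subject, CA:TRUE, Key Usage, the five-year validity, and the CN/O fields that kube-apiserver reads) can be made mechanical without cfssl or openssl on the box. The block below is an added example, not part of the original page: a small DER walker written against the Python standard library that parses the ca.pem printed by cfssl-certinfo above and reports the fields a practitioner verifies before trusting it as the cluster CA. The function names (pem_to_der, inspect_ca, is_self_signed_ca) and the minimal parser are this example's own; it handles only the subset of X.509 that cfssl emits here (PrintableString names, UTCTime validity, the four extensions shown).

```python
# Added example, not code from the original page: inspect ca.pem with only the Python standard
# library. CA_PEM is the ca.pem that cfssl-certinfo printed above.
import base64
from datetime import datetime

CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDvjCCAqagAwIBAgIUHSYPxWnAhwscNuQ3C/LOOFXwOtswDQYJKoZIhvcNAQEL
BQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl
aUppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr
dWJlcm5ldGVzMB4XDTE3MTAxODAxMzgwMFoXDTIyMTAxNzAxMzgwMFowZTELMAkG
A1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK
BgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA33EN9JEhwDJUoU9JzVZF
GUURJgRfu90fV6xjVE/KDgmVgFC3Pi+/aQOQetXLnP3DPZw22mnvVlewHSxemW78
QpKJSFS4utQyDCi3I9PNDMwaZvm6KmKspytUBM68FQRk00o60Jr18XXVE1e4yFBe
PlYWY0XJfK5+F4kI2843/pRfx/YyMxYvf5gBbAGJwJstUGbv7AOXcpWsYhhQdZcF
5GG6X4fmSIT3wi3zAnsB/hl2v0YaL95AEFlVw6AFxEwj9ossIaIOCOwQBvNEviTb
DoF2SYzybsHo3O6M83vzPkCHFH9JMdskN36qisZ3NpLvJUMzLOHX6oAS/mG0ZWU/
pQIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAd
BgNVHQ4EFgQU5KtA2sOd0wfcm9wW/Tndz0dKnXUwHwYDVR0jBBgwFoAU5KtA2sOd
0wfcm9wW/Tndz0dKnXUwDQYJKoZIhvcNAQELBQADggEBAAXyq9Pe+2U+mUvDc+WE
RiFcy2EbbvEQPzhUT/0kbouRUGFCOxiAAMjQQmcDcUqtD2eIox/K3qF33EjPH9GW
Kxn3yoWwH13PT+eZGv/gTbiZmpU85d/6Mzi4WwokUceeJi9HzZB6A2mxQT/9GGET
iPFELgPOxVhJYsBTME3kU0huTXbh1t39MHBj6WOTOOiG2R6ln4Pq7c++gW78ZsMh
OKlBQ/DbZ8EtpNqj8S4pk5HVBjgnScKlSSg+Ccq2LX7TfBA99N8ku9AdzhQvDUmc
pk5MZBnspuOLrxUqUVIL9JD4eNwBGv0mwGWNL7XtQCuS4wHL/BYVrN4h/b7CB04P
xLw=
-----END CERTIFICATE-----"""
DN_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
           "2.5.4.10": "O", "2.5.4.11": "OU"}
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
OID_SKI, OID_KEY_USAGE, OID_BASIC, OID_AKI = "2.5.29.14", "2.5.29.15", "2.5.29.19", "2.5.29.35"

def pem_to_der(pem):
    return base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs; the high bit is set on every byte of an arc but the last
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def decode_name(value):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue  ->  {"CN": ..., "O": ...}"""
    dn = {}
    for _, rdn in children(value):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            dn[DN_OIDS.get(decode_oid(oid), decode_oid(oid))] = val.decode()
    return dn

def inspect_ca(pem):
    """Return serial, issuer, subject, validity, BasicConstraints, KeyUsage, SKI and AKI."""
    cert = children(pem_to_der(pem))[0][1]  # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    tbs = children(children(cert)[0][1])    # tbsCertificate fields, in order
    i = 1 if tbs[0][0] == 0xA0 else 0       # skip the explicit [0] version tag of a v3 cert
    validity = [datetime.strptime(v.decode(), "%y%m%d%H%M%SZ") for _, v in children(tbs[i + 3][1])]
    info = {"serial": int.from_bytes(tbs[i][1], "big"), "issuer": decode_name(tbs[i + 2][1]),
            "subject": decode_name(tbs[i + 4][1]), "not_before": validity[0], "not_after": validity[1],
            "ca": False, "pathlen": None, "key_usage": [], "ski": None, "aki": None}
    exts = [v for t, v in tbs if t == 0xA3]  # [3] EXPLICIT Extensions (v3 only)
    for _, ext in (children(children(exts[0])[0][1]) if exts else []):
        parts = children(ext)                # extnID, optional critical BOOLEAN, extnValue
        oid, payload = decode_oid(parts[0][1]), parts[-1][1]
        if oid == OID_KEY_USAGE:             # BIT STRING; its first byte counts unused bits
            bits = children(payload)[0][1][1:]
            info["key_usage"] = [name for k, name in enumerate(KEY_USAGE_BITS)
                                 if k // 8 < len(bits) and bits[k // 8] & (0x80 >> (k % 8))]
        elif oid == OID_BASIC:               # SEQUENCE { cA BOOLEAN, pathLenConstraint INTEGER }
            fields = dict(children(children(payload)[0][1]))
            info["ca"] = fields.get(0x01) == b"\xff"
            info["pathlen"] = int.from_bytes(fields[0x02], "big") if 0x02 in fields else None
        elif oid == OID_SKI:
            info["ski"] = children(payload)[0][1].hex().upper()
        elif oid == OID_AKI:                 # SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING }
            info["aki"] = children(children(payload)[0][1])[0][1].hex().upper()
    return info

def is_self_signed_ca(info):  # what 'Issuer and Subject match ca-csr.json' should really establish
    return (info["ca"] and "keyCertSign" in info["key_usage"] and info["issuer"] == info["subject"]
            and (info["aki"] is None or info["aki"] == info["ski"]))
```

To check a different CA, replace CA_PEM with the contents of that ca.pem and call inspect_ca(CA_PEM). If is_self_signed_ca returns False, or key_usage lacks keyCertSign, the file is not a usable CA certificate whatever it is named. On the page's certificate, info["subject"]["CN"] is "kubernetes" and info["subject"]["O"] is "k8s" (the fields kube-apiserver would read as user and group from a client certificate), and (info["not_after"] - info["not_before"]).days is 1825, not the 365 that the 8760h in ca-config.json would give: -initca ignored that file.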

Distribute the certificates

Copy the generated CA certificate, private key and configuration file to /etc/kubernetes/ssl on every machine. ca.pem and ca-config.json are not sensitive, but ca-key.pem is the root of trust for the whole cluster: copied to every node as below, it means any compromised node can issue certificates the cluster trusts. Prefer to keep ca-key.pem only on the host that signs certificates, and wherever it does land, restrict it to root (mode 0600).

$ sudo mkdir -p /etc/kubernetes/ssl
$ sudo cp ca* /etc/kubernetes/ssl
