Kubernetes: CA-signed mutual (two-way) certificate authentication

The material below is taken from the book Kubernetes 权威指南 (Kubernetes: The Definitive Guide).

Configuring kube-apiserver, kube-controller-manager and kube-scheduler on the master

Generate the required files

openssl genrsa -out ca.key 2048    # genrsa generates an RSA private key
openssl req -x509 -new -nodes -key ca.key -subj "/CN=kube-master" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048

vim master_ssl.cnf

[req]
req_extensions=v3_req
distinguished_name=req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=@alt_names
[alt_names]
DNS.1=kubernetes
DNS.2=kubernetes.default
DNS.3=kubernetes.default.svc
DNS.4=kubernetes.default.svc.cluster.local
DNS.5=kube-master
IP.1=169.169.0.1
IP.2=192.168.56.3

Then generate the CSR from server.key and sign it with the CA (the -extensions/-extfile options are what carry the SANs above into server.crt):

openssl req -new -key server.key -subj "/CN=kube-master" -config master_ssl.cnf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt
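As an added example (not from the book), the following script runs the server-certificate steps above in a scratch directory and checks the result with openssl: it counts the subjectAltName entries that actually landed in server.crt and verifies that the certificate chains to ca.crt. It also signs a second copy of the CSR without -extensions v3_req -extfile master_ssl.cnf, a common slip that silently produces a certificate with no SANs, which Go-based clients such as kubectl and kubelet (Go ignores the CN since 1.15) then refuse for the kubernetes service name. Assumptions: openssl is on PATH, the CA subject is CN=kube-ca rather than the book's kube-master so that CA and server certificate have distinct subjects, and the names and IPs are the constructed demo values from master_ssl.cnf above.

```shell
#!/bin/sh
# Added example, not from the book: run the server-certificate steps in a
# scratch directory and check the result with openssl. Assumption: the CA
# subject is CN=kube-ca (the book uses kube-master) so that the CA and the
# server cert have distinct subjects; names/IPs below are the ones from the
# text's master_ssl.cnf and are constructed demo values.

# Write the book's master_ssl.cnf (with dotted SAN names) to file $1.
write_master_cnf() {
  cat > "$1" <<'EOF'
[req]
req_extensions=v3_req
distinguished_name=req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=@alt_names
[alt_names]
DNS.1=kubernetes
DNS.2=kubernetes.default
DNS.3=kubernetes.default.svc
DNS.4=kubernetes.default.svc.cluster.local
DNS.5=kube-master
IP.1=169.169.0.1
IP.2=192.168.56.3
EOF
}

# Self-signed CA (ca.key, ca.crt) in directory $1.
make_ca() {
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
  openssl req -x509 -new -nodes -key "$1/ca.key" -subj "/CN=kube-ca" \
    -days 5000 -out "$1/ca.crt" 2>/dev/null
}

# server.key / server.csr / server.crt in directory $1 (which holds ca.*).
# $2 = yes: sign with -extensions v3_req -extfile master_ssl.cnf (book's way)
# $2 = no : sign without them, the slip that drops every SAN
make_server_cert() {
  write_master_cnf "$1/master_ssl.cnf"
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
  openssl req -new -key "$1/server.key" -subj "/CN=kube-master" \
    -config "$1/master_ssl.cnf" -out "$1/server.csr" 2>/dev/null || return 1
  if [ "$2" = yes ]; then
    ext="-extensions v3_req -extfile $1/master_ssl.cnf"
  else
    ext=""
  fi
  # $ext is deliberately unquoted so it splits into separate arguments
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 5000 $ext -out "$1/server.crt" 2>/dev/null
}

# Number of DNS/IP subjectAltName entries in certificate $1.
san_count() {
  openssl x509 -in "$1" -noout -text |
    grep -Eo 'DNS:[^,]+|IP Address:[^,]+' | wc -l | tr -d ' '
}

# Does $1/server.crt chain to $1/ca.crt, i.e. would a client configured with
# certificate-authority: ca.crt accept it?
chains_to_ca() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Build both variants and print one summary line.
run_demo() {
  work=$(mktemp -d)
  mkdir "$work/with" "$work/without"
  make_ca "$work/with" || return 1
  cp "$work/with/ca.key" "$work/with/ca.crt" "$work/without/" || return 1
  make_server_cert "$work/with" yes || return 1
  make_server_cert "$work/without" no || return 1
  if chains_to_ca "$work/with"; then chain=ok; else chain=FAIL; fi
  echo "sans_with_ext=$(san_count "$work/with/server.crt") sans_without_ext=$(san_count "$work/without/server.crt") chain=$chain"
  rm -rf "$work"
}

run_demo   # prints: sans_with_ext=7 sans_without_ext=0 chain=ok
```

The same san_count check is worth running against the real server.crt before restarting kube-apiserver: a count of 0 means the CSR's extensions were not applied at signing time.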

Copy the generated ca.crt, ca.key, ca.srl, server.crt, server.csr and server.key into one directory, e.g. /var/run/kubernetes,
then add the following to kube-apiserver's startup parameters:

--client-ca-file=/var/run/kubernetes/ca.crt
--tls-private-key-file=/var/run/kubernetes/server.key
--tls-cert-file=/var/run/kubernetes/server.crt

At the same time you can disable the insecure port 8080 and set the secure port to 6443; after this, the kubectl invocations used so far (against port 8080) will no longer work:

--insecure-port=0
--secure-port=6443

Restart kube-apiserver.

Set up the kube-controller-manager client certificate, private key and startup parameters

openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=kube-master" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cs_client.crt -days 5000

Likewise, move the generated cs_client.* files into /var/run/kubernetes, then edit the kubeconfig:
vim /etc/kubernetes/kubeconfig

apiVersion: v1
kind: Config
users:
- name: controllermanager
  user:
    client-certificate: /var/run/kubernetes/cs_client.crt
    client-key: /var/run/kubernetes/cs_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: local
    user: controllermanager
  name: my-context
current-context: my-context

Add the following to the kube-controller-manager service's startup parameters:

--master=https://192.168.56.3:6443
--service-account-private-key-file=/var/run/kubernetes/server.key
--root-ca-file=/var/run/kubernetes/ca.crt
--kubeconfig=/etc/kubernetes/kubeconfig

Set the kube-scheduler startup parameters:

--master=https://127.0.0.1:6443 --kubeconfig=/etc/kubernetes/kubeconfig

Set up the kubelet client certificate, private key and startup parameters on each node

Copy the apiserver's ca.crt and ca.key to the node, then generate the key, CSR and certificate files in turn:

openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=kube-master" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000

Then move these files into /var/run/kubernetes and edit the kubeconfig:
vim /etc/kubernetes/kubeconfig

apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: /var/run/kubernetes/kubelet_client.crt
    client-key: /var/run/kubernetes/kubelet_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: local
    user: kubelet
  name: my-context
current-context: my-context
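Both kubeconfigs above (the controller-manager one and this kubelet one) point kube-apiserver's client-CA check at files on disk, and a mismatch only shows up as a failed TLS handshake at service start. As an added example (not from the book), the script below verifies such a kubeconfig's credentials with openssl before the service is pointed at it: it confirms the client certificate chains to the CA named in certificate-authority (the same CA kube-apiserver gets via --client-ca-file), that client-key is the private half of client-certificate, and prints the certificate's CN, which is the user name kube-apiserver will assign to the client. It assumes the simple single-user kubeconfig layout shown in the text, that openssl is on PATH, and the CN kubelet-node1 and the second CA other-ca are constructed demo values.

```shell
#!/bin/sh
# Added example, not from the book: verify the credentials a kubeconfig points
# at before handing it to kube-controller-manager or kubelet. Assumes the
# simple single-user kubeconfig layout shown in the text (one
# certificate-authority / client-certificate / client-key line each) and that
# openssl is on PATH. CN values other than kube-master are constructed.

# Path value of "<key>: <path>" in kubeconfig $2 (first match).
kc_path() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1
}

# Report on one kubeconfig: "subject=<CN> chain=<ok|FAIL> key=<ok|FAIL>".
# The CN is what kube-apiserver will use as the user name for this client.
check_kubeconfig_creds() {
  ca=$(kc_path certificate-authority "$1")
  crt=$(kc_path client-certificate "$1")
  key=$(kc_path client-key "$1")
  cn=$(openssl x509 -in "$crt" -noout -subject | sed 's/.*CN *= *//')
  # Would an apiserver whose --client-ca-file is this CA accept the cert?
  if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then chain=ok; else chain=FAIL; fi
  # Does client-key really belong to client-certificate? Compare public keys.
  pub_crt=$(openssl x509 -in "$crt" -noout -pubkey)
  pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ "$pub_crt" = "$pub_key" ]; then km=ok; else km=FAIL; fi
  echo "subject=$cn chain=$chain key=$km"
}

# Self-signed CA with subject CN=$2 in directory $1.
make_ca() {
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
  openssl req -x509 -new -nodes -key "$1/ca.key" -subj "/CN=$2" -days 5000 \
    -out "$1/ca.crt" 2>/dev/null
}

# Client key/csr/crt named $2.* with CN=$3, signed by the CA in $1 (book's steps).
make_client_cert() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
  openssl req -new -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/$2.crt" -days 5000 2>/dev/null
}

# Kubeconfig in the text's layout: $1 = output, $2 = CA, $3 = cert, $4 = key.
write_kubeconfig() {
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: $3
    client-key: $4
clusters:
- name: local
  cluster:
    certificate-authority: $2
contexts:
- context:
    cluster: local
    user: kubelet
  name: my-context
current-context: my-context
EOF
}

# Three kubeconfigs: correct; cert from a CA the apiserver does not trust;
# right cert paired with the wrong private key. Prints one line per file.
run_demo() {
  w=$(mktemp -d)
  mkdir "$w/other"
  make_ca "$w" kube-master && make_client_cert "$w" kubelet_client kubelet-node1 || return 1
  make_ca "$w/other" other-ca && make_client_cert "$w/other" kubelet_client kubelet-node1 || return 1
  write_kubeconfig "$w/good.kubeconfig" "$w/ca.crt" "$w/kubelet_client.crt" "$w/kubelet_client.key"
  write_kubeconfig "$w/untrusted.kubeconfig" "$w/ca.crt" "$w/other/kubelet_client.crt" "$w/other/kubelet_client.key"
  write_kubeconfig "$w/wrongkey.kubeconfig" "$w/ca.crt" "$w/kubelet_client.crt" "$w/other/kubelet_client.key"
  for f in good untrusted wrongkey; do
    echo "$f: $(check_kubeconfig_creds "$w/$f.kubeconfig")"
  done
  rm -rf "$w"
}

run_demo
```

Run check_kubeconfig_creds /etc/kubernetes/kubeconfig on a real node to get the same one-line report for the credentials kubelet is about to present; a chain=FAIL there is the on-disk explanation for an otherwise opaque "bad certificate" handshake error in the apiserver log.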

Set the kubelet startup parameters and restart it:

--api-servers=https://kube-master:6443
--kubeconfig=/etc/kubernetes/kubeconfig

Set the kube-proxy startup parameters and restart it:

--master=https://kube-master:6443
--kubeconfig=/etc/kubernetes/kubeconfig

At this point a Kubernetes cluster using CA-based mutual certificate authentication is in place.

Configure the kubectl client to access the apiserver securely

kubectl --server=https://kube-master:6443 --certificate-authority=/var/run/kubernetes/ca.crt --client-certificate=/var/run/kubernetes/cs_client.crt --client-key=/var/run/kubernetes/cs_client.key get nodes

Specifying all of this on every call is tedious; we could use an alias, or reopen the apiserver's port 8080. It seems kubectl config could be used for this, but I could not get it to run successfully.
