Certificate generation in Kubernetes

For security, it is recommended to use TLS certificates in Kubernetes. In previous articles the certificates were produced as part of the overall cluster setup, and their generation was not described separately. This article describes how certificates are generated for Kubernetes. The following certificates will be needed:

  • Root CA certificate and private key: ca.pem, ca-key.pem

  • API Server certificate and private key: apiserver.pem, apiserver-key.pem

  • Cluster administrator certificate and private key: admin.pem, admin-key.pem

  • Worker node certificate and private key: worker.pem, worker-key.pem

Root CA generation

# Generate the root CA.
openssl genrsa -out ca-key.pem 2048
openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca"

apiserver certificate generation

The Master needs the root CA private key (ca-key.pem) and the root CA certificate (ca.pem), plus the apiserver certificate apiserver.pem and its private key apiserver-key.pem.

1. Create openssl.cnf:

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
IP.1 = ${K8S_SERVICE_IP}
IP.2 = ${MASTER_IPV4}

Replace ${MASTER_IPV4} with the IP address of the Master through which the API is accessed, and replace ${K8S_SERVICE_IP} with the first IP of the range you planned as the Kubernetes service IP range. For example, if 10.100.0.0/16 is used as the service IP range, replace ${K8S_SERVICE_IP} with 10.100.0.1.

If multiple Master nodes are deployed in a high-availability configuration, more TLS subjectAltNames (SANs) need to be added. The appropriate SAN configuration for each certificate depends on how worker nodes and kubectl users communicate with the Master nodes: directly by IP address, through a load balancer, or by resolving a DNS name.

DNS.5 = ${MASTER_DNS_NAME}
IP.3 = ${MASTER_IP}
IP.4 = ${MASTER_LOADBALANCER_IP}

Worker nodes reach the load balancer via ${MASTER_DNS_NAME}.

  • Generate the apiserver key pair:

# Generate the API server keypair.
openssl genrsa -out apiserver-key.pem 2048
openssl req -new -key apiserver-key.pem -out apiserver.csr -subj "/CN=kube-apiserver" -config openssl.cnf
openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver.pem -days 365 -extensions v3_req -extfile openssl.cnf

  • The generated root CA files (ca-key.pem, ca.pem) and apiserver certificate files (apiserver-key.pem, apiserver.pem) are usually placed under /etc/kubernetes/ssl/ on the Master node.

  • The apiserver configuration needs the following parameters:

--service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem \
--tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem \
--tls-cert-file=/etc/kubernetes/ssl/apiserver.pem \
--client-ca-file=/etc/kubernetes/ssl/ca.pem \

  • The controller-manager configuration needs the following parameters:

--service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem \
--root-ca-file=/etc/kubernetes/ssl/ca.pem \
--cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
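The CA and apiserver steps above, wrapped in a function and followed by the check a practitioner should run afterwards: that apiserver.pem chains to ca.pem and actually carries the SANs from openssl.cnf. This is an added example, not code from the original post; it assumes openssl is on PATH, the function names gen_apiserver_certs and check_apiserver_cert are hypothetical, and the directory and IP addresses used in the calls are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the CA and apiserver steps
# above in a function, then verify what was actually issued. Assumes openssl
# is on PATH; the IPs passed in are constructed sample values.
set -e

# Generate the root CA and the apiserver certificate into directory $1,
# using $2 as the service IP (IP.1) and $3 as the Master IP (IP.2).
gen_apiserver_certs() {
  dir=$1; svc_ip=$2; master_ip=$3
  mkdir -p "$dir"
  # Same openssl.cnf as in the post, with the placeholders filled in.
  cat > "$dir/openssl.cnf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
IP.1 = $svc_ip
IP.2 = $master_ip
EOF
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca-key.pem" -days 10000 \
    -out "$dir/ca.pem" -subj "/CN=kube-ca"
  openssl genrsa -out "$dir/apiserver-key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/apiserver-key.pem" -out "$dir/apiserver.csr" \
    -subj "/CN=kube-apiserver" -config "$dir/openssl.cnf"
  # Without -extensions v3_req the SANs are silently dropped from the cert.
  openssl x509 -req -in "$dir/apiserver.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/apiserver.pem" \
    -days 365 -extensions v3_req -extfile "$dir/openssl.cnf" 2>/dev/null
}

# Check that apiserver.pem chains to ca.pem and carries the SAN entry $2
# (e.g. "IP Address:10.100.0.1" or "DNS:kubernetes"); non-zero on failure.
check_apiserver_cert() {
  dir=$1; expect=$2
  openssl verify -CAfile "$dir/ca.pem" "$dir/apiserver.pem" >/dev/null || return 1
  openssl x509 -in "$dir/apiserver.pem" -noout -text | grep -q "$expect"
}
```

The same check applies to worker.pem: a certificate signed without -extensions v3_req still verifies against the CA but has no SANs, so clients that validate the server name reject it.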

Cluster administrator certificate generation

This certificate is used by kubectl; set it up as follows:

openssl genrsa -out admin-key.pem 2048
openssl req -new -key admin-key.pem -out admin.csr -subj "/CN=kube-admin"
openssl x509 -req -in admin.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin.pem -days 365

# Configure a cluster named default, specifying the server address and the root CA
kubectl config set-cluster default --server=https://172.17.4.101:443 --certificate-authority=${PWD}/ssl/ca.pem

# Set up an administrative user named admin and configure its client certificate
kubectl config set-credentials admin --certificate-authority=${PWD}/ssl/ca.pem --client-key=${PWD}/ssl/admin-key.pem --client-certificate=${PWD}/ssl/admin.pem

# Set up a context named default that uses the default cluster and the admin user
kubectl config set-context default --cluster=default --user=admin

# Make default the current context
kubectl config use-context default

Worker node certificate generation

Put the IP address of the node that needs a certificate into an environment variable:

# Export this worker's IP address.
export WORKER_IP=
# Generate keys.
openssl genrsa -out worker-key.pem 2048
openssl req -new -key worker-key.pem -out worker.csr -subj "/CN=worker-key" -config worker-openssl.cnf
openssl x509 -req -in worker.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out worker.pem -days 365 -extensions v3_req -extfile worker-openssl.cnf

The content of worker-openssl.cnf is:

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = $ENV::WORKER_IP

On the worker node, the kubelet's configuration file worker-kubeconfig.yaml specifies the certificates:

apiVersion: v1
kind: Config
clusters:
- name: local
  cluster:
    server: https://:443
    certificate-authority: /etc/kubernetes/ssl/ca.pem
users:
- name: kubelet
  user:
    client-certificate: /etc/kubernetes/ssl/worker.pem
    client-key: /etc/kubernetes/ssl/worker-key.pem
contexts:
- context:
    cluster: local
    user: kubelet
  name: kubelet-context
current-context: kubelet-context

Configure the kubelet to use the certificates with the following parameters:

--kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml \
--tls-private-key-file=/etc/kubernetes/ssl/worker-key.pem \
--tls-cert-file=/etc/kubernetes/ssl/worker.pem \
