k8s认证

1. 证书介绍

服务端保留公钥和私钥，客户端使用root CA认证服务端的公钥

一共有多少证书：
*Etcd：

1. Etcd对外提供服务，要有一套etcd server证书
2. Etcd各节点之间进行通信，要有一套etcd peer证书
3. Kube-APIserver访问Etcd，要有一套etcd client证书

kubernetes：

1. Kube-apiserver对外提供服务，要有一套kube-apiserver server证书
2. kube-scheduler、kube-controller-manager、kube-proxy、kubelet和其他可能用到的组件，需要访问kube-APIserver，要有一套kube-apiserver client证书
3. kube-controller-manager要生成服务的service account，要有一对用来签署service account的证书(CA证书)
4. kubelet对外提供服务，要有一套kubelet server证书
5. kube-apiserver需要访问kubelet，要有一套kubelet client证书

2. openssl制作证书

所需证书如下：

制作api-server client证书：

# ${tmpdir}为生成的临时文件夹
# tmpdir=$(mktemp -d)

# 生成证书私钥
openssl genrsa -out ${tmpdir}/server-key.pem 2048

# 生成csr签名文件，CN设定为域名/机器名/或者IP名称
openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config

# 根据csr签名文件创建csr
kubectl create -f *.yaml

# approve and fetch the signed certificate
kubectl certificate approve ${csrName}

# 生成server-cert.pem证书文件
serverCert=$(kubectl get csr ${csrName} -o jsonpath='{.status.certificate}')
echo ${serverCert} | openssl base64 -d -A -out ${tmpdir}/server-cert.pem

# 使用server-key.pem和server-cert.pem进行认证
server-key.pem
server-cert.pem

制作脚本如下：

#!/bin/bash

set -e
set -x

usage() {
    cat <> ${tmpdir}/csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc
EOF

openssl genrsa -out ${tmpdir}/server-key.pem 2048
openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf

# clean-up any previously created CSR for our service. Ignore errors if not present.
kubectl delete csr ${csrName} 2>/dev/null || true

# create  server cert/key CSR and  send to k8s API
cat <&2
    exit 1
fi
echo ${serverCert} | openssl base64 -d -A -out ${tmpdir}/server-cert.pem


# create the secret with CA cert and server cert/key
kubectl create secret generic ${secret} \
        --from-file=key.pem=${tmpdir}/server-key.pem \
        --from-file=cert.pem=${tmpdir}/server-cert.pem \
        --dry-run -o yaml |
    kubectl -n ${namespace} apply -f -