每个Kubernetes集群都有一个集群根证书颁发机构(CA)。集群组件通常使用该CA来验证API服务器的证书,API服务器则用它来验证kubelet客户端证书等。为了支持这种场景,CA证书捆绑包会被分发到集群中的每个节点,并且作为Secret额外分发给默认的服务帐户。或者,您的工作负载也可以使用此CA来建立信任。
一、准备
1、openssl工具
二、自建kubernetes CA(注意:下面所有配置文件中的注释信息在使用前都需要删除,包括空格)
1、准备openssl.conf
# openssl.conf used by make-ssl.sh for every CSR (-config) and for every
# signed certificate (-extensions v3_req -extfile). One section serves all
# components, so the SANs listed below end up in server and client certs alike.
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
# Intentionally empty: the subject is always passed on the command line with -subj.
[req_distinguished_name]
# Extensions copied into each leaf certificate. No extendedKeyUsage is listed,
# so nothing here restricts a certificate to serverAuth or clientAuth.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
# Names and addresses the certificates are valid for. Fill in the node names
# and IPs of your own cluster; DNS.1-DNS.4 are the in-cluster apiserver names.
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = localhost
DNS.6 = node2
DNS.7 = node3
# IP.1/IP.2 and IP.3/IP.4 repeat the same address in this sample; duplicates are harmless.
IP.1 = 192.168.1.122 #IP1:kubernetes server IP
IP.2 = 192.168.1.122 #IP2:Master IP
IP.3 = 192.168.1.123
IP.4 = 192.168.1.123
# IP.5 is the cluster-internal service address of the apiserver; IP.6 is loopback.
IP.5 = 10.233.0.1
IP.6 = 127.0.0.1
2、准备make-ssl.sh 证书生成脚本
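#!/bin/bash
#
# make-ssl.sh - create a self-signed Kubernetes CA (or reuse the one already
# installed in SSLDIR) and issue per-component certificates signed by it:
# apiserver, kube-scheduler, kube-controller-manager, admin-<master>,
# node-<host> and kube-proxy-<host>. All *.pem files are then moved to SSLDIR.
#
# Usage: make-ssl.sh -f <openssl.conf> [-d <ssldir>]
#
# MASTERS lists every master node and HOSTS every node (space separated).
# As the usage text documents, values already present in the environment are
# honoured; the literals below are only the defaults when nothing is set.
MASTERS="${MASTERS:-node1 node2}"
HOSTS="${HOSTS:-node1 node2 node3 node4}"

set -o errexit
set -o pipefail

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print the usage text to stdout.
#######################################
usage() {
  cat << EOF
Create self signed certificates

Usage : $(basename "$0") -f <config> [-d <ssldir>]
      -h | --help         : Show this message
      -f | --config       : Openssl configuration file
      -d | --ssldir       : Directory where the certificates will be installed

Environmental variables MASTERS and HOSTS should be set to generate keys for
each host.

ex :
MASTERS=node1 HOSTS="node1 node2" $(basename "$0") -f openssl.conf -d /srv/ssl
EOF
}

# Options parsing
while (($#)); do
  case "$1" in
    -h | --help)
      usage
      exit 0
      ;;
    -f | --config)
      [[ $# -ge 2 ]] || die "option $1 requires an argument"
      CONFIG=$2
      shift 2
      ;;
    -d | --ssldir)
      [[ $# -ge 2 ]] || die "option $1 requires an argument"
      SSLDIR=$2
      shift 2
      ;;
    *)
      usage >&2
      printf 'ERROR : Unknown option\n' >&2
      exit 3
      ;;
  esac
done

if [[ -z "${CONFIG:-}" ]]; then
  printf 'ERROR: the openssl configuration file is missing. option -f\n' >&2
  exit 1
fi
# openssl's own diagnostics are silenced below, so check the config up front
# instead of failing silently on the first CSR.
[[ -r "$CONFIG" ]] || die "cannot read openssl configuration file: $CONFIG"

SSLDIR="${SSLDIR:-/etc/kubernetes/certs}"

# The script chdirs into a private temp dir below, so relative -f/-d paths
# must be resolved first: otherwise openssl cannot find the config file, and a
# relative SSLDIR would be created inside the temp dir and wiped on exit.
config_dir=$(cd "$(dirname -- "$CONFIG")" && pwd) || die "cannot resolve $CONFIG"
CONFIG="${config_dir}/$(basename -- "$CONFIG")"
mkdir -p -- "$SSLDIR"
SSLDIR=$(cd "$SSLDIR" && pwd) || die "cannot resolve $SSLDIR"

tmpdir=$(mktemp -d /tmp/kubernetes_cacert.XXXXXX) || die "mktemp failed"
trap 'rm -rf "${tmpdir}"' EXIT
cd "${tmpdir}"
# Every file created from here on is a key or a cert; keep them owner-only
# rather than relying on the ambient umask (the installed files are expected
# to be mode 0600 anyway).
umask 077

# Root CA
if [[ -e "${SSLDIR}/ca-key.pem" ]]; then
  # Reuse the existing CA so certificates issued earlier stay valid.
  cp -- "${SSLDIR}/ca.pem" "${SSLDIR}/ca-key.pem" .
else
  openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1 \
    || die "openssl genrsa failed for the CA key"
  openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem \
    -subj "/CN=kube-ca" > /dev/null 2>&1 \
    || die "openssl req failed for the CA certificate"
fi

#######################################
# Generate a private key and a CA-signed certificate for one component.
# Globals:   CONFIG (read); ca.pem and ca-key.pem in the cwd (read)
# Arguments: $1 - file name prefix (<name>-key.pem, <name>.csr, <name>.pem)
#            $2 - X.509 subject, e.g. "/CN=kube-admin-node1/O=system:masters"
# Outputs:   nothing on success; openssl output is silenced on purpose
# Returns:   exits via die if any openssl step fails
#######################################
gen_key_and_cert() {
  local name=$1
  local subject=$2
  openssl genrsa -out "${name}-key.pem" 2048 > /dev/null 2>&1 \
    || die "openssl genrsa failed for ${name}"
  openssl req -new -key "${name}-key.pem" -out "${name}.csr" \
    -subj "${subject}" -config "${CONFIG}" > /dev/null 2>&1 \
    || die "openssl req failed for ${name}"
  # NOTE(review): every leaf certificate, server and client alike, is signed
  # with the same v3_req section of CONFIG, so whatever SANs that section
  # defines end up in admin/node/kube-proxy certs too. Per-role extension
  # sections would narrow what each key can be used for.
  # NOTE(review): -CAcreateserial writes its serial file into the temp dir,
  # so it is not persisted between runs; whether that can ever repeat a
  # serial depends on the openssl version — confirm if this matters.
  openssl x509 -req -in "${name}.csr" -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out "${name}.pem" -days 3650 \
    -extensions v3_req -extfile "${CONFIG}" > /dev/null 2>&1 \
    || die "openssl x509 failed for ${name}"
}

# Admins / control plane
if [[ -n "$MASTERS" ]]; then
  # kube-apiserver: generate only if we don't have existing ca and apiserver
  # certs, so a run that reuses the CA keeps the installed apiserver cert.
  if ! [[ -e "${SSLDIR}/ca-key.pem" ]] || ! [[ -e "${SSLDIR}/apiserver-key.pem" ]]; then
    gen_key_and_cert "apiserver" "/CN=kube-apiserver"
    # Append the CA so apiserver.pem is served as a full chain.
    cat ca.pem >> apiserver.pem
  fi
  # If any host requires new certs, just regenerate scheduler and
  # controller-manager master certs.
  gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler"
  gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
  # MASTERS is a space-separated list; word splitting is intended here.
  # shellcheck disable=SC2086
  for host in $MASTERS; do
    cn="${host%%.*}"
    # admin
    gen_key_and_cert "admin-${host}" "/CN=kube-admin-${cn}/O=system:masters"
  done
fi

# Nodes: one kubelet (system:node) and one kube-proxy (system:node-proxier)
# key pair per host.
if [[ -n "$HOSTS" ]]; then
  # HOSTS is a space-separated list; word splitting is intended here.
  # shellcheck disable=SC2086
  for host in $HOSTS; do
    # Short host name, lower-cased, is what goes into the node CN.
    cn="${host%%.*}"
    gen_key_and_cert "node-${host}" "/CN=system:node:${cn,,}/O=system:nodes"
    gen_key_and_cert "kube-proxy-${host}" "/CN=system:kube-proxy/O=system:node-proxier"
  done
fi

# Install certs (the .csr and serial files stay behind and are removed by the trap).
mv -- *.pem "${SSLDIR}/"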
3、生成证书
wang@wang:~/certs$ bash make-ssl.sh -f /home/wang/certs/openssl.conf -d /home/wang/certs/ wang@wang:~/certs$ ls admin-node2-key.pem ca-key.pem kube-proxy-node2-key.pem kube-scheduler-key.pem node-node2.pem admin-node2.pem ca.pem kube-proxy-node2.pem kube-scheduler.pem node-node3-key.pem admin-node3-key.pem kube-controller-manager-key.pem kube-proxy-node3-key.pem make-ssl.sh node-node3.pem admin-node3.pem kube-controller-manager.pem kube-proxy-node3.pem node-node1-key.pem node-node4-key.pem apiserver-key.pem kube-proxy-node1-key.pem kube-proxy-node4-key.pem node-node1.pem node-node4.pem apiserver.pem kube-proxy-node1.pem kube-proxy-node4.pem node-node2-key.pem openssl.conf wang@wang:~/certs$
4、分发证书
按照节点名分发证书;apiserver、controller-manager、scheduler 的证书发给Master节点。
属主:kube
属组:kube-cert
mode:0600