第四节.集群部署
环境规划
图片.png
安装docker
生成自签名证书
图片.png
- 安装证书生成工具cfssl(以下二进制文件会被放入系统路径并以root身份执行,下载后建议先与可信来源公布的校验值比对文件哈希,再赋予执行权限)
- wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
- wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
- wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
- chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
- mv cfssl_linux-amd64 /usr/local/bin/cfssl
- mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
- mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
- cfssl工具生成ca证书
- ca的json模板
- [root@k8s-master ssl]# cat ca-config.json
- {
- "signing": {
- "default": {
- "expiry": "87600h"
- },
- "profiles": {
- "kubernetes": {
- "expiry": "8760h",
- "usages": [
- "signing",
- "key encipherment",
- "server auth",
- "client auth"
- ]
- }
- }
- }
- }
- [root@k8s-master ssl]# cat ca-csr.json
- {
- "CN": "kubernetes",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "CN",
- "L": "BeiJing",
- "ST": "BeiJing",
- "O": "k8s",
- "OU": "System"
- }
- ]
- }
- 生成ca证书的命令(会在当前目录生成ca.pem、ca-key.pem和ca.csr;其中ca-key.pem是CA私钥,后面所有证书都由它签发,应限制其访问权限并妥善保管)
- cfssl gencert -initca ca-csr.json | cfssljson -bare ca - #需要有执行权限
- [root@k8s-master ssl]# cat ca-config.json
- 生成server证书(由上面的ca签发;hosts列表会写入证书的SAN,须包含客户端访问时使用的全部IP和域名)
- [root@k8s-master ssl]# cat server.csr.json
- {
- "CN": "kubernetes",
- "hosts": [
- "127.0.0.1",
- "192.168.137.130",
- "192.168.137.131",
- "192.168.137.132",
- "kubernetes.default",
- "kubernetes.default.svc",
- "kubernetes.default.svc.cluster",
- "kubernetes.default.svc.cluster.local"
- ],
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "CN",
- "L": "beijing",
- "ST": "beijing",
- "O": "k8s",
- "OU": "System"
- }
- ]
- }
- 生成server证书的命令(使用ca.pem和ca-key.pem签发)
- [root@k8s-master ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server.csr.json | cfssljson -bare server
- [root@k8s-master ssl]# cat server.csr.json
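- 生成admin证书(由ca签发。注意:下面的CSR内容看起来是通用示例模板,CN和hosts均为example.net,并非针对Kubernetes管理员填写;Kubernetes的客户端证书认证以证书的CN作为用户名、O作为用户组,实际使用前应按集群的权限规划修改这些字段)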
- [root@k8s-master ssl]# cat adimn-csr.json
- {
- "CN": "example.net",
- "hosts": [
- "example.net",
- "www.example.net"
- ],
- "key": {
- "algo": "ecdsa",
- "size": 256
- },
- "names": [
- {
- "C": "US",
- "L": "CA",
- "ST": "San Francisco"
- }
- ]
- }
- 生成admin证书的命令(使用ca.pem和ca-key.pem签发)
- cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes adimn-csr.json | cfssljson -bare admin
- 生成kube-proxy证书(由ca签发,作为客户端证书使用,因此hosts为空)
- [root@k8s-master ssl]# cat kube-proxy-csr.json
- {
- "CN": "system:kube-proxy",
- "hosts": [
- ],
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "CN",
- "L": "beijing",
- "ST": "beijing",
- "O": "k8s",
- "OU": "System"
- }
- ]
- }
- 生成kube-proxy证书的命令(使用ca.pem和ca-key.pem签发)
- cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
- [root@k8s-master ssl]# cat kube-proxy-csr.json
- [root@k8s-master ssl]# cat adimn-csr.json
- ca的json模板