k8s CA-signed mutual (two-way) certificate authentication (Part 3)


1. Set up the CA certificate files and startup parameters for kube-apiserver

1) Create the CA certificate and private key, plus the API server's private key (ca.key is the cluster's root signing key: keep it on the master, readable by root only)
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=lile.com" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048

 

2) The master_ssl.cnf file (note the dots in DNS.2 to DNS.4: TLS name matching is an exact comparison against these entries, and a client inside the cluster dials kubernetes.default.svc.cluster.local)
[req]
req_extensions=v3_req
distinguished_name=req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=@alt_names
[alt_names]
DNS.1=kubernetes
DNS.2=kubernetes.default
DNS.3=kubernetes.default.svc
DNS.4=kubernetes.default.svc.cluster.local
DNS.5=ip-172-29-1-113
IP.1=169.169.0.1
IP.2=172.29.1.113

 

DNS.1 to DNS.4: the names of the kubernetes service as seen from inside the cluster
DNS.5: the master's host name
IP.1: the cluster IP of the kubernetes service, i.e. the first address of --service-cluster-ip-range=169.169.0.0/16
IP.2: the master's host IP
 
openssl req -new -key server.key -subj "/CN=ip-172-29-1-113" -config master_ssl.cnf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt

 

3) Add the following parameters to the apiserver configuration file and remove the 8080 (insecure port) parameter
KUBE_CA="--client-ca-file=/var/run/kubernetes/ca.crt"
KUBE_PRIVATE_KEY="--tls-private-key-file=/var/run/kubernetes/server.key"
KUBE_CERT_FILE="--tls-cert-file=/var/run/kubernetes/server.crt"
KUBE_INSECURE="--insecure-port=0"
KUBE_SECURE_PORT="--secure-port=443"

--client-ca-file: the CA root certificate; a client certificate is accepted only if it chains to this CA
--tls-cert-file: the server certificate
--tls-private-key-file: the server private key
--insecure-port=0: disables the unauthenticated plain-HTTP listener (the flag itself was removed in Kubernetes 1.24, where the insecure port no longer exists)
 
2. Set up the client certificate, private key and startup parameters of kube-controller-manager
1) Create the client certificate. The CN is the user name the API server attributes to this client, so give each component its own CN rather than sharing one (with RBAC enabled, the built-in bindings expect kube-controller-manager to present CN=system:kube-controller-manager).
openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=k8s-node" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -out cs_client.crt

 

 
2) Create the kubeconfig file (the cluster entry needs a server URL, otherwise the controller manager has no address to connect to)

vim /etc/kubernetes/kubeconfig
apiVersion: v1
kind: Config
users:
- name: controllermanager
  user:
    client-certificate: /var/run/kubernetes/cs_client.crt
    client-key: /var/run/kubernetes/cs_client.key
clusters:
- name: local
  cluster:
    server: https://172.29.1.113:443
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: local
    user: controllermanager
  name: my-context
current-context: my-context

 

 
3) Modify the startup parameters
KUBE_PRIVATE_KEY="--service-account-private-key-file=/var/run/kubernetes/server.key"
KUBE_CA_FILE="--root-ca-file=/var/run/kubernetes/ca.crt"
KUBE_CONFIG="--kubeconfig=/etc/kubernetes/kubeconfig"

--service-account-private-key-file: the key used to sign service account tokens; reusing the API server's serving key works because kube-apiserver defaults --service-account-key-file to --tls-private-key-file, so tokens verify against the same key
--root-ca-file: the CA certificate placed into service account secrets, so pods can verify the API server

 

3. Set up the kube-scheduler startup parameters (--master must use https; the plain-HTTP 8080 endpoint no longer exists after step 1)

KUBE_MASTER="--master=https://172.29.1.113:443"
KUBE_CONFIG="--kubeconfig=/etc/kubernetes/kubeconfig"

 

 
4. Set up the kubelet client on the Node

1) Generate the kubelet client key and a certificate signed by the CA. The original procedure does this on the node after copying ca.crt and ca.key over from the master; anyone holding ca.key can mint a certificate for any identity the API server trusts, so it is safer to keep ca.key on the master, copy only kubelet_client.csr to the master for signing, and copy kubelet_client.crt together with ca.crt back to the node.
openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=k8s-node" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -out kubelet_client.crt

 

2) Create the kubeconfig file
 
vim /etc/kubernetes/kubeconfig
apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: /var/run/kubernetes/kubelet_client.crt
    client-key: /var/run/kubernetes/kubelet_client.key
clusters:
- name: local
  cluster:
    server: https://172.29.1.113:443
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: local
    user: kubelet
  name: my-context
current-context: my-context

 

3) Modify the kubelet startup parameters (the --api-servers address must also be changed to https://172.29.1.113:443, since the plain-HTTP 8080 endpoint was disabled)

KUBE_CONFIG="--kubeconfig=/etc/kubernetes/kubeconfig"

 

5. Modify the kube-proxy startup parameters (https here as well)

KUBE_MASTER="--master=https://172.29.1.113:443"
KUBE_CONFIG="--kubeconfig=/etc/kubernetes/kubeconfig"

 

6. Test access
kubectl --server=https://172.29.1.113:443 --certificate-authority=/var/run/kubernetes/ca.crt --client-certificate=/var/run/kubernetes/cs_client.crt  --client-key=/var/run/kubernetes/cs_client.key get nodes
This should list the nodes. Leaving out --client-certificate and --client-key, or presenting a certificate not signed by the CA in --client-ca-file, must fail; if such a request still succeeds, the insecure port is still open or the certificate flags did not take effect.
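As an added check, the shell script below (example code, not from the original post or from Kubernetes) rebuilds the CA, the serving certificate and the client certificates of steps 1 and 2 in a scratch directory and then verifies, with openssl alone, the two properties the API server flags rely on: that server.crt chains to ca.crt and carries every name or IP a client will dial, and that a client certificate is accepted only when it chains to the CA given in --client-ca-file, whatever its CN says. It assumes openssl 1.1 or later on PATH; the ca.cnf file, the rogue CA and the rogue_client name are this example's own additions, everything else uses the page's names.

```shell
#!/bin/sh
# Added example (not code from the original post or from Kubernetes).
# Rebuilds the CA, the kube-apiserver serving cert and two client certs in a
# scratch directory, then checks what --tls-cert-file and --client-ca-file rely on.
# Assumes openssl 1.1+ on PATH. Names are the page's; ca.cnf, the rogue CA and
# rogue_client are this example's own additions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: an empty DN section so -subj works without the
# system openssl.cnf, and an explicit CA:TRUE for the self-signed root.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name=req_distinguished_name
x509_extensions=v3_ca
[req_distinguished_name]
[v3_ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

# The page's master_ssl.cnf (step 1), with dot-separated service names.
cat > "$WORK/master_ssl.cnf" <<'EOF'
[req]
req_extensions=v3_req
distinguished_name=req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=@alt_names
[alt_names]
DNS.1=kubernetes
DNS.2=kubernetes.default
DNS.3=kubernetes.default.svc
DNS.4=kubernetes.default.svc.cluster.local
DNS.5=ip-172-29-1-113
IP.1=169.169.0.1
IP.2=172.29.1.113
EOF

make_ca() {  # $1 = basename, $2 = CN
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/$1.key" -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -days 5000 -out "$WORK/$1.crt"
}
make_server_cert() {  # the CSR carries the SANs; -extensions v3_req copies them into the cert
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=ip-172-29-1-113" \
    -config "$WORK/master_ssl.cnf" -out "$WORK/server.csr"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 5000 -extensions v3_req -extfile "$WORK/master_ssl.cnf" \
    -out "$WORK/server.crt" 2>/dev/null
}
make_client_cert() {  # $1 = signing CA basename, $2 = output basename, $3 = CN
  openssl genrsa -out "$WORK/$2.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$2.key" -config "$WORK/ca.cnf" -subj "/CN=$3" \
    -out "$WORK/$2.csr"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 5000 -out "$WORK/$2.crt" 2>/dev/null
}

# What a client checks when it dials the API server by name or by IP:
# server.crt must chain to ca.crt and list the dialed name in subjectAltName.
server_cert_valid_for_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}
server_cert_valid_for_ip() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" "$WORK/server.crt" >/dev/null 2>&1
}
# What --client-ca-file enforces: the presented client cert must chain to ca.crt.
client_cert_accepted() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/$1.crt" >/dev/null 2>&1
}
# The user name the API server derives from an accepted client cert: its CN.
client_cert_user() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.crt" | sed 's/^subject= *//; s/^CN=//'
}

make_ca ca lile.com
make_server_cert
make_client_cert ca cs_client k8s-node         # step 2, the controller-manager client
make_ca rogue rogue-ca                         # a CA the API server does not trust
make_client_cert rogue rogue_client k8s-node   # same CN, untrusted issuer

for n in kubernetes kubernetes.default.svc.cluster.local ip-172-29-1-113; do
  server_cert_valid_for_host "$n" && echo "server.crt is valid for $n"
done
server_cert_valid_for_ip 169.169.0.1 && echo "server.crt is valid for 169.169.0.1"
client_cert_accepted cs_client && echo "cs_client.crt accepted, user $(client_cert_user cs_client)"
client_cert_accepted rogue_client || echo "rogue_client.crt rejected although its CN is $(client_cert_user rogue_client)"
echo "files left in $WORK"
```

The rogue_client case is the point of step 4's warning about ca.key: the API server never looks at the CN until the chain to ca.crt has been verified, so the name in a certificate is worth nothing without the CA key that signed it, and the CA key is worth every identity in the cluster.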

 

