To secure the cluster, the Kubernetes components use x509 certificates to encrypt and authenticate all of their communication.
A CA (Certificate Authority) is a self-signed root certificate that signs every certificate created after it.
Each CA certificate is shared by all nodes of the cluster: it is created once and then used to sign all other certificates. This document creates two independent CAs, one for etcd and one for Kubernetes, so that a certificate issued for etcd cannot be presented to kube-apiserver, or vice versa.
This document uses CloudFlare's PKI toolkit cfssl to create all certificates.
Note: unless stated otherwise, every command in this document is run on the qist node.
Install cfssl, cfssljson and cfssl-certinfo (the release asset for the last one is named `cfssl-certinfo_...`, with a hyphen):

```shell
mkdir -p /opt/k8s/bin
wget https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl_1.4.1_linux_amd64
mv cfssl_1.4.1_linux_amd64 /opt/k8s/bin/cfssl
wget https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssljson_1.4.1_linux_amd64
mv cfssljson_1.4.1_linux_amd64 /opt/k8s/bin/cfssljson
wget https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl-certinfo_1.4.1_linux_amd64
mv cfssl-certinfo_1.4.1_linux_amd64 /opt/k8s/bin/cfssl-certinfo
chmod +x /opt/k8s/bin/*
export PATH=/opt/k8s/bin:$PATH
```
The CA configuration file (ca-config.json) defines signing profiles. Each profile sets the parameters of the certificates the CA issues with it: the key usages (signing, key encipherment, server auth, client auth) and the expiry.
```shell
mkdir -p /opt/k8s/cfssl/{etcd,k8s}
mkdir -p /opt/k8s/cfssl/pki/{etcd,k8s}
# create the working directory
mkdir -p /opt/k8s/work
cd /opt/k8s/work
cat > /opt/k8s/cfssl/ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "876000h"
      }
    }
  }
}
EOF
```

The `default` block applies when `-profile` is not given (87600h, 10 years). The `kubernetes` profile used for every certificate in this series issues certificates valid for 876000h, about 100 years. kube-apiserver and etcd consult no CRL or OCSP, so a certificate signed under this profile stays usable after a leak until the CA itself is replaced; where that is not acceptable, shorten the profile expiry and plan for rotation instead.
CSR for the etcd CA (`ca.expiry` sets the lifetime of the CA certificate itself, again 876000h here):

```shell
cd /opt/k8s/work
cat > /opt/k8s/cfssl/etcd/etcd-ca-csr.json <<EOF
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "k8s",
      "OU": "Qist"
    }
  ],
  "ca": {
    "expiry": "876000h"
  }
}
EOF
```
CSR for the Kubernetes CA:

```shell
cd /opt/k8s/work
cat > /opt/k8s/cfssl/k8s/k8s-ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "k8s",
      "OU": "Qist"
    }
  ],
  "ca": {
    "expiry": "876000h"
  }
}
EOF
```
Note:
The following table helps when filling in a certificate signing request.

| Field | Description | Example |
|---|---|---|
| Country Name (C) | Two-letter ISO 3166 country code. | CN (China) |
| State or Province Name (ST) | State or province where the organization is located. Write it out in full; do not abbreviate. | GuangDong |
| Locality Name (L) | City where the organization is located. | GuangZhou |
| Organization Name (O) | Full legal name of the organization; do not abbreviate. For Kubernetes client certificates, kube-apiserver reads O as the user's group names. | Baidu, Tencent, NetEase; system:masters |
| Organizational Unit Name (OU) | Optional; additional organizational information. | Development, Testing, Marketing |
| Common Name (CN) | For a server certificate, the fully qualified domain name of the server; if it does not exactly match the name the client connects to, the client reports a certificate name mismatch (modern TLS clients match against the SAN list rather than the CN, so list every name in `hosts`). For Kubernetes client certificates, kube-apiserver uses CN as the user name. | www.yourdomain.com; admin |
| Email Address | E-mail address of the server administrator. | someone@yourdomain.com |
Generate the etcd CA (`cfssl gencert -initca` creates the key and the self-signed root; `cfssljson -bare` writes the `.pem`, `-key.pem` and `.csr` files):

```shell
cd /opt/k8s/work
cfssl gencert -initca /opt/k8s/cfssl/etcd/etcd-ca-csr.json | \
  cfssljson -bare /opt/k8s/cfssl/pki/etcd/etcd-ca
ls -la /opt/k8s/cfssl/pki/etcd/*-ca*
```

```
root@Qist ~# ls /opt/k8s/cfssl/pki/etcd/*-ca*
/opt/k8s/cfssl/pki/etcd/etcd-ca-key.pem /opt/k8s/cfssl/pki/etcd/etcd-ca.csr
/opt/k8s/cfssl/pki/etcd/etcd-ca.pem
```

Generate the Kubernetes CA the same way:

```shell
cd /opt/k8s/work
cfssl gencert -initca /opt/k8s/cfssl/k8s/k8s-ca-csr.json | \
  cfssljson -bare /opt/k8s/cfssl/pki/k8s/k8s-ca
```

```
root@Qist ~# ls /opt/k8s/cfssl/pki/k8s/*-ca*
/opt/k8s/cfssl/pki/k8s/k8s-ca-key.pem /opt/k8s/cfssl/pki/k8s/k8s-ca.csr
/opt/k8s/cfssl/pki/k8s/k8s-ca.pem
```
Distribute the CA files to the three nodes (the target directories `/apps/etcd/ssl`, `/apps/k8s/ssl/etcd` and `/apps/k8s/ssl/k8s` must already exist on each node):

```shell
cd /opt/k8s/work
scp -r /opt/k8s/cfssl/pki/etcd/etcd-ca* root@192.168.2.175:/apps/etcd/ssl
scp -r /opt/k8s/cfssl/pki/etcd/etcd-ca* root@192.168.2.176:/apps/etcd/ssl
scp -r /opt/k8s/cfssl/pki/etcd/etcd-ca* root@192.168.2.177:/apps/etcd/ssl
# CA certificate used by k8s to connect to etcd
scp -r /opt/k8s/cfssl/pki/etcd/etcd-ca.pem root@192.168.2.175:/apps/k8s/ssl/etcd/
scp -r /opt/k8s/cfssl/pki/etcd/etcd-ca.pem root@192.168.2.176:/apps/k8s/ssl/etcd/
scp -r /opt/k8s/cfssl/pki/etcd/etcd-ca.pem root@192.168.2.177:/apps/k8s/ssl/etcd/
# K8S cluster CA certificate
scp -r /opt/k8s/cfssl/pki/k8s/k8s-ca* root@192.168.2.175:/apps/k8s/ssl/k8s
scp -r /opt/k8s/cfssl/pki/k8s/k8s-ca* root@192.168.2.176:/apps/k8s/ssl/k8s
scp -r /opt/k8s/cfssl/pki/k8s/k8s-ca* root@192.168.2.177:/apps/k8s/ssl/k8s
```

Note that the `etcd-ca*` and `k8s-ca*` globs also match `etcd-ca-key.pem` and `k8s-ca-key.pem`, the CA private keys. Nothing on an etcd node needs the etcd CA key, and on a Kubernetes node only kube-controller-manager needs `k8s-ca-key.pem` (for `--cluster-signing-key-file`, to sign CSRs submitted through the certificates API). Whoever holds a CA key can mint any identity, admin included, so copy only the `.pem` certificates unless a node really signs certificates, and keep the keys on qist with restrictive permissions.
Download the kubectl client (arrange your own proxy for the download if it is blocked):

```shell
cd /opt/k8s/work
wget https://dl.k8s.io/v1.23.3/kubernetes-client-linux-amd64.tar.gz
tar -xzvf kubernetes-client-linux-amd64.tar.gz
```

Distribute it to every node that will use kubectl:

```shell
cd /opt/k8s/work
cp -pdr kubernetes/client/bin/kubectl /bin/
```

```
root@Qist opt# which kubectl
/usr/bin/kubectl
root@Qist opt# /usr/bin/kubectl version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.3",
GitCommit:"816c97ab8cff8a1c72eccca1026f7820e93e0d25", GitTreeState:"clean",
BuildDate:"2022-01-25T21:25:17Z", GoVersion:"go1.17.6", Compiler:"gc",
Platform:"linux/amd64"}
```
kubectl talks to kube-apiserver over https, and kube-apiserver authenticates and authorizes each kubectl request using the client certificate the request carries.
kubectl will be used to administer the cluster, so the admin certificate created here carries the highest privileges.
Create the certificate signing request:

```shell
cd /opt/k8s/work
cat > /opt/k8s/cfssl/k8s/k8s-apiserver-admin.json << EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "system:masters",
      "OU": "Kubernetes-manual"
    }
  ]
}
EOF
```

O: system:masters: when kube-apiserver receives a request that uses this certificate, it attaches the group (Group) identity system:masters to the request;
the predefined ClusterRoleBinding cluster-admin binds the group system:masters to the ClusterRole cluster-admin, which grants the highest privileges needed to operate the cluster;
this certificate is only ever used by kubectl as a client certificate, so the hosts field is empty (`[]` rather than `[""]`, which would ask cfssl to put an empty host name in the certificate).
Because membership in system:masters is decided purely by the O field of the certificate and kube-apiserver checks no revocation list, guard the admin private key like a CA key: anyone holding it is cluster-admin until the certificate expires (100 years under this profile) or the Kubernetes CA is replaced.
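The following Go program is an added example; it is not part of the original post and not cfssl's code. It reproduces with Go's standard crypto/x509 (the library cfssl itself builds on) what the CA CSRs, the `kubernetes` profile in ca-config.json and the admin request above ask cfssl to do, then performs the check kube-apiserver performs on the result: a self-signed CA with the subject and 876000h lifetime of k8s-ca-csr.json, a client certificate for CN `admin` / O `system:masters` with the profile's usages and no SANs, chain verification against the trusted CA, extraction of user and groups from the subject, and (in `main` and the usage note) rejection of a certificate issued by the separate etcd CA. The 127-bit random serial, the five-minute NotBefore backdating and all function names are this example's choices and assumptions, not cfssl's exact behaviour.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// 876000h is both "ca.expiry" in the two CA CSRs and the "expiry" of the
// "kubernetes" profile in ca-config.json: about 100 years.
const expiry = 876000 * time.Hour

// subject mirrors the "names" block of the CSR files on this page.
func subject(cn string, org []string, ou string) pkix.Name {
	return pkix.Name{
		CommonName: cn, Country: []string{"CN"}, Province: []string{"GuangDong"},
		Locality: []string{"GuangZhou"}, Organization: org, OrganizationalUnit: []string{ou},
	}
}

// issue generates an RSA-2048 key and a certificate for tmpl: self-signed when
// parent is nil (cfssl gencert -initca), otherwise signed by parent/parentKey
// (cfssl gencert -ca ... -ca-key ... -config ... -profile ...).
// Serial size and NotBefore backdating are this example's choices, not cfssl's.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore = time.Now().Add(-5 * time.Minute)
	tmpl.NotAfter = time.Now().Add(expiry)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA is `cfssl gencert -initca` on etcd-ca-csr.json or k8s-ca-csr.json.
func newCA(cn string) (*x509.Certificate, *rsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject:               subject(cn, []string{"k8s"}, "Qist"),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}, nil, nil)
}

// signClient applies the "kubernetes" profile to a CSR with empty hosts, as in
// k8s-apiserver-admin.json: no SANs; signing, key encipherment, server auth
// and client auth; CN = Kubernetes user name, O = Kubernetes group names.
func signClient(ca *x509.Certificate, caKey *rsa.PrivateKey, user string, groups []string) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		Subject:     subject(user, groups, "Kubernetes-manual"),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert, err
}

// authenticate is the kube-apiserver side: the cert must chain to the CA from
// --client-ca-file and be valid for client auth; user = CN, groups = O.
// No CRL or OCSP is consulted, so a leaked cert works until NotAfter.
func authenticate(trustedCA, cert *x509.Certificate) (user string, groups []string, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}

// isClusterAdmin: system:masters is the group the predefined cluster-admin
// ClusterRoleBinding grants unrestricted access to.
func isClusterAdmin(groups []string) bool {
	for _, g := range groups {
		if g == "system:masters" {
			return true
		}
	}
	return false
}

func main() {
	k8sCA, k8sKey, err := newCA("kubernetes")
	if err != nil {
		panic(err)
	}
	admin, err := signClient(k8sCA, k8sKey, "admin", []string{"system:masters"})
	if err != nil {
		panic(err)
	}
	user, groups, err := authenticate(k8sCA, admin)
	fmt.Println(user, groups, isClusterAdmin(groups), err, admin.NotAfter.UTC().Format("2006-01-02"))
}
```

Run it with `go run .`; it prints `admin [system:masters] true <nil>` followed by a date about 100 years out. Signing the same request with a CA from `newCA("etcd")` and passing it to `authenticate(k8sCA, ...)` fails with an unknown-authority error, which is the whole point of keeping the etcd and Kubernetes CAs separate; and because nothing in `authenticate` can revoke a certificate, the lifetime chosen in the profile is the only thing limiting a leaked admin certificate.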
Author: 念舒_C.ying