Kubernetes ssl certificate carding

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Preface

During the installation and configuration of a kubernetes cluster, a variety of certificates are used to strengthen cluster security, and they trip up many beginners. If you deploy the cluster manually at first, in order to understand how the cluster components work together, you will run into many bizarre errors, and many of them are caused by certificate configuration mistakes. When an error is reported, read the logs of the master node and of the service node being debugged; you can usually find a useful error message there, and the error logs printed by k8s point in a reliable direction. To spare others the same pitfalls, this article briefly sorts out the certificate information used during cluster configuration. The details are as follows.

Certificates used by the cluster

etcd: uses ca.pem, server-key.pem, server.pem
kube-apiserver: uses ca.pem, server-key.pem, server.pem
kubelet: uses ca.pem
kube-proxy: uses ca.pem, kube-proxy-key.pem, kube-proxy.pem
kubectl: uses ca.pem, admin-key.pem, admin.pem
kube-controller-manager: uses ca-key.pem, ca.pem

Note:

Certificate generation can be performed on the master node host, and the certificates only need to be created once. Afterwards, copy the certificates to each newly added node.

Each service can be configured separately according to the certificates it uses.

Other certificate-related files

token.csv: this file is a user description file in the basic format Token, user name, UID, user group. It is loaded by the apiserver when the apiserver starts, and the user is then created in the cluster; that user can afterwards be authorized with RBAC.

bootstrap.kubeconfig: this file contains the user's Token from token.csv as well as the apiserver CA certificate. It is loaded when kubelet starts for the first time; the apiserver CA certificate is used to establish TLS communication with the apiserver, and the user Token is used as the identity to send a CSR request to the apiserver in order to obtain a certificate.

Brief introduction to the process of installing cfssl
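The relationship between token.csv and bootstrap.kubeconfig described above, as an added example that is not part of the original article: the sample token.csv lines, the user name kubelet-bootstrap, the group system:bootstrappers and the 32-character minimum token length are my assumptions, not values given on the page.

```python
import base64
import csv
import io
import secrets

# Constructed sample token.csv in the article's format: Token,user name,UID,user group.
# The second line is deliberately malformed (the group field is missing).
SAMPLE_TOKEN_CSV = (
    '0123456789abcdef0123456789abcdef,kubelet-bootstrap,10001,"system:bootstrappers"\n'
    'deadbeef,kube-proxy-user,10002\n'
)
MIN_TOKEN_LEN = 32  # assumption: shorter tokens are treated as too weak for bootstrapping

def new_token():
    """Bootstrap token drawn from the OS CSPRNG (32 hex characters)."""
    return secrets.token_hex(16)

def token_csv_line(token, user, uid, groups):
    """One token.csv line; a multi-group value is quoted so it stays a single CSV field."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow([token, user, uid, ",".join(groups)])
    return buf.getvalue()

def parse_token_csv(text):
    """Return (entries, errors): lines missing one of the four fields or carrying a short token are rejected."""
    entries, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if len(row) < 4:
            errors.append(f"line {lineno}: expected token,user,uid,group; got {len(row)} fields")
            continue
        token, user, uid, group = row[:4]
        if len(token) < MIN_TOKEN_LEN:
            errors.append(f"line {lineno}: token for {user} is shorter than {MIN_TOKEN_LEN} chars")
            continue
        entries.append({"token": token, "user": user, "uid": uid, "groups": group.split(",")})
    return entries, errors

def bootstrap_kubeconfig(server, ca_pem, token):
    """kubeconfig carrying the apiserver CA (base64 PEM) and the bootstrap token, as the article describes."""
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": "kubernetes", "cluster": {
            "server": server, "certificate-authority-data": base64.b64encode(ca_pem).decode()}}],
        "users": [{"name": "kubelet-bootstrap", "user": {"token": token}}],
        "contexts": [{"name": "default", "context": {"cluster": "kubernetes", "user": "kubelet-bootstrap"}}],
        "current-context": "default",
    }
```

Running parse_token_csv over SAMPLE_TOKEN_CSV accepts the first line and reports the second, which is the kind of malformed entry that shows up as a puzzling apiserver start-up error.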

CFSSL is an open source PKI/TLS tool from CloudFlare. CFSSL includes a command line tool and an HTTP API service for signing, verifying, and bundling TLS certificates.

It is written in the Go language.

CFSSL includes:
a set of tools for generating a custom TLS PKI;
the cfssl program, the command line tool of CFSSL;
the multirootca program, a certificate authority server that can use multiple signing keys;
the mkbundle program, used to build certificate bundles;
the cfssljson program, which takes the JSON output of cfssl and multirootca and writes certificates, keys, CSRs and bundles to disk.

PKI provides trusted network identity with the help of digital certificates and public key cryptography. In general, a certificate is a file that contains the following identity information: the certificate holder's organization information, the public key, the certificate issuing organization, the permissions granted by the issuing organization (such as the validity period of the certificate, the applicable hostnames, usage, etc.), and a digital signature created with the issuing organization's private key.

Download

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

Install

chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

Certificate generation process

The process is demonstrated by producing the server CA certificate:

cat
