2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
CFSSL is an open source PKI/TLS toolkit from CloudFlare. It includes a command line tool and an HTTP API service for signing, verifying, and bundling TLS certificates. It is written in the Go language.
Github address: https://github.com/cloudflare/cfssl
Official website address: https://pkg.cfssl.org/
Reference address: liuzhengwei521
Install the CFSSL binaries:
curl -s -L -o /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
curl -s -L -o /bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x /bin/cfssl*
Cluster related certificate types
Client certificate: used by a server to authenticate clients, such as etcdctl, etcd proxy, fleetctl and docker clients
Server certificate: used to verify the identity of a server, such as the docker server and kube-apiserver
Peer certificate: two-way certificate for communication between etcd cluster members
Certificates can be divided into three categories according to the object being authenticated: the server certificate (server cert), the client certificate (client cert) and the peer certificate (peer cert, which serves as both a server cert and a client cert). The types of certificates required in a kubernetes cluster are as follows:
etcd node: needs a server cert to identify the service it serves, and also needs a client cert to interact with the other members of the etcd cluster. You can specify two separate certificates, or use a single peer certificate.
master node: needs a server cert to identify the apiserver service, and also needs a client cert to connect to the etcd cluster. Here a peer certificate is used.
kubectl, calico, kube-proxy: only need a client cert, so the hosts field in the certificate request can be empty.
kubelet: a special case that is not generated manually. The node requests it from the apiserver through TLS bootstrap, and the controller-manager on the master node signs it automatically. It contains both a client cert and a server cert.
Create the CA configuration file
The configuration file defines the certificate generation policy, i.e. which types of certificates this CA is allowed to issue.
vim /opt/ssl/k8sca/ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      }
    }
  }
}
Create the CA certificate signing request
vim /opt/ssl/k8sca/ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "O": "Ctyun",
      "ST": "BeiJing",
      "OU": "ops"
    }
  ]
}
Generate the CA certificate and private key
This produces the files the CA needs: ca-key.pem (private key) and ca.pem (certificate), plus ca.csr (certificate signing request), which can be used for cross-signing or re-signing.
$ cd /opt/ssl/k8sca/
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
$ ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
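As an added example (not from the article or the cfssl project), a small stdlib-only Python checker that applies the certificate-type rules above to a cfssl CSR before it is signed under a ca-config.json profile: a server or peer cert must carry hosts, a client-only cert needs none, the profile must grant the usages the role requires, and a very long expiry is flagged. The policy is a constructed copy of the article's ca-config.json; the CSR samples and the check_csr/expiry_hours helpers are constructed for this illustration.

```python
import json
import re

# Constructed copy of the article's ca-config.json policy, embedded so the check runs offline.
CA_CONFIG = json.loads("""
{"signing": {"default": {"expiry": "87600h"},
 "profiles": {"kubernetes": {"usages": ["signing", "key encipherment",
   "server auth", "client auth"], "expiry": "87600h"}}}}
""")

# Extended key usages each certificate role from the list above must be signed with.
ROLE_USAGES = {"server": {"server auth"}, "client": {"client auth"},
               "peer": {"server auth", "client auth"}}

def expiry_hours(expiry):
    """Parse a cfssl duration string such as '87600h' or '30m' into hours."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([hms])", expiry)
    if not m:
        raise ValueError("unsupported expiry: " + expiry)
    return float(m.group(1)) / {"h": 1, "m": 60, "s": 3600}[m.group(2)]

def check_csr(csr, role, config, profile):
    """Findings for a CSR of the given role before signing it under `profile` (hypothetical checker)."""
    findings = []
    prof = config["signing"]["profiles"][profile]
    missing = ROLE_USAGES[role] - set(prof["usages"])
    if missing:
        findings.append("profile lacks usages: " + ", ".join(sorted(missing)))
    hosts = [h for h in csr.get("hosts", []) if h]
    # Server and peer certs are bound to the endpoint they serve; client-only certs need no hosts.
    if role in ("server", "peer") and not hosts:
        findings.append(role + " cert needs hosts (SAN) for the service it serves")
    if role == "client" and hosts:
        findings.append("client-only cert needs no hosts; leave the field empty")
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and key.get("size", 0) < 2048:
        findings.append("RSA key shorter than 2048 bits")
    hours = expiry_hours(prof.get("expiry") or config["signing"]["default"]["expiry"])
    if hours > 24 * 365 * 5:
        findings.append("expiry %.0f years; plan rotation" % (hours / 24 / 365))
    return findings

# Constructed CSRs: an apiserver request with its hosts left empty, and a kubectl client request.
APISERVER_CSR = {"CN": "kube-apiserver", "hosts": [], "key": {"algo": "rsa", "size": 2048}}
KUBECTL_CSR = {"CN": "admin", "key": {"algo": "rsa", "size": 2048}}

if __name__ == "__main__":
    print("apiserver:", check_csr(APISERVER_CSR, "peer", CA_CONFIG, "kubernetes"))
    print("kubectl:", check_csr(KUBECTL_CSR, "client", CA_CONFIG, "kubernetes"))
```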