2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
In a real Kubernetes deployment, the components inside the cluster communicate over TLS with two-way (mutual) authentication, that is, over HTTPS, so certificates must be created for each Kubernetes component during deployment. Without HTTPS, communication and access between nodes in the cluster are insecure: an illegitimate user can operate on cluster resources through a client, causing cluster service exceptions or even bringing the cluster down, for example by manipulating the data stored in etcd. Two-way HTTPS authentication should therefore be enabled for the cluster.
1 Preparation

1.1 Variable definitions and the certificates used by each component

Environment variables:

# certificate and key storage paths
SSL_BIN_PATH=/usr/local/cfssl
CA_DIR=/etc/k8s/ssl
# external-network and internal-network apiserver VIP access addresses
VIP_KUBEAPI_OUTSIDE=192.168.20.100
VIP_KUBEAPI_INSIDE=10.10.10.100
# master cluster node component listening addresses
MASTER1_IP=10.10.10.22
MASTER2_IP=10.10.10.23
MASTER3_IP=10.10.10.24
# etcd cluster node listening addresses
ETCD1_IP=10.10.10.22
ETCD2_IP=10.10.10.23
ETCD3_IP=10.10.10.24
# kubernetes default service address
CLUSTER_KUBERNETES_SVC_IP=10.254.0.1
# certificate authentication domain name
DOMAIN=mo9.com

Certificate usage by component:

kube-apiserver: uses ca.pem, kubernetes.pem, kubernetes-key.pem, the etcd public and private key certificates, the metrics public and private keys, and other certificates;
kube-controller-manager: uses ca-key.pem, ca.pem, the kube-controller-manager public and private keys, and other certificates;
kube-scheduler: uses ca.pem, kube-scheduler.pem, kube-scheduler-key.pem, and other certificates;
kube-proxy: uses ca.pem, kube-proxy-key.pem, kube-proxy.pem, and other certificates;
kubelet: uses the ca.pem certificate;
kubectl: uses ca.pem, admin-key.pem, admin.pem, and other certificates;
etcd: uses ca.pem, etcd-key.pem, etcd.pem, and other certificates;
flannel: uses ca.pem, flannel.pem, flannel-key.pem, and other certificates.

Remarks:
This installation document generates certificate files for all components. In practice you can choose to have some components share a certificate, or not to enable HTTPS access for them at all. For example, etcd and flannel can share the apiserver component's certificate or run without HTTPS, and controller-manager and scheduler can also be accessed over plain HTTP.
1.2 Create related directories

mkdir -p $SSL_BIN_PATH
mkdir -p $CA_DIR

1.3 Install the cfssl toolset
In most cases a Kubernetes cluster is built inside its own VPC, for example a public-cloud VPC region or a self-built data center. Since all related k8s components require TLS two-way authentication, while most public certificate authorities issue SSL certificates for one-way (server) authentication only, you must build your own CA root certificate and generate the corresponding root public and private keys. The CA certificate can be created with openssl or cfssl; cfssl is used as the example here:
mkdir -p $SSL_BIN_PATH/bin > /dev/null 2>&1
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -P $SSL_BIN_PATH/bin/
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -P $SSL_BIN_PATH/bin/
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -P $SSL_BIN_PATH/bin/
cd $SSL_BIN_PATH/bin/
mv cfssl_linux-amd64 cfssl && mv cfssljson_linux-amd64 cfssljson
mv cfssl-certinfo_linux-amd64 cfssl-certinfo
chmod +x * && ln -sf $SSL_BIN_PATH/bin/cfssl* /usr/local/bin/

2 Create related certificates

2.1 Create the root certificate (CA)
The CA certificate is shared by all nodes in the cluster, so only one CA certificate needs to be created; it signs all subsequent certificates.
Create the CA configuration file
The CA configuration file defines the signing scenarios (profiles) of the root certificate and their specific parameters (key usages, expiration time, server authentication, client authentication, encryption, etc.). When signing the other certificates later, you specify which profile to use.
cat > $CA_DIR/ca-config.json
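The page's own ca-config.json content is not reproduced here, so the following is an added example (not the original article's file) of what such a cfssl CA configuration looks like. It writes a config with three signing profiles and a small check function; the profile names (kubernetes, server, client), the expiry values and the fallback to a temporary directory when CA_DIR is unset are assumptions for this example. Keeping separate server-auth and client-auth profiles, rather than issuing every certificate with both usages, limits what a leaked client certificate can be presented as.

```shell
#!/bin/sh
# Added example: write a cfssl CA configuration ("signing" section with
# a default and several profiles) and check which profiles it defines.
# CA_DIR is the directory variable defined earlier in the article; when it is
# unset (as in a stand-alone run) a temporary directory is used instead.
CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Writes ca-config.json into $CA_DIR and prints its path.
write_ca_config() {
  mkdir -p "$CA_DIR"
  cat > "$CA_DIR/ca-config.json" <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      },
      "server": {
        "usages": ["signing", "key encipherment", "server auth"],
        "expiry": "87600h"
      },
      "client": {
        "usages": ["signing", "key encipherment", "client auth"],
        "expiry": "87600h"
      }
    }
  }
}
EOF
  printf '%s\n' "$CA_DIR/ca-config.json"
}

# has_profile FILE NAME: succeeds (exit 0) if FILE defines a profile NAME.
has_profile() {
  grep -q "\"$2\": {" "$1"
}

# Stand-alone run: write the file and list the profiles it contains.
cfg=$(write_ca_config)
for p in kubernetes server client; do
  has_profile "$cfg" "$p" && echo "profile defined: $p"
done
```

When signing a component certificate later with cfssl gencert, the profile is selected with -profile=NAME; the "kubernetes" profile above carries both server auth and client auth, which is what the apiserver certificate needs, while a kubectl or kube-proxy certificate only needs the "client" profile.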