2025-02-21 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >
Shulou(Shulou.com)06/01 Report--
In this issue, the editor explains how to set up CA two-way (mutual) digital certificate authentication in Kubernetes. The article is rich in content and analyses the topic from a professional point of view; I hope you get something out of it.
OpenSSL
There are three main RSA instructions in openssl:

Instruction   Function
genrsa        generates and outputs an RSA private key
rsa           handles format conversion of RSA keys, etc.
rsautl        uses RSA keys for encryption, decryption, signature and verification operations

genrsa [args] [numbits]
  numbits                                   number of key bits
  -des                                      encrypt the generated key with DES in cbc mode
  -des3                                     encrypt the generated key with DES in ede cbc mode (1024 bit key)
  -seed                                     encrypt PEM output with cbc seed
  -aes128, -aes192, -aes256                 encrypt PEM output with cbc aes
  -camellia128, -camellia192, -camellia256  encrypt PEM output with cbc camellia
  -out file                                 output the key to 'file' (the public key can be extracted from this file)
  -passout arg                              output file pass phrase source: the pass phrase of the key file, read from a file, an environment variable, the terminal, etc.
  -f4                                       use F4 (0x10001) for the E value; this is the default, e = 65537
  -3                                        use 3 for the E value; with this option the exponent e is 3 instead of the default 65537
  -engine e                                 use engine e, possibly a hardware device (a third-party crypto library or hardware)
  -rand file:file:...                       load the file (or the files in the directory) into the random number generator as seed
req command: generate a certificate request using an existing private key

openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-rand file(s)] [-newkey rsa:bits] [-newkey alg:file] [-nodes] [-key filename] [-keyform PEM|DER] [-keyout filename] [-keygen_engine id] [-[digest]] [-config filename] [-subj arg] [-multivalue-rdn] [-days n] [-set_serial n] [-asn1-kludge] [-no-asn1-kludge] [-newhdr] [-extensions section] [-reqexts section] [-utf8] [-nameopt] [-reqopt] [-subject] [-subj arg] [-batch] [-verbose] [-engine id]

  -new      generate a certificate request file
  -x509     generate a self-signed certificate
  -key      specify an existing key file from which the request is generated; only works together with -new
  -newkey   mutually exclusive with -key. -newkey means a key is generated automatically when the certificate request or self-signed certificate is generated, and the key file name is given by -keyout. With -newkey, rsa:bits selects an RSA key of the given number of bits. If neither -key nor -newkey is specified, a key is generated automatically by default.
  -out      name of the generated certificate request or self-signed certificate
  -config   the default configuration file is /etc/ssl/openssl.cnf on Ubuntu; -config specifies a configuration file at another path
  -nodes    when -newkey generates the key automatically, -nodes means the generated key is not encrypted, i.e. no passphrase has to be entered
  -batch    non-interactive mode: read the parameters directly from the config file, or use the default values

The related terms are abbreviated as follows:
CSR: Certificate Signing Request. It is not a certificate but an application to obtain a signed certificate from an authoritative certificate authority. Its core content is a public key (plus some other information). When the request is generated, a private key is generated as well; the private key must be kept by yourself.
CRT: the extension is taken from the word certificate; it denotes a certificate file.
Two-way digital certificate authentication

Create the CA certificate and private key related files:

(1) Generate the key pair, i.e. the public and private key; this produces the private key file ca.key:
# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
...+++
e is 65537 (0x10001)

(2) Generate a self-signed certificate: sign the certificate request with your own private key to produce the certificate file:
openssl req -x509 -new -nodes -key ca.key -subj "/CN=master" -days 7000 -out ca.crt

(3) Generate the private key of the kube-apiserver:
openssl genrsa -out server.key 2048

(4) Request the certificate signature through a configuration file:

Create a master_ssl.cnf configuration file that is used to generate the certificate signing request file and the certificate file:

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_name
[alt_name]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
# master hostname
DNS.5 = master
# master IP
IP.1 = 192.168.1.12
# ClusterIP of kubernetes.default
IP.2 = 10.254.0.1
Check the cluster IP of kubernetes.default:

# kubectl get svc kubernetes -o yaml
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: 2019-01-10T08:31:18Z
  labels:
    component: apiserver
    provider: kubernetes
  name: kubernetes
  namespace: default
  resourceVersion: "18"
  selfLink: /api/v1/namespaces/default/services/kubernetes
  uid: 1a258e01-14b2-11e9-86b7-525400bea75c
spec:
  clusterIP: 10.254.0.1
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: 6443
  sessionAffinity: ClientIP
  type: ClusterIP
status:
  loadBalancer: {}

Create the server.csr and server.crt files based on master_ssl.cnf.
Create a certificate signing request file:
openssl req -new -key server.key -subj "/CN=master" -config master_ssl.cnf -out server.csr
Create a certificate file:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 7000 -extensions v3_req -extfile master_ssl.cnf -out server.crt

This produces server.crt and ca.srl.

Set the kube-apiserver startup parameters:
KUBE_API_ARGS="--client-ca-file=/var/run/kubernetes/ca.crt --tls-private-key-file=/var/run/kubernetes/server.key --tls-cert-file=/var/run/kubernetes/server.crt --secure-port=6443"

--client-ca-file is the CA root certificate file, --tls-private-key-file the server private key file, and --tls-cert-file the server certificate file.
Restart the kube-apiserver service:
systemctl restart kube-apiserver

Set up the kube-controller-manager client

(1) Generate the certificate signing request file and the certificate file
Private key file:
openssl genrsa -out cs_client.key 2048
Certificate signing request (Certificate Signing Request) file:
openssl req -new -key cs_client.key -subj "/CN=master" -out cs_client.csr
Certificate file:
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 7000 -out cs_client.crt

Create the kubeconfig:

apiVersion: v1
kind: Config
users:
- name: controllermanager
  user:
    client-certificate: /var/run/kubernetes/cs_client.crt
    client-key: /var/run/kubernetes/cs_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: local
    user: controllermanager
  name: my-context
current-context: my-context

(2) Configure the parameters and restart kube-controller-manager

/etc/kubernetes/controller-manager:
# Add your own
KUBE_CONTROLLER_MANAGER_ARGS="--master=https://192.168.1.122:6443 --service-account-key-file=/var/run/kubernetes/server.key --root-ca-file=/var/run/kubernetes/ca.crt --kubeconfig=/etc/kubernetes/kubeconfig"
Restart the service:
systemctl restart kube-controller-manager

kube-scheduler configuration and restart
# Add your own
KUBE_SCHEDULER_ARGS="--address=0.0.0.0 --master=https://192.168.1.122:6443 --kubeconfig=/etc/kubernetes/kubeconfig"
Restart the service:
systemctl restart kube-scheduler

Node settings

Copy ca.crt and ca.key from the master to the Node and generate the certificate signing request and certificate file as before.
Kubelet client
Private key:
openssl genrsa -out kubelet_client.key 2048
Certificate signing request file:
openssl req -new -key kubelet_client.key -subj "/CN=node2" -out kubelet_client.csr
Certificate file:
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 7000 -out kubelet_client.crt
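Before copying the server and client certificates into place, it is worth checking that they actually chain to ca.crt, that the server certificate carries the SAN entries from master_ssl.cnf, and that each certificate matches its private key. The script below is an added example, not part of the original article: it rebuilds the article's CA, server and client certificates in a scratch directory (with a shortened SAN list, a constructed ClusterIP, and the CA named /CN=kube-ca so it stays distinguishable from the server) and then runs those checks with the openssl CLI.

```shell
#!/bin/sh
# Added example (not the article's own code): recreate the article's CA,
# server and client certificates in a temp dir and verify them before use.
# Assumes the openssl CLI is installed; all names and IPs are constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Same shape as master_ssl.cnf; v3_ca is added so the CA cert is explicitly
# marked CA:TRUE, which openssl verify requires of a v3 issuer certificate.
cat > master_ssl.cnf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_name
[alt_name]
DNS.1 = kubernetes
DNS.2 = kubernetes.default.svc.cluster.local
IP.1 = 10.254.0.1
EOF

# CA, server (with v3_req SANs) and client (no extensions), as in the article
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -x509 -new -nodes -key ca.key -subj "/CN=kube-ca" -days 7000 \
  -config master_ssl.cnf -extensions v3_ca -out ca.crt
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -subj "/CN=master" -config master_ssl.cnf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 7000 \
  -extensions v3_req -extfile master_ssl.cnf -out server.crt 2>/dev/null
openssl genrsa -out cs_client.key 2048 2>/dev/null
openssl req -new -key cs_client.key -subj "/CN=master" -config master_ssl.cnf -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 7000 \
  -out cs_client.crt 2>/dev/null

# Checks: chains to ca.crt; SAN text present; cert modulus == key modulus; CA flag
chain_ok()   { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }
has_san()    { openssl x509 -in "$1" -noout -text | grep -q "$2"; }
pair_match() { [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]; }
is_ca()      { openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"; }

for c in server.crt cs_client.crt; do
  if chain_ok "$c" && pair_match "$c" "${c%.crt}.key"; then echo "$c: chain and key OK"; fi
done
```

A server certificate that fails has_san for the apiserver's ClusterIP or DNS names will be rejected by clients that verify the server name, even though the chain itself is valid.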
Set up kubelet startup:
KUBELET_ARGS="--certificate-authority=/var/run/kubernetes/ssl_keys/ca.crt --client-certificate=/var/run/kubernetes/ssl_keys/cs_client.crt --client-key=/var/run/kubernetes/ssl_keys/cs_client.key"
# Add your own
KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig"
Restart:
systemctl restart kubelet

kube-proxy
KUBE_PROXY_ARGS="--bind-address=0.0.0.0 --master=https://192.168.1.122:6443 --kubeconfig=/etc/kubernetes/kubeconfig"
Restart:
systemctl restart kube-proxy

After the setup is complete, note that port 6443 must be opened on the master:

# add port
firewall-cmd --zone=public --add-port=6443/tcp --permanent
# reload
firewall-cmd --reload
Test whether the setup was successful:

# kubectl --server=https://192.168.1.122:6443 --certificate-authority=/var/run/kubernetes/ssl_keys/ca.crt --client-certificate=/var/run/kubernetes/ssl_keys/cs_client.crt --client-key=/var/run/kubernetes/ssl_keys/cs_client.key get nodes
NAME    STATUS   AGE
node1   Ready    5d
node2   Ready    5d

This is how to set up CA two-way digital certificate authentication in Kubernetes, as shared by the editor. If you have similar questions, you can refer to the above analysis. If you want to know more, you are welcome to follow the industry information channel.