Shulou(Shulou.com)06/01 Report--

This article will explain in detail how to create TLS certificates and keys in kubernetes. The editor thinks it is very practical, so I share it for you as a reference. I hope you can get something after reading this article.

One: preface

Each Kubernetes cluster has a cluster root certificate authority (CA). Components in the cluster usually use CA to validate API SERVER certificates, API servers to verify kubelet client certificates, and so on. To support this feature, the CA certificate package is distributed to each node in the cluster and distributed as an sercret attachment to the default service account.

The generated CA certificate and key files are as follows:

Ca-key.pem

Ca.pem

Kubernetes-key.pem

Kubernetes.pem

Kube-proxy.pem

Kube-proxy-key.pem

Admin.pem

Admin-key.pem

The components that use the certificate are:

Etcd: using ca.pem, kubernetes-key.pem, kubernetes.pem

Kube-apiserver: using ca.pem, kubernetes-key.pem, kubernetes.pem

Kubelet: using ca.pem

Kube-proxy: using ca.pem, kube-proxy-key.pem, kubeproxy.pem

Kubectl: using ca.pem, admin-key.pem, admin.pem

Kube-controller-manager: using ca-key.pem, ca.pem

Kubernetes cluster node deployment structure:

10.116.137.196 k8s_master

10.116.82.28 k8s_node1

10.116.36.57 k8s_node2

Two: install CFSSL

Click (here) to collapse or open

Wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64

Chmod + x cfssl_linux-amd64

Mv cfssl_linux-amd64 / usr/local/bin/cfssl

Wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

Chmod + x cfssljson_linux-amd64

Mv cfssljson_linux-amd64 / usr/local/bin/cfssljson

Wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

Chmod + x cfssl-certinfo_linux-amd64

Mv cfssl-certinfo_linux-amd64 / usr/local/bin/cfssl-certinfo

Export PATH=/usr/local/bin:$PATH

Three: create CA (Certificate Authority)

Mkdir / root/ssl

Cd / root/ssl

Cfssl print-defaults config > config.json

Cfssl print-defaults csr > csr.json

Config.json

Click (here) to collapse or open

{

"signing": {

"default": {

"expiry": "168 h"

}

"profiles": {

"www": {

"expiry": "8760h"

"usages": [

"signing"

"key encipherment"

"server auth"

]

}

"client": {

"expiry": "8760h"

"usages": [

"signing"

"key encipherment"

"client auth"

]

}

}

}

}

Csr.json

Click (here) to collapse or open

{

"CN": "example.net"

"hosts": [

"example.net"

"www.example.net"

]

"key": {

"algo": "ecdsa"

"size": 256

}

"names": [

{

"C": "US"

"L": "CA"

"ST": "San Francisco"

}

]

}

# create the following ca-config.json file according to the format of config.json file

# Expiration time is set to 87600h

Ca-config.json

Click (here) to collapse or open

{

"signing": {

"default": {

"expiry": "87600h"

}

"profiles": {

"kubernetes": {

"usages": [

"signing"

"key encipherment"

"server auth"

"client auth"

]

"expiry": "87600h"

}

}

}

}

Ca-csr.json

Click (here) to collapse or open

{

"CN": "kubernetes"

"key": {

"algo": "rsa"

"size": 2048

}

"names": [

{

"C": "CN"

"L": "BeiJing"

"ST": "BeiJing"

"O": "K8s"

"OU": "System"

}

]

}

Generate CA certificate and private key

Cfssl gencert-initca ca-csr.json | cfssljson-bare ca

Four: create a kubernetes certificate

Kubernetes-csr.json

Click (here) to collapse or open

{

"CN": "kubernetes"

"hosts": [

"127.0.0.1"

"10.116.137.196"

"10.116.82.28"

"10.116.36.57"

"10.254.0.1"

"kubernetes"

"kubernetes.default"

"kubernetes.default.svc"

"kubernetes.default.svc.cluster"

"kubernetes.default.svc.cluster.local"

]

"key": {

"algo": "rsa"

"size": 2048

}

"names": [

{

"C": "CN"

"L": "BeiJing"

"ST": "BeiJing"

"O": "K8s"

"OU": "System"

}

]

}

Generate kubernetes certificate and private key

Cfssl gencert-ca=ca.pem-ca-key=ca-key.pem-config=ca-config.json-profile=kubernetes kubernetes-csr.json | cfssljson-bare kubernetes

Five: create an admin certificate

Admin-csr.json

Click (here) to collapse or open

{

"CN": "admin"

"hosts": []

"key": {

"algo": "rsa"

"size": 2048

}

"names": [

{

"C": "CN"

"L": "BeiJing"

"ST": "BeiJing"

"O": "system:masters"

"OU": "System"

}

]

}

Generate admin certificate and private key

Cfssl gencert-ca=ca.pem-ca-key=ca-key.pem-config=ca-config.json-profile=kubernetes admin-csr.json | cfssljson-bare admin

Six: create a kube-proxy certificate

Kube-proxy-csr.json

Click (here) to collapse or open

{

"CN": "system:kube-proxy"

"hosts": []

"key": {

"algo": "rsa"

"size": 2048

}

"names": [

{

"C": "CN"

"L": "BeiJing"

"ST": "BeiJing"

"O": "K8s"

"OU": "System"

}

]

}

Generate kube-proxy client certificate and private key

Cfssl gencert-ca=ca.pem-ca-key=ca-key.pem-config=ca-config.json-profile=kubernetes kube-proxy-csr.json | cfssljson-bare kube-proxy

Seven: verification certificate

Example: cfssl-certinfo-cert kubernetes.pem

Eight: distribute certificates

Copy the generated certificate and secret key file (suffixed with .pem) to the

Backup under / etc/kubernetes/ssl directory

Mkdir-p / etc/kubernetes/ssl

Cp * .pem / etc/kubernetes/ssl

This is the end of the article on "how to create TLS certificates and keys in kubernetes". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.