2025-04-01 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains in detail how to create TLS certificates and keys for Kubernetes with CFSSL. The editor considers it very practical and shares it here for reference; I hope you get something out of it.
One: preface
Each Kubernetes cluster has a cluster root certificate authority (CA). Components in the cluster use the CA to validate the API server's certificate, the API server uses it to verify kubelet client certificates, and so on. To support this, the CA certificate bundle is distributed to every node in the cluster and is also made available as a secret attached to the default service account.
The certificate and key files generated in this article are:
ca-key.pem
ca.pem
kubernetes-key.pem
kubernetes.pem
kube-proxy.pem
kube-proxy-key.pem
admin.pem
admin-key.pem
The components that use each certificate are:
etcd: ca.pem, kubernetes-key.pem, kubernetes.pem
kube-apiserver: ca.pem, kubernetes-key.pem, kubernetes.pem
kubelet: ca.pem
kube-proxy: ca.pem, kube-proxy-key.pem, kube-proxy.pem
kubectl: ca.pem, admin-key.pem, admin.pem
kube-controller-manager: ca-key.pem, ca.pem
Kubernetes cluster node deployment structure:
10.116.137.196 k8s_master
10.116.82.28 k8s_node1
10.116.36.57 k8s_node2
Two: install CFSSL
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
export PATH=/usr/local/bin:$PATH
Three: create CA (Certificate Authority)
mkdir /root/ssl
cd /root/ssl
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json
The generated config.json (a template to adapt; note the "profiles" section, which is what the later -profile flag selects):
{
  "signing": {
    "default": {
      "expiry": "168h"
    },
    "profiles": {
      "www": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      }
    }
  }
}
The generated csr.json (also a template):
{
  "CN": "example.net",
  "hosts": [
    "example.net",
    "www.example.net"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "US",
      "L": "CA",
      "ST": "San Francisco"
    }
  ]
}
Following the format of config.json, create ca-config.json with a single "kubernetes" profile. The expiry is set to 87600h (ten years); the profile carries both "server auth" and "client auth", so one profile can sign the API server certificate as well as the client certificates below.
ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "K8s",
      "OU": "System"
    }
  ]
}
Generate the CA certificate and private key:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
This writes ca.pem, ca-key.pem and ca.csr into the current directory.
Four: create a kubernetes certificate
kubernetes-csr.json. The "hosts" list must contain every IP address and DNS name through which clients will reach the API server (the node addresses, 127.0.0.1, the service IP 10.254.0.1 and the in-cluster service names); a client connecting through an address that is missing here will fail certificate verification.
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "10.116.137.196",
    "10.116.82.28",
    "10.116.36.57",
    "10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "K8s",
      "OU": "System"
    }
  ]
}
Generate the kubernetes certificate and private key:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
Five: create an admin certificate
admin-csr.json. "O" is set to system:masters because the API server maps a client certificate's O values to groups, and system:masters is bound to the cluster-admin role; "hosts" is empty because this is a pure client certificate.
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
Generate the admin certificate and private key:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
Six: create a kube-proxy certificate
kube-proxy-csr.json (the CN system:kube-proxy is the user name the API server will see)
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "K8s",
      "OU": "System"
    }
  ]
}
Generate the kube-proxy client certificate and private key:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
Seven: verify the certificates
Example: cfssl-certinfo -cert kubernetes.pem
Check that the subject, the SANs (which must match the "hosts" list of the CSR) and the not_after date are what you expect before distributing the files.
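The whole procedure of sections three to seven as one added, offline-runnable example; this is not the article's code and not cfssl's API. It uses Go's standard crypto/x509 (the library cfssl is itself built on) to produce what `cfssl gencert -initca` and `cfssl gencert ... -profile=kubernetes` produce from the CSR values shown above, then performs the checks the cluster performs on those files: chaining kubernetes.pem to ca.pem for each host it was issued for, chaining the admin and kube-proxy client certificates, and reading O=system:masters the way the API server does. It goes one step beyond cfssl-certinfo by also demonstrating that a certificate signed by an unrelated CA is rejected. The CSR type and the gencert, verifyWithCA, isClusterAdmin and lifetimeHours functions are this example's own names.

```go
// Added example, not the article's code: builds what the article's cfssl commands
// produce (ca.pem, kubernetes.pem, admin.pem, kube-proxy.pem) with Go's standard
// crypto/x509 and then runs the checks the cluster performs on those files.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CSR is the subset of a cfssl *-csr.json the checks below depend on;
// Hosts holds IPs and DNS names and is empty for pure client certificates.
type CSR struct{ CN, O, OU string; Hosts []string }

const profileExpiry = 87600 * time.Hour // "expiry" of the "kubernetes" profile in ca-config.json

// gencert mirrors `cfssl gencert`. With ca == nil it is the -initca case and
// self-signs a root CA; otherwise it signs with the "kubernetes" profile
// (signing, key encipherment, server auth, client auth, 87600h).
func gencert(csr CSR, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // "algo": "rsa", "size": 2048
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial; production issuers use random serials
		Subject:      pkix.Name{CommonName: csr.CN, Organization: []string{csr.O}, OrganizationalUnit: []string{csr.OU}},
		NotBefore:    time.Now().Add(-5 * time.Minute), // backdated slightly to tolerate clock skew
		NotAfter:     time.Now().Add(profileExpiry),
	}
	for _, h := range csr.Hosts { // "hosts" become IP or DNS SANs, as cfssl does
		if ip := net.ParseIP(h); ip != nil {
			t.IPAddresses = append(t.IPAddresses, ip)
		} else {
			t.DNSNames = append(t.DNSNames, h)
		}
	}
	if ca == nil {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		ca, caKey = t, key // self-signed
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyWithCA chains cert to ca.pem. A non-empty host checks a server certificate
// the way kubectl or a kubelet checks the API server (host must be among the SANs);
// an empty host checks a client certificate the way the API server checks admin.pem
// or kube-proxy.pem.
func verifyWithCA(cert, ca *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	usage := x509.ExtKeyUsageClientAuth
	if host != "" {
		usage = x509.ExtKeyUsageServerAuth
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// isClusterAdmin: the API server takes a client certificate's CN as the user name
// and its O values as group names, so O=system:masters (admin-csr.json) is cluster-admin.
func isClusterAdmin(cert *x509.Certificate) bool {
	for _, o := range cert.Subject.Organization {
		if o == "system:masters" {
			return true
		}
	}
	return false
}

// lifetimeHours shows whether the profile's 87600h expiry took effect.
func lifetimeHours(cert *x509.Certificate) float64 {
	return cert.NotAfter.Sub(cert.NotBefore).Hours()
}

func main() { // demo entry point; errors are ignored only here
	ca, caKey, _ := gencert(CSR{CN: "kubernetes", O: "K8s", OU: "System"}, nil, nil)
	api, _, _ := gencert(CSR{CN: "kubernetes", O: "K8s", OU: "System",
		Hosts: []string{"127.0.0.1", "10.116.137.196", "10.254.0.1", "kubernetes.default.svc.cluster.local"}}, ca, caKey)
	fmt.Println("kubernetes.pem valid for 10.116.137.196:", verifyWithCA(api, ca, "10.116.137.196") == nil)
	admin, _, _ := gencert(CSR{CN: "admin", O: "system:masters", OU: "System"}, ca, caKey)
	fmt.Println("admin.pem is a cluster-admin client cert:", verifyWithCA(admin, ca, "") == nil && isClusterAdmin(admin))
}
```

Run it with go run. The two calling conventions of verifyWithCA are the two checks that matter in practice: pass the address a client will actually dial to test kubernetes.pem, and pass "" to test a client certificate such as admin.pem or kube-proxy.pem; an address that is not in the CSR's "hosts" list fails exactly as it would for kubectl.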
Eight: distribute certificates
Copy the generated certificate and private key files (suffix .pem) into the /etc/kubernetes/ssl directory on each node:
mkdir -p /etc/kubernetes/ssl
cp *.pem /etc/kubernetes/ssl
Per the component list in the preface, only kube-controller-manager needs ca-key.pem, so that file belongs on the master only; the worker nodes need ca.pem and their own component certificates, and every *-key.pem file should be readable by root alone.
This is the end of the article on "how to create TLS certificates and keys in kubernetes". I hope the above content has been of some help and that you have learned something from it; if you think the article is good, please share it so that more people can see it.