2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Today the editor brings you an article introducing Kubernetes certificates and how to use them. The editor finds it very practical, so it is shared here as a reference. Follow along and have a look.
Certificates are used to verify the trustworthiness of accesses between nodes.
Worker node --> load balancer --> api server --> etcd

cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json

# Modify ca-config.json: configure one profile for each of the three certificate types, with a validity period of 43800h (5 years)
{
  "signing": {
    "default": {
      "expiry": "43800h"
    },
    "profiles": {
      "server": {
        "expiry": "43800h",
        "usages": ["signing", "key encipherment", "server auth"]
      },
      "client": {
        "expiry": "43800h",
        "usages": ["signing", "key encipherment", "client auth"]
      },
      "peer": {
        "expiry": "43800h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}

## Field description
## ca-config.json: multiple profiles can be defined, each with its own expiration time, usage scenario and other parameters; one profile is selected when signing a certificate.
## signing: indicates that the certificate can be used to sign other certificates; in the generated ca.pem this appears as CA:TRUE.
## server auth: indicates that a client can use this CA to verify the certificate presented by a server.
## client auth: indicates that a server can use this CA to verify the certificate presented by a client.
Modify ca-csr.json
{
  "CN": "Self Signed Ca",
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "L": "SH", "O": "Netease", "ST": "SH", "OU": "OT"}]
}

# Field description
# "CN": Common Name; kube-apiserver extracts this field from the certificate as the requesting user name (User Name)
# "O": Organization; kube-apiserver extracts this field from the certificate as the group the requesting user belongs to (Group)
# "C": Country
# "L": Locality, region or city
# "O": Organization Name, organization or company name
# "OU": Organization Unit Name, organizational unit or company department
# "ST": State or province
Generate CA certificate and private key
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
## generates ca.pem, ca.csr and ca-key.pem (the CA private key, which must be kept safe)
Issue the server certificate, client certificate and peer certificate. Pay attention to the hosts addresses and the CN name; the rest of the file format is the same.
cfssl print-defaults csr > server.json
vim server.json
{
  "CN": "Server",
  "hosts": ["192.168.1.1"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "L": "SH", "ST": "SH"}]
}

## Generate the server certificate and private key
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
Verify the certificate
openssl x509 -in server.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6f:25:cf:8d:42:1e:c8:2d:b8:78:95:d1:f4:0a:25:8e:bb:48:53:9d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=San Francisco, L=Chongqing, CN=test
        Validity
            Not Before: Feb 13 11:35:00 2019 GMT
            Not After : Feb 13 11:35:00 2020 GMT
        Subject: C=US, ST=San Francisco, L=CA, CN=etcd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [2048-bit modulus hex omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                B7:EF:2C:02:18:05:D0:7E:30:63:BB:F9:8F:52:B4:1E:1F:57:4A:C8
            X509v3 Authority Key Identifier:
                keyid:3C:58:00:7D:E0:2B:C1:AE:81:88:58:F1:FB:95:45:88:33:28:F7:00
            X509v3 Subject Alternative Name:
                IP Address:172.19.0.203, IP Address:172.19.0.204, IP Address:172.19.0.205
    Signature Algorithm: sha256WithRSAEncryption
         [signature hex omitted]
(Four illustrations from the original are not preserved; their captions were: "Represents a server certificate", "Represents a client certificate", "Represents a two-way certificate", "Represents a CA certificate".)
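To see those four types end to end, here is an added example (not code from the original article) that recreates the CA and the server, client and peer profiles with plain openssl instead of cfssl, then reads a certificate's type from the same Basic Constraints and Extended Key Usage lines shown above. It assumes openssl 1.1.1 or later is installed and reuses the article's sample subject and IP values.

```shell
#!/bin/sh
# Added example, not code from the original article: rebuild the article's
# three cfssl profiles (server / client / peer) plus the CA with plain openssl,
# then classify a certificate by its Basic Constraints and Extended Key Usage.
# Assumes openssl 1.1.1+; subjects and IPs are the article's sample values.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# CA: self-signed, 1825 days = 43800h, CA:TRUE so it may sign other certificates.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=CN/ST=SH/L=SH/O=Netease/OU=OT/CN=Self Signed Ca" \
  -keyout ca-key.pem -out ca.csr 2>/dev/null
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca-key.pem -days 1825 -sha256 \
  -extfile ca.ext -out ca.pem 2>/dev/null

# issue NAME EKU SAN: one leaf per cfssl profile; the EKU is what defines the profile.
issue() {
  name=$1; eku=$2; san=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=CN/ST=SH/L=SH/CN=$name" \
    -keyout "$name-key.pem" -out "$name.csr" 2>/dev/null
  {
    echo "keyUsage = critical, digitalSignature, keyEncipherment"
    echo "extendedKeyUsage = $eku"
    echo "basicConstraints = critical, CA:FALSE"
    if [ -n "$san" ]; then echo "subjectAltName = $san"; fi
  } > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -days 1825 -sha256 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
}

# cert_kind FILE: prints ca | server | client | peer | unknown, read from `openssl x509 -text`.
cert_kind() {
  txt=$(openssl x509 -in "$1" -noout -text)
  case "$txt" in *"CA:TRUE"*) echo ca; return 0 ;; esac
  srv=0; cli=0
  case "$txt" in *"TLS Web Server Authentication"*) srv=1 ;; esac
  case "$txt" in *"TLS Web Client Authentication"*) cli=1 ;; esac
  if [ "$srv" = 1 ] && [ "$cli" = 1 ]; then echo peer
  elif [ "$srv" = 1 ]; then echo server
  elif [ "$cli" = 1 ]; then echo client
  else echo unknown; fi
}

issue server serverAuth IP:192.168.1.1
issue client clientAuth ""
issue peer serverAuth,clientAuth IP:192.168.1.1
for f in ca server client peer; do echo "$f.pem -> $(cert_kind "$f.pem")"; done
```

`openssl verify -CAfile ca.pem server.pem` confirms each leaf chains to the CA; a peer certificate is the only one that both a client and a server will accept.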
After reading the above, do you have a general understanding of Kubernetes certificates and how to use them? If you want to learn more, follow the industry information channel. Thank you for reading!