2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article shows how to build a local certification authority (CA) with CFSSL for a Kubernetes cluster. The editor considers it practical and shares it here for reference.
One: preface
SSL (Secure Sockets Layer) was renamed TLS when it was standardized. HTTP does not encrypt its content, so anyone on the network path can read what is transmitted; where the security requirements are high, the traffic must be encrypted. HTTPS is HTTP carried over TLS.
message --> [public key] --> encrypted message --> [private key] --> message
What a certificate contains:
the public key
information about the issuing certification authority
the constraints set by the issuing authority, such as the validity period, the hostnames the certificate applies to and its permitted purposes
a digital signature made with the issuing authority's private key
Each public key has a corresponding private key. Under the control of the certificate owner, the private key signs data, and a verifier uses the public key in the certificate to check that signature. If the certificate itself carries the signature of a third-party certification authority, then any verifier that trusts that third party can be sure the certificate is legitimate. Often the certificate is signed by an intermediate certification authority, whose own certificate is signed by yet another authority; in that case the verifier follows the chain until it reaches a certificate it trusts. This chain-of-trust model is very useful for a CA because it lets us keep the root private key offline and use it only to sign intermediate certificates.
Second: Building a local CA with CFSSL
1. Create your own certification authority
CFSSL has everything needed to run a certification authority. Although it was written to run internal CAs, it is robust enough to be used for publicly trusted CAs as well.
Running the CA requires a CA certificate (ca.pem) and the corresponding private key (ca-key.pem). The latter is extremely sensitive: anyone who holds the private key can issue certificates as this CA, so protecting it is essential.
2. Generate the CA certificate and private key
Create a ca-csr.json file:
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "K8s",
      "OU": "System"
    }
  ]
}
"CN": Common Name. kube-apiserver takes this field from a client certificate as the requesting user's name (User Name). Browsers historically matched the site name against it; modern browsers check the subject alternative names instead (the hosts field below).
"O": Organization. kube-apiserver takes this field from a client certificate as the group (Group) the requesting user belongs to.
Run: cfssl gencert -initca ca-csr.json | cfssljson -bare ca
This produces ca.pem, ca-key.pem and ca.csr (a certificate signing request for the CA itself, kept for cross-signing or re-signing).
3. Configure the certificate signing policy
The signing policy tells the CA software what kinds of certificates it may issue. Create ca-config.json:
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
ca-config.json can define several profiles with different expiry times, usages and other parameters; the default block applies to any request that names no profile. Here only one profile, kubernetes, is defined.
signing: the issued certificate gets the digitalSignature key usage, so its key can sign TLS handshake messages. It does not make the certificate a CA; the CA=TRUE constraint in ca.pem comes from the -initca step, which does not read this policy file at all.
key encipherment: the issued certificate's key may be used to encrypt key material, which RSA key exchange requires.
server auth: a client may accept the issued certificate as a server certificate, verifying it against this CA.
client auth: a server may accept the issued certificate as a client certificate, verifying it against this CA.
4. Generating and signing certificates
With the CA configured, how does it issue certificates? CFSSL provides two commands, gencert and sign. gencert handles the whole process: it generates a key, builds a CSR from the request JSON and has the CA sign it. It needs two files: a config file (the ca-config.json above) that tells the cfssl client where the CA is and how to validate requests, and a CSR JSON file whose contents populate the certificate request.
For example, create the request file kubernetes-csr.json for the cluster's server certificate (the config file is the ca-config.json created above):
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "10.116.137.196",
    "10.116.82.28",
    "10.116.36.57",
    "10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "K8s",
      "OU": "System"
    }
  ]
}
If the hosts field is not empty, it must list every IP address or domain name authorized to use the certificate: each entry becomes a subject alternative name, and a client that connects to an address not on the list will reject the certificate. Because this certificate is later used by the etcd cluster and the kubernetes master nodes, the list above names the etcd and master host IPs, the cluster IP of the kubernetes service (normally the first address of the service-cluster-ip-range passed to kube-apiserver, 10.254.0.1 here) and the DNS names under which that service is reached from inside the cluster.
hosts may also be left empty, which yields a certificate with no subject alternative names: usable as a client certificate, but never as a server certificate. Worker nodes do not present this certificate, so adding worker nodes to the cluster does not require regenerating it; adding an etcd member or master node at a new address does.
Run: cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
This produces kubernetes.csr, kubernetes-key.pem and kubernetes.pem.
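To show what the policy above actually puts into the certificates, here is an added example, written for this page and not part of the original article or of CFSSL itself, that reproduces the two commands above with Go's crypto/x509 (the library CFSSL is built on): the -initca step as NewCA, the kubernetes profile as IssueKubernetes (usages and hosts mapped as described under ca-config.json), a Verify function that checks a leaf against the CA for server or client use the way a Kubernetes client or kube-apiserver peer does, and Identity, which extracts the CN/O pair that kube-apiserver maps to user and group. LoadPEM reads the ca.pem / kubernetes.pem files that cfssljson -bare writes, so Verify and Identity can be pointed at real output. The function names, the sample hosts, and the assumption that hosts contains only IPs and DNS names (CFSSL also accepts e-mail and URI entries) are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// subject mirrors the "names" stanza shared by ca-csr.json and kubernetes-csr.json.
func subject(cn string) pkix.Name {
	return pkix.Name{CommonName: cn, Country: []string{"CN"}, Province: []string{"BeiJing"},
		Locality: []string{"BeiJing"}, Organization: []string{"K8s"}, OrganizationalUnit: []string{"System"}}
}

// sign generates a 2048-bit RSA key (the "key" stanza), sets serial and the profile's 87600h
// validity, and has signer sign tmpl; signer == nil self-signs, which is what -initca does.
func sign(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(87600*time.Hour)
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA is the ca.pem/ca-key.pem pair: self-signed, CA=TRUE, cert/CRL signing key usage.
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	return sign(&x509.Certificate{Subject: subject("kubernetes"), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
}

// IssueKubernetes is what the "kubernetes" profile yields: "signing" -> digitalSignature,
// "key encipherment" -> keyEncipherment, server/client auth -> EKUs, each host an IP or DNS SAN.
func IssueKubernetes(ca *x509.Certificate, caKey *rsa.PrivateKey, cn string, hosts []string) (*x509.Certificate, *rsa.PrivateKey, error) {
	tmpl := &x509.Certificate{Subject: subject(cn), BasicConstraintsValid: true, // CA=FALSE: a leaf
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	return sign(tmpl, ca, caKey)
}

// LoadPEM reads one certificate in the form cfssljson -bare writes (ca.pem, kubernetes.pem).
func LoadPEM(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// Verify checks leaf against ca for one purpose, as a peer would. host is the name or IP
// that was connected to; "" skips the hostname check, as a server does for a client certificate.
func Verify(ca, leaf *x509.Certificate, host string, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// Identity is what kube-apiserver takes from a client certificate: CN is the user, each O a group.
func Identity(leaf *x509.Certificate) (user string, groups []string) {
	return leaf.Subject.CommonName, leaf.Subject.Organization
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	leaf, _, err := IssueKubernetes(ca, caKey, "kubernetes", []string{"10.254.0.1", "kubernetes.default.svc.cluster.local"})
	if err != nil {
		panic(err)
	}
	user, groups := Identity(leaf)
	fmt.Println("user:", user, "groups:", groups, "attacker.example accepted:",
		Verify(ca, leaf, "attacker.example", x509.ExtKeyUsageServerAuth) == nil)
}
```

Running it shows that the listed service name and cluster IP verify for server auth while an unlisted name is rejected, and that a certificate issued with an empty hosts list verifies only for client auth. The example builds a two-level chain (root and leaf) only; an intermediate CA as described in the preface would be issued like the leaf but with IsCA set, and placed in the Intermediates pool of VerifyOptions.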
© 2024 shulou.com SLNews company. All rights reserved.