Kubernetes 1.8.4 Installation Guide -- 5. Certificate Generation
Download the cfssl tools
cd /usr/local/src/
# -O (uppercase) sets the output file name; lowercase -o would only write wget's log there
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O cfssl-certinfo
chmod +x cfssl*
Add them to PATH
mkdir -p /etc/kubernetes/pki
cd /etc/kubernetes/pki

ca-config.json
{
  "signing": {
    "default": {"expiry": "87600h"},
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      }
    }
  }
}
ca-csr.json
{
  "CN": "kubernetes",
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "Shanghai", "L": "Shanghai", "O": "Kubernetes", "OU": "Kubernetes-manual"}]
}
Generate the CA private key and certificate
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

apiserver-csr.json
{
  "CN": "kube-apiserver",
  "hosts": [
    "127.0.0.1",
    "10.96.0.1",
    "10.0.0.210",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "node210"
  ],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "Shanghai", "L": "Shanghai", "O": "Kubernetes", "OU": "Kubernetes-manual"}]
}
Generate the kube-apiserver private key and certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes apiserver-csr.json | cfssljson -bare apiserver

Generate the front proxy CA private key and certificate
front-proxy-ca-csr.json
{"CN": "kubernetes", "key": {"algo": "rsa", "size": 2048}}
cfssl gencert -initca front-proxy-ca-csr.json | cfssljson -bare front-proxy-ca

Generate the front proxy client private key and certificate
front-proxy-client-csr.json
{"CN": "front-proxy-client", "key": {"algo": "rsa", "size": 2048}}
cfssl gencert -ca=front-proxy-ca.pem -ca-key=front-proxy-ca-key.pem -config=ca-config.json -profile=kubernetes front-proxy-client-csr.json | cfssljson -bare front-proxy-client

Use a Bootstrap Token
$ head -c 16 /dev/urandom | od -An -t x | tr -d ' '
Create the file /etc/kubernetes/token.csv; its first field is the output of the command above.
a9ccc6ef5dd93b83f02080f5c022f42c,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
Generate the kubeconfig file bootstrap.conf
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://10.0.0.210:6443 --kubeconfig=../bootstrap.conf
kubectl config set-credentials kubelet-bootstrap --token=a9ccc6ef5dd93b83f02080f5c022f42c --kubeconfig=../bootstrap.conf
kubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig=../bootstrap.conf
kubectl config use-context default --kubeconfig=../bootstrap.conf

Generate the admin private key and certificate
admin-csr.json
{
  "CN": "admin",
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "Shanghai", "L": "Shanghai", "O": "system:masters", "OU": "Kubernetes-manual"}]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

Generate the kubeconfig file admin.conf
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://10.0.0.210:6443 --kubeconfig=../admin.conf
kubectl config set-credentials kubernetes-admin --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true --kubeconfig=../admin.conf
kubectl config set-context kubernetes-admin@kubernetes --cluster=kubernetes --user=kubernetes-admin --kubeconfig=../admin.conf
kubectl config use-context kubernetes-admin@kubernetes --kubeconfig=../admin.conf

Generate the controller-manager private key and certificate
manager-csr.json
{
  "CN": "system:kube-controller-manager",
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "Shanghai", "L": "Shanghai", "O": "system:kube-controller-manager", "OU": "Kubernetes-manual"}]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes manager-csr.json | cfssljson -bare controller-manager

Generate the kubeconfig file controller-manager.conf
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://10.0.0.210:6443 --kubeconfig=../controller-manager.conf
kubectl config set-credentials system:kube-controller-manager --client-certificate=controller-manager.pem --client-key=controller-manager-key.pem --embed-certs=true --kubeconfig=../controller-manager.conf
kubectl config set-context system:kube-controller-manager@kubernetes --cluster=kubernetes --user=system:kube-controller-manager --kubeconfig=../controller-manager.conf
kubectl config use-context system:kube-controller-manager@kubernetes --kubeconfig=../controller-manager.conf

Generate the scheduler private key and certificate
scheduler-csr.json
{
  "CN": "system:kube-scheduler",
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "Shanghai", "L": "Shanghai", "O": "system:kube-scheduler", "OU": "Kubernetes-manual"}]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes scheduler-csr.json | cfssljson -bare scheduler

Generate the kubeconfig file scheduler.conf
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://10.0.0.210:6443 --kubeconfig=../scheduler.conf
kubectl config set-credentials system:kube-scheduler --client-certificate=scheduler.pem --client-key=scheduler-key.pem --embed-certs=true --kubeconfig=../scheduler.conf
kubectl config set-context system:kube-scheduler@kubernetes --cluster=kubernetes --user=system:kube-scheduler --kubeconfig=../scheduler.conf
kubectl config use-context system:kube-scheduler@kubernetes --kubeconfig=../scheduler.conf

Generate the kubelet certificate for the Kubernetes master node
kubelet-csr.json
{
  "CN": "system:node:node210",
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "L": "Shanghai", "ST": "Shanghai", "O": "system:nodes", "OU": "Kubernetes-manual"}]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname=node210,10.0.0.210 -profile=kubernetes kubelet-csr.json | cfssljson -bare kubelet

Generate the kubeconfig file kubelet.conf
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://10.0.0.210:6443 --kubeconfig=../kubelet.conf
kubectl config set-credentials system:node:node210 --client-certificate=kubelet.pem --client-key=kubelet-key.pem --embed-certs=true --kubeconfig=../kubelet.conf
kubectl config set-context system:node:node210@kubernetes --cluster=kubernetes --user=system:node:node210 --kubeconfig=../kubelet.conf
kubectl config use-context system:node:node210@kubernetes --kubeconfig=../kubelet.conf

Generate the service account private and public key
openssl genrsa -out sa.key 2048
openssl rsa -in sa.key -pubout -out sa.pub

The final result is as follows
Note: kube-proxy.conf, kube-proxy.pem and kube-proxy-key.pem are generated in a later step.
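
The CN and O fields of each client certificate above become the user name and groups the API server sees, and every certificate is issued from the single `kubernetes` signing profile. The following added example (not part of the original guide) audits those values before anything is signed; the function names and the one-year `max_days` threshold are assumptions of this example, and the JSON is constructed from the page's files, trimmed to the fields the checks read.

```python
import json

# Constructed from the values on this page, trimmed to the fields the checks read.
CA_CONFIG = ('{"signing":{"profiles":{"kubernetes":{"usages":["signing",'
             '"key encipherment","server auth","client auth"],"expiry":"87600h"}}}}')
CSRS = {
    "admin-csr.json": '{"CN":"admin","names":[{"O":"system:masters"}]}',
    "manager-csr.json": '{"CN":"system:kube-controller-manager",'
                        '"names":[{"O":"system:kube-controller-manager"}]}',
    "scheduler-csr.json": '{"CN":"system:kube-scheduler",'
                          '"names":[{"O":"system:kube-scheduler"}]}',
    "kubelet-csr.json": '{"CN":"system:node:node210","names":[{"O":"system:nodes"}]}',
}

def identity(csr_json):
    """Return (user, groups) as derived from an x509 client cert: CN -> user, each O -> group."""
    spec = json.loads(csr_json)
    groups = [n["O"] for n in spec.get("names", []) if "O" in n]
    return spec["CN"], groups

def audit_csr(csr_json):
    """Return a list of findings for one cfssl CSR spec."""
    user, groups = identity(csr_json)
    findings = []
    if "system:masters" in groups:
        # system:masters is bound to the cluster-admin role by default.
        findings.append("cluster-admin: group system:masters")
    # The Node authorizer expects CN system:node:<name> together with O system:nodes.
    if user.startswith("system:node:") != ("system:nodes" in groups):
        findings.append("node identity mismatch")
    return findings

def audit_profile(ca_config_json, profile, max_days=365):
    """Return findings for one signing profile; max_days is this example's threshold."""
    p = json.loads(ca_config_json)["signing"]["profiles"][profile]
    findings = []
    if {"server auth", "client auth"} <= set(p["usages"]):
        findings.append("dual-use: certs valid as both TLS server and client")
    days = int(p["expiry"].rstrip("h")) // 24  # the page's expiry values are in hours
    if days > max_days:
        findings.append(f"long-lived: {days} days")
    return findings

if __name__ == "__main__":
    print("profile kubernetes:", audit_profile(CA_CONFIG, "kubernetes"))
    for name, text in CSRS.items():
        print(name, identity(text), audit_csr(text))
```

Kubernetes does not check certificate revocation, so a leaked admin.pem with group system:masters stays usable until it expires or the CA is replaced; that is why the lifetime finding matters most for that certificate.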