• 一、Kubernetes_V1.10集群部署-master-生成证书


    一、证书生成

    1.下载cfssl

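    # Directory that will hold the cluster CA and all component certificates/keys.
    mkdir -p /etc/kubernetes/ssl
    # Fetch the three cfssl tools, one command per line. On a single line the
    # first wget would treat "wget", "chmod", "mv" and the file names as extra
    # URLs, and nothing would be installed.
    # NOTE(review): nothing here verifies the downloaded binaries. They are
    # installed into /usr/bin and later handle the CA private key, so compare
    # each file with a digest obtained from a trusted source before the chmod/mv,
    # e.g.  echo "<EXPECTED_SHA256>  cfssl_linux-amd64" | sha256sum -c -
    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
    mv cfssl_linux-amd64 /usr/bin/cfssl
    mv cfssljson_linux-amd64 /usr/bin/cfssljson
    mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
    # Every following step writes its JSON, certificates and keys into this directory.
    cd /etc/kubernetes/ssl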

    2.生成ca证书

    (1)生成ca-config.json

    # Signing policy used by every "cfssl gencert -config=ca-config.json" call below.
    # - Both the default policy and the "kubernetes" profile issue certificates
    #   valid for 87600h (3650 days, roughly ten years).
    # - The single "kubernetes" profile allows "server auth" and "client auth"
    #   together, so every certificate signed with it is usable as a TLS server
    #   and as a TLS client.
    # NOTE(review): the Kubernetes API server does not check revocation for
    # client certificates, so a leaked key stays valid until expiry or until the
    # CA is replaced. Consider a shorter expiry and separate server-only and
    # client-only profiles.
    cat > ca-config.json <<EOF
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
             "expiry": "87600h",
             "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
          }
        }
      }
    }
    EOF

    (2)生成ca-csr.json

    # Certificate request for the cluster root CA: subject CN "kubernetes" with
    # a 2048-bit RSA key. No "ca" expiry is set here, so the CA lifetime is
    # whatever cfssl applies by default.
    # NOTE(review): every certificate below chains to the key generated from this
    # request, so the CA key is the root of trust for the whole cluster.
    cat > ca-csr.json <<EOF
    {
        "CN": "kubernetes",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "BeiJing",
                "ST": "BeiJing",
                  "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF

    (3)生成ca证书

    # Self-sign the root CA described by ca-csr.json. cfssljson splits cfssl's
    # JSON output into files prefixed "ca"; the later steps read ca.pem and
    # ca-key.pem from this directory.
    # NOTE(review): whoever can read ca-key.pem can issue a certificate for any
    # user or group in the cluster, system:masters included. Keep it readable by
    # root only and do not copy it to hosts that only need ca.pem.
    cfssl gencert -initca ca-csr.json \
      | cfssljson -bare ca -

    3.生成server.pem证书

    (1)生成server-csr.json证书请求

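    # Certificate request for the server certificate (server.pem). The "hosts"
    # entries become the certificate's subject alternative names, so every IP or
    # DNS name that clients use to reach the server must be listed here.
    # NOTE(review): 172.18.6.39-41 are presumably the master node addresses and
    # 172.31.0.1 the in-cluster service IP of the API server; replace them with
    # the values of your own cluster, and list nothing that is not needed.
    # The closing EOF must sit on a line of its own, otherwise the here-document
    # never ends and the shell swallows the commands that follow.
    cat > server-csr.json <<EOF
    {
        "CN": "kubernetes",
        "hosts": [
          "127.0.0.1",
          "172.18.6.39",
          "172.18.6.40",
          "172.18.6.41",
          "172.31.0.1",
          "kubernetes",
          "kubernetes.default",
          "kubernetes.default.svc",
          "kubernetes.default.svc.cluster",
          "kubernetes.default.svc.cluster.local"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "BeiJing",
                "ST": "BeiJing",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF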

    (2)生成server.pem

    # Sign server-csr.json with the cluster CA under the "kubernetes" profile;
    # cfssljson writes the result as files prefixed "server".
    # The profile also stamps "client auth" on this certificate (see ca-config.json).
    cfssl gencert \
      -ca=ca.pem \
      -ca-key=ca-key.pem \
      -config=ca-config.json \
      -profile=kubernetes \
      server-csr.json \
      | cfssljson -bare server

    4.生成admin证书

    (1)生成admin证书请求

    # Certificate request for the cluster administrator's client certificate.
    # The API server takes the user name from CN ("admin") and the groups from O.
    # O "system:masters" is the built-in group with unrestricted access to the
    # cluster. "hosts" is empty: the certificate carries no SANs.
    # NOTE(review): with the 87600h expiry from ca-config.json and no revocation
    # check for client certificates, the key produced for this request is a
    # ten-year cluster-admin credential. Store admin-key.pem accordingly, and
    # prefer a shorter-lived certificate for day-to-day use.
    cat > admin-csr.json <<EOF
    {
      "CN": "admin",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "BeiJing",
          "ST": "BeiJing",
          "O": "system:masters",
          "OU": "System"
        }
      ]
    }
    EOF

    (2)生成admin证书

    # Sign admin-csr.json with the cluster CA under the "kubernetes" profile;
    # cfssljson writes the result as files prefixed "admin".
    # The request carries O=system:masters, so the resulting key pair grants
    # full control of the cluster for the profile's whole validity period.
    cfssl gencert \
      -ca=ca.pem \
      -ca-key=ca-key.pem \
      -config=ca-config.json \
      -profile=kubernetes \
      admin-csr.json \
      | cfssljson -bare admin

    5.生成kube-proxy证书

    (1)生成kube-proxy证书请求

    # Certificate request for kube-proxy's client certificate.
    # CN "system:kube-proxy" is the user name the API server sees; Kubernetes'
    # default RBAC binds that user to the system:node-proxier role.
    # O "k8s" becomes a group name; presumably it has no bindings of its own.
    # Confirm against your RBAC rules.
    # "hosts" is empty: the certificate carries no SANs.
    cat > kube-proxy-csr.json <<EOF
    {
      "CN": "system:kube-proxy",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "BeiJing",
          "ST": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    EOF

    (2)生成kube-proxy证书

    # Sign kube-proxy-csr.json with the cluster CA under the "kubernetes"
    # profile; cfssljson writes the result as files prefixed "kube-proxy".
    # The key is needed on every node that runs kube-proxy; the CA key is not.
    cfssl gencert \
      -ca=ca.pem \
      -ca-key=ca-key.pem \
      -config=ca-config.json \
      -profile=kubernetes \
      kube-proxy-csr.json \
      | cfssljson -bare kube-proxy
  • 原文地址:https://www.cnblogs.com/dingkailinux/p/9264843.html