• 五、为api server自签证书


    [root@k8s-master01 k8s]# cat ca-csr.json 
    {
        "CN": "kubernetes",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "HuBei",
                "ST": "WuHan",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
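    [root@k8s-master01 k8s]# cat ca-config.json 
    {
      "signing": {
        "default": {
          "expiry": "876000h"
        },
        "profiles": {
          "kubernetes": {
             "expiry": "876000h",
             "usages": [
                "key encipherment",
                "server auth",
                "client auth"
             ]
          }
        }
      }
    }

    注:876000h 约为 100 年,按此配置签发的证书实际上不会过期。Kubernetes 不支持吊销已签发的客户端证书,证书一旦泄露在到期前始终可用,生产环境宜缩短有效期并安排轮换。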


    [root@k8s-master01 k8s]# cat kube-proxy-csr.json 
    {
      "CN": "system:kube-proxy",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "HuBei",
          "ST": "WuHan",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
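    [root@k8s-master01 k8s]# cat server-csr.json 
    {
        "CN": "kubernetes",
        "hosts": [
            "<master01 IP>",
            "<master02 IP>",
            "<LB IP>",
            "<备用IP>",
            "<备用IP>"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "HuBei",
                "ST": "WuHan",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }

    注:hosts 中的地址在本页中为空,这里按原有标注(master01、master02、LB、备用IP)用占位符表示,须替换为实际地址。下文签发 server 证书时 cfssl 仍输出了缺少 hosts 的 WARNING,可用 openssl x509 -in server.pem -noout -text 查看 Subject Alternative Name,以证书实际内容为准。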


    [root@k8s-master01 k8s]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -


    [root@k8s-master01 k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
    2019/11/04 16:59:08 [INFO] generate received request
    2019/11/04 16:59:08 [INFO] received CSR
    2019/11/04 16:59:08 [INFO] generating key: rsa-2048
    2019/11/04 16:59:09 [INFO] encoded CSR
    2019/11/04 16:59:09 [INFO] signed certificate with serial number 710468047565346200192196031945671979263159074343
    2019/11/04 16:59:09 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").
    [root@k8s-master01 k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
    2019/11/04 16:59:23 [INFO] generate received request
    2019/11/04 16:59:23 [INFO] received CSR
    2019/11/04 16:59:23 [INFO] generating key: rsa-2048
    2019/11/04 16:59:23 [INFO] encoded CSR
    2019/11/04 16:59:23 [INFO] signed certificate with serial number 632011921807538541174903390077695048984832013926
    2019/11/04 16:59:23 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").


    [root@k8s-master01 k8s]# ll *.pem
    -rw------- 1 root root 1679 11月  4 16:58 ca-key.pem
    -rw-r--r-- 1 root root 1346 11月  4 16:58 ca.pem
    -rw------- 1 root root 1679 11月  4 16:59 kube-proxy-key.pem
    -rw-r--r-- 1 root root 1395 11月  4 16:59 kube-proxy.pem
    -rw------- 1 root root 1675 11月  4 16:59 server-key.pem
    -rw-r--r-- 1 root root 1643 11月  4 16:59 server.pem
  • 原文地址:https://www.cnblogs.com/xw115428/p/11955973.html