Creating the CA Certificate and Key

The components of a Kubernetes cluster use TLS certificates to encrypt their communication with each other. This document uses cfssl, CloudFlare's PKI toolkit, to generate the Certificate Authority (CA) certificate and key file. The CA certificate is self-signed and is used to sign every other TLS certificate created later.

Installing CFSSL

    $ wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    $ chmod +x cfssl_linux-amd64
    $ sudo mv cfssl_linux-amd64 /root/local/bin/cfssl
    $ wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    $ chmod +x cfssljson_linux-amd64
    $ sudo mv cfssljson_linux-amd64 /root/local/bin/cfssljson
    $ wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    $ chmod +x cfssl-certinfo_linux-amd64
    $ sudo mv cfssl-certinfo_linux-amd64 /root/local/bin/cfssl-certinfo
    $ export PATH=/root/local/bin:$PATH
    $ mkdir ssl
    $ cd ssl
    $ cfssl print-defaults config > config.json
    $ cfssl print-defaults csr > csr.json

Creating the CA (Certificate Authority)

Create the CA configuration file:

    $ cat ca-config.json
    {
      "signing": {
        "default": {
          "expiry": "8760h"
        },
        "profiles": {
          "kubernetes": {
            "usages": [
              "signing",
              "key encipherment",
              "server auth",
              "client auth"
            ],
            "expiry": "8760h"
          }
        }
      }
    }
  • ca-config.json: several profiles can be defined, each with its own expiry, intended usage and other parameters; when a certificate is signed later, one of these profiles is selected;
  • signing: the certificate may be used to sign other certificates; the generated ca.pem carries CA=TRUE;
  • server auth: a client can use this CA to verify the certificate presented by a server;
  • client auth: a server can use this CA to verify the certificate presented by a client;

Create the CA certificate signing request:

    $ cat ca-csr.json
    {
      "CN": "kubernetes",
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
  • "CN": Common Name. kube-apiserver extracts this field from a certificate and uses it as the name of the requesting user (User Name); browsers use the same field to check that a website is legitimate;
  • "O": Organization. kube-apiserver extracts this field from a certificate and uses it as the group (Group) the requesting user belongs to;

Generate the CA certificate and private key:

    $ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
    $ ls ca*
    ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem

Distributing the Certificates

Copy the generated CA certificate, key file and configuration file into the /etc/kubernetes/ssl directory on every machine:

    $ sudo mkdir -p /etc/kubernetes/ssl
    $ sudo cp ca* /etc/kubernetes/ssl

Verifying a Certificate

Take the kubernetes certificate (generated later, when the master nodes are deployed) as an example:

Using the openssl command

    $ openssl x509 -noout -text -in kubernetes.pem
    ...
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=Kubernetes
        Validity
            Not Before: Apr 5 05:36:00 2017 GMT
            Not After : Apr 5 05:36:00 2018 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
    ...
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                DD:52:04:43:10:13:A9:29:24:17:3A:0E:D7:14:DB:36:F8:6C:E0:E0
            X509v3 Authority Key Identifier:
                keyid:44:04:3B:60:BD:69:78:14:68:AF:A0:41:13:F6:17:07:13:63:58:CD
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.64.3.7, IP Address:10.254.0.1
    ...
  • confirm that the Issuer field matches ca-csr.json;
  • confirm that the Subject field matches kubernetes-csr.json;
  • confirm that the X509v3 Subject Alternative Name field matches kubernetes-csr.json;
  • confirm that the X509v3 Key Usage and Extended Key Usage fields match the kubernetes profile in ca-config.json;
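The same CA, profile and verification steps written against Go's standard crypto/x509 package (the library cfssl itself is built on), as an added example that is not part of this document or of cfssl: issue() produces the self-signed CA described by ca-csr.json or a leaf under the kubernetes profile of ca-config.json, and verify() performs the checklist above mechanically (chain to the CA, SAN covers the host, Extended Key Usage allows the role) and returns the user name (CN) and groups (O) that kube-apiserver derives from a client certificate. The DN values and usages are those from the JSON above; the serial numbers and the one-minute NotBefore backdating are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds and signs one certificate. With parent == nil it is the self-signed CA of "cfssl gencert
// -initca" (CA=TRUE, can sign); otherwise a leaf under the "kubernetes" profile (CA:FALSE, 8760h).
func issue(cn string, sans []string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	isCA := parent == nil
	ku, eku := x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	if isCA {
		ku, eku = x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature, nil
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: cn, Country: []string{"CN"}, Province: []string{"BeiJing"}, // ca-csr.json "names"
			Locality: []string{"BeiJing"}, Organization: []string{"k8s"}, OrganizationalUnit: []string{"System"}},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(8760 * time.Hour), // "expiry": "8760h"
		KeyUsage: ku, ExtKeyUsage: eku, DNSNames: sans}
	key, err := rsa.GenerateKey(rand.Reader, 2048) // "algo": "rsa", "size": 2048
	if err != nil {
		return nil, nil, err
	}
	if isCA {
		parent, parentKey = t, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verify is the openssl inspection done mechanically: leaf must chain to ca, its SAN must cover host and
// its Extended Key Usage must allow the role; it returns what kube-apiserver reads (CN -> user, O -> groups).
func verify(ca, leaf *x509.Certificate, host string, role x509.ExtKeyUsage) (string, []string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	opts := x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{role}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", nil, err
	}
	return leaf.Subject.CommonName, leaf.Subject.Organization, nil
}
```

A leaf signed by any other CA, or presented for a host outside its SAN list, makes verify() return an error, which is exactly what the manual Issuer and SAN checks above catch.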

Using the cfssl-certinfo command

    $ cfssl-certinfo -cert kubernetes.pem
    ...
    {
      "subject": {
        "common_name": "kubernetes",
        "country": "CN",
        "organization": "k8s",
        "organizational_unit": "System",
        "locality": "BeiJing",
        "province": "BeiJing",
        "names": [
          "CN",
          "BeiJing",
          "BeiJing",
          "k8s",
          "System",
          "kubernetes"
        ]
      },
      "issuer": {
        "common_name": "Kubernetes",
        "country": "CN",
        "organization": "k8s",
        "organizational_unit": "System",
        "locality": "BeiJing",
        "province": "BeiJing",
        "names": [
          "CN",
          "BeiJing",
          "BeiJing",
          "k8s",
          "System",
          "Kubernetes"
        ]
      },
      "serial_number": "174360492872423263473151971632292895707129022309",
      "sans": [
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "127.0.0.1",
        "10.64.3.7",
        "10.64.3.8",
        "10.66.3.86",
        "10.254.0.1"
      ],
      "not_before": "2017-04-05T05:36:00Z",
      "not_after": "2018-04-05T05:36:00Z",
      "sigalg": "SHA256WithRSA",
    ...

References