A k8s cluster deployment does not strictly require certificates; their purpose here is to encrypt the transport. The cipher used is asymmetric RSA 2048.
There are three certificate tools in total.
First create a directory anywhere, for example ssl, and download the three tools:
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod 755 *
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
You can view the command help:
# cfssl -help
Usage:
Available commands:
sign
version
gencrl
serve
ocspdump
info
print-defaults
certinfo
ocspsign
bundle
genkey
gencert
ocsprefresh
ocspserve
selfsign
scan
revoke
Top-level flags:
-allow_verification_with_non_compliant_keys
Allow a SignatureVerifier to use keys which are technically non-compliant with RFC6962.
-loglevel int
Log level (0 = DEBUG, 5 = FATAL) (default 1)
Generate the two template files.
cfssl print-defaults config > config.json
# cat config.json
{
  "signing": {
    "default": {
      "expiry": "168h"
    },
    "profiles": {
      "www": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      }
    }
  }
}
This contains the signing settings, the expiry times and so on.
cfssl print-defaults csr > csr.json
# cat csr.json
{
  "CN": "example.net",
  "hosts": [
    "example.net",
    "www.example.net"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "US",
      "L": "CA",
      "ST": "San Francisco"
    }
  ]
}
This contains the domain names, the region and so on.
Of course these are only templates, not the files we actually use. To create the ones we actually use, run the following commands.
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
After running this you will see a new file, ca-config.json.
cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
After running this there is a new file, ca-csr.json.
Then run:
# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2019/02/15 11:27:46 [INFO] generating a new CA key and certificate from CSR
2019/02/15 11:27:46 [INFO] generate received request
2019/02/15 11:27:46 [INFO] received CSR
2019/02/15 11:27:46 [INFO] generating key: rsa-2048
2019/02/15 11:27:46 [INFO] encoded CSR
2019/02/15 11:27:46 [INFO] signed certificate with serial number 522234478678554843943438612699648327400263717044
This generates the two files we need: ca-key.pem and ca.pem.
Continue with:
cat > server-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "10.10.10.1",
    "127.0.0.1",
    "172.18.98.47",
    "172.18.98.48",
    "172.18.98.46",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
Here 172.18.98.47 and the other addresses are your own IPs, those of the three servers. You can now see that server-csr.json has been generated.
Generate the certificate:
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
2019/02/15 11:51:04 [INFO] generate received request
2019/02/15 11:51:04 [INFO] received CSR
2019/02/15 11:51:04 [INFO] generating key: rsa-2048
2019/02/15 11:51:04 [INFO] encoded CSR
2019/02/15 11:51:04 [INFO] signed certificate with serial number 13508754972361930848639963529220936364095728469
2019/02/15 11:51:04 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Two more files now exist: server-key.pem and server.pem.
Continue with:
# cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
This generates admin-csr.json. Note that the key must be spelled "names": cfssl silently ignores an unknown key such as "name", and the certificate would then be issued without the O=system:masters group.
Generate the certificate; this is the privileged admin certificate:
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/02/15 13:49:36 [INFO] generate received request
2019/02/15 13:49:36 [INFO] received CSR
2019/02/15 13:49:36 [INFO] generating key: rsa-2048
2019/02/15 13:49:37 [INFO] encoded CSR
2019/02/15 13:49:37 [INFO] signed certificate with serial number 128010541049789040815911678632547332318067283580
2019/02/15 13:49:37 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Two more certificate files now exist: admin-key.pem and admin.pem.
Continue with:
# cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
This generates kube-proxy-csr.json.
Generate the certificate:
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
2019/02/15 14:06:38 [INFO] generate received request
2019/02/15 14:06:38 [INFO] received CSR
2019/02/15 14:06:38 [INFO] generating key: rsa-2048
2019/02/15 14:06:39 [INFO] encoded CSR
2019/02/15 14:06:39 [INFO] signed certificate with serial number 563471985753033006864304507036823783228076641762
2019/02/15 14:06:39 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
This generates kube-proxy-key.pem and kube-proxy.pem.
All the certificates have now been generated. Note in the listing below that the private keys (*-key.pem) are created with mode 0600; ca-key.pem in particular can sign any identity the cluster trusts, so keep it that way.
# ll | grep pem
-rw------- 1 root root 1675 Feb 15 13:49 admin-key.pem
-rw-r--r-- 1 root root 1277 Feb 15 13:49 admin.pem
-rw------- 1 root root 1679 Feb 15 11:27 ca-key.pem
-rw-r--r-- 1 root root 1359 Feb 15 11:27 ca.pem
-rw------- 1 root root 1679 Feb 15 14:06 kube-proxy-key.pem
-rw-r--r-- 1 root root 1403 Feb 15 14:06 kube-proxy.pem
-rw------- 1 root root 1679 Feb 15 11:51 server-key.pem
-rw-r--r-- 1 root root 1602 Feb 15 11:51 server.pem
You can put the commands above into an executable file, certificate.sh, so that they can all be run in one go later.
# chmod 755 certificate.sh
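Before certificate.sh hands these JSON files to cfssl gencert, it is worth a pre-flight lint, because cfssl ignores JSON keys it does not recognise and will happily issue a certificate missing the group or SANs you intended. The following is an added example, not code from the post or from cfssl; lint_csr, lint_profile, APISERVER_HOSTS and the constructed copy of the admin CSR are my own.

```python
"""Pre-flight lint for cfssl CSR and signing-config JSON (added example, not from the post).
cfssl ignores JSON keys it does not know, so a typo such as "name" for "names" yields a
certificate without the O=system:masters group that kube-apiserver maps to RBAC."""
import json

KNOWN_CSR_KEYS = {"CN", "hosts", "key", "names", "ca"}
# Constructed for this example: service names the apiserver certificate should carry.
APISERVER_HOSTS = ("127.0.0.1", "kubernetes.default", "kubernetes.default.svc",
                   "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local")

def lint_csr(csr, expect_hosts=(), expect_org=None):
    """Return a list of problems; an empty list means the CSR is ready for cfssl gencert."""
    problems = [f"unknown key {k!r} (cfssl ignores it silently)" for k in sorted(csr.keys() - KNOWN_CSR_KEYS)]
    if not csr.get("CN"):
        problems.append("CN is empty; kube-apiserver uses the CN as the user name")
    k = csr.get("key", {})
    algo, size = k.get("algo"), k.get("size", 0)
    if not ((algo == "rsa" and size >= 2048) or (algo == "ecdsa" and size in (256, 384, 521))):
        problems.append(f"weak or unsupported key: {algo} {size}")
    missing = [h for h in expect_hosts if h not in csr.get("hosts", [])]
    if missing:
        problems.append(f"hosts missing {missing}; clients will fail hostname verification")
    orgs = [n.get("O") for n in csr.get("names", []) if isinstance(n, dict)]
    if expect_org and expect_org not in orgs:
        problems.append(f"no names[].O == {expect_org!r}; the RBAC group would not be granted")
    return problems

def lint_profile(config, profile, need_usages=()):
    """Check that a signing profile exists and carries the key usages the role needs."""
    prof = config.get("signing", {}).get("profiles", {}).get(profile)
    if prof is None:
        return [f"profile {profile!r} not defined; cfssl would fall back to 'default'"]
    problems = [f"profile {profile!r} lacks usage {u!r}" for u in need_usages if u not in prof.get("usages", [])]
    expiry = str(prof.get("expiry", ""))
    if not (expiry.endswith("h") and expiry[:-1].isdigit()):  # this example accepts whole hours only
        problems.append(f"expiry {expiry!r} is not in the Nh form used in the post")
    return problems

# Constructed copy of the post's admin CSR with the "name"/"names" typo deliberately left in.
ADMIN_CSR_TYPO = json.loads('{"CN": "admin", "hosts": [], "key": {"algo": "rsa", "size": 2048},'
                            ' "name": [{"C": "CN", "O": "system:masters", "OU": "System"}]}')

def admin_csr_problems():
    """Lint the constructed admin CSR; it should report the unknown key and the missing group."""
    return lint_csr(ADMIN_CSR_TYPO, expect_org="system:masters")

if __name__ == "__main__":
    for p in admin_csr_problems():
        print("admin-csr.json:", p)
```

Anything it prints means the certificate cfssl would issue does not carry the identity you expect; run it on each *-csr.json and on ca-config.json before signing.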