If kubelet authenticates to the apiserver with a token, the bootstrap-kubeconfig only has to be generated once. It is generated like this:
```shell
BOOTSTRAP_TOKEN='your_token'
HOST_NAME='node_ip'   # the node's address; the commands below do not reference it

# cluster entry: the cluster CA is embedded so the file is self-contained
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=https://apiserver:port \
  --kubeconfig=bootstrap.kubeconfig

# user entry: the bootstrap token is the only credential in this file
kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=bootstrap.kubeconfig

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

# kubelet picks it up via --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig
mv bootstrap.kubeconfig /etc/kubernetes/
```
As for where the token comes from, I suggest simply creating one with kubeadm:
```shell
# --ttl 0 creates a token that never expires; --print-join-command also prints the matching kubeadm join line
kubeadm token create --print-join-command --ttl 0
```
After kubelet starts it requests authentication from the apiserver; if authentication succeeds, a kubelet configuration, kubelet.conf, is generated automatically. If kubelet does not set these two parameters,

`tlsCertFile` and `tlsPrivateKeyFile`

it generates a key pair by default, but if the apiserver is misconfigured you may run into the following problem:
```
$ kubectl logs xxxx
x509: certificate signed by unknown authority
cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs
```
The symptom is that a request the apiserver sends to kubelet fails in the TLS handshake and authentication: the two messages say that the certificate kubelet presented was not issued by a CA the apiserver trusts, and that it carries no IP entry in its SANs for the address the apiserver dialed. In that case you may need to generate your own certificate and private key and set kubelet's TLS parameters explicitly:
```json
// kubelet-csr.json: "hosts" become the SANs; the node IP must be listed
{
  "CN": "system:node:x.x.x.x",
  "hosts": [
    "x.x.x.x",
    "localhost",
    "127.0.0.1"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "system:nodes"
    }
  ]
}
```

```shell
# sign with the cluster CA using the "server" profile; writes kubelet-base.pem and kubelet-base-key.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server kubelet-csr.json | cfssljson -bare kubelet-base
```
Then point kubelet's configuration at the newly generated pair:
```shell
# kubelet command-line flags (the KubeletConfiguration file fields are
# tlsCertFile and tlsPrivateKeyFile)
--tls-cert-file=kubelet-base.pem
--tls-private-key-file=kubelet-base-key.pem
```
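To make the apiserver's side of this concrete, here is an added Go example (not code from the original post or from Kubernetes) that issues certificates the way kubelet-csr.json describes and reproduces both messages above: a self-signed serving cert fails with "certificate signed by unknown authority", and a CA-signed cert whose SANs lack the node IP fails with "doesn't contain any IP SANs". The functions newCert and checkServingCert, the use of ed25519 keys for brevity, and the 10.0.0.1/node1 values are my own constructed choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCert issues a cert for the listed hosts (the cfssl "hosts" field): IP
// literals become IP SANs, other entries DNS SANs. A nil parent yields a
// self-signed cert, like the one kubelet makes when tlsCertFile is unset.
func newCert(cn string, hosts []string, parent *x509.Certificate, parentKey ed25519.PrivateKey, isCA bool) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // ed25519 only to keep the example short
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"system:nodes"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // serving cert
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only the CA may sign other certs
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed: template signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkServingCert repeats what the apiserver does when it dials kubelet at
// addr: the cert must chain to the cluster CA and carry a SAN matching addr.
func checkServingCert(cert, ca *x509.Certificate, addr string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: addr,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```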