每个Kubernetes集群都有一个集群根证书颁发机构(CA)。通常由集群组件使用该CA来验证API服务器的证书,由API服务器验证kubelet的客户端证书等。为了支持这种情况,CA证书包会分发给集群中的每个节点,并且作为Secret额外分发给默认的服务账户。或者,您的工作负载也可以使用此CA来建立信任。

一、介绍

使用openssl工具
在一台主机上生成所有证书后再分发,这样就不会出现各证书过期时间不同导致的错误

官方提供的证书生成脚本

二、自签署一个CA根证书

使用下面命令自签署一个CA根证书,-subj指定用户信息。/CN=用户/O=组
# Self-signed root CA: a 2048-bit RSA key, then a 10000-day certificate signed by it.
# -nodes leaves ca-key.pem unencrypted, so the file's permissions are its only protection.
openssl genrsa -out ca-key.pem 2048
openssl req -x509 -new -nodes -subj "/CN=kube-ca" -days 10000 -key ca-key.pem -out ca.pem

三、给各组件签署证书

1、创建openssl.conf   alt_names里指定MasterIP和DNS,这里是2台Master的示例,cluster.local是集群名字
[req]
# The CSR carries the v3_req extensions below; the signing step re-applies the
# same section with "-extensions v3_req -extfile <this file>".
req_extensions = v3_req
distinguished_name = req_distinguished_name
# Left empty on purpose: the subject is supplied with -subj on the command line.
[req_distinguished_name]
[ v3_req ]
# Leaf certificates only; this file is not used when the CA itself is created.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
# One shared SAN list for every component, so each cert (including the client
# certs for admin/kube-proxy) carries all master names and IPs.
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = localhost
DNS.6 = node1
DNS.7 = node2
# IP.1/IP.2 and IP.3/IP.4 repeat the same address (server IP == master IP in
# this two-master example); duplicates are harmless, but every master must appear.
IP.1 = 192.168.1.121                        #IP1:kubernetes server IP
IP.2 = 192.168.1.121                        #IP2:Master IP
IP.3 = 192.168.1.122                        
IP.4 = 192.168.1.122
# NOTE(review): 10.233.0.1 is presumably the in-cluster kubernetes service IP
# (first address of the service CIDR) — confirm against --service-cluster-ip-range
IP.5 = 10.233.0.1
IP.6 = 127.0.0.1
2、签署证书,使用下面列表中对应的字符串替换变量;$CONFIG 为 openssl.conf 的路径
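# Per-component key + CSR + CA-signed certificate. The caller sets:
#   name    - file-name stem (writes ${name}-key.pem, ${name}.csr, ${name}.pem)
#   subject - X.509 subject, e.g. "/CN=kube-admin/O=system:masters"
#   CONFIG  - path to openssl.conf (supplies the v3_req / subjectAltName extensions)
# Every expansion is quoted so a path containing spaces cannot split into extra arguments.
openssl genrsa -out "${name}-key.pem" 2048

openssl req -new -key "${name}-key.pem" -out "${name}.csr" -subj "${subject}" -config "${CONFIG}"

# -CAcreateserial creates ca.srl next to the CA if it does not exist yet
openssl x509 -req -in "${name}.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out "${name}.pem" -days 3650 -extensions v3_req -extfile "${CONFIG}"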
  • admin

    name=admin  subject=/CN=kube-admin/O=system:masters
  • apiServer

    name=apiserver   subject=/CN=kube-apiserver
  • kube-scheduler

    name=kube-scheduler   subject=/CN=system:kube-scheduler
  • kube-controller-manager

    name=kube-controller-manager   subject=/CN=system:kube-controller-manager
  • Node1证书,其他node请自行更换

    name=node1   subject=/CN=system:node:node1/O=system:nodes
  • kube-proxy

    name=kube-proxy-node1   subject=/CN=system:kube-proxy/O=system:node-proxier
所有证书就签署完成,etcd证书也是同理,更换名字就行。

四、使用脚本生成证书

1、脚本
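#!/bin/bash
# make-ssl.sh: create a self-signed CA plus per-component Kubernetes TLS certs.
# The node lists below are defaults only; as the usage text promises, both may
# be overridden from the environment, e.g. MASTERS=m1 HOSTS="m1 n1" ./make-ssl.sh ...
# MASTERS: space-separated master nodes (one admin cert is issued per master).
MASTERS="${MASTERS:-node1 node2}"
# HOSTS: space-separated list of all nodes (node + kube-proxy certs per host).
HOSTS="${HOSTS:-node1 node2 node3 node4}"

set -o errexit
set -o pipefail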

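#######################################
# Print the usage text to stdout.
# Globals:   $0 (script name only)
# Arguments: none
# Returns:   0
#######################################
usage()
{
# "$0" is quoted so a script path with spaces does not break basename
cat << EOF
Create self signed certificates

Usage : $(basename "$0") -f <config> [-d <ssldir>]
     -h | --help         : Show this message
     -f | --config       : Openssl configuration file
     -d | --ssldir       : Directory where the certificates will be installed

     Environmental variables MASTERS and HOSTS should be set to generate keys
     for each host.

          ex :
          MASTERS=node1 HOSTS="node1 node2" $(basename "$0") -f openssl.conf -d /srv/ssl
EOF
}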

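#######################################
# Parse command-line options into the CONFIG / SSLDIR globals.
# Globals:   CONFIG (written), SSLDIR (written)
# Arguments: the script's "$@"
# Returns:   0; exits 0 on -h/--help, 3 on an unknown or incomplete option
#######################################
parse_args() {
while (($#)); do
case "$1" in
-h | --help)   usage;   exit 0;;
-f | --config)
# A value is mandatory: without this check "shift 2" fails under errexit
# with no diagnostic at all.
[ $# -ge 2 ] || { usage; echo "ERROR : option $1 requires an argument" >&2; exit 3; }
CONFIG=${2}; shift 2;;
-d | --ssldir)
[ $# -ge 2 ] || { usage; echo "ERROR : option $1 requires an argument" >&2; exit 3; }
SSLDIR="${2}"; shift 2;;
*)
usage
# diagnostics go to stderr so they are not mixed into captured output
echo "ERROR : Unknown option" >&2
exit 3
;;
esac
done
}

# Options parsing
parse_args "$@"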

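# Validate the mandatory -f argument and apply the default install directory.
# ${CONFIG:-} keeps this safe even if the script is later run with nounset.
if [ -z "${CONFIG:-}" ]; then
echo "ERROR: the openssl configuration file is missing. option -f" >&2
exit 1
fi
# Fail early with a clear message rather than with three silenced openssl errors later.
if [ ! -r "${CONFIG}" ]; then
echo "ERROR: cannot read the openssl configuration file '${CONFIG}'" >&2
exit 1
fi
# Same semantics as the original if/-z test: unset or empty -> default
SSLDIR="${SSLDIR:-/etc/kubernetes/certs}"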

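# Work in a private scratch directory; every intermediate (CSRs, ca.srl) is
# removed on exit and only the *.pem files are installed at the end.
tmpdir=$(mktemp -d /tmp/kubernetes_cacert.XXXXXX) || exit 1
trap 'rm -rf "${tmpdir}"' EXIT
cd "${tmpdir}" || exit 1

# Private keys are written under this umask, so they are never group- or
# world-readable even on openssl builds that do not force 0600 on -out files.
umask 077

mkdir -p "${SSLDIR}"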

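# Root CA: reuse the key pair already installed in SSLDIR so previously issued
# certificates stay valid; otherwise mint a new self-signed CA.
if [ -e "$SSLDIR/ca-key.pem" ]; then
# Reuse existing CA (ca.pem must exist next to the key, otherwise cp fails under errexit)
cp -- "$SSLDIR/ca.pem" "$SSLDIR/ca-key.pem" .
else
# -nodes stores the CA key unencrypted: its on-disk permissions are the only protection
openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1
openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
fi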

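#######################################
# Generate a private key, CSR and CA-signed certificate for one component.
# Globals:   CONFIG (read) - openssl config supplying the v3_req extensions
# Arguments: $1 - file-name stem (writes $1-key.pem, $1.csr, $1.pem in $PWD)
#            $2 - X.509 subject, e.g. "/CN=system:node:node1/O=system:nodes"
# Outputs:   none; openssl output is silenced, a non-zero status still aborts
#            the script via errexit
#######################################
gen_key_and_cert() {
local name=$1
local subject=$2
# quoted expansions: a stem or config path with spaces must stay one argument
openssl genrsa -out "${name}-key.pem" 2048 > /dev/null 2>&1
openssl req -new -key "${name}-key.pem" -out "${name}.csr" -subj "${subject}" -config "${CONFIG}" > /dev/null 2>&1
# -CAcreateserial creates ca.srl in the scratch dir when absent
openssl x509 -req -in "${name}.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out "${name}.pem" -days 3650 -extensions v3_req -extfile "${CONFIG}" > /dev/null 2>&1
}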

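#######################################
# Issue the control-plane certificates: kube-apiserver (only when no CA key or
# apiserver key is already installed), kube-scheduler, kube-controller-manager,
# and one kube-admin client cert per master listed in MASTERS.
# Globals:   MASTERS (read), SSLDIR (read)
# Arguments: none
# Outputs:   certificate files in $PWD via gen_key_and_cert
#######################################
gen_master_certs() {
local host cn
# kube-apiserver
# Skip only when both an installed CA key and an installed apiserver key exist;
# a freshly minted CA therefore always implies a fresh apiserver cert.
if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]; then
gen_key_and_cert "apiserver" "/CN=kube-apiserver"
# Append the issuer so apiserver.pem is a full chain (leaf + CA)
cat ca.pem >> apiserver.pem
fi
# If any host requires new certs, just regenerate scheduler and controller-manager master certs
# kube-scheduler
gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler"
# kube-controller-manager
gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"

# MASTERS is deliberately unquoted: it is a space-separated list of host names
for host in $MASTERS; do
cn="${host%%.*}"
# admin: one cluster-admin client cert per master, CN keyed by the short host name
gen_key_and_cert "admin-${host}" "/CN=kube-admin-${cn}/O=system:masters"
done
}

# Admins
if [ -n "$MASTERS" ]; then
gen_master_certs
fi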

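#######################################
# Issue one kubelet client certificate per node listed in HOSTS.
# The subject uses the system:node:<name> / system:nodes form that the Node
# authorizer expects; <name> is the lower-cased short host name (${cn,,}, bash 4+).
# Globals:   HOSTS (read)
# Arguments: none
# Outputs:   node-<host>{-key.pem,.csr,.pem} in $PWD via gen_key_and_cert
#######################################
gen_node_certs() {
local host cn
# HOSTS is deliberately unquoted: it is a space-separated list of host names
for host in $HOSTS; do
cn="${host%%.*}"
# NOTE(review): the file name keeps the original case while the CN is lower-cased —
# confirm the node registers with the lower-cased name (kubelet --hostname-override)
gen_key_and_cert "node-${host}" "/CN=system:node:${cn,,}/O=system:nodes"
done
}

# Nodes
if [ -n "$HOSTS" ]; then
gen_node_certs
fi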

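#######################################
# Issue one kube-proxy client certificate per node listed in HOSTS.
# Every node gets its own key pair, but all of them share the same identity
# (CN=system:kube-proxy, O=system:node-proxier).
# Globals:   HOSTS (read)
# Arguments: none
# Outputs:   kube-proxy-<host>{-key.pem,.csr,.pem} in $PWD via gen_key_and_cert
#######################################
gen_proxy_certs() {
local host
# HOSTS is deliberately unquoted: it is a space-separated list of host names
for host in $HOSTS; do
# kube-proxy
gen_key_and_cert "kube-proxy-${host}" "/CN=system:kube-proxy/O=system:node-proxier"
done
}

# system:node-proxier
if [ -n "$HOSTS" ]; then
gen_proxy_certs
fi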

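# Install certs: only the PEM files are moved; CSRs and ca.srl stay in the
# scratch directory and are deleted by the EXIT trap. Because ca.srl is not
# kept, a later run that reuses the CA recreates it via -CAcreateserial, so do
# not rely on the serial sequence continuing across runs.
# "--" protects against a stem that starts with "-"; SSLDIR is quoted so a
# directory with spaces is still one argument.
mv -- *.pem "${SSLDIR}/"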
3、生成证书
bash make-ssl.sh -f /home/wang/certs/openssl.conf -d /home/wang/certs

手动搭建Kubernetes1.8高可用集群(2)TLS Certificates_第1张图片

4、证书分发

手动搭建Kubernetes1.8高可用集群(2)TLS Certificates_第2张图片

属主:kube:
属组:kube-cert
mode:0600

下一步配置ETCD