1. Prepare the CA-related files and startup parameters for kube-apiserver
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=yourcompany.com" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048
2. Prepare the master_ssl.conf file for the X.509 v3 certificate
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = k8s-master        # the master server's hostname
IP.1 = 169.169.0.1        # the cluster IP of the kubernetes service
IP.2 = 192.168.0.1        # the master node's IP; substitute your own
3. Create the server.csr and server.crt files from master_ssl.conf. The "/CN" in the -subj parameter used to generate server.csr is the hostname of the master.
openssl req -new -key server.key -subj "/CN=k8s-master" -config master_ssl.conf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.conf -out server.crt
After all the commands have run, 6 files are produced: ca.crt ca.key ca.srl server.crt server.csr server.key
4. Copy the 6 files produced above into one directory, then set the three kube-apiserver startup parameters (the certificate goes to --tls-cert-file and the private key to --tls-private-key-file):
--client-ca-file=ca.crt --tls-cert-file=server.crt --tls-private-key-file=server.key
5. Switch off the insecure port with --insecure-port=0 --secure-port=6443 and restart kube-apiserver
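A pre-restart check for the three parameters, added here and not part of the original post: the function below confirms that each file argument is the kind of object its flag expects and that the private key actually belongs to the certificate, which is exactly what goes wrong when --tls-cert-file and --tls-private-key-file are swapped. The sample files at the bottom are constructed in a temporary directory for demonstration only; in practice pass the paths you intend to put on the kube-apiserver command line.

```shell
#!/bin/sh
# Added example, not code from the original post: checks the three kube-apiserver
# file arguments before the restart. It catches the common slip of swapping
# --tls-cert-file and --tls-private-key-file, and a key that does not belong to
# the certificate. Paths are taken as arguments; the sample files at the bottom
# are constructed here purely for illustration.
set -eu

# Prints "ok" and returns 0 when $1 is a certificate (the client CA), $2 is a
# certificate and $3 is the private key matching $2; otherwise explains and returns 1.
check_apiserver_tls_args() {
  ca="$1"; cert="$2"; key="$3"
  openssl x509 -in "$ca" -noout 2>/dev/null \
    || { echo "client-ca-file is not a certificate: $ca"; return 1; }
  openssl x509 -in "$cert" -noout 2>/dev/null \
    || { echo "tls-cert-file is not a certificate (swapped with the key?): $cert"; return 1; }
  openssl pkey -in "$key" -noout 2>/dev/null \
    || { echo "tls-private-key-file is not a private key: $key"; return 1; }
  # The same public key on both sides means the key really belongs to the cert.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "tls-private-key-file does not match tls-cert-file"; return 1; }
  echo "ok: --client-ca-file=$ca --tls-cert-file=$cert --tls-private-key-file=$key"
}

# Constructed sample input: a throwaway self-signed pair standing in for
# ca.crt/server.crt/server.key, plus an unrelated key for the mismatch case.
SAMPLE="${SAMPLE:-$(mktemp -d)}"
make_sample_files() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=sample" -days 1 \
    -keyout "$SAMPLE/server.key" -out "$SAMPLE/server.crt" 2>/dev/null
  cp "$SAMPLE/server.crt" "$SAMPLE/ca.crt"
  openssl genrsa -out "$SAMPLE/other.key" 2048 2>/dev/null
}

make_sample_files
# Correct order passes:
check_apiserver_tls_args "$SAMPLE/ca.crt" "$SAMPLE/server.crt" "$SAMPLE/server.key"
# The swapped order is rejected with an explanation:
check_apiserver_tls_args "$SAMPLE/ca.crt" "$SAMPLE/server.key" "$SAMPLE/server.crt" || true
```

Run it once against the real files in the directory from step 4; a non-zero exit means the parameters as written would make kube-apiserver fail to start or serve the wrong key.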
6. Set the kube-controller-manager client certificate, private key and startup parameters
openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=k8s-node-1" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -out cs_client.crt
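The whole sequence from steps 1 to 3 together with the client certificate from step 6, as an added example that is not code from the original post: it builds the CA, the server certificate carrying the SAN list from master_ssl.conf and the controller-manager client certificate in a scratch directory, then verifies that both certificates chain to the CA, that the SANs survived signing (they are silently dropped if -extensions/-extfile is forgotten) and which CN the client will present. The hostname k8s-master and the two IP addresses are the placeholders from the post; set MASTER_HOST, SVC_IP and NODE_IP to your own values.

```shell
#!/bin/sh
# Added example, not code from the original post: builds the CA, the API server
# certificate with the SAN list from master_ssl.conf (steps 1 to 3), and the
# controller-manager client certificate (step 6), then verifies the results.
# Hostname and IPs are placeholders; set MASTER_HOST, SVC_IP and NODE_IP.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
MASTER_HOST="${MASTER_HOST:-k8s-master}"   # assumed master hostname
SVC_IP="${SVC_IP:-169.169.0.1}"            # cluster IP of the kubernetes service
NODE_IP="${NODE_IP:-192.168.0.1}"          # master node IP (placeholder)

# Step 2: the v3 request config with the SAN list.
write_master_ssl_conf() {
  cat > "$WORKDIR/master_ssl.conf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = $MASTER_HOST
IP.1 = $SVC_IP
IP.2 = $NODE_IP
EOF
}

# Step 1: self-signed CA.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORKDIR/ca.key" \
    -subj "/CN=yourcompany.com" -days 5000 -out "$WORKDIR/ca.crt"
}

# Step 3: server key, CSR carrying v3_req, and CA-signed certificate.
make_server_cert() {
  openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/server.key" -subj "/CN=$MASTER_HOST" \
    -config "$WORKDIR/master_ssl.conf" -out "$WORKDIR/server.csr"
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 5000 \
    -extensions v3_req -extfile "$WORKDIR/master_ssl.conf" \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

# Step 6: client certificate for kube-controller-manager; the CN ($1) is the
# identity kube-apiserver sees after client-certificate authentication.
make_client_cert() {
  openssl genrsa -out "$WORKDIR/cs_client.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/cs_client.key" -subj "/CN=$1" \
    -out "$WORKDIR/cs_client.csr"
  openssl x509 -req -in "$WORKDIR/cs_client.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 5000 \
    -out "$WORKDIR/cs_client.crt" 2>/dev/null
}

# Does certificate $1 chain to our CA?
chains_to_ca() { openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1; }

# Does server.crt carry $1 in its subjectAltName? Signing without
# -extensions/-extfile silently drops the SANs; this check exposes that.
san_present() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "$1"
}

# CN of certificate $1, as kube-apiserver will report the identity.
cert_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

write_master_ssl_conf
make_ca
make_server_cert
make_client_cert k8s-node-1
chains_to_ca "$WORKDIR/server.crt" && echo "server.crt chains to ca.crt"
san_present "$MASTER_HOST" && echo "SAN includes $MASTER_HOST"
echo "client identity: $(cert_cn "$WORKDIR/cs_client.crt")"
ls "$WORKDIR"
```

The scratch directory ends up holding the six files listed in step 3 plus cs_client.key, cs_client.csr and cs_client.crt; copy them into the directory used for the kube-apiserver and kube-controller-manager startup parameters.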
This article is from the "Let Me Men Grow Together" blog, please be sure to keep this source http://wujingfeng.blog.51cto.com/5725921/1945005
Kubernetes Cluster CA Certification