Anyone who has worked with Kubernetes knows that enabling TLS authentication makes generating certificates an unavoidable step, and it is a step many people struggle with. This post records how I generated the certificates while deploying Kubernetes. Throughout the process, the start-up parameters of each component are listed in detail, together with the configuration files, what they mean, and the problems you may run into.
I. Pre-deployment preparation
1.1 Host Environment
The host environment follows the earlier ETCD cluster deployment; a VIP (192.168.15.200) is added here to provide high availability for the Kubernetes masters.
1.2 Installing the Cfssl tool
cd /usr/src/
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
II. Generating the certificates
2.1 Creating a CA Certificate
mkdir /root/ssl
cd /root/ssl
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
Tips:
ca-config.json: you can define several profiles with different expiry times, usage scenarios and other parameters; the profile to apply is chosen with -profile when a certificate is signed later. The only profile defined here is named kubernetes, so that is the name the gencert commands below must use.
signing: sets the digitalSignature key usage on certificates issued with this profile. (The CA=TRUE basic constraint in the generated ca.pem comes from cfssl gencert -initca, not from this profile.)
server auth: the certificate may identify a server; a client validates it against the CA.
client auth: the certificate may identify a client; the server validates it against the CA.
Create the CA certificate signing request configuration:
cat > ca-csr.json << EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
Tips:
CN: the Common Name; kube-apiserver takes this field from a client certificate as the name of the requesting user.
O: the Organization; kube-apiserver takes this field from a client certificate as the group the requesting user belongs to.
Generate the CA certificate and private key with cfssl:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
This produces ca.pem (the CA certificate), ca-key.pem (the CA private key, to be kept on the master nodes only) and ca.csr.
2.2 Creating the apiserver certificate
cat > apiserver-csr.json << EOF
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.15.131",
    "192.168.15.132",
    "192.168.15.133",
    "192.168.15.200",
    "10.96.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
Tip: the hosts field lists the IP addresses and domain names the certificate is valid for (cfssl writes them into the certificate as Subject Alternative Names). Because this certificate is served by every node of the Kubernetes master cluster, the IP address of each master node is listed. The in-cluster DNS names of kube-apiserver are listed as well, together with its cluster IP 10.96.0.1, which is the first address of the range passed to kube-apiserver with --service-cluster-ip-range=10.96.0.0/12. Finally, if a VIP is used it must be added too: a client that connects to an address missing from this list will reject the certificate.
Generate the kube-apiserver certificate and private key:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes apiserver-csr.json | cfssljson -bare apiserver
Note: -profile must name a profile defined in ca-config.json, which is kubernetes here. With an unknown profile name cfssl falls back to the default profile, which in this configuration declares no usages, so the certificate would not carry the server auth and client auth usages the components need.
2.3 Creating the kubernetes-admin certificate and private key
cat > admin-csr.json << EOF
{
  "CN": "kubernetes-admin",
  "hosts": [
    "192.168.15.131",
    "192.168.15.132",
    "192.168.15.133",
    "192.168.15.200"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
Tip: kube-apiserver takes CN as the client user name, here kubernetes-admin, and O as the group the user belongs to, here system:masters. kube-apiserver ships with a set of predefined ClusterRoleBindings for RBAC; among them, cluster-admin binds the group system:masters to the ClusterRole cluster-admin, which grants every permission on kube-apiserver. The user kubernetes-admin is therefore the super administrator of the cluster (see the Kubernetes authentication documentation). Two things to keep in mind: the hosts entries are unnecessary for a client certificate (they only add SANs) and can be left out, and kube-apiserver performs no revocation checking on client certificates, so this ten-year system:masters credential can only be invalidated by replacing the CA; keep it off shared machines and consider a shorter expiry for client certificates.
Generate the kubernetes-admin certificate and private key:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2.4 Creating the kube-controller-manager certificate and private key
cat > controller-manager-csr.json << EOF
{
  "CN": "system:kube-controller-manager",
  "hosts": [
    "192.168.15.131",
    "192.168.15.132",
    "192.168.15.133",
    "192.168.15.200"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:kube-controller-manager",
      "OU": "System"
    }
  ]
}
EOF
Tip: kube-apiserver takes CN as the client user name, here system:kube-controller-manager. Among the predefined RBAC bindings, the ClusterRoleBinding system:kube-controller-manager binds the user system:kube-controller-manager to the ClusterRole system:kube-controller-manager, so the CN must be exactly this value for the controller manager to get its permissions.
Generate the kube-controller-manager certificate and private key:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes controller-manager-csr.json | cfssljson -bare controller-manager
2.5 Creating the kube-scheduler certificate and private key
cat > scheduler-csr.json << EOF
{
  "CN": "system:kube-scheduler",
  "hosts": [
    "192.168.15.131",
    "192.168.15.132",
    "192.168.15.133",
    "192.168.15.200"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:kube-scheduler",
      "OU": "System"
    }
  ]
}
EOF
Tip: kube-apiserver takes CN as the client user name, here system:kube-scheduler. Among the predefined RBAC bindings, the ClusterRoleBinding system:kube-scheduler binds the user system:kube-scheduler to the ClusterRole system:kube-scheduler, so again the CN must match exactly.
Generate the kube-scheduler certificate and private key:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes scheduler-csr.json | cfssljson -bare scheduler
At this point all the required certificates have been generated. Before distributing them, check each one with cfssl-certinfo -cert <name>.pem (or openssl x509 -in <name>.pem -noout -text) and confirm that the subject CN and O, the SAN list of apiserver.pem, and the extended key usages are what the tips above call for.
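The tips above describe what the certificates are consumed for: a client checks apiserver.pem against ca.pem and the address it dialled, and kube-apiserver checks a client certificate against ca.pem and turns CN into the user name and O into groups. The Go program below is an added example, not code from the original post or from Kubernetes, that models exactly that with the standard crypto/x509 package: NewCA stands in for cfssl gencert -initca, Sign for cfssl gencert -profile=kubernetes (hosts become SANs, the profile usages become key usages), VerifyServer for the check kubectl performs, and Authenticate for the check kube-apiserver performs. It assumes ECDSA P-256 keys instead of the page's RSA-2048 (only for speed), generates everything in memory, and reuses the subject names and hosts list from the CSR files above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// What "server auth" and "client auth" in the page's cfssl profile translate to.
const (
	ServerAuth = x509.ExtKeyUsageServerAuth
	ClientAuth = x509.ExtKeyUsageClientAuth
)

func template(cn string, org []string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: org},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(87600 * time.Hour), // the page's 10-year expiry
	}
}

// issue generates a P-256 key (assumption: quicker than the page's RSA-2048, same
// X.509 logic) and signs tmpl with the CA, or self-signs it when ca is nil.
func issue(tmpl, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if ca == nil {
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewCA is the equivalent of "cfssl gencert -initca ca-csr.json".
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	t := template("kubernetes", []string{"k8s"}, 1)
	t.IsCA, t.BasicConstraintsValid = true, true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	return issue(t, nil, nil)
}

// Sign is the equivalent of "cfssl gencert -profile=kubernetes <name>-csr.json": each
// "hosts" entry becomes an IP or DNS SAN, the profile usages become key usage and EKUs.
func Sign(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string, org, hosts []string, eku ...x509.ExtKeyUsage) *x509.Certificate {
	t := template(cn, org, serial)
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			t.IPAddresses = append(t.IPAddresses, ip)
		} else {
			t.DNSNames = append(t.DNSNames, h)
		}
	}
	t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	t.ExtKeyUsage = eku
	cert, _ := issue(t, ca, caKey)
	return cert
}

// VerifyServer is the check kubectl performs when it connects to https://<addr>:6443
// with certificate-authority ca.pem: chain to the CA, server auth EKU, addr in the SANs.
func VerifyServer(ca, cert *x509.Certificate, addr string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: addr, KeyUsages: []x509.ExtKeyUsage{ServerAuth}})
	return err
}

// Authenticate is the check kube-apiserver performs with --client-ca-file=ca.pem: the
// chain must end at the CA and the leaf must permit client auth; only then are CN and O
// mapped to the user name and groups that RBAC evaluates.
func Authenticate(ca, cert *x509.Certificate) (user string, groups []string, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	if _, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{ClientAuth}}); err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}

func main() {
	ca, caKey := NewCA()
	api := Sign(ca, caKey, 2, "kubernetes", []string{"k8s"}, []string{"127.0.0.1", "192.168.15.131",
		"192.168.15.132", "192.168.15.133", "192.168.15.200", "10.96.0.1", "kubernetes", "kubernetes.default",
		"kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local"},
		ServerAuth, ClientAuth) // the hosts list from apiserver-csr.json
	admin := Sign(ca, caKey, 3, "kubernetes-admin", []string{"system:masters"}, nil, ServerAuth, ClientAuth)
	fmt.Println("VIP in SANs:", VerifyServer(ca, api, "192.168.15.200"))
	fmt.Println("host left out of SANs:", VerifyServer(ca, api, "192.168.15.134"))
	user, groups, err := Authenticate(ca, admin)
	fmt.Println("admin cert ->", user, groups, err)
}
```

Running it shows the VIP verifying cleanly, an address that was left out of hosts being rejected by the hostname check, and the admin certificate resolving to user kubernetes-admin in group system:masters; a certificate issued with only the server auth usage, or by a different CA, fails Authenticate before any user name is extracted, which is why the profile usages and the -ca arguments in the gencert commands matter.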
Kubernetes deployment of creating a TLS certificate (2)