K8s certificate list explained
2019-09-23
陈sir的知识图谱
root CA
CA certificates:
path | Default CN | description |
---|---|---|
ca.crt,key | kubernetes-ca | Kubernetes root CA certificate |
etcd/ca.crt,key | etcd-ca | etcd root CA certificate |
front-proxy-ca.crt,key | kubernetes-front-proxy-ca | CA for the front-end proxy (the API aggregation layer) |
Certificates required by each component
Required certificates:
Default CN | Parent CA | O (in Subject) | kind | hosts (SAN) |
---|---|---|---|---|
kube-etcd | etcd-ca | | server, client | localhost, 127.0.0.1 |
kube-etcd-peer | etcd-ca | | server, client | <hostname>, <Host_IP>, localhost, 127.0.0.1 |
kube-etcd-healthcheck-client | etcd-ca | | client | |
kube-apiserver-etcd-client | etcd-ca | system:masters | client | |
kube-apiserver | kubernetes-ca | | server | <hostname>, <Host_IP>, <advertise_IP>, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster, kubernetes.default.svc.cluster.local |
kube-apiserver-kubelet-client | kubernetes-ca | system:masters | client | |
front-proxy-client | kubernetes-front-proxy-ca | | client | |
Note: any other DNS name or IP you reach the apiserver on (for example a load-balancer address) must also be in the kube-apiserver SAN list. The client certificates with O = system:masters put their holder in the system:masters group, which the default RBAC bindings map to cluster-admin, so protect those keys as carefully as the CA keys themselves.
kind
x509 key usage for each kind:
kind | Key usage |
---|---|
server | digital signature, key encipherment, server auth |
client | digital signature, key encipherment, client auth |
Certificate paths
The locations below follow the layout kubeadm generates (relative to kubeadm's certificate directory, /etc/kubernetes/pki) and are taken as the standard.
Default CN | recommended key path | recommended cert path | command | key argument | cert argument |
---|---|---|---|---|---|
etcd-ca | etcd/ca.key | etcd/ca.crt | kube-apiserver | | --etcd-cafile |
kube-apiserver-etcd-client | apiserver-etcd-client.key | apiserver-etcd-client.crt | kube-apiserver | --etcd-keyfile | --etcd-certfile |
kubernetes-ca | ca.key | ca.crt | kube-apiserver | | --client-ca-file |
kube-apiserver | apiserver.key | apiserver.crt | kube-apiserver | --tls-private-key-file | --tls-cert-file |
kube-apiserver-kubelet-client | apiserver-kubelet-client.key | apiserver-kubelet-client.crt | kube-apiserver | --kubelet-client-key | --kubelet-client-certificate |
front-proxy-ca | front-proxy-ca.key | front-proxy-ca.crt | kube-apiserver | | --requestheader-client-ca-file |
front-proxy-client | front-proxy-client.key | front-proxy-client.crt | kube-apiserver | --proxy-client-key-file | --proxy-client-cert-file |
etcd-ca | etcd/ca.key | etcd/ca.crt | etcd | | --trusted-ca-file, --peer-trusted-ca-file |
kube-etcd | etcd/server.key | etcd/server.crt | etcd | --key-file | --cert-file |
kube-etcd-peer | etcd/peer.key | etcd/peer.crt | etcd | --peer-key-file | --peer-cert-file |
etcd-ca | | etcd/ca.crt | etcdctl[2] | | --cacert |
kube-etcd-healthcheck-client | etcd/healthcheck-client.key | etcd/healthcheck-client.crt | etcdctl[2] | --key | --cert |
[2]: for a liveness probe, if self-hosted
Each CA goes only to the flag that needs it: the apiserver trusts kubernetes-ca for client certificates (--client-ca-file) and etcd-ca only for its own etcd connection (--etcd-cafile). Handing the same CA to both would let any etcd client certificate, such as the healthcheck client, authenticate to the apiserver as the user named in its CN.
Configuring accounts with certificates
The following administrator account and service accounts must be configured manually:
filename | credential name | Default CN | O (in Subject) |
---|---|---|---|
admin.conf | default-admin | kubernetes-admin | system:masters |
kubelet.conf | default-auth | system:node:<nodeName> (see note) | system:nodes |
controller-manager.conf | default-controller-manager | system:kube-controller-manager | |
scheduler.conf | default-manager | system:kube-scheduler | |
Note: the <nodeName> in kubelet.conf must exactly match the name the node registers with the apiserver, normally the machine's hostname; the Node authorizer only grants a kubelet access to the objects belonging to that node. For details see Node Authorization.
- Each generated x509 cert/key pair must have CN and O fields that match the table above.
- Configure each file with kubectl as follows:
```
KUBECONFIG=<filename> kubectl config set-cluster default-cluster --server=https://<host ip>:6443 --certificate-authority <path-to-kubernetes-ca> --embed-certs
KUBECONFIG=<filename> kubectl config set-credentials <credential-name> --client-key <path-to-key>.pem --client-certificate <path-to-cert>.pem --embed-certs
KUBECONFIG=<filename> kubectl config set-context default-system --cluster default-cluster --user <credential-name>
KUBECONFIG=<filename> kubectl config use-context default-system
```
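The following is an added example (Go, standard library only); it is not code from the original page or from kubeadm. It builds two throwaway roots standing in for kubernetes-ca and etcd-ca, issues leaves according to the "Required certificates" and "kind" tables above, and audits each leaf for the CN, O, key usage, SANs and issuing CA those tables and the CN/O rule just stated demand. The host name cp-1, the address 10.0.0.10 and the node name in the kubelet.conf row are constructed placeholders for <hostname>, <Host_IP> and <nodeName>. main deliberately issues the kube-apiserver-etcd-client certificate from the wrong CA: the subject is correct, so it passes when checked against kubernetes-ca, but it fails against etcd-ca, which is the separation the --etcd-cafile / --client-ca-file split in the paths table relies on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Row is one line of the "Required certificates" table: Default CN, O (in Subject), kind, hosts (SAN).
type Row struct {
	CN   string
	O    []string
	Kind []x509.ExtKeyUsage // the "kind" table: server -> ExtKeyUsageServerAuth, client -> ExtKeyUsageClientAuth
	SANs []string           // DNS names or IP addresses
}

// Table copies three rows from the page (kubelet.conf is the node identity from the accounts table); cp-1 and 10.0.0.10 are constructed stand-ins for <hostname> / <nodeName> and <Host_IP>.
var Table = map[string]Row{
	"kube-apiserver": {CN: "kube-apiserver", Kind: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, SANs: []string{"cp-1",
		"10.0.0.10", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local"}},
	"kube-apiserver-etcd-client": {CN: "kube-apiserver-etcd-client", O: []string{"system:masters"}, Kind: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
	"kubelet.conf":               {CN: "system:node:cp-1", O: []string{"system:nodes"}, Kind: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
}

// sign generates a P-256 key (kubeadm defaults to RSA; ECDSA keeps the example quick) and signs tmpl with
// parentKey; a nil parent gives a self-signed root. Such roots are throwaway stand-ins, not kubeadm's ca.crt.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA builds a root named cn (kubernetes-ca or etcd-ca).
func NewCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// Issue signs a leaf for r under ca with the "kind" table's key usage: digital signature,
// key encipherment, and the EKU(s) of its kind.
func Issue(r Row, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: r.CN, Organization: r.O},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, ExtKeyUsage: r.Kind}
	for _, h := range r.SANs {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	cert, _, err := sign(tmpl, ca, caKey)
	return cert, err
}

// Check audits cert against r: subject, key-usage bits, every required SAN, and a chain to parent restricted to
// the row's EKU. A leaf from the other CA, or a server cert where a client cert is expected, fails here by design.
func Check(cert *x509.Certificate, r Row, parent *x509.Certificate) error {
	if cert.Subject.CommonName != r.CN || fmt.Sprint(cert.Subject.Organization) != fmt.Sprint(r.O) {
		return fmt.Errorf("subject CN=%q O=%v, want CN=%q O=%v", cert.Subject.CommonName, cert.Subject.Organization, r.CN, r.O)
	}
	const ku = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	if cert.KeyUsage&ku != ku {
		return fmt.Errorf("key usage %#x lacks digital signature / key encipherment", cert.KeyUsage)
	}
	for _, h := range r.SANs {
		if err := cert.VerifyHostname(h); err != nil {
			return fmt.Errorf("missing SAN %q: %v", h, err)
		}
	}
	roots := x509.NewCertPool()
	roots.AddCert(parent)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: r.Kind})
	return err
}

func main() {
	k8sCA, k8sKey, _ := NewCA("kubernetes-ca")
	etcdCA, _, _ := NewCA("etcd-ca")
	r := Table["kube-apiserver-etcd-client"]
	leaf, _ := Issue(r, k8sCA, k8sKey) // deliberately issued by the wrong CA
	fmt.Println("against kubernetes-ca:", Check(leaf, r, k8sCA), "/ against etcd-ca:", Check(leaf, r, etcdCA))
}
```

To audit a real kubeadm installation, load each file under /etc/kubernetes/pki with pem.Decode and x509.ParseCertificate in place of Issue and pass the matching CA certificate as parent; the rows are what the checks are against, the throwaway CAs only make the example self-contained. The EKU given to Verify comes from the row, so the same function rejects a server certificate offered where a client certificate is expected.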
Related files
filename | command | comment |
---|---|---|
admin.conf | kubectl | configures the administrator account for the cluster |
kubelet.conf | kubelet | one is required for each node in the cluster |
controller-manager.conf | kube-controller-manager | must be added to the manifest `/etc/kubernetes/manifests/kube-controller-manager.yaml` |
scheduler.conf | kube-scheduler | must be added to the manifest `/etc/kubernetes/manifests/kube-scheduler.yaml` |