\u670d\u52a1\u7aef\uff1a\u5236\u4f5c\u4e00\u5bf9\u79d8\u94a5\uff0c\u79c1\u94a5\u548c\u516c\u94a5\uff0c\u516c\u94a5\u53d1\u7ed9\u6240\u6709\u7684\u5ba2\u6237\u7aef\n\n#1\u3001\u5ba2\u6237\u7aef----\u53d1\u9001\u6570\u636e\u7ed9---\u300b\u670d\u52a1\u7aef\uff1a\n\u5982\u4f55\u4fdd\u8bc1\u5ba2\u6237\u7aef\u53d1\u5f80\u670d\u52a1\u7aef\u7684\u6570\u636e\u4e0d\u88ab\u7a83\u53d6\u5462\uff1f\uff1f\uff1f\n\n\u5ba2\u6237\u7aef\u7528\u516c\u94a5\u52a0\u5bc6\n\u670d\u52a1\u7aef\u7528\u79c1\u94a5\u89e3\u5bc6\n\n#2\u3001\u670d\u52a1\u7aef---\u53d1\u9001\u6570\u636e\u7ed9---\u300b\u5ba2\u6237\u7aef\n\u5982\u4f55\u4fdd\u8bc1\u53d1\u9001\u7684\u6570\u636e\u4e0d\u88ab\u7be1\u6539\u5462\uff1f\uff1f\uff1f\n\n\u670d\u52a1\u7aef\u5148\u5c06\u660e\u6587\u6570\u636e\u505ahash\u6821\u9a8c\uff0c\u5f97\u5230\u4e00\u4e2ahash\u503c\u79f0\u4e4b\u4e3adigest\u6458\u8981\n\u7136\u540e\u5c06hash\u503c\u7528\u79c1\u94a5\u52a0\u5bc6\uff0c\u5f97\u5230\u7684\u5185\u5bb9\u79f0\u4e4b\u4e3a\u6570\u5b57\u7b7e\u540d\uff0c\u5373signature\n\u7136\u540e\u6570\u5b57\u7b7e\u540d\u9644\u5728\u660e\u6587\u6570\u636e\u4e2d\u53d1\u9001\u7ed9\u5ba2\u6237\u7aef\n\n\u5ba2\u6237\u7aef\u6536\u5230\u540e\uff0c\u7528\u516c\u94a5\u89e3\u5f00\uff0c\u5c31\u5f97\u5230\u4e86\u6570\u5b57\u7b7e\u540d\uff0c\u7136\u540e\u7528\u76f8\u540c\u7684hash\u7b97\u6cd5\u8ba1\u7b97\u660e\u6587\u6570\u636e\uff0c\u5982\u679c\u5f97\u5230\u7684\u503c\u4e0e\u6570\u636e\u7b7e\u540d\u4e00\u81f4\uff0c\u8bc1\u660e\u6570\u636e\u6ca1\u6709\u88ab\u7be1\u6539\n\n#3\u3001\u6709\u4eba\u4f1a\u5c06\u81ea\u5df1\u4f2a\u9020\u6210\u670d\u52a1\u7aef\uff0c\u7136\u540e\u5236\u4f5c\u5bc6\u94a5\u5bf9\uff0c\u5c06\u5ba2\u6237\u7aef\u7684\u516c\u94a5\u66ff\u6362\u6210\u81ea\u5df1\u7684\uff0c\u7136\u540e\u7528\u81ea\u5df1\u7684\u79c1\u94a5\u52a0\u5bc6\u6570\u636e\u53d1\u7ed9\u5ba2\u6237\u7aef\uff0c\u4e3a\u4e86\u9632\u6b62\u8fd9\u4ef6\u4e8b\uff0c\u600e\u4e48\u505a\u5462\uff1f\uff1f\uff1f\n\uff081\uff09\u670d\u52a1\u7aef\u9700\u8981\u628a\u81ea\u5df1\u7684\u516c\u94a5\u53bbCA\u4e2d\u5fc3\u8fd9\u4e2a\u6743\u5a01\u673a\u6784\u8ba4\u8bc1\u4e00\u4e0b\uff0cCA\u4e2d\u5fc3\u4f1a\u7528\u81ea\u5df1\u7684\u79c1\u94a5\u5c06\u670d\u52a1\u7aef\u7684\u516c\u94a5\u52a0\u5bc6\uff0c\u5f97\u5230\u7684\u5185\u5bb9\u79f0\u4e4b\u4e3a\u6570\u5b57\u8bc1\u4e66Digital Certificate\n\n\uff082\uff09\u670d\u52a1\u7aef\u53d1\u9001\u6570\u636e\u4f1a\u9644\u4e0a\u6570\u5b57\u7b7e\u540d\u4e0eCA\u4e2d\u5fc3\u53d1\u5e03\u7684\u6570\u5b57\u8bc1\u4e66\u4e00\u8d77\u7ed9\u5ba2\u6237\u7aef\n\n\uff083\uff09\u5ba2\u6237\u7aef\u4f1a\u4eceCA\u4e2d\u5fc3\u4e2d\u83b7\u53d6\u516c\u94a5\u6765\u89e3\u5bc6\uff0c\u4ece\u800c\u62ff\u5230\u670d\u52a1\u7aef\u7684\u51c6\u786e\u516c\u94a5\uff0c\u7136\u540e\u7528\u51c6\u786e\u7684\u516c\u94a5\u6765\u89e3\u5bc6\u670d\u52a1\u7aef\u6570\u636e\u3002\u3002\u3002\uff08\u6d4f\u89c8\u5668\u57fa\u672c\u90fd\u5185\u7f6e\u5404\u5927\u6743\u5a01\u673a\u6784\u7684CA\u516c\u94a5\uff09\n\n\u8865\u51451\uff1a\u6570\u5b57\u8bc1\u4e66\u5305\u542b\u5982\u4e0b\u5185\u5bb9\uff1a\n1.\u7533\u8bf7\u8005\u516c\u94a5\n2.\u7533\u8bf7\u8005\u7ec4\u7ec7\u548c\u4e2a\u4eba\u4fe1\u606f\n3.\u7b7e\u53d1\u673a\u6784CA\u4fe1\u606f\uff0c\u6709\u6548\u65f6\u95f4\uff0c\u5e8f\u5217\u53f7\u7b49\n4.\u4ee5\u4e0a\u4fe1\u606f\u7684\u7b7e\u540d\n\n\u8865\u51452\uff1a\u6839\u8bc1\u4e66\u53c8\u540d\u81ea\u7b7e\u540d\u8bc1\u4e66\uff0c\u4e5f\u5c31\u662f\u81ea\u5df1\u7ed9\u81ea\u5df1\u9881\u53d1\u7684\u8bc1\u4e66\u3002CA(Certificate Authority)\u88ab\u79f0\u4e3a\u8bc1\u4e66\u6388\u6743\u4e2d\u5fc3\uff0c\nk8s\u4e2d\u7684ca\u8bc1\u4e66\u5c31\u662f\u6839\u8bc1\u4e66\u3002<\/code><\/pre>\n\u4e8c CA\u8bc1\u4e66\u7684\u521b\u5efa\u53ca\u5206\u53d1<\/h1>\n
\u5148\u5728manager\u7ba1\u7406\u8282\u70b9\u521b\u5efa\u597dca\u8bc1\u4e66\uff0c\u7136\u540e\u5206\u53d1\u7ed9\u6240\u6709\u5176\u4ed6\u8282\u70b9\uff0c\u4ee5\u540e\u5176\u4ed6\u8282\u70b9\u5c31\u53ef\u4ee5\u7528\u8be5ca\u8bc1\u4e66\u6765\u4e3a\u81ea\u5df1\u7b7e\u53d1\u6570\u5b57\u8bc1\u4e66\u4e86<\/p>\n
ca\u8fd9\u4e2a\u6839\u8bc1\u4e66\u53ef\u4ee5\u4e3a\u5176\u4ed6\u4eba\u7b7e\u53d1\u7684\u8bc1\u4e66\u6709\u670d\u52a1\u7aef\u548c\u5ba2\u6237\u7aef\u4e24\u79cd\uff0c\u670d\u52a1\u7aef\u4e3b\u8981\u7528\u4e8e\u522b\u4eba\u6765\u8bbf\u95ee\u81ea\u5df1\uff0c\u5ba2\u6237\u7aef\u5219\u7528\u4e8e\u81ea\u5df1\u53bb\u8bbf\u95ee\u522b\u4eba<\/p>\n
\u5982\u4e0b\u6211\u4eec\u7684ca-config.json\u4e2d\u7684server auth\u5e76\u4e14client auth\uff0c\u6307\u7684\u662f\u6211\u4eec\u7684\u8fd9\u4e2aca\u65e2\u53ef\u4ee5\u7b7e\u53d1\u670d\u52a1\u7aef\u7684\u8bc1\u4e66\u3001\u53c8\u53ef\u4ee5\u7b7e\u53d1\u5ba2\u6237\u7aef\u7684\u8bc1\u4e66<\/p>\n
#1\u3001\u5728manager\u8282\u70b9\u5b89\u88c5CFSSL\ncd \/usr\/local\/src\nwget https:\/\/pkg.cfssl.org\/R1.2\/cfssl_linux-amd64\nwget https:\/\/pkg.cfssl.org\/R1.2\/cfssljson_linux-amd64\nwget https:\/\/pkg.cfssl.org\/R1.2\/cfssl-certinfo_linux-amd64\nchmod +x cfssl* # \u589e\u52a0\u6267\u884c\u6743\u9650\n\nmv cfssl-certinfo_linux-amd64 \/opt\/kubernetes\/bin\/cfssl-certinfo\nmv cfssljson_linux-amd64 \/opt\/kubernetes\/bin\/cfssljson\nmv cfssl_linux-amd64 \/opt\/kubernetes\/bin\/cfssl\n\n#2\u3001\u628amanager\u8282\u70b9\u4e0a\u7684cfssl\u547d\u4ee4\u6587\u4ef6\u5230\u6240\u6709\u5176\u4ed6\u8282\u70b9\u4e0a\n#!\/bin\/bash\nfor i in 'master01' 'master02' 'master03' 'node01' 'node02' 'node03' 'manager'\ndo\n scp \/opt\/kubernetes\/bin\/cfssl* root@$i:\/opt\/kubernetes\/bin\ndone\n\n#3\u3001\u5728manager\u8282\u70b9\u4e0a\u521b\u5efa\u7528\u6765\u751f\u6210CA\u6587\u4ef6\u7684JSON\u914d\u7f6e\u6587\u4ef6\ncd \/usr\/local\/src\nmkdir ssl && cd ssl\n\ncat > ca-config.json << EOF\n{\n "signing": {\n "default": {\n "expiry": "175200h"\n },\n "profiles": {\n "kubernetes": {\n "usages": [\n "signing",\n "key encipherment",\n "server auth",\n "client auth"\n ],\n "expiry": "175200h"\n }\n }\n }\n}\n\nEOF\n\n==============\u300b\u77e5\u8bc6\u70b9\u300a=============\nca-config.json\uff1a\u53ef\u4ee5\u5b9a\u4e49\u591a\u4e2a profiles\uff0c\u5206\u522b\u6307\u5b9a\u4e0d\u540c\u7684\u8fc7\u671f\u65f6\u95f4\u3001\u4f7f\u7528\u573a\u666f\u7b49\u53c2\u6570\uff1b\u540e\u7eed\u5728\u7b7e\u540d\u8bc1\u4e66\u65f6\u4f7f\u7528\u67d0\u4e2a profile\uff1b\u6b64\u5b9e\u4f8b\u53ea\u6709\u4e00\u4e2akubernetes\u6a21\u677f\u3002\nsigning\uff1a\u8868\u793a\u8be5\u8bc1\u4e66\u53ef\u7528\u4e8e\u7b7e\u540d\u5176\u5b83\u8bc1\u4e66\uff1b\u751f\u6210\u7684 ca.pem \u8bc1\u4e66\u4e2d CA=TRUE\uff1b\nserver auth\uff1a\u8868\u793aclient\u53ef\u4ee5\u7528\u8be5 CA \u5bf9server\u63d0\u4f9b\u7684\u8bc1\u4e66\u8fdb\u884c\u9a8c\u8bc1\uff1b\nclient auth\uff1a\u8868\u793aserver\u53ef\u4ee5\u7528\u8be5CA\u5bf9client\u63d0\u4f9b\u7684\u8bc1\u4e66\u8fdb\u884c\u9a8c\u8bc1\uff1b\n\nclient certificate\uff1a \u5ba2\u6237\u7aef\u4f7f\u7528\uff0c\u7528\u4e8e\u670d\u52a1\u7aef\u8ba4\u8bc1\u5ba2\u6237\u7aef,\u4f8b\u5982etcdctl\u3001etcd proxy\u3001fleetctl\u3001docker\u5ba2\u6237\u7aef\u3002\nserver certificate: \u670d\u52a1\u7aef\u4f7f\u7528\uff0c\u5ba2\u6237\u7aef\u4ee5\u6b64\u9a8c\u8bc1\u670d\u52a1\u7aef\u8eab\u4efd,\u4f8b\u5982docker\u670d\u52a1\u7aef\u3001kube-apiserver\u3002\npeer certificate: \u53cc\u5411\u8bc1\u4e66\uff08server auth\u4e0eclient auth\u540c\u65f6\u5f00\u542f\uff09\uff0c\u7528\u4e8eetcd\u96c6\u7fa4\u6210\u5458\u95f4\u901a\u4fe1(\u7528\u8fd9\u79cd\u5c31\u884c\u4e86\uff0c\u7701\u4e8b\uff0c\u6bd4\u5982\u4e0a\u9762\u521b\u5efa\u7684kubernetes\u5c31\u5c5e\u4e8e\u8fd9\u7c7b)\n\n\u4e5f\u53ef\u4ee5\u5982\u4e0b\u914d\u7f6e\n{\n "signing": {\n "default": {\n "expiry": "175200h"\n },\n "profiles": {\n "server": {\n "expiry": "175200h",\n "usages": [\n "signing",\n "key encipherment",\n "server auth"\n ]\n },\n "client": {\n "expiry": "175200h",\n "usages": [\n "signing",\n "key encipherment",\n "client auth"\n ]\n },\n "peer": {\n "expiry": "175200h",\n "usages": [\n "signing",\n "key encipherment",\n "server auth",\n "client auth"\n ]\n }\n }\n }\n}\n\n#4\u3001\u5728manager\u8282\u70b9\u4e0a\u521b\u5efa\u7528\u6765\u751f\u6210 CA \u8bc1\u4e66\u7b7e\u540d\u8bf7\u6c42\uff08CSR\uff09\u7684 JSON \u914d\u7f6e\u6587\u4ef6\n\ncat > \/usr\/local\/src\/ssl\/ca-csr.json << EOF\n\n{\n "CN": "kubernetes",\n "key": {\n "algo": "rsa",\n "size": 2048\n },\n "names": [\n {\n "C": "CN",\n "ST": "BeiJing",\n "L": "BeiJing",\n "O": "k8s",\n "OU": "ops"\n }\n ]\n}\n\nEOF\n\n==============\u300b\u77e5\u8bc6\u70b9\u300a=============\nCN: Common Name\uff0c\u6d4f\u89c8\u5668\u4f7f\u7528\u8be5\u5b57\u6bb5\u9a8c\u8bc1\u7f51\u7ad9\u662f\u5426\u5408\u6cd5\uff0c\u4e00\u822c\u5199\u7684\u662f\u57df\u540d\u3002\u975e\u5e38\u91cd\u8981\u3002\u6d4f\u89c8\u5668\u4f7f\u7528\u8be5\u5b57\u6bb5\u9a8c\u8bc1\u7f51\u7ad9\u662f\u5426\u5408\u6cd5\nC: Country\uff0c \u56fd\u5bb6\nST: State\uff0c\u5dde\uff0c\u7701\nL: Locality\uff0c\u5730\u533a\uff0c\u57ce\u5e02\nO: Organization Name\uff0c\u7ec4\u7ec7\u540d\u79f0\uff0c\u516c\u53f8\u540d\u79f0\nOU: Organization Unit Name\uff0c\u7ec4\u7ec7\u5355\u4f4d\u540d\u79f0\uff0c\u516c\u53f8\u90e8\u95e8\n\n#5\u3001\u5728manager\u8282\u70b9\u4e0a\u751f\u6210CA\u8bc1\u4e66\uff08ca.pem\uff09\u548c\u5bc6\u94a5\uff08ca-key.pem\uff09\ncd \/usr\/local\/src\/ssl\/\n\n#\u751f\u6210\u8bc1\u4e66\u548c\u5bc6\u94a5,\u6ce8\u610f\u547d\u4ee4\u672b\u5c3e\u4e0d\u8981\u6709\u7a7a\u683c\uff0c\u4f1a\u751f\u6210ca.csr,ca.pem,ca-key.pem\ncfssl gencert -initca ca-csr.json | cfssljson -bare ca\n\n\u5176\u4e2dca-key.pem\u662fca\u7684\u79c1\u94a5\uff0cca.csr\u662f\u4e00\u4e2a\u7b7e\u7f72\u8bf7\u6c42\uff0cca.pem\u662fCA\u8bc1\u4e66\uff0c\u662f\u540e\u9762kubernetes\u7ec4\u4ef6\u4f1a\u7528\u5230\u7684RootCA\u3002\n\n#6\u3001\u628a\u7ba1\u7406\u8282\u70b9\u751f\u6210\u7684\u8bc1\u4e66\u5206\u53d1\u5230\u6240\u6709\u5176\u4ed6\u8282\u70b9\n#!\/bin\/bash\nfor i in 'master01' 'master02' 'master03' 'node01' 'node02' 'node03' 'manager'\ndo\n scp ca.csr ca.pem ca-key.pem ca-config.json root@$i:\/opt\/kubernetes\/ssl\/\ndone\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u4e00 k8s\u8bc1\u4e66\u4ecb\u7ecd \u8bc1\u4e66\u539f\u7406\u7b80\u4ecb\uff1ahttp:\/\/www.ruanyifeng.com\/blog\/2011\/08 […]<\/p>\n","protected":false},"author":3,"featured_media":6564,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[414,412],"tags":[],"_links":{"self":[{"href":"https:\/\/egonlin.com\/index.php?rest_route=\/wp\/v2\/posts\/6577"}],"collection":[{"href":"https:\/\/egonlin.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/egonlin.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/egonlin.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/egonlin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6577"}],"version-history":[{"count":0,"href":"https:\/\/egonlin.com\/index.php?rest_route=\/wp\/v2\/posts\/6577\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/egonlin.com\/index.php?rest_route=\/wp\/v2\/media\/6564"}],"wp:attachment":[{"href":"https:\/\/egonlin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6577"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/egonlin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6577"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/egonlin.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}