您好,欢迎来到网暖!

当前位置:网暖 » 站长资讯 » 建站基础 » 网络技术 » 文章详细 订阅RssFeed

Kubernetes/K8s CFSSL 证书相关

来源:网络整理 浏览:319次 时间:2020-08-15

Kubernetes/K8s CFSSL 证书相关
各节点访问之间使用证书验证可靠性
work node ——> load banlancer ——>api server ——>etcd<——etcd
worknode 访问load banlancer 需要验证证书的有限性 所以需要同一个ca根证书,同理其他也是 etcd 由于需要互访所以是双向证书
1,使用CFSSL签发生成证书

curl -s -L -o /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64curl -s -L -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64curl -s -L -o /bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64chmod +x /bin/cfssl*

容器相关证书类型

client certificate: 用于服务端认证客户端,例如etcdctl、etcd proxy、fleetctl、docker客户端
server certificate: 服务端使用,客户端以此验证服务端身份,例如docker服务端、kube-apiserver
peer certificate: 双向证书,用于etcd集群成员间通信

创建生成CA根证书

##生成默认CA配置mkdir /opt/sslcd /opt/sslcfssl print-defaults config > ca-config.jsoncfssl print-defaults csr > ca-csr.json####################修改ca-config.json,分别配置针对三种不同证书类型的profile,其中有效期43800h为5年{"signing": {    "default": {        "expiry": "43800h"    },    "profiles": {        "server": {            "expiry": "43800h",            "usages": [                "signing",                "key encipherment",                "server auth"            ]        },        "client": {            "expiry": "43800h",            "usages": [                "signing",                "key encipherment",                "client auth"            ]        },        "peer": {            "expiry": "43800h",            "usages": [                "signing",                "key encipherment",                "server auth",                "client auth"            ]        }    }}}##字段说明##ca-config.json:可以定义多个 profiles,分别指定不同的过期时间、使用场景等参数;后续在签名证书时使用某个 profile;##signing:表示该证书可用于签名其它证书;生成的 ca.pem 证书中 CA:TRUE;##server auth:表示client可以用该 CA 对server提供的证书进行验证;##client auth:表示server可以用该CA对client提供的证书进行验证;

修改ca-csr.json

{"CN": "Self Signed Ca","key": {    "algo": "rsa",    "size": 2048},"names": [    {        "C": "CN",        "L": "SH",        "O": "Netease",        "ST": "SH",                    "OU": "OT"    }    ]}#######字段说明“CN”:Common Name,kube-apiserver 从证书中提取该字段作为请求的用户名 (User Name);“O”:Organization,kube-apiserver 从证书中提取该字段作为请求用户所属的组 (Group);“C”: Country, 国家“L”: Locality,地区,城市“O”: Organization Name,组织名称,公司名称“OU”: Organization Unit Name,组织单位名称,公司部门“ST”: State,州,省

生成CA证书和私钥

cfssl gencert -initca ca-csr.json | cfssljson -bare ca##生成ca.pem、ca.csr、ca-key.pem(CA私钥,需妥善保管)

签发Server Certificate,client Certificate,peer Certificate,注其中的hosts 地址 和cn名称 ,其他正文格式都是一样

cfssl print-defaults csr > server.jsonvim server.json{    "CN": "Server",    "hosts": [        "192.168.1.1"       ],    "key": {        "algo": "rsa",        "size": 2048    },    "names": [        {            "C": "CN",            "L": "SH",            "ST": "SH"        }    ]}##生成服务端证书和私钥cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server

验证证书

openssl x509 -in server.pem -text -nooutCertificate:    Data:        Version: 3 (0x2)        Serial Number:            6f:25:cf:8d:42:1e:c8:2d:b8:78:95:d1:f4:0a:25:8e:bb:48:53:9d    Signature Algorithm: sha256WithRSAEncryption        Issuer: C=CN, ST=San Francisco, L=Chongqing, CN=test        Validity            Not Before: Feb 13 11:35:00 2019 GMT            Not After : Feb 13 11:35:00 2020 GMT        Subject: C=US, ST=San Francisco, L=CA, CN=etcd        Subject Public Key Info:            Public Key Algorithm: rsaEncryption                Public-Key: (2048 bit)                Modulus:                    00:b6:79:4d:af:27:a0:c9:0e:8a:d0:8c:25:d4:12:                    f7:22:21:45:ce:80:25:e5:c6:0b:47:fe:ba:79:c7:                    aa:14:d6:51:be:45:2d:92:49:a5:07:37:36:66:9b:                    38:a9:9c:9c:0b:cf:91:45:55:7a:20:43:ad:64:09:                    31:bb:25:30:ba:50:20:fe:3b:4e:cf:8c:21:bc:43:                    d8:cf:f4:1b:d6:ed:3b:3e:9d:53:74:89:db:17:4b:                    a7:a2:01:bb:00:36:74:95:a7:cf:0a:24:a1:0d:62:                    6d:47:d3:f4:3a:93:e4:15:df:20:af:59:fb:5f:77:                    9b:76:45:ad:68:24:69:d3:1a:cf:75:ef:3f:6d:19:                    d6:3c:54:76:ec:1b:a3:98:bf:e3:d6:d7:a5:f8:ec:                    12:47:ee:06:ab:ae:31:8b:83:be:43:6e:b9:41:2d:                    82:ff:c6:20:e6:2c:69:d5:81:d4:9a:07:b2:e4:9a:                    40:af:e9:ed:98:4e:c0:27:ef:7c:14:86:cf:6e:6e:                    18:98:1c:d1:d9:dd:4e:a3:10:d3:63:f9:00:d6:3b:                    04:e9:47:54:af:87:db:83:d5:8a:8a:05:f4:e8:38:                    4d:64:e7:ae:b4:5f:3f:6a:18:c8:87:32:7d:24:46:                    72:a8:4a:7f:dd:5c:5b:cf:6a:2f:af:88:bb:b2:d8:                    02:af                Exponent: 65537 (0x10001)        X509v3 extensions:            X509v3 Key Usage: critical                Digital Signature, Key Encipherment            X509v3 Extended Key Usage:                 TLS Web Server Authentication            X509v3 Basic Constraints: critical                CA:FALSE            X509v3 Subject Key Identifier:                 B7:EF:2C:02:18:05:D0:7E:30:63:BB:F9:8F:52:B4:1E:1F:57:4A:C8            X509v3 Authority Key Identifier:                 keyid:3C:58:00:7D:E0:2B:C1:AE:81:88:58:F1:FB:95:45:88:33:28:F7:00            X509v3 Subject Alternative Name:                 IP Address:172.19.0.203, IP Address:172.19.0.204, IP Address:172.19.0.205    Signature Algorithm: sha256WithRSAEncryption         35:8f:af:a7:03:c3:8f:5e:42:ec:10:af:33:c8:4e:b1:0e:d5:         f7:3e:b2:5f:5d:cf:b4:49:15:94:b1:6b:78:3a:b5:fb:95:68:         ab:ff:ff:45:74:f9:5f:17:a7:be:16:c8:92:66:28:d0:7c:6d:         60:0d:82:26:65:01:71:f1:93:0d:0b:44:f3:08:59:9e:d5:89:         d5:8c:83:d1:dc:b2:a5:8f:b6:be:e8:9e:79:3c:62:02:6b:0e:         b0:1e:82:b6:2c:4c:b0:f8:eb:93:20:84:8c:c6:32:69:b3:88:         27:bb:e8:7f:1c:37:01:26:35:0b:9a:61:bf:cc:00:c7:17:80:         61:11:cb:b7:4d:66:85:e6:13:3e:8c:8e:be:ec:47:d1:00:85:         cb:b1:aa:69:6a:49:35:44:43:d9:cf:67:fd:ec:63:50:96:4a:         26:5b:36:c8:72:15:d7:5f:49:e5:30:98:0e:13:58:70:d2:72:         03:02:45:c1:9c:81:dc:e0:e1:1c:f0:a4:e3:13:e1:b8:d4:01:         f7:83:d6:cf:72:ba:46:aa:84:55:57:64:e6:93:bb:bc:68:55:         32:cd:a4:d1:d6:db:e7:e6:9f:4f:1e:8a:24:44:76:42:ec:9d:         4e:d2:5a:7f:74:7b:9a:66:ed:c3:1d:e4:5d:1a:07:ed:c6:fe:         bf:8e:d2:80

表示服务器证书
Kubernetes/K8s CFSSL 证书相关
表示客户端证书
Kubernetes/K8s CFSSL 证书相关
表示双向证书
Kubernetes/K8s CFSSL 证书相关
表示CA证书
Kubernetes/K8s CFSSL 证书相关

推荐站点

  • 腾讯腾讯

    腾讯网(www.QQ.com)是中国浏览量最大的中文门户网站,是腾讯公司推出的集新闻信息、互动社区、娱乐产品和基础服务为一体的大型综合门户网站。腾讯网服务于全球华人用户,致力成为最具传播力和互动性,权威、主流、时尚的互联网媒体平台。通过强大的实时新闻和全面深入的信息资讯服务,为中国数以亿计的互联网用户提供富有创意的网上新生活。

    www.qq.com
  • 搜狐搜狐

    搜狐网是全球最大的中文门户网站,为用户提供24小时不间断的最新资讯,及搜索、邮件等网络服务。内容包括全球热点事件、突发新闻、时事评论、热播影视剧、体育赛事、行业动态、生活服务信息,以及论坛、博客、微博、我的搜狐等互动空间。

    www.sohu.com
  • 网易网易

    网易是中国领先的互联网技术公司,为用户提供免费邮箱、游戏、搜索引擎服务,开设新闻、娱乐、体育等30多个内容频道,及博客、视频、论坛等互动交流,网聚人的力量。

    www.163.com
  • 新浪新浪

    新浪网为全球用户24小时提供全面及时的中文资讯,内容覆盖国内外突发新闻事件、体坛赛事、娱乐时尚、产业资讯、实用信息等,设有新闻、体育、娱乐、财经、科技、房产、汽车等30多个内容频道,同时开设博客、视频、论坛等自由互动交流空间。

    www.sina.com.cn
  • 百度一下百度一下

    百度一下,你就知道

    www.baidu.com