本篇介绍以CA证书的方式配置Kubernetes集群:Master上的kube-apiserver、kube-controller-manager、kube-scheduler进程及各Node上的kubelet、kube-proxy进程均需进行基于CA签名的双向数字证书安全设置。
基于CA签名的双向数字证书的生成过程如下:
1.为kube-apiserver生成一个数字证书,并用CA证书进行签名
2.为kube-apiserver进程配置证书相关的启动参数,包括CA证书(用于验证客户端证书的签名真伪)、自己的经过CA签名后的证书及私钥。
3.为每个访问Kubernetes API Server的客户端进程生成自己的数字证书,也都用CA证书进行签名,在相关程序的启动参数里增加CA证书、自己的证书等相关参数。
1). 设置kube-apiserver的证书相关的文件和启动参数
[root@k8smaster ~]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
....................................................................+++
e is 65537 (0x10001)
[root@k8smaster ~]# openssl req -x509 -new -nodes -key ca.key -subj "/CN=k8smaster" -days 5000 -out ca.crt
[root@k8smaster ~]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
.............................................................................................................+++
e is 65537 (0x10001)
#创建一个master_ssl.cnf配置文件,用来生成证书签名请求文件和证书文件
[root@k8smaster ~]# vim master_ssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.DEFAULT
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = k8smaster
# master IP
IP.1 = 10.2.110.99
# kubernetes.default服务的ClusterIP,查询方法见下面的命令“kubectl get svc kubernetes -o yaml”
IP.2 = 192.96.0.1
#查看kubernetes.default的cluster IP:
[root@k8smaster ~]# kubectl get svc kubernetes -o yaml
apiVersion: v1
kind: Service
metadata:
creationTimestamp: "2022-03-08T09:08:08Z"
labels:
component: apiserver
provider: kubernetes
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:metadata:
f:labels:
.: {}
f:component: {}
f:provider: {}
f:spec:
f:clusterIP: {}
f:ports:
.: {}
k:{"port":443,"protocol":"TCP"}:
.: {}
f:name: {}
f:port: {}
f:protocol: {}
f:targetPort: {}
f:sessionAffinity: {}
f:type: {}
manager: kube-apiserver
operation: Update
time: "2022-03-08T09:08:08Z"
name: kubernetes
namespace: default
resourceVersion: "158"
selfLink: /api/v1/namespaces/default/services/kubernetes
uid: 0605bc1a-7ef3-4d1f-83e2-49ec6e05437b
spec:
clusterIP: 192.96.0.1
ports:
- name: https
port: 443
protocol: TCP
targetPort: 6443
sessionAffinity: None
type: ClusterIP
status:
loadBalancer: {}
#基于master_ssl.cnf创建server.csr和server.crt文件。在生成server.csr时,-subj参数中“/CN”的值需为Master的主机名,本处即为k8smaster。
[root@k8smaster ~]# openssl req -new -key server.key -subj "/CN=k8smaster" -config master_ssl.cnf -out server.csr
[root@k8smaster ~]# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extfile master_ssl.cnf -out server.crt
Signature ok
subject=/CN=k8smaster
Getting CA Private Key
全部执行完会生成6个文件:ca.crt、ca.key、ca.srl(由-CAcreateserial生成的序列号文件)、server.crt、server.csr、server.key。
将其中kube-apiserver需要的文件(ca.crt、server.crt、server.key)复制到一个目录中(例如/var/run/kubernetes/),然后设置kube-apiserver的三个启动参数“--client-ca-file”、“--tls-cert-file”、“--tls-private-key-file”,分别代表CA根证书文件、服务端证书文件和服务端私钥文件。ca.key是签发所有证书的根私钥,应妥善保管并限制读取权限。
#设置kube-apiserver启动参数
# kube-apiserver flags: ca.crt is used to verify client certificates, server.crt/server.key are
# the server's own CA-signed certificate and private key, and 6443 is the TLS port.
# NOTE(review): --insecure-port=0 is not part of this string; until it is added (see the flags
# listed below) the non-secure 8080 port stays open alongside the TLS port.
KUBE_API_ARGS="--client-ca-file=/var/run/kubernetes/ca.crt --tls-private-key-file=/var/run/kubernetes/server.key --tls-cert-file=/var/run/kubernetes/server.crt --secure-port=6443"
同时,可以关闭非安全端口8080,设置安全端口为6443(默认值)。注意非安全端口不做认证,若不关闭,上述双向证书认证仍可被绕过:
--insecure-port=0
--secure-port=6443
#重启kube-apiserver服务
systemctl restart kube-apiserver
2).设置kube-controller-manager的客户端证书、私钥和启动参数
#私钥文件
# Private key for the controller-manager client certificate (RSA 2048).
openssl genrsa -out cs_client.key 2048
# Certificate Signing Request; /CN=k8smaster is the identity presented to the API server.
openssl req -new -key cs_client.key -subj "/CN=k8smaster" -out cs_client.csr
# Sign the CSR with the cluster CA (ca.crt/ca.key from the kube-apiserver step).
# NOTE(review): -days 5000 is a ~13.7-year client certificate; a shorter lifetime limits
# the exposure window if cs_client.key is ever leaked — worth reconsidering.
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -out cs_client.crt
上面用到的ca.crt和ca.key就是前面为kube-apiserver创建CA时生成的文件。可以将生成的cs_client.crt、cs_client.key复制到一个固定目录中(如/var/run/kubernetes/)。
#创建kubeconfig配置文件
vim /etc/kubernetes/kubeconfig
apiVersion: v1
kind: Config
users:
- name: controllermanager
user:
client-certificate: /var/run/kubernetes/cs_client.crt
client-key: /var/run/kubernetes/cs_client.key
clusters:
- name: local
cluster:
certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
cluster: local
user: controllermanager
name: my-context
current-context: my-context
#配置启动参数,重新启动kube-controller-manager
# kube-controller-manager flags: reach the API server over TLS on 6443 and authenticate with
# the client certificate referenced from /etc/kubernetes/kubeconfig.
# NOTE(review): --service-account-key-file is given server.key, the same file kube-apiserver
# uses as its TLS private key (--tls-private-key-file above), so one key both terminates TLS
# and (presumably) is used for service-account tokens; a dedicated key for the latter keeps
# the two roles separate — confirm the flag's meaning for the deployed version.
KUBE_CONTROLLER_MANAGER_ARGS="--master=https://10.2.110.99:6443 --service-account-key-file=/var/run/kubernetes/server.key --root-ca-file=/var/run/kubernetes/ca.crt --kubeconfig=/etc/kubernetes/kubeconfig"
# Restart so the new flags take effect.
systemctl restart kube-controller-manager
3).kube-scheduler配置重启
kube-scheduler复用上一步kube-controller-manager创建的客户端证书
配置启动参数
# kube-scheduler flags: reuse the controller-manager client certificate via the same kubeconfig
# and reach the API server over TLS on 6443.
# NOTE(review): --address=0.0.0.0 makes the scheduler's own listener reachable on every
# interface; unless that endpoint is itself authenticated in the deployed version, binding it
# to a local or firewalled address is the safer default — confirm before relying on it.
KUBE_SCHEDULER_ARGS="--address=0.0.0.0 --master=https://10.2.110.99:6443 --kubeconfig=/etc/kubernetes/kubeconfig"
# Restart the service so the flags take effect.
systemctl restart kube-scheduler
4).Node节点设置客户端证书、私钥、和启动参数
从Master复制ca.crt和ca.key到Node节点上,按照前面的方式生成证书签名请求和证书文件。在生成kubelet_client.csr时将-subj参数中的“/CN”设置为本Node的IP地址或主机名(下例中为k8snode1)。将生成的文件复制到一个目录中(例如/var/run/kubernetes/,需与下面kubeconfig中引用的路径一致)。注意ca.key是签发全部证书的根私钥,分发到每个Node会扩大其泄露面;更稳妥的做法是在Master上为各Node签发证书,只把kubelet_client.crt、kubelet_client.key和ca.crt复制到Node。
# Node-side private key for the kubelet client certificate (RSA 2048).
openssl genrsa -out kubelet_client.key 2048
# CSR for the kubelet client certificate; /CN is the node identity (k8snode1 here).
openssl req -new -key kubelet_client.key -subj "/CN=k8snode1" -out kubelet_client.csr
# Sign the CSR with the cluster CA; ca.key must be readable on the machine running this step.
# NOTE(review): -days 5000 is a ~13.7-year client certificate; a shorter lifetime limits the
# exposure window if kubelet_client.key is ever leaked — worth reconsidering.
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -out kubelet_client.crt
接下来创建/etc/kubernetes/kubeconfig文件(kubelet和kube-proxy进程共用),配置客户端相关参数,内容如下(其中的证书路径需改为上一步实际存放证书的目录):
apiVersion: v1
kind: Config
users:
- name: kubelet
user:
client-certificate: /etc/kubernetes/ssl_keys/kubelet_client.crt #1
client-key: /etc/kubernetes/ssl_keys/kubelet_client.key #2
clusters:
- name: local
cluster:
certificate-authority: /etc/kubernetes/ssl_keys/ca.crt #3
contexts:
- context:
cluster: local
user: kubelet
name: my-context
current-context: my-context
设置启动参数(注意API Server地址需使用https,与上文其他组件保持一致;参数名以所用版本kubelet的--help输出为准)
--apiservers=http://10.2.110.99:6443
--kubeconfig=/etc/kubernetes/kubeconfig
#重启kubelet服务
systemctl restart kubelet
5). 设置kube-proxy的启动参数
kube-proxy 复用上一步kubelet创建的客户端证书,配置启动参数:
--master=https://10.2.110.99:6443
--kubeconfig=/etc/kubernetes/kubeconfig
#重启kube-proxy服务
systemctl restart kube-proxy
测试验证SSL/TLS双向认证(命令中的证书路径按实际存放目录填写)
# kubectl --server=https://10.2.110.99:6443 --certificate-authority=/var/run/kubernetes/ssl_keys/ca.crt --client-certificate=/var/run/kubernetes/ssl_keys/cs_client.crt --client-key=/var/run/kubernetes/ssl_keys/cs_client.key get nodes
NAME STATUS AGE
node1 Ready 5d
node2 Ready 5d
至此,一个基于CA的双向数字证书认证的Kubernetes集群环境就搭建完成了。
本文由 Mr Gu 创作,采用 知识共享署名4.0 国际许可协议进行许可