[zh] Adjust kubeadm-certs.md format

pull/33805/head
Sean Wei 2022-05-18 23:26:36 +08:00
parent 86a5120ea3
commit 64d998e297
1 changed file with 77 additions and 78 deletions


@ -15,11 +15,10 @@ weight: 10
{{< feature-state for_k8s_version="v1.15" state="stable" >}}
<!--
Client certificates generated by [kubeadm](/docs/reference/setup-tools/kubeadm/) expire after 1 year.
<!--
Client certificates generated by [kubeadm](/docs/reference/setup-tools/kubeadm/) expire after 1 year.
This page explains how to manage certificate renewals with kubeadm. It also covers other tasks related
to kubeadm certificate management.
-->
由 [kubeadm](/zh/docs/reference/setup-tools/kubeadm/) 生成的客户端证书在 1 年后到期。
本页说明如何使用 kubeadm 管理证书续订,同时也涵盖其他与 kubeadm 证书管理相关的说明。
@ -42,16 +41,16 @@ You can override this behavior by providing your own certificates.
## 使用自定义的证书 {#custom-certificates}
默认情况下, kubeadm 会生成运行一个集群所需的全部证书。
默认情况下kubeadm 会生成运行一个集群所需的全部证书。
你可以通过提供你自己的证书来改变这个行为策略。
<!--
To do so, you must place them in whatever directory is specified by the
`--cert-dir` flag or the `CertificatesDir`field of kubeadm's `ClusterConfiguration` . By default this
is `/etc/kubernetes/pki`.
`--cert-dir` flag or the `certificatesDir` field of kubeadm's `ClusterConfiguration`.
By default this is `/etc/kubernetes/pki`.
-->
如果要这样做, 你必须将证书文件放置在通过 `--cert-dir` 命令行参数或者 kubeadm 配置中的
`CertificatesDir` 配置项指明的目录中。默认的值是 `/etc/kubernetes/pki`
如果要这样做你必须将证书文件放置在通过 `--cert-dir` 命令行参数或者 kubeadm 配置中的
`certificatesDir` 配置项指明的目录中。默认的值是 `/etc/kubernetes/pki`
<!--
If a given certificate and private key pair exists before running `kubeadm init`,
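Review bot: `certificatesDir` (L31, L37) is the correct spelling; the ClusterConfiguration field in kubeadm's config API is camelCase, as the output of `kubeadm config print init-defaults` shows, whereas `CertificatesDir` (L29, L35) is only the Go struct field name and would not match anything a reader pastes into YAML. The English comment and the Chinese line now agree, which is what the `<!-- -->` sync convention relies on, so nothing further is needed in this hunk.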
@ -60,7 +59,7 @@ CA into `/etc/kubernetes/pki/ca.crt` and `/etc/kubernetes/pki/ca.key`,
and kubeadm will use this CA for signing the rest of the certificates.
-->
如果在运行 `kubeadm init` 之前存在给定的证书和私钥对kubeadm 将不会重写它们。
例如,这意味着可以将现有的 CA 复制到 `/etc/kubernetes/pki/ca.crt`
例如,这意味着可以将现有的 CA 复制到 `/etc/kubernetes/pki/ca.crt`
`/etc/kubernetes/pki/ca.key` 中,而 kubeadm 将使用此 CA 对其余证书进行签名。
<!--
@ -69,7 +68,8 @@ and kubeadm will use this CA for signing the rest of the certificates.
It is also possible to provide only the `ca.crt` file and not the
`ca.key` file (this is only available for the root CA file, not other cert pairs).
If all other certificates and kubeconfig files are in place, kubeadm recognizes
this condition and activates the "External CA" mode. kubeadm will proceed without the CA key on disk.
this condition and activates the "External CA" mode. kubeadm will proceed without the
CA key on disk.
-->
## 外部 CA 模式 {#external-ca-mode}
@ -83,7 +83,7 @@ this condition and activates the "External CA" mode. kubeadm will proceed withou
Instead, run the controller-manager standalone with `--controllers=csrsigner` and
point to the CA certificate and key.
-->
否则, kubeadm 将独立运行 controller-manager附加一个
否则kubeadm 将独立运行 controller-manager附加一个
`--controllers=csrsigner` 的参数,并且指明 CA 证书和密钥。
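Review bot: L62 still reads as if kubeadm itself runs the controller-manager standalone ("kubeadm 将独立运行 controller-manager"), but the English at L58-59 is an instruction to the operator ("Instead, run the controller-manager standalone with `--controllers=csrsigner` and point to the CA certificate and key"). In external CA mode the CA key is deliberately absent from disk, so it is the operator who must run a controller-manager that has access to the key; the spacing fix alone keeps the wrong subject. Suggest something like "取而代之，你需要附加 `--controllers=csrsigner` 参数独立运行 controller-manager，并指向 CA 证书和密钥。"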
<!--
@ -92,12 +92,12 @@ setting up a cluster to use an external CA.
-->
[PKI 证书和要求](/zh/docs/setup/best-practices/certificates/)包括集群使用外部 CA 的设置指南。
<!--
## Check certificate expiration
<!--
## Check certificate expiration
You can use the `check-expiration` subcommand to check when certificates expire:
-->
## 检查证书是否过期
## 检查证书是否过期 {#check-certificate-expiration}
你可以使用 `check-expiration` 子命令来检查证书何时过期
@ -105,8 +105,8 @@ You can use the `check-expiration` subcommand to check when certificates expire:
kubeadm certs check-expiration
```
<!--
The output is similar to this:
<!--
The output is similar to this:
-->
输出类似于以下内容:
@ -129,17 +129,17 @@ etcd-ca Dec 28, 2029 23:36 UTC 9y no
front-proxy-ca Dec 28, 2029 23:36 UTC 9y no
```
<!--
The command shows expiration/residual time for the client certificates in the `/etc/kubernetes/pki` folder and for the client certificate embedded in the KUBECONFIG files used by kubeadm (`admin.conf`, `controller-manager.conf` and `scheduler.conf`).
<!--
The command shows expiration/residual time for the client certificates in the `/etc/kubernetes/pki` folder and for the client certificate embedded in the KUBECONFIG files used by kubeadm (`admin.conf`, `controller-manager.conf` and `scheduler.conf`).
-->
该命令显示 `/etc/kubernetes/pki` 文件夹中的客户端证书以及
kubeadm`admin.conf`, `controller-manager.conf``scheduler.conf`
该命令显示 `/etc/kubernetes/pki` 文件夹中的客户端证书以及
kubeadm`admin.conf`、`controller-manager.conf``scheduler.conf`
使用的 KUBECONFIG 文件中嵌入的客户端证书的到期时间/剩余时间。
<!--
Additionally, kubeadm informs the user if the certificate is externally managed; in this case, the user should take care of managing certificate renewal manually/using other tools.
<!--
Additionally, kubeadm informs the user if the certificate is externally managed; in this case, the user should take care of managing certificate renewal manually/using other tools.
-->
另外, kubeadm 会通知用户证书是否由外部管理;
另外kubeadm 会通知用户证书是否由外部管理;
在这种情况下,用户应该小心的手动/使用其他工具来管理证书更新。
<!--
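Review bot: L106 has an adverb typo ("小心的手动" should use "小心地"), and the sentence as a whole is hard to parse. The English at L102 says the user is responsible for renewal, manually or with other tools, so a clearer rendering is "在这种情况下，用户应自行（手动或借助其他工具）负责证书的更新。" Worth fixing while this paragraph is being touched, since an externally managed certificate silently reaching expiry is exactly the failure this sentence warns about.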
@ -149,7 +149,7 @@ Additionally, kubeadm informs the user if the certificate is externally managed;
`kubeadm` 不能管理由外部 CA 签名的证书
{{< /warning >}}
<!--
<!--
`kubelet.conf` is not included in the list above because kubeadm configures kubelet
for [automatic certificate renewal](/docs/tasks/tls/certificate-rotation/)
with rotatable certificates under `/var/lib/kubelet/pki`.
@ -158,7 +158,7 @@ To repair an expired kubelet client certificate see
-->
{{< note >}}
上面的列表中没有包含 `kubelet.conf`,因为 kubeadm 将 kubelet 配置为
[自动更新证书](/docs/tasks/tls/certificate-rotation/)。
[自动更新证书](/zh/docs/tasks/tls/certificate-rotation/)。
轮换的证书位于目录 `/var/lib/kubelet/pki`
要修复过期的 kubelet 客户端证书,请参阅
[kubelet 客户端证书轮换失败](/zh/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/#kubelet-client-cert)。
@ -183,35 +183,35 @@ client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
```
{{< /warning >}}
<!--
<!--
## Automatic certificate renewal
`kubeadm` renews all the certificates during control plane [upgrade](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-15/).
kubeadm renews all the certificates during control plane [upgrade](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/).
-->
## 自动更新证书
## 自动更新证书 {#automatic-certificate-renewal}
`kubeadm` 会在控制面
kubeadm 会在控制面
[升级](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)
的时候更新所有证书。
<!--
This feature is designed for addressing the simplest use cases;
if you don't have specific requirements on certificate renewal and perform Kubernetes version upgrades regularly (less than 1 year in between each upgrade), kubeadm will take care of keeping your cluster up to date and reasonably secure.
<!--
This feature is designed for addressing the simplest use cases;
if you don't have specific requirements on certificate renewal and perform Kubernetes version upgrades regularly (less than 1 year in between each upgrade), kubeadm will take care of keeping your cluster up to date and reasonably secure.
-->
这个功能旨在解决最简单的用例;如果你对此类证书的更新没有特殊要求,
并且定期执行 Kubernetes 版本升级(每次升级之间的间隔时间少于 1 年),
则 kubeadm 将确保你的集群保持最新状态并保持合理的安全性。
<!--
<!--
It is a best practice to upgrade your cluster frequently in order to stay secure.
-->
{{< note >}}
最佳的做法是经常升级集群以确保安全。
{{< /note >}}
<!--
If you have more complex requirements for certificate renewal, you can opt out from the default behavior by passing `--certificate-renewal=false` to `kubeadm upgrade apply` or to `kubeadm upgrade node`.
<!--
If you have more complex requirements for certificate renewal, you can opt out from the default behavior by passing `--certificate-renewal=false` to `kubeadm upgrade apply` or to `kubeadm upgrade node`.
-->
如果你对证书更新有更复杂的需求,则可通过将 `--certificate-renewal=false` 传递给
`kubeadm upgrade apply` 或者 `kubeadm upgrade node`,从而选择不采用默认行为。
@ -227,16 +227,16 @@ kubeadm 在 1.17 版本之前有一个[缺陷](https://github.com/kubernetes/kub
在这种情况下,你需要显式地设置 `--certificate-renewal=true`
{{< /warning >}}
<!--
## Manual certificate renewal
<!--
## Manual certificate renewal
You can renew your certificates manually at any time with the `kubeadm certs renew` command.
You can renew your certificates manually at any time with the `kubeadm certs renew` command.
-->
## 手动更新证书
## 手动更新证书 {#manual-certificate-renewal}
你能随时通过 `kubeadm certs renew` 命令手动更新你的证书。
<!--
<!--
This command performs the renewal using CA (or front-proxy-CA) certificate and key stored in `/etc/kubernetes/pki`.
After running the command you should restart the control plane Pods. This is required since
@ -249,44 +249,43 @@ The kubelet will terminate the Pod if it's no longer in the manifest directory.
You can then move the file back and after another `fileCheckFrequency` period, the kubelet will recreate
the Pod and the certificate renewal for the component can complete.
-->
此命令用 CA (或者 front-proxy-CA )证书和存储在 `/etc/kubernetes/pki` 中的密钥执行更新。
此命令用 CA或者 front-proxy-CA )证书和存储在 `/etc/kubernetes/pki` 中的密钥执行更新。
执行完此命令之后你需要重启控制面 Pods。因为动态证书重载目前还不被所有组件和证书支持所有这项操作是必须的。
[静态 Pods](/zh/docs/tasks/configure-pod-container/static-pod/) 是被本地 kubelet 而不是 API Server 管理,
所以 kubectl 不能用来删除或重启他们。
要重启静态 Pod 你可以临时将清单文件从 `/etc/kubernetes/manifests/` 移除并等待 20 秒
(参考 [KubeletConfiguration 结构](/docs/reference/config-api/kubelet-config.v1beta1/) 中的`fileCheckFrequency` 值)。
(参考 [KubeletConfiguration 结构](/zh/docs/reference/config-api/kubelet-config.v1beta1/) 中的`fileCheckFrequency` 值)。
如果 Pod 不在清单目录里kubelet 将会终止它。
在另一个 `fileCheckFrequency` 周期之后你可以将文件移回去,为了组件可以完成 kubelet 将重新创建 Pod 和证书更新。
<!--
If you are running an HA cluster, this command needs to be executed on all the control-plane nodes.
<!--
If you are running an HA cluster, this command needs to be executed on all the control-plane nodes.
-->
{{< warning >}}
如果你运行了一个 HA 集群,这个命令需要在所有控制面板节点上执行。
{{< /warning >}}
<!--
` certs renew` uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
<!--
`certs renew` uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
-->
{{< note >}}
`certs renew` 使用现有的证书作为属性 (Common Name、Organization、SAN 等) 的权威来源,
而不是 kubeadm-config ConfigMap 。强烈建议使它们保持同步。
`certs renew` 使用现有的证书作为属性Common Name、Organization、SAN 等)的权威来源,
而不是 kubeadm-config ConfigMap。强烈建议使它们保持同步。
{{< /note >}}
<!--
`kubeadm certs renew` provides the following options:
-->
`kubeadm certs renew`提供以下选项:
`kubeadm certs renew` 提供以下选项:
<!--
The Kubernetes certificates normally reach their expiration date after one year.
-->
Kubernetes 证书通常在一年后到期。
<!--
- `--csr-only` can be used to renew certificats with an external CA by generating certificate signing requests (without actually renewing certificates in place); see next paragraph for more information.
<!--
- `--csr-only` can be used to renew certificates with an external CA by generating certificate signing requests (without actually renewing certificates in place); see next paragraph for more information.
- It's also possible to renew a single certificate instead of all.
-->
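Review bot: several context lines in this hunk carry errors that should go in the same pass. L187 "所有这项操作是必须的" should read "所以" (therefore); L189 "他们" should be "它们" when referring to Pods; L201 "控制面板节点" means "control panel" and should be "控制平面节点" (control-plane nodes), which matters because this warning is the only place telling HA operators to run `kubeadm certs renew` on every control-plane node. L194 also garbles the English at L182-183; suggest "然后你可以将文件移回去，再经过一个 `fileCheckFrequency` 周期后，kubelet 会重新创建该 Pod，该组件的证书更新即可完成。" The fixes at L206 (stray leading space in `` ` certs renew` ``) and L226 ("certificats") are good.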
@ -297,14 +296,14 @@ Kubernetes 证书通常在一年后到期。
<!--
## Renew certificates with the Kubernetes certificates API
This section provide more details about how to execute manual certificate renewal using the Kubernetes certificates API.
This section provides more details about how to execute manual certificate renewal using the Kubernetes certificates API.
-->
## 用 Kubernetes 证书 API 更新证书
## 用 Kubernetes 证书 API 更新证书 {#renew-certificates-with-the-kubernetes-certificates-api}
本节提供有关如何使用 Kubernetes 证书 API 执行手动证书更新的更多详细信息。
<!--
These are advanced topics for users who need to integrate their organization's certificate infrastructure into a kubeadm-built cluster. If the default kubeadm configuration satisfies your needs, you should let kubeadm manage certificates instead.
<!--
These are advanced topics for users who need to integrate their organization's certificate infrastructure into a kubeadm-built cluster. If the default kubeadm configuration satisfies your needs, you should let kubeadm manage certificates instead.
-->
{{< caution >}}
这些是针对需要将其组织的证书基础结构集成到 kubeadm 构建的集群中的用户的高级主题。
@ -317,10 +316,10 @@ These are advanced topics for users who need to integrate their organization's c
The Kubernetes Certificate Authority does not work out of the box.
You can configure an external signer such as [cert-manager](https://cert-manager.io/docs/configuration/ca/), or you can use the built-in signer.
The built-in signer is part of [`kube-controller-manager`](/docs/reference/command-line-tools-reference/kube-controller-manager/).
To activate the build-in signer, you must pass the `--cluster-signing-cert-file` and `--cluster-signing-key-file` flags.
To activate the built-in signer, you must pass the `--cluster-signing-cert-file` and `--cluster-signing-key-file` flags.
-->
### 设置一个签名者Signer
### 设置一个签名者Signer {#set-up-a-signer}
Kubernetes 证书颁发机构不是开箱即用。你可以配置外部签名者,例如 [cert-manager](https://cert-manager.io/docs/configuration/ca/)
也可以使用内置签名者。
@ -343,10 +342,10 @@ controllerManager:
cluster-signing-key-file: /etc/kubernetes/pki/ca.key
```
<!--
<!--
### Create certificate signing requests (CSR)
-->
### 创建证书签名请求 (CSR)
### 创建证书签名请求 (CSR) {#create-certificate-signing-requests-csr}
<!--
See [Create CertificateSigningRequest](/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest) for creating CSRs with the Kubernetes API.
@ -357,9 +356,9 @@ See [Create CertificateSigningRequest](/docs/reference/access-authn-authz/certif
<!--
## Renew certificates with external CA
This section provides more details about how to execute manual certificate renewal using an external CA.
This section provide more details about how to execute manual certificate renewal using an external CA.
-->
## 通过外部 CA 更新证书
## 通过外部 CA 更新证书 {#renew-certificates-with-external-ca}
本节提供有关如何使用外部 CA 执行手动更新证书的更多详细信息。
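Review bot: L271 replaces "provides" with "provide", which is ungrammatical, while the same sentence in the Kubernetes-API section goes the other way at L233 ("provide" to "provides"). If the intent is to mirror the English source comment verbatim so that the sync tooling diffs cleanly, say so in the PR description and open a fix for the English page; otherwise keep "provides" here.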
@ -372,8 +371,8 @@ In kubeadm terms, any certificate that would normally be signed by an on-disk CA
CSR 表示向 CA 请求客户的签名证书。
在 kubeadm 术语中,通常由磁盘 CA 签名的任何证书都可以作为 CSR 生成。但是CA 不能作为 CSR 生成。
<!--
### Create certificate signing requests (CSR)
<!--
### Create certificate signing requests (CSR)
You can create certificate signing requests with `kubeadm certs renew --csr-only`.
@ -381,13 +380,13 @@ Both the CSR and the accompanying private key are given in the output.
You can pass in a directory with `--csr-dir` to output the CSRs to the specified location.
If `--csr-dir` is not specified, the default certificate directory (`/etc/kubernetes/pki`) is used.
-->
### 创建证书签名请求 (CSR)
### 创建证书签名请求 (CSR) {#create-certificate-signing-requests-csr-1}
你可以通过 `kubeadm certs renew --csr-only` 命令创建证书签名请求。
CSR 和随附的私钥都在输出中给出。
你可以传入一个带有 `--csr-dir` 的目录,将 CRS 输出到指定位置。
如果未指定 `--csr-dir` ,则使用默认证书目录(`/etc/kubernetes/pki`)。
如果未指定 `--csr-dir`,则使用默认证书目录(`/etc/kubernetes/pki`)。
<!--
Certificates can be renewed with `kubeadm certs renew --csr-only`.
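Review bot: L292 has "CRS" where "CSR" is meant ("将 CSR 输出到指定位置"). The explicit anchor `{#create-certificate-signing-requests-csr-1}` at L289 is right: this is the second heading with that text in the file (the first is at L264), so Hugo would have generated the `-1` suffix automatically and existing deep links keep working.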
@ -406,7 +405,7 @@ when issuing a certificate.
CSR 中包含一个证书的名字,域和 IP但是未指定用法。
颁发证书时CA 有责任指定[正确的证书用法](/zh/docs/setup/best-practices/certificates/#all-certificates)
<!--
<!--
* In `openssl` this is done with the
[`openssl ca` command](https://superuser.com/questions/738612/openssl-ca-keyusage-extension).
* In `cfssl` you specify
@ -419,8 +418,8 @@ CSR 中包含一个证书的名字,域和 IP但是未指定用法。
[在配置文件中指定用法](https://github.com/cloudflare/cfssl/blob/master/doc/cmd/cfssl.txt#L170)
来完成的。
<!--
After a certificate is signed using your preferred method, the certificate and the private key must be copied to the PKI directory (by default `/etc/kubernetes/pki`).
<!--
After a certificate is signed using your preferred method, the certificate and the private key must be copied to the PKI directory (by default `/etc/kubernetes/pki`).
-->
使用首选方法对证书签名后,必须将证书和私钥复制到 PKI 目录(默认为 `/etc/kubernetes/pki` )。
@ -431,7 +430,7 @@ Kubeadm does not support rotation or replacement of CA certificates out of the b
For more information about manual rotation or replacement of CA, see [manual rotation of CA certificates](/docs/tasks/tls/manual-rotation-of-ca-certificates/).
-->
## 证书机构CA轮换 {#certificate-authority-rotation}
## 证书机构CA轮换 {#certificate-authority-rotation}
kubeadm 并不直接支持对 CA 证书的轮换或者替换。
@ -449,9 +448,9 @@ kubelet cannot be secured with TLS.
To configure the kubelets in a new kubeadm cluster to obtain properly signed serving
certificates you must pass the following minimal configuration to `kubeadm init`:
-->
## 启用已签名的 kubelet 服务证书 {#kubelet-serving-certs}
## 启用已签名的 kubelet 服务证书 {#kubelet-serving-certs}
默认情况下kubeadm 所部署的 kubelet 服务证书是自签名Self-Signed
默认情况下kubeadm 所部署的 kubelet 服务证书是自签名Self-Signed
这意味着从 [metrics-server](https://github.com/kubernetes-sigs/metrics-server)
这类外部服务发起向 kubelet 的链接时无法使用 TLS 来完成保护。
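Review bot: L329 uses "链接" (hyperlink) where "连接" (connection) is meant: "发起向 kubelet 的连接时无法使用 TLS 来完成保护". The sentence is security-relevant: with a self-signed kubelet serving certificate, a client such as metrics-server cannot verify the kubelet's identity and must either skip verification or fail, and the typo makes that point harder to read.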
@ -501,7 +500,7 @@ These CSRs can be viewed using:
字段 `serverTLSBootstrap` 将允许启动引导 kubelet 的服务证书,方式
是从 `certificates.k8s.io` API 处读取。这种方式的一种局限在于这些
证书的 CSR证书签名请求不能被 kube-controller-manager 中默认的
签名组件
签名组件
[`kubernetes.io/kubelet-serving`](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers)
批准。需要用户或者第三方控制器来执行此操作。
@ -554,7 +553,7 @@ the node identity with an out of band mechanism.
<!--
Third party custom controllers can be used:
- [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp)
- [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver)
Such a controller is not a secure mechanism unless it not only verifies the CommonName
in the CSR but also verifies the requested IPs and domain names. This would prevent
@ -563,7 +562,7 @@ CSRs requesting serving certificates for any IP or domain name.
-->
也可以使用第三方定制的控制器:
- [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp)
- [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver)
除非既能够验证 CSR 中的 CommonName也能检查请求的 IP 和域名,
这类控制器还算不得安全的机制。
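Review bot: swapping the recommended controller (kubelet-rubber-stamp at L341/L348 for kubelet-csr-approver at L342/L349) is fine, but the caveat that follows at L343-344 and L350-351 is the actual security requirement: an approver that checks only the CommonName would approve serving certificates for any IP or DNS name, so whichever controller is listed must also validate the requested IPs and domain names against the node's identity. Please confirm the linked project documents those checks before the recommendation lands.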
@ -573,7 +572,7 @@ CSRs requesting serving certificates for any IP or domain name.
<!--
## Generating kubeconfig files for additional users {#kubeconfig-additional-users}
-->
## 为其他用户生成 kubeconfig 文件 {#kubeconfig-additional-users}
## 为其他用户生成 kubeconfig 文件 {#kubeconfig-additional-users}
<!--
During cluster creation, kubeadm signs the certificate in the `admin.conf` to have
@ -597,7 +596,7 @@ The generated kubeconfig will be written to stdout and can be piped to a file
using `kubeadm kubeconfig user ... > somefile.conf`.
-->
你要使用 [`kubeadm kubeconfig user`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
命令为其他用户生成 kubeconfig 文件,这个命令支持命令行参数和
命令为其他用户生成 kubeconfig 文件,这个命令支持命令行参数和
[kubeadm 配置结构](/zh/docs/reference/config-api/kubeadm-config.v1beta3/)。
以上命令会将 kubeconfig 打印到终端上,也可以使用 `kubeadm kubeconfig user ... > somefile.conf`
输出到一个文件中。
@ -605,7 +604,7 @@ using `kubeadm kubeconfig user ... > somefile.conf`.
<!--
Example configuration file that can be used with `--config`:
-->
如下 kubeadm 可以 在`--config` 后加的配置文件示例:
如下 kubeadm 可以`--config` 后加的配置文件示例:
```yaml
# example.yaml
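Review bot: L374 is still awkward after the spacing change ("如下 kubeadm 可以`--config` 后加的配置文件示例"); the English at L371 is "Example configuration file that can be used with `--config`", so "可与 `--config` 一起使用的配置文件示例如下：" reads more naturally and keeps the colon before the YAML block.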