[zh] Adjust kubeadm-certs.md format

pull/33805/head
Sean Wei 2022-05-18 23:26:36 +08:00
parent 86a5120ea3
commit 64d998e297
1 changed files with 77 additions and 78 deletions


@ -19,7 +19,6 @@ weight: 10
Client certificates generated by [kubeadm](/docs/reference/setup-tools/kubeadm/) expire after 1 year.
This page explains how to manage certificate renewals with kubeadm. It also covers other tasks related
to kubeadm certificate management.
-->
由 [kubeadm](/zh/docs/reference/setup-tools/kubeadm/) 生成的客户端证书在 1 年后到期。
本页说明如何使用 kubeadm 管理证书续订,同时也涵盖其他与 kubeadm 证书管理相关的说明。
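Review bot: the header `@ -19,7 +19,6` records a one-line deletion, but no removed line is visible in the rendered hunk, so it is most likely the blank line between `-->` and the translated paragraph. That matches the convention used elsewhere in this file, where the Chinese text follows the English comment block directly, so the deletion is fine; just confirm nothing else was dropped, since the rendering cannot show it.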
@ -42,16 +41,16 @@ You can override this behavior by providing your own certificates.
## 使用自定义的证书 {#custom-certificates}
默认情况下, kubeadm 会生成运行一个集群所需的全部证书。
默认情况下kubeadm 会生成运行一个集群所需的全部证书。
你可以通过提供你自己的证书来改变这个行为策略。
<!--
To do so, you must place them in whatever directory is specified by the
`--cert-dir` flag or the `CertificatesDir`field of kubeadm's `ClusterConfiguration` . By default this
is `/etc/kubernetes/pki`.
`--cert-dir` flag or the `certificatesDir` field of kubeadm's `ClusterConfiguration`.
By default this is `/etc/kubernetes/pki`.
-->
如果要这样做, 你必须将证书文件放置在通过 `--cert-dir` 命令行参数或者 kubeadm 配置中的
`CertificatesDir` 配置项指明的目录中。默认的值是 `/etc/kubernetes/pki`
如果要这样做你必须将证书文件放置在通过 `--cert-dir` 命令行参数或者 kubeadm 配置中的
`certificatesDir` 配置项指明的目录中。默认的值是 `/etc/kubernetes/pki`
<!--
If a given certificate and private key pair exists before running `kubeadm init`,
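Review bot: the change from `CertificatesDir` to `certificatesDir` in both the English comment and the Chinese body is a correctness fix, not formatting: `certificatesDir` is the YAML field name in kubeadm's `ClusterConfiguration`, and a reader copying the capitalised form into a kubeadm config file would get an unknown-field error. Worth calling out in the commit message beyond "Adjust format", and worth confirming that the rewrapped English comment (`field of kubeadm's ClusterConfiguration.` / `By default this is /etc/kubernetes/pki.`) matches the current upstream en source so the localisation sync does not flag a drift. The missing space in `` `CertificatesDir`field `` and the stray space before the period in `` `ClusterConfiguration` . `` are also fixed here, which is good.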
@ -60,7 +59,7 @@ CA into `/etc/kubernetes/pki/ca.crt` and `/etc/kubernetes/pki/ca.key`,
and kubeadm will use this CA for signing the rest of the certificates.
-->
如果在运行 `kubeadm init` 之前存在给定的证书和私钥对kubeadm 将不会重写它们。
例如,这意味着可以将现有的 CA 复制到 `/etc/kubernetes/pki/ca.crt`
例如,这意味着可以将现有的 CA 复制到 `/etc/kubernetes/pki/ca.crt`
`/etc/kubernetes/pki/ca.key` 中,而 kubeadm 将使用此 CA 对其余证书进行签名。
<!--
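Review bot: the removed and added lines in this hunk render identically (`例如,这意味着可以将现有的 CA 复制到 ...`), so whatever changed is invisible after rendering, most likely trailing whitespace or the width of a punctuation mark. Note that the added line still shows an ASCII comma after `例如`, while the rest of this commit converts `, ` to the full-width form; if that was the intent here, the added line does not yet carry it.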
@ -69,7 +68,8 @@ and kubeadm will use this CA for signing the rest of the certificates.
It is also possible to provide only the `ca.crt` file and not the
`ca.key` file (this is only available for the root CA file, not other cert pairs).
If all other certificates and kubeconfig files are in place, kubeadm recognizes
this condition and activates the "External CA" mode. kubeadm will proceed without the CA key on disk.
this condition and activates the "External CA" mode. kubeadm will proceed without the
CA key on disk.
-->
## 外部 CA 模式 {#external-ca-mode}
@ -83,7 +83,7 @@ this condition and activates the "External CA" mode. kubeadm will proceed withou
Instead, run the controller-manager standalone with `--controllers=csrsigner` and
point to the CA certificate and key.
-->
否则, kubeadm 将独立运行 controller-manager附加一个
否则kubeadm 将独立运行 controller-manager附加一个
`--controllers=csrsigner` 的参数,并且指明 CA 证书和密钥。
<!--
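Review bot: the translation on the changed line still misattributes the action. The English reads "Instead, run the controller-manager standalone with `--controllers=csrsigner` and point to the CA certificate and key", i.e. in external-CA mode the operator runs kube-controller-manager themselves with only the csrsigner controller, because kubeadm cannot sign without `ca.key`. The Chinese `否则，kubeadm 将独立运行 controller-manager` says kubeadm will run it, and `否则` ("otherwise") does not render "Instead". Since the line is being touched anyway, suggest something like `取而代之，应以 --controllers=csrsigner 参数独立运行 controller-manager，并指明 CA 证书和密钥`.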
@ -97,7 +97,7 @@ setting up a cluster to use an external CA.
You can use the `check-expiration` subcommand to check when certificates expire:
-->
## 检查证书是否过期
## 检查证书是否过期 {#check-certificate-expiration}
你可以使用 `check-expiration` 子命令来检查证书何时过期
@ -133,13 +133,13 @@ front-proxy-ca Dec 28, 2029 23:36 UTC 9y no
The command shows expiration/residual time for the client certificates in the `/etc/kubernetes/pki` folder and for the client certificate embedded in the KUBECONFIG files used by kubeadm (`admin.conf`, `controller-manager.conf` and `scheduler.conf`).
-->
该命令显示 `/etc/kubernetes/pki` 文件夹中的客户端证书以及
kubeadm`admin.conf`, `controller-manager.conf``scheduler.conf`
kubeadm`admin.conf`、`controller-manager.conf``scheduler.conf`
使用的 KUBECONFIG 文件中嵌入的客户端证书的到期时间/剩余时间。
<!--
Additionally, kubeadm informs the user if the certificate is externally managed; in this case, the user should take care of managing certificate renewal manually/using other tools.
-->
另外, kubeadm 会通知用户证书是否由外部管理;
另外kubeadm 会通知用户证书是否由外部管理;
在这种情况下,用户应该小心的手动/使用其他工具来管理证书更新。
<!--
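Review bot: two small issues remain on the last line of this hunk. `小心的手动/使用其他工具` uses `的` where the adverbial `地` is needed, and more importantly the English "the user should take care of managing certificate renewal" means the user is responsible for renewal (kubeadm will not do it for externally managed certificates), not that they should be careful. Suggest `在这种情况下，用户需要自行手动或使用其他工具管理证书更新`.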
@ -158,7 +158,7 @@ To repair an expired kubelet client certificate see
-->
{{< note >}}
上面的列表中没有包含 `kubelet.conf`,因为 kubeadm 将 kubelet 配置为
[自动更新证书](/docs/tasks/tls/certificate-rotation/)。
[自动更新证书](/zh/docs/tasks/tls/certificate-rotation/)。
轮换的证书位于目录 `/var/lib/kubelet/pki`
要修复过期的 kubelet 客户端证书,请参阅
[kubelet 客户端证书轮换失败](/zh/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/#kubelet-client-cert)。
@ -186,12 +186,12 @@ client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
<!--
## Automatic certificate renewal
`kubeadm` renews all the certificates during control plane [upgrade](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-15/).
kubeadm renews all the certificates during control plane [upgrade](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/).
-->
## 自动更新证书
## 自动更新证书 {#automatic-certificate-renewal}
`kubeadm` 会在控制面
kubeadm 会在控制面
[升级](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)
的时候更新所有证书。
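Review bot: replacing `kubeadm-upgrade-1-15` with `kubeadm-upgrade` in the English comment removes a stale, version-specific link and brings the comment in line with the Chinese link, which already pointed at `/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/`. Like the `certificatesDir` fix above, this is more than a format change; please confirm the upstream en page uses the same target so the comment block stays an exact mirror.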
@ -232,7 +232,7 @@ kubeadm 在 1.17 版本之前有一个[缺陷](https://github.com/kubernetes/kub
You can renew your certificates manually at any time with the `kubeadm certs renew` command.
-->
## 手动更新证书
## 手动更新证书 {#manual-certificate-renewal}
你能随时通过 `kubeadm certs renew` 命令手动更新你的证书。
@ -249,13 +249,13 @@ The kubelet will terminate the Pod if it's no longer in the manifest directory.
You can then move the file back and after another `fileCheckFrequency` period, the kubelet will recreate
the Pod and the certificate renewal for the component can complete.
-->
此命令用 CA (或者 front-proxy-CA )证书和存储在 `/etc/kubernetes/pki` 中的密钥执行更新。
此命令用 CA或者 front-proxy-CA )证书和存储在 `/etc/kubernetes/pki` 中的密钥执行更新。
执行完此命令之后你需要重启控制面 Pods。因为动态证书重载目前还不被所有组件和证书支持所有这项操作是必须的。
[静态 Pods](/zh/docs/tasks/configure-pod-container/static-pod/) 是被本地 kubelet 而不是 API Server 管理,
所以 kubectl 不能用来删除或重启他们。
要重启静态 Pod 你可以临时将清单文件从 `/etc/kubernetes/manifests/` 移除并等待 20 秒
(参考 [KubeletConfiguration 结构](/docs/reference/config-api/kubelet-config.v1beta1/) 中的`fileCheckFrequency` 值)。
(参考 [KubeletConfiguration 结构](/zh/docs/reference/config-api/kubelet-config.v1beta1/) 中的`fileCheckFrequency` 值)。
如果 Pod 不在清单目录里kubelet 将会终止它。
在另一个 `fileCheckFrequency` 周期之后你可以将文件移回去,为了组件可以完成 kubelet 将重新创建 Pod 和证书更新。
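Review bot: the hunk only converts parentheses and localises the KubeletConfiguration link, but three defects in the surrounding translation are worth fixing while here. `所有这项操作是必须的` should read `所以这项操作是必须的` (typo, 所有 vs 所以). `kubectl 不能用来删除或重启他们` refers to Pods, so `它们` rather than `他们`. The last line, `为了组件可以完成 kubelet 将重新创建 Pod 和证书更新`, garbles the English "the kubelet will recreate the Pod and the certificate renewal for the component can complete"; suggest `kubelet 将重新创建 Pod，该组件的证书更新随之完成`.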
@ -267,17 +267,17 @@ If you are running an HA cluster, this command needs to be executed on all the c
{{< /warning >}}
<!--
` certs renew` uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
`certs renew` uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
-->
{{< note >}}
`certs renew` 使用现有的证书作为属性 (Common Name、Organization、SAN 等) 的权威来源,
而不是 kubeadm-config ConfigMap 。强烈建议使它们保持同步。
`certs renew` 使用现有的证书作为属性Common Name、Organization、SAN 等)的权威来源,
而不是 kubeadm-config ConfigMap。强烈建议使它们保持同步。
{{< /note >}}
<!--
`kubeadm certs renew` provides the following options:
-->
`kubeadm certs renew`提供以下选项:
`kubeadm certs renew` 提供以下选项:
<!--
The Kubernetes certificates normally reach their expiration date after one year.
@ -285,8 +285,7 @@ The Kubernetes certificates normally reach their expiration date after one year.
Kubernetes 证书通常在一年后到期。
<!--
- `--csr-only` can be used to renew certificats with an external CA by generating certificate signing requests (without actually renewing certificates in place); see next paragraph for more information.
- `--csr-only` can be used to renew certificates with an external CA by generating certificate signing requests (without actually renewing certificates in place); see next paragraph for more information.
- It's also possible to renew a single certificate instead of all.
-->
@ -297,9 +296,9 @@ Kubernetes 证书通常在一年后到期。
<!--
## Renew certificates with the Kubernetes certificates API
This section provide more details about how to execute manual certificate renewal using the Kubernetes certificates API.
This section provides more details about how to execute manual certificate renewal using the Kubernetes certificates API.
-->
## 用 Kubernetes 证书 API 更新证书
## 用 Kubernetes 证书 API 更新证书 {#renew-certificates-with-the-kubernetes-certificates-api}
本节提供有关如何使用 Kubernetes 证书 API 执行手动证书更新的更多详细信息。
@ -317,10 +316,10 @@ These are advanced topics for users who need to integrate their organization's c
The Kubernetes Certificate Authority does not work out of the box.
You can configure an external signer such as [cert-manager](https://cert-manager.io/docs/configuration/ca/), or you can use the built-in signer.
The built-in signer is part of [`kube-controller-manager`](/docs/reference/command-line-tools-reference/kube-controller-manager/).
To activate the build-in signer, you must pass the `--cluster-signing-cert-file` and `--cluster-signing-key-file` flags.
To activate the built-in signer, you must pass the `--cluster-signing-cert-file` and `--cluster-signing-key-file` flags.
-->
### 设置一个签名者Signer
### 设置一个签名者Signer {#set-up-a-signer}
Kubernetes 证书颁发机构不是开箱即用。你可以配置外部签名者,例如 [cert-manager](https://cert-manager.io/docs/configuration/ca/)
也可以使用内置签名者。
@ -346,7 +345,7 @@ controllerManager:
<!--
### Create certificate signing requests (CSR)
-->
### 创建证书签名请求 (CSR)
### 创建证书签名请求 (CSR) {#create-certificate-signing-requests-csr}
<!--
See [Create CertificateSigningRequest](/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest) for creating CSRs with the Kubernetes API.
@ -357,9 +356,9 @@ See [Create CertificateSigningRequest](/docs/reference/access-authn-authz/certif
<!--
## Renew certificates with external CA
This section provides more details about how to execute manual certificate renewal using an external CA.
This section provide more details about how to execute manual certificate renewal using an external CA.
-->
## 通过外部 CA 更新证书
## 通过外部 CA 更新证书 {#renew-certificates-with-external-ca}
本节提供有关如何使用外部 CA 执行手动更新证书的更多详细信息。
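Review bot: this hunk introduces a grammar error rather than fixing one: the removed line `This section provides more details about how to execute manual certificate renewal using an external CA.` is correct, and the added line drops the `-s` to `This section provide more details`. It is also the inverse of the fix made to the identical sentence under `## Renew certificates with the Kubernetes certificates API` earlier in this diff, so the two comment blocks now disagree. Keep `provides`.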
@ -381,13 +380,13 @@ Both the CSR and the accompanying private key are given in the output.
You can pass in a directory with `--csr-dir` to output the CSRs to the specified location.
If `--csr-dir` is not specified, the default certificate directory (`/etc/kubernetes/pki`) is used.
-->
### 创建证书签名请求 (CSR)
### 创建证书签名请求 (CSR) {#create-certificate-signing-requests-csr-1}
你可以通过 `kubeadm certs renew --csr-only` 命令创建证书签名请求。
CSR 和随附的私钥都在输出中给出。
你可以传入一个带有 `--csr-dir` 的目录,将 CRS 输出到指定位置。
如果未指定 `--csr-dir` ,则使用默认证书目录(`/etc/kubernetes/pki`)。
如果未指定 `--csr-dir`,则使用默认证书目录(`/etc/kubernetes/pki`)。
<!--
Certificates can be renewed with `kubeadm certs renew --csr-only`.
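Review bot: the spacing fix on `如果未指定 --csr-dir，` is fine, but the line just above it still reads `将 CRS 输出到指定位置`; `CRS` is a typo for `CSR` (the English says "output the CSRs to the specified location"). Since the hunk already touches the adjacent line, suggest fixing it in the same commit.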
@ -431,7 +430,7 @@ Kubeadm does not support rotation or replacement of CA certificates out of the b
For more information about manual rotation or replacement of CA, see [manual rotation of CA certificates](/docs/tasks/tls/manual-rotation-of-ca-certificates/).
-->
## 证书机构CA轮换 {#certificate-authority-rotation}
## 证书机构CA轮换 {#certificate-authority-rotation}
kubeadm 并不直接支持对 CA 证书的轮换或者替换。
@ -449,9 +448,9 @@ kubelet cannot be secured with TLS.
To configure the kubelets in a new kubeadm cluster to obtain properly signed serving
certificates you must pass the following minimal configuration to `kubeadm init`:
-->
## 启用已签名的 kubelet 服务证书 {#kubelet-serving-certs}
## 启用已签名的 kubelet 服务证书 {#kubelet-serving-certs}
默认情况下kubeadm 所部署的 kubelet 服务证书是自签名Self-Signed
默认情况下kubeadm 所部署的 kubelet 服务证书是自签名Self-Signed
这意味着从 [metrics-server](https://github.com/kubernetes-sigs/metrics-server)
这类外部服务发起向 kubelet 的链接时无法使用 TLS 来完成保护。
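Review bot: the two replaced lines in this hunk (the heading and `默认情况下，kubeadm 所部署的 kubelet 服务证书是自签名...`) render identically, so again the change is only punctuation width. One wording issue remains on the last line: `向 kubelet 的链接` uses `链接` (hyperlink) where the English "connections to the kubelet" calls for `连接`. This matters for the security point being made, that TLS cannot protect the connection from metrics-server to a kubelet presenting a self-signed serving certificate.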
@ -554,7 +553,7 @@ the node identity with an out of band mechanism.
<!--
Third party custom controllers can be used:
- [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp)
- [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver)
Such a controller is not a secure mechanism unless it not only verifies the CommonName
in the CSR but also verifies the requested IPs and domain names. This would prevent
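Review bot: swapping `kubelet-rubber-stamp` (kontena) for `kubelet-csr-approver` (postfinance) in the English comment, mirrored in the Chinese list in the next hunk, changes which third-party approver the page recommends, which is not a format change and should be named in the commit message. The retained caveat on the following lines still applies: such a controller is only a safe mechanism if it verifies the requested IPs and domain names in the CSR as well as the CommonName, otherwise any kubelet can obtain a serving certificate for any address. Whoever approves this should confirm the replacement controller performs those checks and that the same swap has landed in the upstream en source.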
@ -563,7 +562,7 @@ CSRs requesting serving certificates for any IP or domain name.
-->
也可以使用第三方定制的控制器:
- [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp)
- [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver)
除非既能够验证 CSR 中的 CommonName也能检查请求的 IP 和域名,
这类控制器还算不得安全的机制。
@ -573,7 +572,7 @@ CSRs requesting serving certificates for any IP or domain name.
<!--
## Generating kubeconfig files for additional users {#kubeconfig-additional-users}
-->
## 为其他用户生成 kubeconfig 文件 {#kubeconfig-additional-users}
## 为其他用户生成 kubeconfig 文件 {#kubeconfig-additional-users}
<!--
During cluster creation, kubeadm signs the certificate in the `admin.conf` to have
@ -605,7 +604,7 @@ using `kubeadm kubeconfig user ... > somefile.conf`.
<!--
Example configuration file that can be used with `--config`:
-->
如下 kubeadm 可以 在`--config` 后加的配置文件示例:
如下 kubeadm 可以`--config` 后加的配置文件示例:
```yaml
# example.yaml
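Review bot: removing the stray space in `可以 在` also removed the character `在` itself: the added line reads `如下 kubeadm 可以`--config` 后加的配置文件示例:`, which is ungrammatical (`可以 ... 后加` has lost its preposition). The intended text is `可以在 --config 后加`, or more naturally `可与 --config 一起使用的配置文件示例：`, matching the English "Example configuration file that can be used with `--config`". Also note the ASCII colon at the end where the rest of this commit switches to full-width punctuation.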