kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
website/content/zh/docs/tasks/administer-cluster/certificates.md

374 lines
12 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

---
title: 证书
content_type: task
weight: 20
---
<!--
---
title: Certificates
content_type: task
weight: 20
---
-->
<!-- overview -->
<!--
When using client certificate authentication, you can generate certificates
manually through `easyrsa`, `openssl` or `cfssl`.
-->
在使用客户端证书认证的场景下,你可以通过 `easyrsa`、`openssl` 或 `cfssl` 等工具以手工方式生成证书。
<!-- body -->
### easyrsa
<!--
**easyrsa** can manually generate certificates for your cluster.
-->
**easyrsa** 支持以手工方式为你的集群生成证书。
<!--
1. Download, unpack, and initialize the patched version of easyrsa3.
-->
1. 下载、解压、初始化打过补丁的 easyrsa3。
curl -LO https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
tar xzf easy-rsa.tar.gz
cd easy-rsa-master/easyrsa3
./easyrsa init-pki
<!--
1. Generate a new certificate authority (CA). `--batch` sets automatic mode;
`--req-cn` specifies the Common Name (CN) for the CA's new root certificate.
-->
1. 生成新的证书颁发机构CA。参数 `--batch` 用于设置自动模式;
参数 `--req-cn` 用于设置新的根证书的通用名称CN
./easyrsa --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass
<!--
1. Generate server certificate and key.
The argument `--subject-alt-name` sets the possible IPs and DNS names the API server will
be accessed with. The `MASTER_CLUSTER_IP` is usually the first IP from the service CIDR
that is specified as the `--service-cluster-ip-range` argument for both the API server and
the controller manager component. The argument `--days` is used to set the number of days
after which the certificate expires.
The sample below also assumes that you are using `cluster.local` as the default
DNS domain name.
-->
1. 生成服务器证书和秘钥。
参数 `--subject-alt-name` 设置 API 服务器的 IP 和 DNS 名称。
`MASTER_CLUSTER_IP` 用于 API 服务器和控制管理器,通常取 CIDR 的第一个 IP`--service-cluster-ip-range` 的参数提供。
参数 `--days` 用于设置证书的过期时间。
下面的示例假定你的默认 DNS 域名为 `cluster.local`
./easyrsa --subject-alt-name="IP:${MASTER_IP},"\
"IP:${MASTER_CLUSTER_IP},"\
"DNS:kubernetes,"\
"DNS:kubernetes.default,"\
"DNS:kubernetes.default.svc,"\
"DNS:kubernetes.default.svc.cluster,"\
"DNS:kubernetes.default.svc.cluster.local" \
--days=10000 \
build-server-full server nopass
<!--
1. Copy `pki/ca.crt`, `pki/issued/server.crt`, and `pki/private/server.key` to your directory.
1. Fill in and add the following parameters into the API server start parameters:
-->
1. 拷贝文件 `pki/ca.crt`、`pki/issued/server.crt` 和 `pki/private/server.key` 到你的目录中。
1. 在 API 服务器的启动参数中添加以下参数:
--client-ca-file=/yourdirectory/ca.crt
--tls-cert-file=/yourdirectory/server.crt
--tls-private-key-file=/yourdirectory/server.key
### openssl
<!--
**openssl** can manually generate certificates for your cluster.
-->
**openssl** 支持以手工方式为你的集群生成证书。
<!--
1. Generate a ca.key with 2048bit:
-->
1. 生成一个 2048 位的 ca.key 文件
openssl genrsa -out ca.key 2048
<!--
1. According to the ca.key generate a ca.crt (use -days to set the certificate effective time):
-->
1. 在 ca.key 文件的基础上,生成 ca.crt 文件(用参数 -days 设置证书有效期)
openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
<!--
1. Generate a server.key with 2048bit:
-->
1. 生成一个 2048 位的 server.key 文件:
openssl genrsa -out server.key 2048
<!--
1. Create a config file for generating a Certificate Signing Request (CSR).
Be sure to substitute the values marked with angle brackets (e.g. `<MASTER_IP>`)
with real values before saving this to a file (e.g. `csr.conf`).
Note that the value for `MASTER_CLUSTER_IP` is the service cluster IP for the
API server as described in previous subsection.
The sample below also assumes that you are using `cluster.local` as the default
DNS domain name.
-->
1. 创建一个用于生成证书签名请求CSR的配置文件。
保存文件(例如:`csr.conf`)前,记得用真实值替换掉尖括号中的值(例如:`<MASTER_IP>`)。
注意:`MASTER_CLUSTER_IP` 就像前一小节所述,它的值是 API 服务器的服务集群 IP。
下面的例子假定你的默认 DNS 域名为 `cluster.local`
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = <country>
ST = <state>
L = <city>
O = <organization>
OU = <organization unit>
CN = <MASTER_IP>
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = <MASTER_IP>
IP.2 = <MASTER_CLUSTER_IP>
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
<!--
1. Generate the certificate signing request based on the config file:
-->
1. 基于上面的配置文件生成证书签名请求:
openssl req -new -key server.key -out server.csr -config csr.conf
<!--
1. Generate the server certificate using the ca.key, ca.crt and server.csr:
-->
1. 基于 ca.key、ca.key 和 server.csr 等三个文件生成服务端证书:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out server.crt -days 10000 \
-extensions v3_ext -extfile csr.conf
<!--
1. View the certificate signing request:
-->
1. 查看证书签名请求:
openssl req -noout -text -in ./server.csr
<!--
1. View the certificate:
-->
1. 查看证书:
openssl x509 -noout -text -in ./server.crt
<!--
Finally, add the same parameters into the API server start parameters.
-->
最后,为 API 服务器添加相同的启动参数。
### cfssl
<!--
**cfssl** is another tool for certificate generation.
-->
**cfssl** 是另一个用于生成证书的工具。
<!--
1. Download, unpack and prepare the command line tools as shown below.
Note that you may need to adapt the sample commands based on the hardware
architecture and cfssl version you are using.
-->
1. 下载、解压并准备如下所示的命令行工具。
注意:你可能需要根据所用的硬件体系架构和 cfssl 版本调整示例命令。
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64 -o cfssl
chmod +x cfssl
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64 -o cfssljson
chmod +x cfssljson
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl-certinfo_1.5.0_linux_amd64 -o cfssl-certinfo
chmod +x cfssl-certinfo
<!--
1. Create a directory to hold the artifacts and initialize cfssl:
-->
1. 创建一个目录,用它保存所生成的构件和初始化 cfssl
mkdir cert
cd cert
../cfssl print-defaults config > config.json
../cfssl print-defaults csr > csr.json
<!--
1. Create a JSON config file for generating the CA file, for example, `ca-config.json`:
-->
1. 创建一个 JSON 配置文件来生成 CA 文件,例如:`ca-config.json`
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
<!--
1. Create a JSON config file for CA certificate signing request (CSR), for example,
`ca-csr.json`. Be sure to replace the values marked with angle brackets with
real values you want to use.
-->
1. 创建一个 JSON 配置文件,用于 CA 证书签名请求CSR例如`ca-csr.json`。
确认用你需要的值替换掉尖括号中的值。
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names":[{
"C": "<country>",
"ST": "<state>",
"L": "<city>",
"O": "<organization>",
"OU": "<organization unit>"
}]
}
<!--
1. Generate CA key (`ca-key.pem`) and certificate (`ca.pem`):
-->
1. 生成 CA 秘钥文件(`ca-key.pem`)和证书文件(`ca.pem`
../cfssl gencert -initca ca-csr.json | ../cfssljson -bare ca
<!--
1. Create a JSON config file for generating keys and certificates for the API
server, for example, `server-csr.json`. Be sure to replace the values in angle brackets with
real values you want to use. The `MASTER_CLUSTER_IP` is the service cluster
IP for the API server as described in previous subsection.
The sample below also assumes that you are using `cluster.local` as the default
DNS domain name.
-->
1. 创建一个 JSON 配置文件,用来为 API 服务器生成秘钥和证书,例如:`server-csr.json`。
确认用你需要的值替换掉尖括号中的值。`MASTER_CLUSTER_IP` 是为 API 服务器 指定的服务集群 IP就像前面小节描述的那样。
以下示例假定你的默认 DSN 域名为`cluster.local`。
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"<MASTER_IP>",
"<MASTER_CLUSTER_IP>",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C": "<country>",
"ST": "<state>",
"L": "<city>",
"O": "<organization>",
"OU": "<organization unit>"
}]
}
<!--
1. Generate the key and certificate for the API server, which are by default
saved into file `server-key.pem` and `server.pem` respectively:
-->
1. 为 API 服务器生成秘钥和证书,默认会分别存储为`server-key.pem` 和 `server.pem` 两个文件。
../cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
--config=ca-config.json -profile=kubernetes \
server-csr.json | ../cfssljson -bare server
<!--
## Distributing Self-Signed CA Certificate
-->
## 分发自签名的 CA 证书
<!--
A client node may refuse to recognize a self-signed CA certificate as valid.
For a non-production deployment, or for a deployment that runs behind a company
firewall, you can distribute a self-signed CA certificate to all clients and
refresh the local list for valid certificates.
On each client, perform the following operations:
-->
客户端节点可能不认可自签名 CA 证书的有效性。
对于非生产环境,或者运行在公司防火墙后的环境,你可以分发自签名的 CA 证书到所有客户节点,并刷新本地列表以使证书生效。
在每一个客户节点,执行以下操作:
```bash
sudo cp ca.crt /usr/local/share/ca-certificates/kubernetes.crt
sudo update-ca-certificates
```
```
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
done.
```
<!--
## Certificates API
-->
## 证书 API {#certificates-api}
<!--
You can use the `certificates.k8s.io` API to provision
x509 certificates to use for authentication as documented
[here](/docs/tasks/tls/managing-tls-in-a-cluster).
-->
你可以通过 `certificates.k8s.io` API 提供 x509 证书,用来做身份验证,
如[本](/zh/docs/tasks/tls/managing-tls-in-a-cluster)文档所述。
Reference in New Issue View Git Blame Copy Permalink