k8s认证

Tony.Cheng2023-10-22 20:22

1. 证书介绍

服务端保留公钥和私钥,客户端使用root CA认证服务端的公钥

一共有多少证书:

*Etcd:

  1. Etcd对外提供服务,要有一套etcd server证书
  2. Etcd各节点之间进行通信,要有一套etcd peer证书
  3. Kube-APIserver访问Etcd,要有一套etcd client证书

kubernetes:

  1. Kube-apiserver对外提供服务,要有一套kube-apiserver server证书
  2. kube-scheduler、kube-controller-manager、kube-proxy、kubelet和其他可能用到的组件,需要访问kube-APIserver,要有一套kube-apiserver client证书
  3. kube-controller-manager要生成服务的service account,要有一对用来签署service account的证书(CA证书)
  4. kubelet对外提供服务,要有一套kubelet server证书
  5. kube-apiserver需要访问kubelet,要有一套kubelet client证书

2. openssl制作证书

所需证书如下:

制作api-server client证书:

# ${tmpdir}为生成的临时文件夹
# tmpdir=$(mktemp -d)

# 生成证书私钥
openssl genrsa -out ${tmpdir}/server-key.pem 2048

# 生成csr签名文件,CN设定为域名/机器名/或者IP名称
openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config

# 根据csr签名文件创建csr
kubectl create -f *.yaml

# approve and fetch the signed certificate
kubectl certificate approve ${csrName}

# 生成server-cert.pem证书文件
serverCert=$(kubectl get csr ${csrName} -o jsonpath='{.status.certificate}')
echo ${serverCert} | openssl base64 -d -A -out ${tmpdir}/server-cert.pem

# 使用server-key.pem和server-cert.pem进行认证
server-key.pem
server-cert.pem

制作脚本如下:

#!/bin/bash

set -e
set -x

usage() {
    cat <<EOF
Generate certificate suitable for use with an sidecar-injector webhook service.

This script uses k8s' CertificateSigningRequest API to a generate a
certificate signed by k8s CA suitable for use with sidecar-injector webhook
services. This requires permissions to create and approve CSR. See
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster for
detailed explantion and additional instructions.

The server key/cert k8s CA cert are stored in a k8s secret.

usage: ${0} [OPTIONS]

The following flags are required.

       --service          Service name of webhook.
       --namespace        Namespace where webhook service and secret reside.
       --secret           Secret name for CA certificate and server certificate/key pair.
EOF
    exit 1
}

while [[ $# -gt 0 ]]; do
    case ${1} in
        --service)
            service="$2"
            shift
            ;;
        --secret)
            secret="$2"
            shiftdo
            ;;
        --namespace)
            namespace="$2"
            shift
            ;;
        *)
            usage
            ;;
    esac
    shift
done

[ -z ${service} ] && service=logsidecar-injector-admission
[ -z ${secret} ] && secret=logsidecar-injector-admission-certs
[ -z ${namespace} ] && namespace=kubesphere-logging-system

if [ ! -x "$(command -v openssl)" ]; then
    echo "openssl not found"
    exit 1
fi

csrName=${service}.${namespace}
tmpdir=$(mktemp -d)
echo "creating certs in tmpdir ${tmpdir} "

cat <<EOF >> ${tmpdir}/csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc
EOF

openssl genrsa -out ${tmpdir}/server-key.pem 2048
openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf

# clean-up any previously created CSR for our service. Ignore errors if not present.
kubectl delete csr ${csrName} 2>/dev/null || true

# create  server cert/key CSR and  send to k8s API
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ${csrName}
spec:
  groups:
  - system:authenticated
  request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

# verify CSR has been created
while true; do
    kubectl get csr ${csrName}
    if [ "$?" -eq 0 ]; then
        break
    fi
done

# approve and fetch the signed certificate
kubectl certificate approve ${csrName}
# verify certificate has been signed
for x in $(seq 10); do
    serverCert=$(kubectl get csr ${csrName} -o jsonpath='{.status.certificate}')
    if [[ ${serverCert} != '' ]]; then
        break
    fi
    sleep 1
done
if [[ ${serverCert} == '' ]]; then
    echo "ERROR: After approving csr ${csrName}, the signed certificate did not appear on the resource. Giving up after 10 attempts." >&2
    exit 1
fi
echo ${serverCert} | openssl base64 -d -A -out ${tmpdir}/server-cert.pem


# create the secret with CA cert and server cert/key
kubectl create secret generic ${secret} \
        --from-file=key.pem=${tmpdir}/server-key.pem \
        --from-file=cert.pem=${tmpdir}/server-cert.pem \
        --dry-run -o yaml |
    kubectl -n ${namespace} apply -f -
相关推荐
drebander5 小时前
Maven 与 Kubernetes 部署:构建和部署到 Kubernetes 环境中
java·kubernetes·maven
ITPUB-微风6 小时前
58同城深度学习推理平台:基于Istio的云原生网关实践解析
深度学习·云原生·istio
qq_448941089 小时前
10、k8s对外服务之ingress
linux·容器·kubernetes
野猪佩挤9 小时前
minio作为K8S后端存储
云原生·容器·kubernetes
斯普信专业组10 小时前
K8S下redis哨兵集群使用secret隐藏configmap内明文密码方案详解
redis·kubernetes·bootstrap
福大大架构师每日一题15 小时前
6.4 k8s的informer机制
云原生·容器·kubernetes
炸鸡物料库16 小时前
Kubernetes 使用 Kube-Prometheus 构建指标监控 +飞书告警
运维·云原生·kubernetes·飞书·prometheus·devops
ITPUB-微风16 小时前
云原生DevOps:Zadig架构设计与企业实践分析
运维·云原生·devops
IT闫17 小时前
【Dubbo+Zookeeper】——SpringBoot+Dubbo+Zookeeper知识整合
分布式·zookeeper·云原生·dubbo
CarryBest18 小时前
搭建Kubernetes (K8s) 集群----Centos系统
容器·kubernetes·centos
热门推荐
01本地部署DeepSeek教程(Mac版本)02如何在WPS和Word/Excel中直接使用DeepSeek功能03DeepSeek本地部署详细指南04DeepSeek各版本说明与优缺点分析05本地化部署AI知识库:基于Ollama+DeepSeek+AnythingLLM保姆级教程06DeepSeek r1本地安装全指南07太炸裂了!清华大学deepseek从入门到精通使用手册又出第三版了,《普通人如何抓住DeepSeek红利》(无套路,直接下载)08DeepSeek R1本地化部署 Ollama + Chatbox 打造最强 AI 工具09在Windows下安装Ollama并体验DeepSeek r1大模型10Page Assist - 本地Deepseek模型 Web UI 的安装和使用