Work on the hdss7-200 virtual machine.
Install CFSSL
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssl-json
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
chmod u+x /usr/local/bin/cfssl*
export PATH=/usr/local/bin:$PATH
Create the CA certificate signing request
Create the JSON configuration file from which the CA certificate signing request (CSR) is generated:
mkdir /opt/certs/
cd /opt/certs/
vim /opt/certs/ca-csr.json
Create the ca-csr.json file with the following content:
{
  "CN": "kubernetes",
  "hosts": [ ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "beijing",
      "L": "beijing",
      "O": "od",
      "OU": "ops"
    }
  ],
  "ca": {
    "expiry": "175200h"
  }
}
- CN: Common Name; kube-apiserver extracts this field from the certificate as the user name (User Name) of the request; browsers use this field to verify whether a website is legitimate
- C: Country
- ST: State, i.e. state or province
- L: Locality, i.e. region or city
- O: Organization; kube-apiserver extracts this field from the certificate as the group (Group) the requesting user belongs to
- OU: Organization Unit, i.e. department name
- expiry: validity period, where h means hours
Generate the CA certificate and private key
cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
ls ca*
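To show what `cfssl gencert -initca` actually does with ca-csr.json, here is an added example (not the page's commands and not cfssl's own code) that builds the same kind of self-signed CA with Go's standard library: the subject comes from CN and names, the validity from ca.expiry in Go duration syntax (so "175200h" is 20 years), and the certificate carries CA:TRUE with the keyCertSign usage. The JSON is the page's file embedded as constructed input, and key.algo is assumed to be rsa.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"math/big"
	"time"
)

// CACSR is the page's ca-csr.json, embedded as constructed sample input.
const CACSR = `{"CN":"kubernetes","hosts":[],"key":{"algo":"rsa","size":2048},"names":[{"C":"CN","ST":"beijing","L":"beijing","O":"od","OU":"ops"}],"ca":{"expiry":"175200h"}}`
// csr mirrors the ca-csr.json fields that shape the CA certificate (key.algo is assumed to be rsa).
type csr struct {
	CN    string
	Key   struct{ Size int }
	Names []struct{ C, ST, L, O, OU string }
	CA    struct{ Expiry string }
}

// SelfSignedCA builds what `cfssl gencert -initca` produces from csrJSON: subject from CN and names, validity from ca.expiry, CA:TRUE with keyCertSign.
func SelfSignedCA(csrJSON []byte, now time.Time) (*x509.Certificate, error) {
	var c csr
	if err := json.Unmarshal(csrJSON, &c); err != nil {
		return nil, err
	}
	expiry, err := time.ParseDuration(c.CA.Expiry) // cfssl expiry uses Go duration syntax, e.g. "175200h"
	if err != nil {
		return nil, err
	}
	key, err := rsa.GenerateKey(rand.Reader, c.Key.Size)
	if err != nil {
		return nil, err
	}
	subj := pkix.Name{CommonName: c.CN} // kube-apiserver maps CN to the user name and O to the group
	for _, n := range c.Names {
		subj.Country, subj.Province, subj.Locality = append(subj.Country, n.C), append(subj.Province, n.ST), append(subj.Locality, n.L)
		subj.Organization, subj.OrganizationalUnit = append(subj.Organization, n.O), append(subj.OrganizationalUnit, n.OU)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial number
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: subj, NotBefore: now, NotAfter: now.Add(expiry),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed: parent is tmpl
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The returned certificate is what ends up in ca.pem; checking its NotAfter against NotBefore makes the 20-year lifetime chosen by "175200h" explicit before the CA is put into use.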
Reference: https://jimmysong.io/kubernetes-handbook/practice/create-tls-and-secret-key.html