Kubernetes Cluster Maintenance: Maintaining the Kubernetes Cluster CA Certificates


I. CA Certificates in a Kubernetes Cluster

If the cluster was deployed with kubeadm, the CA certificates are generated automatically; if it was deployed from binaries, they have to be generated by hand.

Where are the CA certificates on the server?

[root@master01 ~]# tree /etc/kubernetes/pki/
/etc/kubernetes/pki/
├── apiserver.crt
├── apiserver-etcd-client.crt
├── apiserver-etcd-client.key
├── apiserver.key
├── apiserver-kubelet-client.crt
├── apiserver-kubelet-client.key
├── ca.crt
├── ca.key
├── etcd
│   ├── ca.crt
│   ├── ca.key
│   ├── healthcheck-client.crt
│   ├── healthcheck-client.key
│   ├── peer.crt
│   ├── peer.key
│   ├── server.crt
│   └── server.key
├── front-proxy-ca.crt
├── front-proxy-ca.key
├── front-proxy-client.crt
├── front-proxy-client.key
├── sa.key
└── sa.pub

For security, Kubernetes uses mutual TLS authentication (not only does the client verify the server's certificate, the server also verifies the client's identity through the client certificate).

In both kubeadm-installed and binary-installed clusters, three sets of CA certificates are used to manage and sign the other certificates: one CA for etcd, one for the internal Kubernetes components, and one for the aggregation layer. If managing three CAs feels like too much trouble, you can of course use a single CA for everything.

1. Etcd certificates

The etcd certificates live in /etc/kubernetes/pki/etcd; use ps to inspect the etcd process and its arguments:

[root@master01 ~]# ps aux |grep etcd |grep -v 'kube-apiserver'
root       1913  2.9  2.4 11284800 96956 ?      Ssl  Nov01  19:41 etcd --advertise-client-urls=https://192.168.1.60:2379 --cert-file=/etc/kubernetes/pki/etcd/server.crt --client-cert-auth=true --data-dir=/var/lib/etcd --experimental-initial-corrupt-check=true --experimental-watch-progress-notify-interval=5s --initial-advertise-peer-urls=https://192.168.1.60:2380 --initial-cluster=master01=https://192.168.1.60:2380 --key-file=/etc/kubernetes/pki/etcd/server.key --listen-client-urls=https://127.0.0.1:2379,https://192.168.1.60:2379 --listen-metrics-urls=http://127.0.0.1:2381 --listen-peer-urls=https://192.168.1.60:2380 --name=master01 --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt --peer-client-cert-auth=true --peer-key-file=/etc/kubernetes/pki/etcd/peer.key --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt --snapshot-count=10000 --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
root      51024  0.0  0.0 112828  2304 pts/1    S+   08:08   0:00 grep --color=auto etcd

Certificates and what they are for

├── etcd
│   ├── ca.crt ## the etcd CA certificate, used for mutual authentication between etcd cluster members
│   ├── ca.key ## the private key of that CA
│   ├── healthcheck-client.crt ## client certificate used when etcd acts as a client towards other services
│   ├── healthcheck-client.key ## the matching private key
│   ├── peer.crt ## peer certificate for mutual authentication between etcd cluster members; this is the public half
│   ├── peer.key ## the matching private key
│   ├── server.crt  ## server certificate etcd presents when serving clients, e.g. when the apiserver connects to etcd; this is the public half
│   └── server.key  ## the matching private key

2. Kube-apiserver certificates

The apiserver's certificates are in /etc/kubernetes/pki; use ps to inspect the process:

[root@master01 ~]# ps aux |grep apiserver
root       1952  2.7  8.9 1186240 360692 ?      Ssl  Nov01  17:58 kube-apiserver --feature-gates=LegacyServiceAccountTokenNoAutoGeneration=false --advertise-address=192.168.1.60 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.0.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
root      52851  0.0  0.0 112828  2192 pts/1    S+   08:10   0:00 grep --color=auto apiserver

Certificates and what they are for:

[root@master01 ~]# tree /etc/kubernetes/pki/
/etc/kubernetes/pki/
├── apiserver.crt ## server certificate the apiserver presents to its clients
├── apiserver.key ## the matching private key
├── apiserver-etcd-client.crt ## client certificate the apiserver uses when it connects to etcd
├── apiserver-etcd-client.key ## the matching private key
├── apiserver-kubelet-client.crt ## client certificate the apiserver uses when it connects to a kubelet
├── apiserver-kubelet-client.key ## the matching private key
├── ca.crt ## the root CA certificate used to sign the other certificates in the cluster
├── ca.key ## the private key of that CA
├── front-proxy-ca.crt ## CA certificate for the aggregation layer (apiserver extensions)
├── front-proxy-ca.key ## the private key of that CA
├── front-proxy-client.crt ## client certificate for the aggregation layer (apiserver extensions)
├── front-proxy-client.key ## the matching private key
├── sa.key ## private key used for service account tokens
└── sa.pub ## public key used to verify service account tokens

3. Certificates used by kube-controller-manager

Use ps to inspect the process:

[root@master01 ~]# ps aux |grep controller
root       1950  1.1  2.0 833636 83140 ?        Ssl  Nov01   7:55 kube-controller-manager --feature-gates=LegacyServiceAccountTokenNoAutoGeneration=false --allocate-node-cidrs=true --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf --bind-address=127.0.0.1 --client-ca-file=/etc/kubernetes/pki/ca.crt --cluster-cidr=172.16.0.0/12 --cluster-name=kubernetes --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt --cluster-signing-key-file=/etc/kubernetes/pki/ca.key --controllers=*,bootstrapsigner,tokencleaner --kubeconfig=/etc/kubernetes/controller-manager.conf --leader-elect=true --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --root-ca-file=/etc/kubernetes/pki/ca.crt --service-account-private-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.0.0.0/16 --use-service-account-credentials=true
polkitd    2963  0.0  0.8 1569160 35592 ?       Ssl  Nov01   0:09 /usr/bin/kube-controllers
root      56196  0.0  0.0 112828  2260 pts/1    S+   08:14   0:00 grep --color=auto controller

Notes:

The CA-related certificate files referenced by the process arguments shown by ps are:

/etc/kubernetes/pki/ca.crt
/etc/kubernetes/pki/ca.key
/etc/kubernetes/pki/front-proxy-ca.crt
/etc/kubernetes/pki/sa.key

These are actually the apiserver-related certificates; the certificates kube-controller-manager itself uses live in the /etc/kubernetes/controller-manager.conf kubeconfig file:

[root@master01 ~]# cat /etc/kubernetes/controller-manager.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.1.60:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:kube-controller-manager
  name: system:kube-controller-manager@kubernetes
current-context: system:kube-controller-manager@kubernetes
kind: Config
preferences: {}
users:
- name: system:kube-controller-manager
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>

The Kubernetes design here is that components such as kube-controller-manager, kube-scheduler, kube-proxy and kubelet use the information in a kubeconfig file to access kube-apiserver. That file contains the kube-apiserver address, the CA certificate used to verify kube-apiserver's server certificate, and the component's own client certificate and private key.

4. Kube-scheduler

Like kube-controller-manager, kube-scheduler also uses a kubeconfig:

[root@master01 ~]# cat /etc/kubernetes/scheduler.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.1.60:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:kube-scheduler
  name: system:kube-scheduler@kubernetes
current-context: system:kube-scheduler@kubernetes
kind: Config
preferences: {}
users:
- name: system:kube-scheduler
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>

As you can see, the certificate-authority-data in this config file is the same as in kube-controller-manager's.

5. Kubelet

The kubelet also uses a kubeconfig:

[root@master01 ~]# cat /etc/kubernetes/kubelet.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.1.65:16443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:node:master01
  name: system:node:master01@kubernetes
current-context: system:node:master01@kubernetes
kind: Config
preferences: {}
users:
- name: system:node:master01
  user:
    client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
    client-key: /var/lib/kubelet/pki/kubelet-client-current.pem

The certificate-authority-data here is the same as for the components above. The user section at the bottom has client-certificate and client-key: the client certificate and key the kubelet uses when it acts as a client.

II. Renewing the Certificates

1. Check the certificate validity period; it shows the certificate is valid for 1 year.

[root@master01 ~]# openssl x509 -noout -dates -in /etc/kubernetes/pki/apiserver.crt
notBefore=Nov  1 09:14:01 2023 GMT
notAfter=Oct 31 09:19:01 2024 GMT

If your Kubernetes cluster was built with kubeadm, there is another way: use kubeadm to check the expiry of every certificate in the cluster at once:

[root@master01 ~]# kubeadm  certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 31, 2024 09:19 UTC   364d            ca                      no
apiserver                  Oct 31, 2024 09:19 UTC   364d            ca                      no
apiserver-etcd-client      Oct 31, 2024 09:19 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Oct 31, 2024 09:19 UTC   364d            ca                      no
controller-manager.conf    Oct 31, 2024 09:19 UTC   364d            ca                      no
etcd-healthcheck-client    Oct 31, 2024 09:19 UTC   364d            etcd-ca                 no
etcd-peer                  Oct 31, 2024 09:19 UTC   364d            etcd-ca                 no
etcd-server                Oct 31, 2024 09:19 UTC   364d            etcd-ca                 no
front-proxy-client         Oct 31, 2024 09:19 UTC   364d            front-proxy-ca          no
scheduler.conf             Oct 31, 2024 09:19 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 29, 2033 09:19 UTC   9y              no
etcd-ca                 Oct 29, 2033 09:19 UTC   9y              no
front-proxy-ca          Oct 29, 2033 09:19 UTC   9y              no
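As an added example (not code from the original article), here is a small Go program that does in code what sections I and II.1 describe: it parses a leaf certificate, verifies that it chains to the CA that is supposed to have signed it (pki/ca.crt for the apiserver certificates, pki/etcd/ca.crt for the etcd ones) and reports the whole days remaining, the way the RESIDUAL TIME column above does. The function names and the constructed CA/leaf pair are assumptions; on a real master you would read the files under /etc/kubernetes/pki instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkLeaf parses a PEM leaf certificate (e.g. apiserver.crt), verifies it chains to the CA it
// should be signed by and returns the whole days left before NotAfter, even if the chain check fails.
func checkLeaf(leafPEM, caPEM []byte, now time.Time) (int, error) {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE block in leaf PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM) // an unusable CA PEM surfaces below as "unknown authority"
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return int(leaf.NotAfter.Sub(now).Hours() / 24), err
}

// makePair is constructed test data only (not a cluster's real files): a self-signed CA plus a leaf signed by it.
func makePair(caName, cn string, leafDays int, now time.Time) (leafPEM, caPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0), KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, leafDays), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(leafDER), toPEM(caDER)
}

func main() {
	leaf, ca := makePair("kubernetes", "kube-apiserver", 365, time.Now())
	fmt.Println(checkLeaf(leaf, ca, time.Now())) // typically prints "364 <nil>": whole days, like kubeadm's "364d"
}
```

Checking an apiserver leaf against the etcd CA fails with an unknown-authority error, which is how a certificate paired with the wrong CA shows up.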

2. Renew the certificates

[root@master01 ~]# kubeadm certs renew all

A successful run prints, among other things: You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

So these services must be restarted: kube-apiserver, kube-controller-manager, kube-scheduler and etcd.
