Commit 903ee36

Merge pull request #26119 from neha-viswanathan/25833-migrate-page
Migrate https://kubernetes.io/docs/concepts/cluster-administration/certificates/ to tasks section
2 parents f3244d8 + 4122063 commit 903ee36

5 files changed

+257
-248
lines changed


content/en/docs/concepts/cluster-administration/_index.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@ Before choosing a guide, here are some considerations:
4545

4646
## Securing a cluster
4747

48-
* [Certificates](/docs/concepts/cluster-administration/certificates/) describes the steps to generate certificates using different tool chains.
48+
* [Generate Certificates](/docs/tasks/administer-cluster/certificates/) describes the steps to generate certificates using different tool chains.
4949

5050
* [Kubernetes Container Environment](/docs/concepts/containers/container-environment/) describes the environment for Kubelet managed containers on a Kubernetes node.
5151
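Review bot: the link label changes here from "Certificates" to "Generate Certificates", yet the same target (/docs/tasks/administer-cluster/certificates/) is labelled "Certificates" in the stub left behind in content/en/docs/concepts/cluster-administration/certificates.md and "Managing Certificates" in authentication.md within this same commit; use the new task page's actual title in all three places so one page has one name. The description ("describes the steps to generate certificates using different tool chains") still matches the moved content and can stay as is.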

content/en/docs/concepts/cluster-administration/certificates.md

Lines changed: 1 addition & 244 deletions
Original file line numberDiff line numberDiff line change
@@ -4,249 +4,6 @@ content_type: concept
44
weight: 20
55
---
66

7-
87
<!-- overview -->
98

10-
When using client certificate authentication, you can generate certificates
11-
manually through `easyrsa`, `openssl` or `cfssl`.
12-
13-
14-
15-
16-
<!-- body -->
17-
18-
### easyrsa
19-
20-
**easyrsa** can manually generate certificates for your cluster.
21-
22-
1. Download, unpack, and initialize the patched version of easyrsa3.
23-
24-
curl -LO https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
25-
tar xzf easy-rsa.tar.gz
26-
cd easy-rsa-master/easyrsa3
27-
./easyrsa init-pki
28-
1. Generate a new certificate authority (CA). `--batch` sets automatic mode;
29-
`--req-cn` specifies the Common Name (CN) for the CA's new root certificate.
30-
31-
./easyrsa --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass
32-
1. Generate server certificate and key.
33-
The argument `--subject-alt-name` sets the possible IPs and DNS names the API server will
34-
be accessed with. The `MASTER_CLUSTER_IP` is usually the first IP from the service CIDR
35-
that is specified as the `--service-cluster-ip-range` argument for both the API server and
36-
the controller manager component. The argument `--days` is used to set the number of days
37-
after which the certificate expires.
38-
The sample below also assumes that you are using `cluster.local` as the default
39-
DNS domain name.
40-
41-
./easyrsa --subject-alt-name="IP:${MASTER_IP},"\
42-
"IP:${MASTER_CLUSTER_IP},"\
43-
"DNS:kubernetes,"\
44-
"DNS:kubernetes.default,"\
45-
"DNS:kubernetes.default.svc,"\
46-
"DNS:kubernetes.default.svc.cluster,"\
47-
"DNS:kubernetes.default.svc.cluster.local" \
48-
--days=10000 \
49-
build-server-full server nopass
50-
1. Copy `pki/ca.crt`, `pki/issued/server.crt`, and `pki/private/server.key` to your directory.
51-
1. Fill in and add the following parameters into the API server start parameters:
52-
53-
--client-ca-file=/yourdirectory/ca.crt
54-
--tls-cert-file=/yourdirectory/server.crt
55-
--tls-private-key-file=/yourdirectory/server.key
56-
57-
### openssl
58-
59-
**openssl** can manually generate certificates for your cluster.
60-
61-
1. Generate a ca.key with 2048bit:
62-
63-
openssl genrsa -out ca.key 2048
64-
1. According to the ca.key generate a ca.crt (use -days to set the certificate effective time):
65-
66-
openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
67-
1. Generate a server.key with 2048bit:
68-
69-
openssl genrsa -out server.key 2048
70-
1. Create a config file for generating a Certificate Signing Request (CSR).
71-
Be sure to substitute the values marked with angle brackets (e.g. `<MASTER_IP>`)
72-
with real values before saving this to a file (e.g. `csr.conf`).
73-
Note that the value for `MASTER_CLUSTER_IP` is the service cluster IP for the
74-
API server as described in previous subsection.
75-
The sample below also assumes that you are using `cluster.local` as the default
76-
DNS domain name.
77-
78-
[ req ]
79-
default_bits = 2048
80-
prompt = no
81-
default_md = sha256
82-
req_extensions = req_ext
83-
distinguished_name = dn
84-
85-
[ dn ]
86-
C = <country>
87-
ST = <state>
88-
L = <city>
89-
O = <organization>
90-
OU = <organization unit>
91-
CN = <MASTER_IP>
92-
93-
[ req_ext ]
94-
subjectAltName = @alt_names
95-
96-
[ alt_names ]
97-
DNS.1 = kubernetes
98-
DNS.2 = kubernetes.default
99-
DNS.3 = kubernetes.default.svc
100-
DNS.4 = kubernetes.default.svc.cluster
101-
DNS.5 = kubernetes.default.svc.cluster.local
102-
IP.1 = <MASTER_IP>
103-
IP.2 = <MASTER_CLUSTER_IP>
104-
105-
[ v3_ext ]
106-
authorityKeyIdentifier=keyid,issuer:always
107-
basicConstraints=CA:FALSE
108-
keyUsage=keyEncipherment,dataEncipherment
109-
extendedKeyUsage=serverAuth,clientAuth
110-
subjectAltName=@alt_names
111-
1. Generate the certificate signing request based on the config file:
112-
113-
openssl req -new -key server.key -out server.csr -config csr.conf
114-
1. Generate the server certificate using the ca.key, ca.crt and server.csr:
115-
116-
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
117-
-CAcreateserial -out server.crt -days 10000 \
118-
-extensions v3_ext -extfile csr.conf
119-
1. View the certificate:
120-
121-
openssl x509 -noout -text -in ./server.crt
122-
123-
Finally, add the same parameters into the API server start parameters.
124-
125-
### cfssl
126-
127-
**cfssl** is another tool for certificate generation.
128-
129-
1. Download, unpack and prepare the command line tools as shown below.
130-
Note that you may need to adapt the sample commands based on the hardware
131-
architecture and cfssl version you are using.
132-
133-
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64 -o cfssl
134-
chmod +x cfssl
135-
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64 -o cfssljson
136-
chmod +x cfssljson
137-
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl-certinfo_1.5.0_linux_amd64 -o cfssl-certinfo
138-
chmod +x cfssl-certinfo
139-
1. Create a directory to hold the artifacts and initialize cfssl:
140-
141-
mkdir cert
142-
cd cert
143-
../cfssl print-defaults config > config.json
144-
../cfssl print-defaults csr > csr.json
145-
1. Create a JSON config file for generating the CA file, for example, `ca-config.json`:
146-
147-
{
148-
"signing": {
149-
"default": {
150-
"expiry": "8760h"
151-
},
152-
"profiles": {
153-
"kubernetes": {
154-
"usages": [
155-
"signing",
156-
"key encipherment",
157-
"server auth",
158-
"client auth"
159-
],
160-
"expiry": "8760h"
161-
}
162-
}
163-
}
164-
}
165-
1. Create a JSON config file for CA certificate signing request (CSR), for example,
166-
`ca-csr.json`. Be sure to replace the values marked with angle brackets with
167-
real values you want to use.
168-
169-
{
170-
"CN": "kubernetes",
171-
"key": {
172-
"algo": "rsa",
173-
"size": 2048
174-
},
175-
"names":[{
176-
"C": "<country>",
177-
"ST": "<state>",
178-
"L": "<city>",
179-
"O": "<organization>",
180-
"OU": "<organization unit>"
181-
}]
182-
}
183-
1. Generate CA key (`ca-key.pem`) and certificate (`ca.pem`):
184-
185-
../cfssl gencert -initca ca-csr.json | ../cfssljson -bare ca
186-
1. Create a JSON config file for generating keys and certificates for the API
187-
server, for example, `server-csr.json`. Be sure to replace the values in angle brackets with
188-
real values you want to use. The `MASTER_CLUSTER_IP` is the service cluster
189-
IP for the API server as described in previous subsection.
190-
The sample below also assumes that you are using `cluster.local` as the default
191-
DNS domain name.
192-
193-
{
194-
"CN": "kubernetes",
195-
"hosts": [
196-
"127.0.0.1",
197-
"<MASTER_IP>",
198-
"<MASTER_CLUSTER_IP>",
199-
"kubernetes",
200-
"kubernetes.default",
201-
"kubernetes.default.svc",
202-
"kubernetes.default.svc.cluster",
203-
"kubernetes.default.svc.cluster.local"
204-
],
205-
"key": {
206-
"algo": "rsa",
207-
"size": 2048
208-
},
209-
"names": [{
210-
"C": "<country>",
211-
"ST": "<state>",
212-
"L": "<city>",
213-
"O": "<organization>",
214-
"OU": "<organization unit>"
215-
}]
216-
}
217-
1. Generate the key and certificate for the API server, which are by default
218-
saved into file `server-key.pem` and `server.pem` respectively:
219-
220-
../cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
221-
--config=ca-config.json -profile=kubernetes \
222-
server-csr.json | ../cfssljson -bare server
223-
224-
225-
## Distributing Self-Signed CA Certificate
226-
227-
A client node may refuse to recognize a self-signed CA certificate as valid.
228-
For a non-production deployment, or for a deployment that runs behind a company
229-
firewall, you can distribute a self-signed CA certificate to all clients and
230-
refresh the local list for valid certificates.
231-
232-
On each client, perform the following operations:
233-
234-
```bash
235-
sudo cp ca.crt /usr/local/share/ca-certificates/kubernetes.crt
236-
sudo update-ca-certificates
237-
```
238-
239-
```
240-
Updating certificates in /etc/ssl/certs...
241-
1 added, 0 removed; done.
242-
Running hooks in /etc/ca-certificates/update.d....
243-
done.
244-
```
245-
246-
## Certificates API
247-
248-
You can use the `certificates.k8s.io` API to provision
249-
x509 certificates to use for authentication as documented
250-
[here](/docs/tasks/tls/managing-tls-in-a-cluster).
251-
252-
9+
To learn how to generate certificates for your cluster, see [Certificates](/docs/tasks/administer-cluster/certificates/).
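Review bot: this hunk reduces the concept page to a single pointer sentence but leaves `content_type: concept` and `weight: 20` in the front matter, so a near-empty concept page keeps its slot in the Cluster Administration navigation; either make it a site redirect to the new task page or drop the `weight` so it no longer occupies that position. The removed text also contains two sections beyond the three tool walkthroughs, "Distributing Self-Signed CA Certificate" and "Certificates API" (the latter pointing at /docs/tasks/tls/managing-tls-in-a-cluster), and the new task page is not among the visible hunks, so please confirm both were carried over rather than only the easyrsa, openssl and cfssl steps. While the content is being relocated, note that the openssl `[ v3_ext ]` block declares `keyUsage=keyEncipherment,dataEncipherment` and omits `digitalSignature`, which an RSA server certificate needs for (EC)DHE and TLS 1.3 handshakes under strict validators; the easyrsa (`build-server-full`) and cfssl (`"signing"` in the `kubernetes` profile) paths do include it, so the migrated openssl config should match them.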

content/en/docs/reference/access-authn-authz/authentication.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -99,7 +99,7 @@ openssl req -new -key jbeda.pem -out jbeda-csr.pem -subj "/CN=jbeda/O=app1/O=app
9999

100100
This would create a CSR for the username "jbeda", belonging to two groups, "app1" and "app2".
101101

102-
See [Managing Certificates](/docs/concepts/cluster-administration/certificates/) for how to generate a client cert.
102+
See [Managing Certificates](/docs/tasks/administer-cluster/certificates/) for how to generate a client cert.
103103

104104
### Static Token File
105105
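Review bot: the sentence promises that the linked page shows "how to generate a client cert", but the content moving to /docs/tasks/administer-cluster/certificates/ (visible in the certificates.md hunk of this commit) only builds a CA and an API server certificate with easyrsa, openssl and cfssl; the sole client-certificate path it mentions is the `certificates.k8s.io` API, deferred to /docs/tasks/tls/managing-tls-in-a-cluster. Either point this sentence at that page, or add a client-cert step to the task page (signing the `jbeda-csr.pem` produced by the `openssl req` line above with the cluster CA) so the link delivers what it promises. The label "Managing Certificates" also differs from "Generate Certificates" used for the same target in _index.md in this commit; align the two.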
