Skip to content

Commit b83b925

Browse files
k8s-ci-robotk8s-ci-robot
authored
Merge pull request #33959 from Sea-n/zh-reviewer-setup-bp
[zh] Remove reviewer for best-practices
2 parents b05bcc9 + 6e7c8bb commit b83b925

File tree

2 files changed

+113
-56
lines changed

2 files changed

+113
-56
lines changed

content/zh/docs/setup/best-practices/certificates.md

Lines changed: 60 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,5 @@
11
---
22
title: PKI 证书和要求
3-
reviewers:
4-
- sig-cluster-lifecycle
53
content_type: concept
64
weight: 40
75
---
@@ -18,7 +16,7 @@ weight: 40
1816
<!--
1917
Kubernetes requires PKI certificates for authentication over TLS.
2018
If you install Kubernetes with [kubeadm](/docs/reference/setup-tools/kubeadm/), the certificates that your cluster requires are automatically generated.
21-
You can also generate your own certificates - for example, to keep your private keys more secure by not storing them on the API server.
19+
You can also generate your own certificates -- for example, to keep your private keys more secure by not storing them on the API server.
2220
This page explains the certificates that your cluster requires.
2321
-->
2422
Kubernetes 需要 PKI 证书才能进行基于 TLS 的身份验证。如果你是使用
@@ -33,7 +31,7 @@ Kubernetes 需要 PKI 证书才能进行基于 TLS 的身份验证。如果你
3331
3432
Kubernetes requires PKI for the following operations:
3533
-->
36-
## 集群是如何使用证书的
34+
## 集群是如何使用证书的 {#how-certificates-are-used-by-your-cluster}
3735

3836
Kubernetes 需要 PKI 才能执行以下操作:
3937

@@ -61,7 +59,7 @@ Kubernetes 需要 PKI 才能执行以下操作:
6159
* [前端代理](/zh/docs/tasks/extend-kubernetes/configure-aggregation-layer/) 的客户端及服务端证书
6260

6361
<!--
64-
`front-proxy` certificates are required only if you run kube-proxy to support [an extension API server](/docs/tasks/access-kubernetes-api/setup-extension-api-server/).
62+
`front-proxy` certificates are required only if you run kube-proxy to support [an extension API server](/docs/tasks/extend-kubernetes/setup-extension-api-server/).
6563
-->
6664
{{< note >}}
6765
只有当你运行 kube-proxy 并要支持
@@ -79,7 +77,7 @@ etcd 还实现了双向 TLS 来对客户端和对其他对等节点进行身份
7977
8078
If you install Kubernetes with kubeadm, most certificates are stored in `/etc/kubernetes/pki`. All paths in this documentation are relative to that directory, with the exception of user account certificates which kubeadm places in `/etc/kubernetes`.
8179
-->
82-
## 证书存放的位置
80+
## 证书存放的位置 {#where-certificates-are-stored}
8381

8482
假如通过 kubeadm 安装 Kubernetes,大多数证书都存储在 `/etc/kubernetes/pki`
8583
本文档中的所有路径都是相对于该目录的,但用户账户证书除外,kubeadm 将其放在 `/etc/kubernetes` 中。
@@ -90,7 +88,7 @@ If you install Kubernetes with kubeadm, most certificates are stored in `/etc/ku
9088
If you don't want kubeadm to generate the required certificates, you can create them using a single root CA or by providing all certificates. See [Certificates](/docs/tasks/administer-cluster/certificates/) for details on creating your own certificate authority.
9189
See [Certificate Management with kubeadm](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/) for more on managing certificates.
9290
-->
93-
## 手动配置证书
91+
## 手动配置证书 {#configure-certificates-manually}
9492

9593
如果你不想通过 kubeadm 生成这些必需的证书,你可以使用一个单一的根 CA
9694
来创建这些证书或者直接提供所有证书。
@@ -102,14 +100,14 @@ See [Certificate Management with kubeadm](/docs/tasks/administer-cluster/kubeadm
102100
103101
You can create a single root CA, controlled by an administrator. This root CA can then create multiple intermediate CAs, and delegate all further creation to Kubernetes itself.
104102
-->
105-
### 单根 CA
103+
### 单根 CA {#single-root-ca}
106104

107105
你可以创建一个单根 CA,由管理员控制器它。该根 CA 可以创建多个中间 CA,并将所有进一步的创建委托给 Kubernetes。
108106

109107
<!--
110108
Required CAs:
111109
112-
| 路径 | 默认 CN | 描述 |
110+
| path | Default CN | description |
113111
|------------------------|---------------------------|----------------------------------|
114112
| ca.crt,key | kubernetes-ca | Kubernetes general CA |
115113
| etcd/ca.crt,key | etcd-ca | For all etcd-related functions |
@@ -148,13 +146,24 @@ If you don't wish to copy the CA private keys to your cluster, you can generate
148146
149147
Required certificates:
150148
-->
151-
### 所有的证书
149+
### 所有的证书 {#all-certificates}
152150

153151
如果你不想将 CA 的私钥拷贝至你的集群中,你也可以自己生成全部的证书。
154152

155153
需要这些证书:
156154

157-
| 默认 CN | 父级 CA | O (位于 Subject 中) | 类型 | 主机 (SAN) |
155+
<!--
156+
| Default CN | Parent CA | O (in Subject) | kind | hosts (SAN) |
157+
|-------------------------------|---------------------------|----------------|----------------------------------------|---------------------------------------------|
158+
| kube-etcd | etcd-ca | | server, client | `<hostname>`, `<Host_IP>`, `localhost`, `127.0.0.1` |
159+
| kube-etcd-peer | etcd-ca | | server, client | `<hostname>`, `<Host_IP>`, `localhost`, `127.0.0.1` |
160+
| kube-etcd-healthcheck-client | etcd-ca | | client | |
161+
| kube-apiserver-etcd-client | etcd-ca | system:masters | client | |
162+
| kube-apiserver | kubernetes-ca | | server | `<hostname>`, `<Host_IP>`, `<advertise_IP>`, `[1]` |
163+
| kube-apiserver-kubelet-client | kubernetes-ca | system:masters | client | |
164+
| front-proxy-client | kubernetes-front-proxy-ca | | client | |
165+
-->
166+
| 默认 CN | 父级 CA | O (位于 Subject 中) | 类型 | 主机 (SAN) |
158167
|-------------------------------|---------------------------|----------------|----------------------------------------|---------------------------------------------|
159168
| kube-etcd | etcd-ca | | server, client | `<hostname>`, `<Host_IP>`, `localhost`, `127.0.0.1` |
160169
| kube-etcd-peer | etcd-ca | | server, client | `<hostname>`, `<Host_IP>`, `localhost`, `127.0.0.1` |
@@ -165,7 +174,8 @@ Required certificates:
165174
| front-proxy-client | kubernetes-front-proxy-ca | | client | |
166175

167176
<!--
168-
[1]: any other IP or DNS name you contact your cluster on (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/) the load balancer stable IP and/or DNS name, `kubernetes`, `kubernetes.default`, `kubernetes.default.svc`,
177+
[1]: any other IP or DNS name you contact your cluster on (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/)
178+
the load balancer stable IP and/or DNS name, `kubernetes`, `kubernetes.default`, `kubernetes.default.svc`,
169179
`kubernetes.default.svc.cluster`, `kubernetes.default.svc.cluster.local`)
170180
171181
where `kind` maps to one or more of the [x509 key usage](https://pkg.go.dev/k8s.io/api/certificates/v1beta1#KeyUsage) types:
@@ -213,12 +223,32 @@ For kubeadm users only:
213223
<!--
214224
### Certificate paths
215225
216-
Certificates should be placed in a recommended path (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/)). Paths should be specified using the given argument regardless of location.
226+
Certificates should be placed in a recommended path (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/)).
227+
Paths should be specified using the given argument regardless of location.
217228
-->
218-
### 证书路径
229+
### 证书路径 {#certificate-paths}
219230

220-
证书应放置在建议的路径中(以便 [kubeadm](/zh/docs/reference/setup-tools/kubeadm/)使用)。无论使用什么位置,都应使用给定的参数指定路径。
231+
证书应放置在建议的路径中(以便 [kubeadm](/zh/docs/reference/setup-tools/kubeadm/)
232+
使用)。无论使用什么位置,都应使用给定的参数指定路径。
221233

234+
<!--
235+
| Default CN | recommended key path | recommended cert path | command | key argument | cert argument |
236+
|------------------------------|------------------------------|-----------------------------|----------------|------------------------------|-------------------------------------------|
237+
| etcd-ca | etcd/ca.key | etcd/ca.crt | kube-apiserver | | --etcd-cafile |
238+
| kube-apiserver-etcd-client | apiserver-etcd-client.key | apiserver-etcd-client.crt | kube-apiserver | --etcd-keyfile | --etcd-certfile |
239+
| kubernetes-ca | ca.key | ca.crt | kube-apiserver | | --client-ca-file |
240+
| kubernetes-ca | ca.key | ca.crt | kube-controller-manager | --cluster-signing-key-file | --client-ca-file, --root-ca-file, --cluster-signing-cert-file |
241+
| kube-apiserver | apiserver.key | apiserver.crt | kube-apiserver | --tls-private-key-file | --tls-cert-file |
242+
| kube-apiserver-kubelet-client| apiserver-kubelet-client.key | apiserver-kubelet-client.crt| kube-apiserver | --kubelet-client-key | --kubelet-client-certificate |
243+
| front-proxy-ca | front-proxy-ca.key | front-proxy-ca.crt | kube-apiserver | | --requestheader-client-ca-file |
244+
| front-proxy-ca | front-proxy-ca.key | front-proxy-ca.crt | kube-controller-manager | | --requestheader-client-ca-file |
245+
| front-proxy-client | front-proxy-client.key | front-proxy-client.crt | kube-apiserver | --proxy-client-key-file | --proxy-client-cert-file |
246+
| etcd-ca | etcd/ca.key | etcd/ca.crt | etcd | | --trusted-ca-file, --peer-trusted-ca-file |
247+
| kube-etcd | etcd/server.key | etcd/server.crt | etcd | --key-file | --cert-file |
248+
| kube-etcd-peer | etcd/peer.key | etcd/peer.crt | etcd | --peer-key-file | --peer-cert-file |
249+
| etcd-ca | | etcd/ca.crt | etcdctl | | --cacert |
250+
| kube-etcd-healthcheck-client | etcd/healthcheck-client.key | etcd/healthcheck-client.crt | etcdctl | --key | --cert |
251+
-->
222252
| 默认 CN | 建议的密钥路径 | 建议的证书路径 | 命令 | 密钥参数 | 证书参数 |
223253
|------------------------------|------------------------------|-----------------------------|----------------|------------------------------|-------------------------------------------|
224254
| etcd-ca | etcd/ca.key | etcd/ca.crt | kube-apiserver | | --etcd-cafile |
@@ -241,6 +271,12 @@ Same considerations apply for the service account key pair:
241271
-->
242272
注意事项同样适用于服务帐户密钥对:
243273

274+
<!--
275+
| private key path | public key path | command | argument |
276+
|------------------------------|-----------------------------|-------------------------|--------------------------------------|
277+
| sa.key | | kube-controller-manager | --service-account-private-key-file |
278+
| | sa.pub | kube-apiserver | --service-account-key-file |
279+
-->
244280
| 私钥路径 | 公钥路径 | 命令 | 参数 |
245281
|------------------------------|-----------------------------|-------------------------|--------------------------------------|
246282
| sa.key | | kube-controller-manager | --service-account-private-key-file |
@@ -282,10 +318,18 @@ The following example illustrates the file paths [from the previous tables](/doc
282318
283319
You must manually configure these administrator account and service accounts:
284320
-->
285-
## 为用户帐户配置证书
321+
## 为用户帐户配置证书 {#configure-certificates-for-user-accounts}
286322

287323
你必须手动配置以下管理员帐户和服务帐户:
288324

325+
<!--
326+
| filename | credential name | Default CN | O (in Subject) |
327+
|-------------------------|----------------------------|--------------------------------|----------------|
328+
| admin.conf | default-admin | kubernetes-admin | system:masters |
329+
| kubelet.conf | default-auth | system:node:`<nodeName>` (see note) | system:nodes |
330+
| controller-manager.conf | default-controller-manager | system:kube-controller-manager | |
331+
| scheduler.conf | default-scheduler | system:kube-scheduler | |
332+
-->
289333
| 文件名 | 凭据名称 | 默认 CN | O (位于 Subject 中) |
290334
|-------------------------|----------------------------|--------------------------------|---------------------|
291335
| admin.conf | default-admin | kubernetes-admin | system:masters |

0 commit comments

Comments
 (0)