## 生成API_SERVER证书
```
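#!/usr/bin/env bash
# Create the Kubernetes CA, the API server serving certificate, the
# front-proxy CA + client certificate and the service-account signing
# key pair, then stage the results under /opt/ssl/k8s.
#
# Requires cfssl, cfssljson and openssl on PATH, plus an existing
# /opt/k8s/ssl/ca-config.json that defines the "kubernetes" profile
# (it is referenced below but is not created in this section).
set -euo pipefail

readonly ssl_dir=/opt/k8s/ssl   # CSR configs and cfssl output
readonly out_dir=/opt/ssl/k8s   # where the generated material is staged

# Both directories must exist before anything is written into them; the
# service-account key below goes straight into $out_dir, so create it
# up front rather than after the fact.
mkdir -p -- "$ssl_dir" "$out_dir"

# Kubernetes CA CSR config
cat > "$ssl_dir/k8s-ca-csr.json" <<'EOF'
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "cbx",
"OU": "cbxhome"
}
]
}
EOF

# API server CSR config. "hosts" become the certificate's SANs, so every
# IP and DNS name clients use to reach the API server must be listed
# (presumably 10.10.10.230 is the node address and 10.253.0.1 the first
# service-CIDR address -- verify against the cluster configuration).
cat > "$ssl_dir/k8s_apiserver.json" <<'EOF'
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"10.10.10.230",
"10.253.0.1",
"api.k8s.cbxhome.local",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cbxhome",
"kubernetes.default.svc.cbxhome.local"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "cbx",
"OU": "cbxhome"
}
]
}
EOF

# Front-proxy CA CSR config.
# NOTE(review): this CA has the same CN ("kubernetes") as the cluster CA
# above; kubeadm gives the front-proxy CA a distinct CN so the two trust
# roots can be told apart -- consider renaming it.
cat > "$ssl_dir/front-proxy-ca-csr.json" <<'EOF'
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
}
}
EOF

# Front-proxy client CSR config. The CN is the identity the API server
# checks against its requestheader-allowed-names list.
cat > "$ssl_dir/front-proxy-client-csr.json" <<'EOF'
{
"CN": "front-proxy-client",
"key": {
"algo": "rsa",
"size": 2048
}
}
EOF

cd -- "$ssl_dir"

# Kubernetes CA certificate and private key (k8s-ca.pem / k8s-ca-key.pem)
cfssl gencert -initca "$ssl_dir/k8s-ca-csr.json" | cfssljson -bare k8s-ca

# API server certificate and private key, signed by the Kubernetes CA
cfssl gencert -ca=k8s-ca.pem -ca-key=k8s-ca-key.pem \
  -config="$ssl_dir/ca-config.json" \
  -profile=kubernetes "$ssl_dir/k8s_apiserver.json" | cfssljson -bare k8s_server

# Front-proxy CA certificate and private key
cfssl gencert -initca "$ssl_dir/front-proxy-ca-csr.json" | cfssljson -bare k8s-front-proxy-ca

# Front-proxy client certificate and private key, signed by the front-proxy CA
cfssl gencert -ca=k8s-front-proxy-ca.pem -ca-key=k8s-front-proxy-ca-key.pem \
  -config="$ssl_dir/ca-config.json" \
  -profile=kubernetes "$ssl_dir/front-proxy-client-csr.json" | cfssljson -bare k8s_front_proxy_client

# Service-account signing key pair (private key signs tokens, public
# key verifies them)
openssl genrsa -out "$out_dir/sa.key" 2048
openssl rsa -in "$out_dir/sa.key" -pubout -out "$out_dir/sa.pub"

# Stage the material generated above.
cp -- k8s-ca.pem k8s-ca-key.pem k8s_server.pem k8s_server-key.pem \
  k8s-front-proxy-ca.pem k8s_front_proxy_client.pem k8s_front_proxy_client-key.pem \
  "$out_dir/"

# NOTE(review): ca.pem/ca-key.pem and client.pem/client-key.pem are not
# produced in this section (the CA generated above is k8s-ca*); they are
# presumably output of an earlier step. Confirm they exist -- under
# `set -e` these copies abort the script if they do not.
cp -- ca-key.pem ca.pem client.pem client-key.pem "$out_dir/"

# cp recreates files with the current umask, so re-tighten every
# private key in the staging directory; they must not be world-readable.
chmod 600 -- "$out_dir"/*-key.pem "$out_dir/sa.key"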
```