Introduction to generating Kubernetes certificates using OpenSSL

Kubernetes supports three types of authentication: Base authentication, Token authentication, and CA authentication. This article is used to record the simplest commands required for CA authentication.

Kubernetes composition

The tested version is 1.10, but it is not limited to this version. It is a common method for OpenSSL certificates.

Required certificates

The required certificate-related documents are as follows:

CA Certificate

CA certificate private key

Command: openssl genrsa -out ca.key 2048

[root@host121 k8scert]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
........................................................+++
..................+++
e is 65537 (0x10001)
[root@host121 k8scert]#

CA Certificate

Command: openssl genrsa -out ca.key 2048

[root@host121 k8scert]# openssl req -x509 -new -nodes -key ca.key -subj "/CN=host121" -days 5000 -out ca.crt
[root@host121 k8scert]# ls
archive ca.crt ca.key
[root@host121 k8scert]#

XXX certificate

The certificates required by apiserver/ControllerManager/kublet can be created as follows

Certificate private key

Command: openssl genrsa -out server.key 2048

[root@host121 k8scert]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
........................................................................+++
e is 65537 (0x10001)
[root@host121 k8scert]#

Certificate Signing Request File

Command: openssl req -new -key server.key -subj "/CN=host121" -out server.csr

[root@host121 k8scert]# openssl req -new -key server.key -subj "/CN=host121" -out server.csr
[root@host121 k8scert]#

The subject information set in subj is the user's own data. Generally, CN is set to the domain name/machine name/or IP name. For example, kubelet can be the IP of the node where it is located.

Certificate

Command: openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 5000

[root@host121 k8scert]# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 5000
Signature ok
subject=/CN=host121
Getting CA Private Key
[root@host121 k8scert]#

Summarize

The above is the full content of this article. I hope that the content of this article will have certain reference learning value for your study or work. Thank you for your support of 123WORDPRESS.COM. If you want to learn more about this, please check out the following links