1.安装 CFSSL
[root@master01 ~]# chmod +x cfssl*
[root@master01 ~]# mv cfssl-certinfo_linux-amd64 /opt/kubernetes/bin/cfssl-certinfo
[root@master01 ~]# mv cfssljson_linux-amd64 /opt/kubernetes/bin/cfssljson
[root@master01 ~]# mv cfssl_linux-amd64 /opt/kubernetes/bin/cfssl
2.初始化cfssl
[root@master01 ~]# mkdir ssl && cd ssl
[root@master01 ~]# cfssl print-defaults config > ca-config.json
[root@master01 ~]# cfssl print-defaults csr > ca-csr.json
3.创建用来生成 CA 文件的 JSON 配置文件
[root@master01 ~]# vim ca-config.json
{ "signing": { "default": {
"expiry": "26280h"
}, "profiles": { "kubernetes": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ],
"expiry": "26280h"
} } } }
4.创建用来生成 CA 证书签名请求(CSR)的 JSON 配置文件
[root@master01 ~]# vim ca-csr.json
{ "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "ShenZheng", "L": "ShenZheng", "O": "k8s", "OU": "System" } ] }
5.生成CA证书(ca.pem)和CA私钥(ca-key.pem)
[root@master01 ~]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@master01 ssl]# ls -l ca*
-rw-r--r-- 1 root root  292 Oct 25 15:08 ca-config.json
-rw-r--r-- 1 root root 1005 Oct 25 15:10 ca.csr
-rw-r--r-- 1 root root  212 Oct 25 15:10 ca-csr.json
-rw------- 1 root root 1675 Oct 25 15:10 ca-key.pem
-rw-r--r-- 1 root root 1371 Oct 25 15:10 ca.pem
6.分发证书
# cp ca.csr ca.pem ca-key.pem ca-config.json /opt/kubernetes/ssl
SCP证书到各节点（注意：ca-key.pem 是 CA 私钥，只有需要用它签发证书的主机才需要它；其余节点只分发 ca.pem 即可，并保持 ca-key.pem 的 0600 权限）
# scp ca.csr ca.pem ca-key.pem ca-config.json master02:/opt/kubernetes/ssl
# scp ca.csr ca.pem ca-key.pem ca-config.json node01:/opt/kubernetes/ssl
# scp ca.csr ca.pem ca-key.pem ca-config.json node02:/opt/kubernetes/ssl
# scp ca.csr ca.pem ca-key.pem ca-config.json node03:/opt/kubernetes/ssl