③ 使用 cfssl 签发 client 证书,用于集群组件间通讯

所有组件共用同一个 client 证书,去和持有 server 证书的其他组件通讯。
PS: apiserver 拿着 client 证书,用于和 etcd、kubelet、kube-proxy 的 server 端通讯。
注意:共用一个证书意味着 client-key.pem 一旦泄露,所有使用它的组件都要一起更换证书,因此私钥只应分发到确实需要它的节点上。

[root@rstx-53 certs]# cat client-csr.json 
{
    "CN": "k8s-node",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}

生成证书

# Sign client-csr.json with the CA key pair, using the "client" profile
# from ca-config.json (the profile's usages are not shown on this page;
# confirm it is limited to client authentication).
# cfssl-json -bare writes client.pem, client-key.pem and client.csr.
# client-key.pem is the private key for CN=k8s-node: keep it readable
# only by the components that actually use it.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=client \
  client-csr.json \
  | cfssl-json -bare client

验证

[root@rstx-53 certs]# ls client*
client.csr  client-csr.json  client-key.pem  client.pem


[root@rstx-53 certs]# cfssl-certinfo -cert client.pem
{
  "subject": {
    "common_name": "k8s-node",
    "country": "CN",
    "organization": "od",
    "organizational_unit": "ops",
    "locality": "beijing",
    "province": "beijing",
    "names": [
      "CN",
      "beijing",
      "beijing",
      "od",
      "ops",
      "k8s-node"
    ]
  },
原文地址:https://www.cnblogs.com/yangtao416/p/15019268.html