mirrors/kubernetes-the-hard-way
1
0
Fork 0
mirror of https://github.com/kelseyhightower/kubernetes-the-hard-way.git synced 2025-12-15 17:28:58 +03:00
Code Issues Projects Releases Wiki Activity

update docs

Browse Source
This commit is contained in:
Kelsey Hightower
2018-05-12 21:47:31 +00:00
parent 2958e721cd
commit 997d905b3d
4 changed files with 192 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
docs/04-certificate-authority.md
View File

@@ -163,6 +163,50 @@ worker-2-key.pem
worker-2.pem
```
### The kube-controller-manager Client Certificate
Create the `kube-controller-manager` client certificate signing request:
```
cat > kube-controller-manager-csr.json <<EOF
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:kube-controller-manager",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
```
Generate the `kube-controller-manager` client certificate and private key:
```
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
```
Results:
```
kube-controller-manager-key.pem
kube-controller-manager.pem
```
### The kube-proxy Client Certificate
Create the `kube-proxy` client certificate signing request:
@@ -206,6 +250,50 @@ kube-proxy-key.pem
kube-proxy.pem
```
### The kube-scheduler Client Certificate
Create the `kube-scheduler` client certificate signing request:
```
cat > kube-scheduler-csr.json <<EOF
{
"CN": "system:kube-scheduler",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:kube-scheduler",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
```
Generate the `kube-scheduler` client certificate and private key:
```
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-scheduler-csr.json | cfssljson -bare kube-scheduler
```
Results:
```
kube-scheduler-key.pem
kube-scheduler.pem
```
### The Kubernetes API Server Certificate
The `kubernetes-the-hard-way` static IP address will be included in the list of subject alternative names for the Kubernetes API Server certificate. This will ensure the certificate can be validated by remote clients.
@@ -278,6 +366,6 @@ for instance in controller-0 controller-1 controller-2; do
done
```
> The `kube-proxy` and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.
> The `kube-proxy`, `kube-controller-manager`, `kube-scheduler`, and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.
Next: [Generating Kubernetes Configuration Files for Authentication](05-kubernetes-configuration-files.md)