mirrors/kubernetes-the-hard-way
1
0
Fork 0
mirror of https://github.com/kelseyhightower/kubernetes-the-hard-way.git synced 2025-12-15 17:28:58 +03:00
Code Issues Projects Releases Wiki Activity

Apply Markdown best practices (block code language specification, spacing between lines, spacing between char, ...

Browse Source
This commit is contained in:
Nemo
2020-06-20 09:24:03 +02:00
parent 0d07e90828
commit acbb8958e6
15 changed files with 193 additions and 199 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
docs/04-certificate-authority.md
View File

@@ -8,7 +8,7 @@ In this section you will provision a Certificate Authority that can be used to g
Generate the CA configuration file, certificate, and private key:
```
```bash
{
cat > ca-config.json <<EOF
@@ -53,7 +53,7 @@ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
Results:
```
```bash
ca-key.pem
ca.pem
```
@@ -66,7 +66,7 @@ In this section you will generate client and server certificates for each Kubern
Generate the `admin` client certificate and private key:
```
```bash
{
cat > admin-csr.json <<EOF
@@ -100,7 +100,7 @@ cfssl gencert \
Results:
```
```bash
admin-key.pem
admin.pem
```
@@ -111,7 +111,7 @@ Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/doc
Generate a certificate and private key for each Kubernetes worker node:
```
```bash
for instance in worker-0 worker-1 worker-2; do
cat > ${instance}-csr.json <<EOF
{
@@ -150,7 +150,7 @@ done
Results:
```
```bash
worker-0-key.pem
worker-0.pem
worker-1-key.pem
@@ -163,7 +163,7 @@ worker-2.pem
Generate the `kube-controller-manager` client certificate and private key:
```
```bash
{
cat > kube-controller-manager-csr.json <<EOF
@@ -197,17 +197,16 @@ cfssl gencert \
Results:
```
```bash
kube-controller-manager-key.pem
kube-controller-manager.pem
```
### The Kube Proxy Client Certificate
Generate the `kube-proxy` client certificate and private key:
```
```bash
{
cat > kube-proxy-csr.json <<EOF
@@ -241,7 +240,7 @@ cfssl gencert \
Results:
```
```bash
kube-proxy-key.pem
kube-proxy.pem
```
@@ -250,7 +249,7 @@ kube-proxy.pem
Generate the `kube-scheduler` client certificate and private key:
```
```bash
{
cat > kube-scheduler-csr.json <<EOF
@@ -284,19 +283,18 @@ cfssl gencert \
Results:
```
```bash
kube-scheduler-key.pem
kube-scheduler.pem
```
### The Kubernetes API Server Certificate
The `kubernetes-the-hard-way` static IP address will be included in the list of subject alternative names for the Kubernetes API Server certificate. This will ensure the certificate can be validated by remote clients.
Generate the Kubernetes API Server certificate and private key:
```
```bash
{
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
@@ -339,7 +337,7 @@ cfssl gencert \
Results:
```
```bash
kubernetes-key.pem
kubernetes.pem
```
@@ -350,7 +348,7 @@ The Kubernetes Controller Manager leverages a key pair to generate and sign serv
Generate the `service-account` certificate and private key:
```
```bash
{
cat > service-account-csr.json <<EOF
@@ -384,17 +382,16 @@ cfssl gencert \
Results:
```
```bash
service-account-key.pem
service-account.pem
```
## Distribute the Client and Server Certificates
Copy the appropriate certificates and private keys to each worker instance:
```
```bash
for instance in worker-0 worker-1 worker-2; do
gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/
done
@@ -402,7 +399,7 @@ done
Copy the appropriate certificates and private keys to each controller instance:
```
```bash
for instance in controller-0 controller-1 controller-2; do
gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
service-account-key.pem service-account.pem ${instance}:~/