206 lines
5.7 KiB
Plaintext
206 lines
5.7 KiB
Plaintext
[req]
|
|
distinguished_name = req_distinguished_name
|
|
prompt = no
|
|
x509_extensions = ca_x509_extensions
|
|
|
|
[ca_x509_extensions]
|
|
basicConstraints = CA:TRUE
|
|
keyUsage = cRLSign, keyCertSign
|
|
|
|
[req_distinguished_name]
|
|
C = US
|
|
ST = Washington
|
|
L = Seattle
|
|
CN = CA
|
|
|
|
[admin]
|
|
distinguished_name = admin_distinguished_name
|
|
prompt = no
|
|
req_extensions = default_req_extensions
|
|
|
|
[admin_distinguished_name]
|
|
CN = admin
|
|
O = system:masters
|
|
|
|
# Service Accounts
|
|
#
|
|
# The Kubernetes Controller Manager leverages a key pair to generate
|
|
# and sign service account tokens as described in the
|
|
# [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/)
|
|
# documentation.
|
|
|
|
[service-accounts]
|
|
distinguished_name = service-accounts_distinguished_name
|
|
prompt = no
|
|
req_extensions = default_req_extensions
|
|
|
|
[service-accounts_distinguished_name]
|
|
CN = service-accounts
|
|
|
|
# Worker Nodes
|
|
#
|
|
# Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/)
|
|
# called Node Authorizer, that specifically authorizes API requests made
|
|
# by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet).
|
|
# In order to be authorized by the Node Authorizer, Kubelets must use a credential
|
|
# that identifies them as being in the `system:nodes` group, with a username
|
|
# of `system:node:<nodeName>`.
|
|
|
|
[node-0]
|
|
distinguished_name = node-0_distinguished_name
|
|
prompt = no
|
|
req_extensions = node-0_req_extensions
|
|
|
|
[node-0_req_extensions]
|
|
basicConstraints = CA:FALSE
|
|
extendedKeyUsage = clientAuth, serverAuth
|
|
keyUsage = critical, digitalSignature, keyEncipherment
|
|
nsCertType = client
|
|
nsComment = "Node-0 Certificate"
|
|
subjectAltName = DNS:node-0, IP:127.0.0.1
|
|
subjectKeyIdentifier = hash
|
|
|
|
[node-0_distinguished_name]
|
|
CN = system:node:node-0
|
|
O = system:nodes
|
|
C = US
|
|
ST = Washington
|
|
L = Seattle
|
|
|
|
[node-1]
|
|
distinguished_name = node-1_distinguished_name
|
|
prompt = no
|
|
req_extensions = node-1_req_extensions
|
|
|
|
[node-1_req_extensions]
|
|
basicConstraints = CA:FALSE
|
|
extendedKeyUsage = clientAuth, serverAuth
|
|
keyUsage = critical, digitalSignature, keyEncipherment
|
|
nsCertType = client
|
|
nsComment = "Node-1 Certificate"
|
|
subjectAltName = DNS:node-1, IP:127.0.0.1
|
|
subjectKeyIdentifier = hash
|
|
|
|
[node-1_distinguished_name]
|
|
CN = system:node:node-1
|
|
O = system:nodes
|
|
C = US
|
|
ST = Washington
|
|
L = Seattle
|
|
|
|
|
|
# Kube Proxy Section
|
|
[kube-proxy]
|
|
distinguished_name = kube-proxy_distinguished_name
|
|
prompt = no
|
|
req_extensions = kube-proxy_req_extensions
|
|
|
|
[kube-proxy_req_extensions]
|
|
basicConstraints = CA:FALSE
|
|
extendedKeyUsage = clientAuth, serverAuth
|
|
keyUsage = critical, digitalSignature, keyEncipherment
|
|
nsCertType = client
|
|
nsComment = "Kube Proxy Certificate"
|
|
subjectAltName = DNS:kube-proxy, IP:127.0.0.1
|
|
subjectKeyIdentifier = hash
|
|
|
|
[kube-proxy_distinguished_name]
|
|
CN = system:kube-proxy
|
|
O = system:node-proxier
|
|
C = US
|
|
ST = Washington
|
|
L = Seattle
|
|
|
|
|
|
# Controller Manager
|
|
[kube-controller-manager]
|
|
distinguished_name = kube-controller-manager_distinguished_name
|
|
prompt = no
|
|
req_extensions = kube-controller-manager_req_extensions
|
|
|
|
[kube-controller-manager_req_extensions]
|
|
basicConstraints = CA:FALSE
|
|
extendedKeyUsage = clientAuth, serverAuth
|
|
keyUsage = critical, digitalSignature, keyEncipherment
|
|
nsCertType = client
|
|
nsComment = "Kube Controller Manager Certificate"
|
|
subjectAltName = DNS:kube-proxy, IP:127.0.0.1
|
|
subjectKeyIdentifier = hash
|
|
|
|
[kube-controller-manager_distinguished_name]
|
|
CN = system:kube-controller-manager
|
|
O = system:kube-controller-manager
|
|
C = US
|
|
ST = Washington
|
|
L = Seattle
|
|
|
|
|
|
# Scheduler
|
|
[kube-scheduler]
|
|
distinguished_name = kube-scheduler_distinguished_name
|
|
prompt = no
|
|
req_extensions = kube-scheduler_req_extensions
|
|
|
|
[kube-scheduler_req_extensions]
|
|
basicConstraints = CA:FALSE
|
|
extendedKeyUsage = clientAuth, serverAuth
|
|
keyUsage = critical, digitalSignature, keyEncipherment
|
|
nsCertType = client
|
|
nsComment = "Kube Scheduler Certificate"
|
|
subjectAltName = DNS:kube-scheduler, IP:127.0.0.1
|
|
subjectKeyIdentifier = hash
|
|
|
|
[kube-scheduler_distinguished_name]
|
|
CN = system:kube-scheduler
|
|
O = system:system:kube-scheduler
|
|
C = US
|
|
ST = Washington
|
|
L = Seattle
|
|
|
|
|
|
# API Server
|
|
#
|
|
# The Kubernetes API server is automatically assigned the `kubernetes`
|
|
# internal dns name, which will be linked to the first IP address (`10.32.0.1`)
|
|
# from the address range (`10.32.0.0/24`) reserved for internal cluster
|
|
# services.
|
|
|
|
[kube-api-server]
|
|
distinguished_name = kube-api-server_distinguished_name
|
|
prompt = no
|
|
req_extensions = kube-api-server_req_extensions
|
|
|
|
[kube-api-server_req_extensions]
|
|
basicConstraints = CA:FALSE
|
|
extendedKeyUsage = clientAuth, serverAuth
|
|
keyUsage = critical, digitalSignature, keyEncipherment
|
|
nsCertType = client
|
|
nsComment = "Kube Scheduler Certificate"
|
|
subjectAltName = @kube-api-server_alt_names
|
|
subjectKeyIdentifier = hash
|
|
|
|
[kube-api-server_alt_names]
|
|
IP.0 = 127.0.0.1
|
|
IP.1 = 10.32.0.1
|
|
DNS.0 = kubernetes
|
|
DNS.1 = kubernetes.default
|
|
DNS.2 = kubernetes.default.svc
|
|
DNS.3 = kubernetes.default.svc.cluster
|
|
DNS.4 = kubernetes.svc.cluster.local
|
|
DNS.5 = server.kubernetes.local
|
|
DNS.6 = api-server.kubernetes.local
|
|
|
|
[kube-api-server_distinguished_name]
|
|
CN = kubernetes
|
|
C = US
|
|
ST = Washington
|
|
L = Seattle
|
|
|
|
|
|
[default_req_extensions]
|
|
basicConstraints = CA:FALSE
|
|
extendedKeyUsage = clientAuth
|
|
keyUsage = critical, digitalSignature, keyEncipherment
|
|
nsCertType = client
|
|
nsComment = "Admin Client Certificate"
|
|
subjectKeyIdentifier = hash |