真题环境模拟

安装 CFSSL

# 下载地址：
https://github.com/cloudflare/cfssl/releases

# 访问页面并下载 cfssl 和 cfssljson

# 授权
mv cfssl* /usr/local/bin
chmod +x /usr/local/bin/cfssl*

生成私钥和证书签名请求 (CSR)

分步骤生成

mkdir myCrt && cd myCrt

# 创建 JSON 配置文件
cat > csr_config.json <<EOF
{
  "hosts": [
    "wakanda.local",
    "wakanda.local.default.svc",
    "wakanda.local.default.svc.cluster.local",
    "wakanda.local.default.pod.cluster.local"
  ],
  "CN": "system:node:image-bouncer-webhook.default.pod.cluster.local",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "O": "system:nodes"
    }
  ]
}
EOF

# 使用 CFSSL 生成私钥和 CSR
cfssl genkey csr_config.json > server.csr.json

# 使用 CFSSLJSON 解析生成的 JSON 文件，前缀为 server
cfssljson -bare server < server.csr.json

一步生成

echo '{
  "hosts": [
    "wakanda.local",
    "wakanda.local.default.svc",
    "wakanda.local.default.svc.cluster.local",
    "wakanda.local.default.pod.cluster.local"
  ],
  "CN": "system:node:image-bouncer-webhook.default.pod.cluster.local",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "O": "system:nodes"
    }
  ]
}' | cfssl genkey - | cfssljson -bare server

K8s 操作证书

创建 CSR

cat <<EOF | kubectl apply -f - 
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: wakanda.local
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment

  - server auth
EOF

批准证书

kubectl get csr

kubectl certificate approve wakanda.local

导出证书

kubectl get csr wakanda.local -o jsonpath='{.status.certificate}' | base64 --decode > server.crt

将证书放置 K8s pki 目录

cp server.crt /etc/kubernetes/pki/

配置 hosts

echo "127.0.0.1 wakanda.local" >> /etc/hosts

cat /etc/hosts

创建准入控制器的配置文件

mkdir -p /etc/kubernetes/epconfig/

vim /etc/kubernetes/epconfig/admission_configuration.json
{
  "imagePolicy": {
    "kubeConfigFile": "/etc/kubernetes/epconfig/kubeconfig.yaml",
    "allowTTL": 50,
    "denyTTL": 50,
    "retryBackoff": 500,
    "defaultAllow": true
  }
}

vim /etc/kubernetes/epconfig/kubeconfig.yaml
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/server.crt
    server:
  name: bouncer_webhook
contexts:
- context:
    cluster: bouncer_webhook
    user: api-server
  name: bouncer_validator
current-context: bouncer_validator
preferences: {}
users:
- name: api-server
  user:
    client-certificate: /etc/kubernetes/pki/apiserver.crt
    client-key: /etc/kubernetes/pki/apiserver.key

Previous真题解析

Last updated 1 year ago

hashtag安装 CFSSL

hashtag生成私钥和证书签名请求 (CSR)

hashtag分步骤生成

hashtag一步生成

hashtagK8s 操作证书

hashtag创建 CSR

hashtag批准证书

hashtag导出证书

hashtag将证书放置 K8s pki 目录

hashtag配置 hosts

安装 CFSSL

生成私钥和证书签名请求 (CSR)

分步骤生成

一步生成

K8s 操作证书

创建 CSR

批准证书

导出证书

将证书放置 K8s pki 目录

配置 hosts