Real-exam environment simulation

Install CFSSL

# Download page:
https://github.com/cloudflare/cfssl/releases

# Open the page and download the cfssl and cfssljson binaries

# Move them onto the PATH and make them executable
mv cfssl* /usr/local/bin
chmod +x /usr/local/bin/cfssl*

Generate the private key and certificate signing request (CSR)

Step-by-step generation

mkdir myCrt && cd myCrt
# Create the JSON CSR configuration file
cat > csr_config.json <<EOF
{
  "hosts": [
    "wakanda.local",
    "wakanda.local.default.svc",
    "wakanda.local.default.svc.cluster.local",
    "wakanda.local.default.pod.cluster.local"
  ],
  "CN": "system:node:image-bouncer-webhook.default.pod.cluster.local",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "O": "system:nodes"
    }
  ]
}
EOF
# Use cfssl to generate the private key and the CSR
cfssl genkey csr_config.json > server.csr.json
# Use cfssljson to split the generated JSON into files with the prefix "server" (server-key.pem and server.csr)
cfssljson -bare server < server.csr.json

One-step generation

echo '{
  "hosts": [
    "wakanda.local",
    "wakanda.local.default.svc",
    "wakanda.local.default.svc.cluster.local",
    "wakanda.local.default.pod.cluster.local"
  ],
  "CN": "system:node:image-bouncer-webhook.default.pod.cluster.local",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "O": "system:nodes"
    }
  ]
}' | cfssl genkey - | cfssljson -bare server

Certificate operations in K8s

Create the CSR

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: wakanda.local
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
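A preflight check, added here as an example and not part of the original notes, that tests the cfssl CSR config and the usages listed in the CertificateSigningRequest against the rules the kubernetes.io/kubelet-serving signer enforces (CN prefix, O, SAN types, permitted usage sets), so a request is not silently left unsigned; the embedded config is a constructed copy of the one above.

```python
import ipaddress
import json

# Rules kube-controller-manager applies for the kubernetes.io/kubelet-serving
# signer (Kubernetes CSR docs): O exactly ["system:nodes"], CN prefixed
# "system:node:", only DNS/IP SANs, and one of two exact usage sets.
REQUIRED_ORG = ["system:nodes"]
CN_PREFIX = "system:node:"
ALLOWED_USAGE_SETS = (
    {"digital signature", "key encipherment", "server auth"},
    {"digital signature", "server auth"},
)

# Constructed sample: the cfssl CSR config from the notes, embedded inline.
CSR_CONFIG = json.loads("""
{
  "hosts": ["wakanda.local", "wakanda.local.default.svc.cluster.local"],
  "CN": "system:node:image-bouncer-webhook.default.pod.cluster.local",
  "key": {"algo": "ecdsa", "size": 256},
  "names": [{"O": "system:nodes"}]
}
""")


def _san_kind(host):
    """Classify a cfssl 'hosts' entry the way it ends up in the CSR's SAN."""
    if "@" in host:
        return "email"
    if "://" in host:
        return "uri"
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "dns"


def check_kubelet_serving_csr(config, usages):
    """Return a list of problems; an empty list means the signer will accept it."""
    problems = []
    if not config.get("CN", "").startswith(CN_PREFIX):
        problems.append(f"CN must start with {CN_PREFIX!r}")
    orgs = [n["O"] for n in config.get("names", []) if "O" in n]
    if orgs != REQUIRED_ORG:
        problems.append(f"O must be exactly {REQUIRED_ORG}, got {orgs}")
    hosts = config.get("hosts", [])
    if not hosts:
        problems.append("at least one DNS or IP SAN is required")
    for host in hosts:
        kind = _san_kind(host)
        if kind not in ("dns", "ip"):
            problems.append(f"unsupported SAN kind {kind!r} for {host!r}")
    if set(usages) not in ALLOWED_USAGE_SETS:
        problems.append(f"usages {sorted(usages)} not permitted for kubelet-serving")
    return problems
```

Run it on csr_config.json and the usages from the CSR manifest before `kubectl apply`; a non-empty result explains why `kubectl get csr` would later show the request approved but never issued.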

Approve the certificate

kubectl get csr

kubectl certificate approve wakanda.local

Export the certificate

kubectl get csr wakanda.local -o jsonpath='{.status.certificate}' | base64 --decode > server.crt

Place the certificate in the K8s pki directory

cp server.crt /etc/kubernetes/pki/

Configure hosts

echo "127.0.0.1 wakanda.local" >> /etc/hosts

cat /etc/hosts

Create the admission controller configuration files

mkdir -p /etc/kubernetes/epconfig/

vim /etc/kubernetes/epconfig/admission_configuration.json
{
  "imagePolicy": {
    "kubeConfigFile": "/etc/kubernetes/epconfig/kubeconfig.yaml",
    "allowTTL": 50,
    "denyTTL": 50,
    "retryBackoff": 500,
    "defaultAllow": true
  }
}

vim /etc/kubernetes/epconfig/kubeconfig.yaml
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/server.crt
    server:
  name: bouncer_webhook
contexts:
- context:
    cluster: bouncer_webhook
    user: api-server
  name: bouncer_validator
current-context: bouncer_validator
preferences: {}
users:
- name: api-server
  user:
    client-certificate: /etc/kubernetes/pki/apiserver.crt
    client-key: /etc/kubernetes/pki/apiserver.key
