k3s-cert
K3s certificates
The K3s root CA certificate is valid for 10 years by default, and the certificates it signs are valid for 1 year by default. K3s must be restarted within the 90 days before a certificate expires; on restart the certificates are rotated automatically.
Reference documentation:
I. Manually rotating certificates
1. Check certificate validity
# server
for i in /var/lib/rancher/k3s/server/tls/*.crt; do echo "$i"; openssl x509 -enddate -noout -in "$i"; done
# agent
for i in /var/lib/rancher/k3s/agent/*.crt; do echo "$i"; openssl x509 -enddate -noout -in "$i"; done
2. Set the environment variable
echo CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS="3600" >> /etc/default/k3s
3. Rotate the certificates
Server:
# Stop K3s
systemctl stop k3s
# Rotate the certificates
k3s certificate rotate
# Start K3s
systemctl start k3s
Agent:
systemctl restart k3s-agent
4. Check certificate validity again
for i in /var/lib/rancher/k3s/server/tls/*.crt; do echo "$i"; openssl x509 -enddate -noout -in "$i"; done
kubectl get secret -n kube-system k3s-serving -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text | grep Not
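As an added example (not from the K3s project or this page's author), the expiry check above turned into a small script that reports every K3s certificate's remaining days, flags those inside the 90-day rotation window, and exits non-zero so it can drive cron or monitoring. It assumes GNU date (-d), openssl on PATH, and the default K3s certificate directories named above.

```sh
# Days from NOW_EPOCH until an openssl "notAfter" string such as
# "Mar  3 12:00:00 2030 GMT". Floors, so anything already past is negative.
days_between() {
  now_epoch=$1; not_after=$2
  end_epoch=$(date -u -d "$not_after" +%s) || return 1
  secs=$((end_epoch - now_epoch))
  days=$((secs / 86400))
  # shell division truncates toward zero; adjust to a true floor for negatives
  [ "$secs" -lt 0 ] && [ $((secs % 86400)) -ne 0 ] && days=$((days - 1))
  echo "$days"
}

# Classify remaining days against the rotation window (90 days by default,
# matching the K3s behaviour described on this page).
expiry_status() {
  days=$1; window=${2:-90}
  if [ "$days" -lt 0 ]; then echo EXPIRED
  elif [ "$days" -le "$window" ]; then echo RENEW
  else echo OK
  fi
}

# Print "STATUS DAYS PATH" for each server and agent certificate.
# Returns 1 if any certificate is expired, unreadable, or inside the window.
check_k3s_certs() {
  window=${1:-90}; rc=0
  now=$(date -u +%s)
  for crt in /var/lib/rancher/k3s/server/tls/*.crt \
             /var/lib/rancher/k3s/agent/*.crt; do
    [ -f "$crt" ] || continue
    not_after=$(openssl x509 -enddate -noout -in "$crt" | sed 's/^notAfter=//')
    if ! days=$(days_between "$now" "$not_after"); then
      echo "ERROR     ? $crt"; rc=1; continue
    fi
    status=$(expiry_status "$days" "$window")
    [ "$status" = OK ] || rc=1
    printf '%-8s %5d %s\n' "$status" "$days" "$crt"
  done
  return $rc
}

# Usage: source this file, or append "check_k3s_certs 90" to run it directly.
```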
II. Modifying the source code
K3s uses the dynamiclistener library to generate its certificates; the source can be modified to issue 100-year certificates.
III. Custom certificates
K3s officially provides a script for creating the certificates before the cluster is created.
wget https://raw.githubusercontent.com/k3s-io/k3s/master/contrib/util/generate-custom-ca-certs.sh
sed -ri 's/7300/36500/g' generate-custom-ca-certs.sh
sed -ri 's/3700/36500/g' generate-custom-ca-certs.sh
echo CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS="36500" > /etc/default/k3s
bash generate-custom-ca-certs.sh
curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn INSTALL_K3S_EXEC="--disable=traefik --disable=servicelb --kube-proxy-arg proxy-mode=ipvs --write-kubeconfig ~/.kube/config --write-kubeconfig-mode 644 " sh -s - --docker
Check:
for i in `ls /var/lib/rancher/k3s/server/tls/*.crt`; do echo $i; openssl x509 -enddate -noout -in $i; done
kubectl get secret -n kube-system k3s-serving -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text | grep Not
IV. RBAC management
1. Create a key and a certificate signing request
[root@dev ~]# openssl genrsa -out dev.key 2048
[root@dev ~]# openssl req -new -key dev.key -out dev.csr -subj "/CN=dev/O=dev"
2. Create the CSR object and request signing
[root@dev ~]# cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: dev
spec:
  groups:
  - system:authenticated
  request: $(cat dev.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
[root@dev ~]# kubectl get csr
[root@dev ~]# kubectl certificate approve dev
[root@dev ~]# kubectl get csr dev -o jsonpath='{.status.certificate}' | base64 -d > dev.crt
3. Create a kubeconfig for the certificate
# Copy the current kubeconfig to use as a template
[root@dev ~]# cp ~/.kube/config local-config
[root@dev ~]# kubectl config set-credentials default --client-key=dev.key --client-certificate=dev.crt --embed-certs=true --kubeconfig=local-config
[root@dev ~]# kubectl config set-context default --cluster=default --user=default --kubeconfig=local-config
The certificate is valid for one year by default.
4. RBAC configuration
https://github.com/serialt/terraform-module-k8s-rbac
RBAC (for testing)
[root@dev ~]# cat > rbac.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: dev
rules:
- apiGroups: [""] # core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev
  namespace: default # grants access in the default namespace
subjects:
- kind: User
  name: dev # binds the dev user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev # binds the Role
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f rbac.yaml
[root@dev ~]# export KUBECONFIG=local-config
[root@dev ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-deployment-6587ffc4b-ws4hm 1/1 Running 2 27d
myapp-deployment-6587ffc4b-zx8g2 1/1 Running 1 27d
[root@master-01 user]# kubectl get ns
Error from server (Forbidden): namespaces is forbidden: User "dev" cannot list resource "namespaces" in API group "" at the cluster scope
[root@dev ~]# kubectl get svc
Error from server (Forbidden): services is forbidden: User "dev" cannot list resource "services" in API group "" in the namespace "default"