Manage TLS Certificates in a Cluster


2023-03-26 18:39 | Source: web compilation | Views: 265


Kubernetes provides a certificates.k8s.io API, which lets you provision TLS certificates signed by a Certificate Authority (CA) that you control. This CA and these certificates can be used by your workloads to establish trust.

The certificates.k8s.io API uses a protocol that is similar to the ACME draft.

Note: Certificates created using the certificates.k8s.io API are signed by a dedicated CA. It is possible to configure your cluster to use the cluster root CA for this purpose, but you should never rely on this. Do not assume that these certificates will validate against the cluster root CA.

Before you begin

You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

Killercoda
Play with Kubernetes

You need the cfssl tool. You can download cfssl from https://github.com/cloudflare/cfssl/releases.

Some steps in this page use the jq tool. If you don't have jq, you can install it via your operating system's software sources, or fetch it from https://stedolan.github.io/jq/.

Trusting TLS in a cluster

Trusting the custom CA from an application running as a pod usually requires some extra application configuration. You will need to add the CA certificate bundle to the list of CA certificates that the TLS client or server trusts. For example, you would do this with a golang TLS config by parsing the certificate chain and adding the parsed certificates to the RootCAs field in the tls.Config struct.

Note:

Even though the custom CA certificate may be included in the filesystem (in the ConfigMap kube-root-ca.crt), you should not use that certificate authority for any purpose other than to verify internal Kubernetes endpoints. An example of an internal Kubernetes endpoint is the Service named kubernetes in the default namespace.

If you want to use a custom certificate authority for your workloads, you should generate that CA separately, and distribute its CA certificate using a ConfigMap that your pods have access to read.

Requesting a certificate

The following section demonstrates how to create a TLS certificate for a Kubernetes service accessed through DNS.

Note: This tutorial uses CFSSL, Cloudflare's PKI and TLS toolkit.

Create a certificate signing request

Generate a private key and certificate signing request (or CSR) by running the following command:

cat

