If the kubelet authenticates with a token, the bootstrap-kubeconfig only has to be generated once. Generate it as follows:
```bash
BOOTSTRAP_TOKEN='your_token'
HOST_NAME='node_ip'   # set by the post; not used by the commands below

# cluster entry: apiserver endpoint plus the cluster CA, embedded in the file
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=https://apiserver:port \
  --kubeconfig=bootstrap.kubeconfig

# user entry: the bootstrap token is the only credential
kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=bootstrap.kubeconfig

# context tying the two together
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig

kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
mv bootstrap.kubeconfig /etc/kubernetes/
```
Where does the token come from? I suggest creating one directly with kubeadm (`--ttl 0` makes the token non-expiring):

```bash
kubeadm token create --print-join-command --ttl 0
```
Once the kubelet starts, it sends an authentication request to the apiserver. If authentication succeeds, a kubelet configuration file, kubelet.conf, is generated automatically. If the kubelet does not specify these two parameters:

```
tlsCertFile
tlsPrivateKeyFile
```

a certificate/key pair is generated automatically by default. But if the apiserver configuration has problems, you may run into the following error:
```
kubectl logs xxxx
x509: certificate signed by unknown authority
cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs
```
What is happening is that the apiserver sends a request to the kubelet and the TLS handshake and authentication fail. In that case you may need to generate a certificate/key pair yourself and specify the kubelet's TLS parameters explicitly:
```json
// kubelet-csr.json
{
  "CN": "system:node:x.x.x.x",
  "hosts": [
    "x.x.x.x",
    "localhost",
    "127.0.0.1"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "system:nodes"
    }
  ]
}
```

```bash
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=server kubelet-csr.json | cfssljson -bare kubelet-base
```
Then point the kubelet configuration at the newly created files. As command-line flags:

```
--tls-cert-file=kubelet-base.pem --tls-private-key-file=kubelet-base-key.pem
```

or, in the kubelet configuration file, with the keys `tlsCertFile: kubelet-base.pem` and `tlsPrivateKeyFile: kubelet-base-key.pem`.
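To see why the error above appears, and to check a serving certificate before handing it to the kubelet, here is an added example that is not part of the original post. It does with openssl what the post does with cfssl: it creates a throwaway cluster CA, issues a kubelet serving certificate with the same subject and SANs as kubelet-csr.json, and then verifies the two things the apiserver checks when it dials the kubelet for `kubectl logs`: that the certificate chains to the trusted CA and that the node address appears as an IP SAN. The working directory, the CA name `kubernetes-ca` and the node IP `10.0.0.5` are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): issue a kubelet serving certificate
# with openssl instead of cfssl, then check it the way the apiserver does when it
# connects to the kubelet. Paths, CA name and node IP are constructed here.
set -eu

# make_ca DIR: create a throwaway cluster CA (ca.pem / ca-key.pem) in DIR.
make_ca() {
  local dir="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kubernetes-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca-ext.cnf"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca-key.pem" -days 365 \
    -extfile "$dir/ca-ext.cnf" -out "$dir/ca.pem" >/dev/null 2>&1
}

# make_kubelet_cert DIR NODE_IP: serving cert with the same subject and SANs as
# kubelet-csr.json (CN=system:node:<ip>, O=system:nodes, node IP + localhost SANs).
make_kubelet_cert() {
  local dir="$1" ip="$2"
  printf 'subjectAltName=IP:%s,IP:127.0.0.1,DNS:localhost\nextendedKeyUsage=serverAuth\n' \
    "$ip" > "$dir/kubelet-ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=system:nodes/CN=system:node:${ip}" \
    -keyout "$dir/kubelet-base-key.pem" -out "$dir/kubelet.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/kubelet.csr" -days 365 \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/kubelet-ext.cnf" -out "$dir/kubelet-base.pem" >/dev/null 2>&1
}

# check_kubelet_cert CERT CA NODE_IP: returns 0 only if CERT chains to CA and
# lists NODE_IP as an IP SAN. These are the two checks behind
# "certificate signed by unknown authority" and "doesn't contain any IP SANs".
check_kubelet_cert() {
  local cert="$1" ca="$2" ip="$3" text
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null)
  printf '%s\n' "$text" | grep -qE "IP Address:${ip}(,|\$)" || return 1
  return 0
}

# Stand-alone run: issue a cert for the constructed node IP and report the verdict.
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  make_ca "$work"
  make_kubelet_cert "$work" 10.0.0.5
  if check_kubelet_cert "$work/kubelet-base.pem" "$work/ca.pem" 10.0.0.5; then
    echo "kubelet-base.pem chains to the CA and carries IP SAN 10.0.0.5 (files in $work)"
  else
    echo "kubelet-base.pem would be rejected by the apiserver"
  fi
fi
```

Run it with `--demo` to produce and check a pair, or call `check_kubelet_cert` against an existing kubelet-base.pem and the cluster CA from /etc/kubernetes/pki before setting `--tls-cert-file`. The second check is the one the default self-generated kubelet certificate fails: it is signed by a key the apiserver has never seen and carries no IP SAN for the node address the apiserver connects to.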