K8S入门学习的难点是集群搭建,集群搭建的难点是tls证书
Kubeadm 部署的集群证书默认是一年,所以在证书到期之前需要进行手动更新(生产环境这样可能有风险)
这里我把证书生成的过程全部用脚本自动生成,默认有效期10年,希望能帮助各位快速入门。
参考的官网文档(官方文档是最权威,也是最原滋原味的解释,希望你先理解下面3个链接内容,也都是中文的,还有疑问可以私信我)
ansible_k8s]# ansible-playbook -i example/hosts.multi-node 02.cert.yml
PLAY [localhost] ********************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : Install cfssl] ********************************************************************************************************************************************
ok: [localhost] => (item=cfssl)
ok: [localhost] => (item=cfssljson)
TASK [cert : Create Local SSL Directory] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : Create Etcd CA config] ********************************************************************************************************************************************
ok: [localhost] => (item=etcd)
TASK [cert : Create Etcd CA CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=EtcdCA)
TASK [cert : Create etcd-ca.pem] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : Create etcd-server CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=192.168.36.153)
ok: [localhost] => (item=192.168.36.154)
ok: [localhost] => (item=192.168.36.155)
TASK [cert : Create etcd-server.pem] ********************************************************************************************************************************************
ok: [localhost] => (item=192.168.36.153)
ok: [localhost] => (item=192.168.36.154)
ok: [localhost] => (item=192.168.36.155)
TASK [cert : Create etcd-client CSR] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : Create etcd-client.pem] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : chmod 0644 pem] ********************************************************************************************************************************************
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-ca.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-ca-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-server-192.168.36.153.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-server-192.168.36.153-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-server-192.168.36.154.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-server-192.168.36.154-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-server-192.168.36.155.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-server-192.168.36.155-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-client.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-client-key.pem)
TASK [cert : Create Local SSL Directory] ********************************************************************************************************************************************
ok: [localhost] => (item=kubernetes)
ok: [localhost] => (item=front-proxy)
TASK [cert : Create Control-plane CA config] ********************************************************************************************************************************************
ok: [localhost] => (item=kubernetes)
ok: [localhost] => (item=front-proxy)
TASK [cert : Create kubernetes-ca CA CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=KubernetesCA)
TASK [cert : Create kubernetes-front-proxy-ca CA CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=KubernetesFrontProxyCA)
TASK [cert : Create kubernetes ca.pem] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : Create front-proxy-ca.pem] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : Create front-proxy-client CSR] ********************************************************************************************************************************************
ok: [localhost] => (item={u'cn': u'front-proxy-client', u'file': u'front-proxy-client-csr.json'})
TASK [cert : Create front-proxy-client.pem] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : Create kube-apiserver CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=192.168.36.151)
ok: [localhost] => (item=192.168.36.152)
TASK [Create kube-apiserver cert] ********************************************************************************************************************************************
ok: [localhost] => (item=192.168.36.151)
ok: [localhost] => (item=192.168.36.152)
TASK [cert : Create kube-scheduler / kube-controller-manager / apiserver-kubelet-client CSR] *****************************************************************************************************
ok: [localhost] => (item={u'cn': u'system:kube-scheduler', u'file': u'kube-scheduler-csr.json'})
ok: [localhost] => (item={u'cn': u'system:kube-controller-manager', u'file': u'kube-controller-manager-csr.json'})
ok: [localhost] => (item={u'group': u'system:masters', u'cn': u'apiserver-kubelet-client', u'file': u'apiserver-kubelet-client-csr.json'})
TASK [Create kube-scheduler / kube-controller-manager / apiserver-kubelet-client cert] ***********************************************************************************************************
ok: [localhost] => (item=kube-scheduler)
ok: [localhost] => (item=kube-controller-manager)
ok: [localhost] => (item=apiserver-kubelet-client)
TASK [cert : Create sa.key] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : Create sa.pub] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : chmod 0644 pem] ********************************************************************************************************************************************
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/ca.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/ca-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.151.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.151-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.152.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.152-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-scheduler.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-scheduler-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-controller-manager.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-controller-manager-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/apiserver-kubelet-client.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/apiserver-kubelet-client-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.151.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.151-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.152.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.152-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.153.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.153-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.154.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.154-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.155.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.155-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-proxy.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-proxy-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/admin.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/admin-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/front-proxy/front-proxy-ca.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/front-proxy/front-proxy-ca-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/front-proxy/front-proxy-client.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/front-proxy/front-proxy-client-key.pem)
TASK [cert : chmod sa.key] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : gather facts on kube_node hosts] ********************************************************************************************************************************************
ok: [localhost -> 192.168.36.151] => (item=192.168.36.151)
ok: [localhost -> 192.168.36.152] => (item=192.168.36.152)
ok: [localhost -> 192.168.36.153] => (item=192.168.36.153)
ok: [localhost -> 192.168.36.154] => (item=192.168.36.154)
ok: [localhost -> 192.168.36.155] => (item=192.168.36.155)
TASK [cert : Create tls CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=192.168.36.151)
ok: [localhost] => (item=192.168.36.152)
ok: [localhost] => (item=192.168.36.153)
ok: [localhost] => (item=192.168.36.154)
ok: [localhost] => (item=192.168.36.155)
TASK [cert : Create tls.pem] ********************************************************************************************************************************************
ok: [localhost] => (item=192.168.36.151)
ok: [localhost] => (item=192.168.36.152)
ok: [localhost] => (item=192.168.36.153)
ok: [localhost] => (item=192.168.36.154)
ok: [localhost] => (item=192.168.36.155)
TASK [cert : Create kube-proxy CSR] ********************************************************************************************************************************************
ok: [localhost] => (item={u'cn': u'system:kube-proxy', u'file': u'kube-proxy-csr.json'})
TASK [cert : Create kube-proxy.pem] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : chmod 0644 pem] ********************************************************************************************************************************************
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/ca.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/ca-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.151.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.151-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.152.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.152-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-scheduler.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-scheduler-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-controller-manager.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-controller-manager-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/apiserver-kubelet-client.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/apiserver-kubelet-client-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.151.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.151-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.152.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.152-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.153.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.153-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.154.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.154-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.155.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.155-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-proxy.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-proxy-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/admin.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/admin-key.pem)
TASK [cert : Create admin CSR] ********************************************************************************************************************************************
ok: [localhost] => (item={u'group': u'system:masters', u'cn': u'admin', u'file': u'admin-csr.json'})
TASK [cert : Create admin.pem] ********************************************************************************************************************************************
ok: [localhost] => (item={u'cn': u'admin', u'file': u'admin-csr.json'})
TASK [cert : chmod 0644 pem] ********************************************************************************************************************************************
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/ca.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/ca-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.151.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.151-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.152.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.152-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-scheduler.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-scheduler-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-controller-manager.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-controller-manager-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/apiserver-kubelet-client.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/apiserver-kubelet-client-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.151.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.151-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.152.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.152-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.153.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.153-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.154.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.154-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.155.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.155-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-proxy.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-proxy-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/admin.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/admin-key.pem)
TASK [cert : Create Local SSL Directory] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : Create metrics-server CA config] ********************************************************************************************************************************************
ok: [localhost] => (item=metrics-server)
TASK [cert : Create metrics-server-ca CA CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=MetricsServerCA)
TASK [cert : Create metrics-server-ca.pem] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : Create metrics-server CSR] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : Create metrics-server.pem] ********************************************************************************************************************************************
ok: [localhost]
TASK [cert : chmod 0644 pem] ********************************************************************************************************************************************
ok: [localhost] => (item=/root/k8s-ansible/example/pki/metrics-server/metrics-server-ca.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/metrics-server/metrics-server-ca-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/metrics-server/metrics-server.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/metrics-server/metrics-server-key.pem)
PLAY RECAP ********************************************************************************************************************************************
localhost : ok=43 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
ansible_k8s]# tree example/pki/
example/pki/
├── etcd
│?? ├── ca-config.json
│?? ├── ca-csr.json
│?? ├── etcd-ca.csr
│?? ├── etcd-ca-key.pem
│?? ├── etcd-ca.pem
│?? ├── etcd-client.csr
│?? ├── etcd-client-csr.json
│?? ├── etcd-client-key.pem
│?? ├── etcd-client.pem
│?? ├── etcd-server-192.168.36.153.csr
│?? ├── etcd-server-192.168.36.153-key.pem
│?? ├── etcd-server-192.168.36.153.pem
│?? ├── etcd-server-192.168.36.154.csr
│?? ├── etcd-server-192.168.36.154-key.pem
│?? ├── etcd-server-192.168.36.154.pem
│?? ├── etcd-server-192.168.36.155.csr
│?? ├── etcd-server-192.168.36.155-key.pem
│?? ├── etcd-server-192.168.36.155.pem
│?? ├── etcd-server-csr-192.168.36.153.json
│?? ├── etcd-server-csr-192.168.36.154.json
│?? └── etcd-server-csr-192.168.36.155.json
├── front-proxy
│?? ├── ca-config.json
│?? ├── ca-csr.json
│?? ├── front-proxy-ca.csr
│?? ├── front-proxy-ca-key.pem
│?? ├── front-proxy-ca.pem
│?? ├── front-proxy-client.csr
│?? ├── front-proxy-client-csr.json
│?? ├── front-proxy-client-key.pem
│?? └── front-proxy-client.pem
├── kubernetes
│?? ├── admin.conf
│?? ├── admin.csr
│?? ├── admin-csr.json
│?? ├── admin-key.pem
│?? ├── admin-kubeconfig.sh
│?? ├── admin.pem
│?? ├── apiserver-kubelet-client.csr
│?? ├── apiserver-kubelet-client-csr.json
│?? ├── apiserver-kubelet-client-key.pem
│?? ├── apiserver-kubelet-client.pem
│?? ├── ca-config.json
│?? ├── ca.csr
│?? ├── ca-csr.json
│?? ├── ca-key.pem
│?? ├── ca.pem
│?? ├── kube-apiserver-192.168.36.151.csr
│?? ├── kube-apiserver-192.168.36.151-key.pem
│?? ├── kube-apiserver-192.168.36.151.pem
│?? ├── kube-apiserver-192.168.36.152.csr
│?? ├── kube-apiserver-192.168.36.152-key.pem
│?? ├── kube-apiserver-192.168.36.152.pem
│?? ├── kube-apiserver-csr-192.168.36.151.json
│?? ├── kube-apiserver-csr-192.168.36.152.json
│?? ├── kube-controller-manager.csr
│?? ├── kube-controller-manager-csr.json
│?? ├── kube-controller-manager-key.pem
│?? ├── kube-controller-manager.pem
│?? ├── kube-proxy.csr
│?? ├── kube-proxy-csr.json
│?? ├── kube-proxy-key.pem
│?? ├── kube-proxy.pem
│?? ├── kube-scheduler.csr
│?? ├── kube-scheduler-csr.json
│?? ├── kube-scheduler-key.pem
│?? ├── kube-scheduler.pem
│?? ├── sa.key
│?? ├── sa.pub
│?? ├── tls-192.168.36.151.csr
│?? ├── tls-192.168.36.151-key.pem
│?? ├── tls-192.168.36.151.pem
│?? ├── tls-192.168.36.152.csr
│?? ├── tls-192.168.36.152-key.pem
│?? ├── tls-192.168.36.152.pem
│?? ├── tls-192.168.36.153.csr
│?? ├── tls-192.168.36.153-key.pem
│?? ├── tls-192.168.36.153.pem
│?? ├── tls-192.168.36.154.csr
│?? ├── tls-192.168.36.154-key.pem
│?? ├── tls-192.168.36.154.pem
│?? ├── tls-192.168.36.155.csr
│?? ├── tls-192.168.36.155-key.pem
│?? ├── tls-192.168.36.155.pem
│?? ├── tls-csr-192.168.36.151.json
│?? ├── tls-csr-192.168.36.152.json
│?? ├── tls-csr-192.168.36.153.json
│?? ├── tls-csr-192.168.36.154.json
│?? └── tls-csr-192.168.36.155.json
└── metrics-server
├── ca-config.json
├── ca-csr.json
├── metrics-server-ca.csr
├── metrics-server-ca-key.pem
├── metrics-server-ca.pem
├── metrics-server.csr
├── metrics-server-csr.json
├── metrics-server-key.pem
└── metrics-server.pem
4 directories, 96 files
# 通过以下命令可查看证书的具体信息和有效期
ansible_k8s]# openssl x509 -text -in example/pki/kubernetes/ca.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
14:48:3e:0f:d2:f1:89:7c:6f:0c:26:9b:aa:04:10:04:3e:e2:b3:60
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BeiJing, L=BeiJing, OU=System, CN=KubernetesCA
Validity
Not Before: Dec 14 09:01:00 2023 GMT
Not After : Dec 11 09:01:00 2033 GMT
Subject: C=CN, ST=BeiJing, L=BeiJing, OU=System, CN=KubernetesCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:aa:36:e6:1f:c4:e7:87:76:9f:0a:1a:90:6d:ea:
86:bd:7b:e4:4b:b1:72:85:cc:a6:0e:14:05:37:c3:
77:3c:24:1f:88:97:db:c5:e2:d0:9e:40:0c:1c:51:
2a:46:24:2f:eb:98:98:81:99:68:b1:95:0a:27:08:
e8:05:5d:21:a1:db:41:b1:4e:64:44:ec:2c:43:6a:
35:6b:a9:2c:91:3c:33:ca:8b:94:65:7e:8f:a2:66:
f8:03:b1:86:76:74:c1:d8:a9:e8:49:dc:ab:37:bb:
78:64:03:db:5f:d2:12:f0:2c:59:86:6b:36:85:1a:
b5:5d:58:78:ba:8d:41:7d:75:20:fa:f4:4f:5e:a9:
b2:62:98:04:a1:75:19:cb:ed:74:9d:53:e4:e0:e8:
e4:6b:59:40:63:b4:d9:43:3d:5f:b0:4e:fa:64:8e:
61:19:19:9a:c1:8a:b7:7a:5a:ca:7d:32:f7:41:5c:
b5:ac:9e:d8:82:2a:81:10:86:a1:1c:3d:1c:b3:26:
b1:83:33:db:ce:5a:64:79:1e:a0:85:1a:85:52:40:
73:df:cc:6d:39:22:8f:76:f5:c9:6c:c1:c5:69:aa:
b3:1e:dd:dc:50:92:79:9b:58:11:47:47:59:c7:20:
8f:39:04:10:ba:31:bf:5d:e4:f4:e5:21:2d:ae:5f:
0b:51
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:2
X509v3 Subject Key Identifier:
BE:A5:B5:B1:69:11:DF:CC:90:26:7F:00:99:81:F2:60:C2:40:2D:FE
X509v3 Authority Key Identifier:
keyid:BE:A5:B5:B1:69:11:DF:CC:90:26:7F:00:99:81:F2:60:C2:40:2D:FE
Signature Algorithm: sha256WithRSAEncryption
38:70:32:93:22:7e:eb:a1:ae:a6:1f:27:e8:5a:e1:6b:62:30:
77:72:0f:53:b1:f9:aa:d5:c7:3b:1d:07:f9:46:9e:28:01:cb:
ca:d1:f1:c4:c1:ba:25:92:87:65:6c:07:b8:eb:fa:af:7a:f2:
cc:4e:25:46:c8:49:4c:28:3d:94:69:80:97:97:3d:9b:87:e1:
68:73:b4:b7:3f:5a:3d:55:d6:38:43:ac:20:e9:04:a1:94:9c:
2f:ad:94:f5:9a:76:3c:d6:c8:3d:63:9e:21:bb:58:fc:d5:14:
97:7d:08:8b:ed:df:d6:eb:8b:e3:57:e1:0a:27:de:7a:c5:1b:
89:9c:90:f5:a8:85:d5:61:3f:37:98:58:c5:b0:f3:2b:94:3c:
39:53:4d:a4:8e:bf:c7:22:4c:4d:a5:ed:c1:0f:30:26:7a:c5:
92:46:16:3f:d6:65:b0:6e:84:43:3c:37:22:5c:a9:95:ef:02:
99:c7:27:3d:23:fd:1b:3a:2a:75:e7:0b:71:65:cd:7a:8e:b1:
0f:d0:00:de:15:28:3f:41:d0:a7:3f:09:c9:1f:c4:c5:48:10:
f7:20:69:5f:f6:b6:c9:8c:7e:f9:ed:7a:de:ea:8a:38:28:92:
a8:4d:5a:1b:38:ca:fc:46:9b:c8:04:08:44:f2:3b:42:f1:28:
41:c6:d5:0a
-----BEGIN CERTIFICATE-----
MIIDpjCCAo6gAwIBAgIUFEg+D9LxiXxvDCabqgQQBD7is2AwDQYJKoZIhvcNAQEL
BQAwWTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl
aUppbmcxDzANBgNVBAsTBlN5c3RlbTEVMBMGA1UEAxMMS3ViZXJuZXRlc0NBMB4X
DTIzMTIxNDA5MDEwMFoXDTMzMTIxMTA5MDEwMFowWTELMAkGA1UEBhMCQ04xEDAO
BgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDzANBgNVBAsTBlN5c3Rl
bTEVMBMGA1UEAxMMS3ViZXJuZXRlc0NBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAqjbmH8Tnh3afChqQbeqGvXvkS7FyhcymDhQFN8N3PCQfiJfbxeLQ
nkAMHFEqRiQv65iYgZlosZUKJwjoBV0hodtBsU5kROwsQ2o1a6kskTwzyouUZX6P
omb4A7GGdnTB2KnoSdyrN7t4ZAPbX9IS8CxZhms2hRq1XVh4uo1BfXUg+vRPXqmy
YpgEoXUZy+10nVPk4Ojka1lAY7TZQz1fsE76ZI5hGRmawYq3elrKfTL3QVy1rJ7Y
giqBEIahHD0csyaxgzPbzlpkeR6ghRqFUkBz38xtOSKPdvXJbMHFaaqzHt3cUJJ5
m1gRR0dZxyCPOQQQujG/XeT05SEtrl8LUQIDAQABo2YwZDAOBgNVHQ8BAf8EBAMC
AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUvqW1sWkR38yQJn8AmYHy
YMJALf4wHwYDVR0jBBgwFoAUvqW1sWkR38yQJn8AmYHyYMJALf4wDQYJKoZIhvcN
AQELBQADggEBADhwMpMifuuhrqYfJ+ha4WtiMHdyD1Ox+arVxzsdB/lGnigBy8rR
8cTBuiWSh2VsB7jr+q968sxOJUbISUwoPZRpgJeXPZuH4WhztLc/Wj1V1jhDrCDp
BKGUnC+tlPWadjzWyD1jniG7WPzVFJd9CIvt39bri+NX4Qon3nrFG4mckPWohdVh
PzeYWMWw8yuUPDlTTaSOv8ciTE2l7cEPMCZ6xZJGFj/WZbBuhEM8NyJcqZXvApnH
Jz0j/Rs6KnXnC3FlzXqOsQ/QAN4VKD9B0Kc/CckfxMVIEPcgaV/2tsmMfvntet7q
ijgokqhNWhs4yvxGm8gECETyO0LxKEHG1Qo=
-----END CERTIFICATE-----
ansible_k8s]# openssl x509 -text -in example/pki/kubernetes/kube-apiserver-192.168.36.151.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
57:63:52:4a:c8:1c:9d:28:9b:fd:72:09:ae:b3:4e:57:25:52:eb:32
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BeiJing, L=BeiJing, OU=System, CN=KubernetesCA
Validity
Not Before: Dec 14 09:01:00 2023 GMT
Not After : Dec 11 09:01:00 2033 GMT
Subject: C=CN, ST=BeiJing, L=BeiJing, OU=System, CN=kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bd:68:8a:ff:80:70:a0:fe:b9:1e:6f:cb:0e:19:
71:5e:f6:7c:f2:46:03:90:5f:ce:ca:16:1a:db:f6:
25:27:2d:70:14:56:df:47:75:26:a2:36:06:27:89:
2e:1b:38:a5:3c:1b:b5:df:3e:db:94:75:8a:40:b9:
b4:fc:95:9c:de:25:d3:95:6c:c8:ca:e6:8c:64:69:
52:e5:49:6f:0c:ee:c3:be:8f:65:84:fb:ee:ef:e1:
99:72:04:f8:50:9d:23:f5:a6:87:02:31:a4:ec:65:
cb:79:47:30:e7:c6:c3:b2:4e:51:24:f3:6d:d8:2e:
de:7d:7d:24:10:91:2a:75:12:df:db:f1:95:c9:1c:
73:8f:8b:36:c8:c2:27:05:6e:2b:ad:53:2a:10:d7:
04:a1:19:94:07:d1:95:bf:ee:37:80:3d:e4:9d:2f:
1a:60:b8:bf:f3:97:1d:7a:c7:64:e5:37:7f:51:26:
04:87:b6:49:d4:f4:41:07:75:cd:fb:7d:be:21:f8:
e9:1e:7f:a5:a0:c7:5a:f8:88:37:0f:20:12:39:00:
11:11:7b:6b:6e:7d:a3:9e:a9:10:fd:ae:21:c2:10:
f3:76:50:93:23:db:09:a8:11:f9:ef:73:a5:3b:41:
d2:62:11:a2:9f:34:13:e0:eb:35:2f:e7:e1:40:71:
bf:29
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
17:E4:0A:2A:28:1D:87:74:EE:07:B4:F3:0B:54:0F:D9:38:99:8B:EC
X509v3 Authority Key Identifier:
keyid:BE:A5:B5:B1:69:11:DF:CC:90:26:7F:00:99:81:F2:60:C2:40:2D:FE
X509v3 Subject Alternative Name:
DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:192.168.36.151, IP Address:172.20.0.1
Signature Algorithm: sha256WithRSAEncryption
82:84:15:46:70:2f:c9:96:47:47:32:8f:35:47:ab:c9:5e:ce:
7b:ff:07:c5:6b:eb:a8:e3:71:50:ef:3b:e8:cc:ef:62:80:5d:
ff:a8:c7:17:23:5f:66:6a:5a:27:b4:9d:52:10:b8:09:e3:4a:
30:e6:03:be:16:3c:11:38:1e:36:cf:0f:41:16:bd:16:22:9b:
05:29:ef:19:26:6f:98:e4:97:d4:2f:b2:f1:ce:80:71:57:a3:
07:ca:5d:6c:90:78:b2:9e:87:92:59:e4:e7:eb:a3:c6:58:25:
3e:3a:90:cd:09:2b:2a:99:51:64:cf:71:2b:46:58:94:1a:22:
bd:05:30:53:43:e8:d0:2b:95:68:87:6e:7c:6a:40:62:f3:85:
bd:15:9e:a9:69:bc:8f:43:06:1d:f0:1e:9f:47:c5:13:88:c6:
4b:4c:26:bc:2f:68:ab:ec:bd:f8:e6:30:74:f8:5e:4c:1f:01:
42:ad:1b:6f:8f:a2:dc:bf:fb:2e:dd:68:4f:14:a7:7c:95:6b:
7b:a1:33:0b:5e:cb:5f:6d:f5:0f:1b:38:59:d3:e7:ee:0d:4e:
36:03:69:8c:14:70:05:39:53:df:2b:20:bc:cc:e6:c3:54:88:
13:3b:7c:d9:4e:d9:ae:b0:7f:d1:03:ae:a4:b4:f7:d8:6b:d3:
d7:5d:65:0d
-----BEGIN CERTIFICATE-----
MIIEYzCCA0ugAwIBAgIUV2NSSsgcnSib/XIJrrNOVyVS6zIwDQYJKoZIhvcNAQEL
BQAwWTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl
aUppbmcxDzANBgNVBAsTBlN5c3RlbTEVMBMGA1UEAxMMS3ViZXJuZXRlc0NBMB4X
DTIzMTIxNDA5MDEwMFoXDTMzMTIxMTA5MDEwMFowWzELMAkGA1UEBhMCQ04xEDAO
BgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDzANBgNVBAsTBlN5c3Rl
bTEXMBUGA1UEAxMOa3ViZS1hcGlzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQC9aIr/gHCg/rkeb8sOGXFe9nzyRgOQX87KFhrb9iUnLXAUVt9H
dSaiNgYniS4bOKU8G7XfPtuUdYpAubT8lZzeJdOVbMjK5oxkaVLlSW8M7sO+j2WE
++7v4ZlyBPhQnSP1pocCMaTsZct5RzDnxsOyTlEk823YLt59fSQQkSp1Et/b8ZXJ
HHOPizbIwicFbiutUyoQ1wShGZQH0ZW/7jeAPeSdLxpguL/zlx16x2TlN39RJgSH
tknU9EEHdc37fb4h+Okef6Wgx1r4iDcPIBI5ABERe2tufaOeqRD9riHCEPN2UJMj
2wmoEfnvc6U7QdJiEaKfNBPg6zUv5+FAcb8pAgMBAAGjggEfMIIBGzAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFBfkCiooHYd07ge08wtUD9k4mYvsMB8GA1UdIwQYMBaA
FL6ltbFpEd/MkCZ/AJmB8mDCQC3+MIGbBgNVHREEgZMwgZCCCmt1YmVybmV0ZXOC
Emt1YmVybmV0ZXMuZGVmYXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0LnN2Y4Iea3Vi
ZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVzLmRlZmF1bHQu
c3ZjLmNsdXN0ZXIubG9jYWyHBH8AAAGHBMCoJJeHBKwUAAEwDQYJKoZIhvcNAQEL
BQADggEBAIKEFUZwL8mWR0cyjzVHq8leznv/B8Vr66jjcVDvO+jM72KAXf+oxxcj
X2ZqWie0nVIQuAnjSjDmA74WPBE4HjbPD0EWvRYimwUp7xkmb5jkl9QvsvHOgHFX
owfKXWyQeLKeh5JZ5Ofro8ZYJT46kM0JKyqZUWTPcStGWJQaIr0FMFND6NArlWiH
bnxqQGLzhb0VnqlpvI9DBh3wHp9HxROIxktMJrwvaKvsvfjmMHT4XkwfAUKtG2+P
oty/+y7daE8Up3yVa3uhMwtey19t9Q8bOFnT5+4NTjYDaYwUcAU5U98rILzM5sNU
iBM7fNlO2a6wf9EDrqS099hr09ddZQ0=
-----END CERTIFICATE-----