03.生成Kubernetes集群证书文件

发布时间:2023年12月28日

K8S入门学习的难点是集群搭建,集群搭建的难点是tls证书

Kubeadm 部署的集群证书默认是一年,所以在证书到期之前需要进行手动更新(生产环境这样可能有风险)

这里我把证书生成的过程全部用脚本自动生成,默认有效期10年,希望能帮助各位快速入门。

参考的官网文档(官方文档是最权威,也是最原滋原味的解释,希望你先理解下面3个链接内容,也都是中文的,还有疑问可以私信我

1、生成证书文件

ansible_k8s]# ansible-playbook -i example/hosts.multi-node  02.cert.yml 

PLAY [localhost] ********************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : Install cfssl] ********************************************************************************************************************************************
ok: [localhost] => (item=cfssl)
ok: [localhost] => (item=cfssljson)

TASK [cert : Create Local SSL Directory] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : Create Etcd CA config] ********************************************************************************************************************************************
ok: [localhost] => (item=etcd)

TASK [cert : Create Etcd CA CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=EtcdCA)

TASK [cert : Create etcd-ca.pem] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : Create etcd-server CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=192.168.36.153)
ok: [localhost] => (item=192.168.36.154)
ok: [localhost] => (item=192.168.36.155)

TASK [cert : Create etcd-server.pem] ********************************************************************************************************************************************
ok: [localhost] => (item=192.168.36.153)
ok: [localhost] => (item=192.168.36.154)
ok: [localhost] => (item=192.168.36.155)

TASK [cert : Create etcd-client CSR] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : Create etcd-client.pem] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : chmod 0644 pem] ********************************************************************************************************************************************
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-ca.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-ca-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-server-192.168.36.153.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-server-192.168.36.153-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-server-192.168.36.154.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-server-192.168.36.154-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-server-192.168.36.155.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-server-192.168.36.155-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-client.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/etcd/etcd-client-key.pem)

TASK [cert : Create Local SSL Directory] ********************************************************************************************************************************************
ok: [localhost] => (item=kubernetes)
ok: [localhost] => (item=front-proxy)

TASK [cert : Create Control-plane CA config] ********************************************************************************************************************************************
ok: [localhost] => (item=kubernetes)
ok: [localhost] => (item=front-proxy)

TASK [cert : Create kubernetes-ca CA CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=KubernetesCA)

TASK [cert : Create kubernetes-front-proxy-ca CA CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=KubernetesFrontProxyCA)

TASK [cert : Create kubernetes ca.pem] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : Create front-proxy-ca.pem] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : Create front-proxy-client CSR] ********************************************************************************************************************************************
ok: [localhost] => (item={u'cn': u'front-proxy-client', u'file': u'front-proxy-client-csr.json'})

TASK [cert : Create front-proxy-client.pem] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : Create kube-apiserver CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=192.168.36.151)
ok: [localhost] => (item=192.168.36.152)

TASK [Create kube-apiserver cert] ********************************************************************************************************************************************
ok: [localhost] => (item=192.168.36.151)
ok: [localhost] => (item=192.168.36.152)

TASK [cert : Create kube-scheduler / kube-controller-manager / apiserver-kubelet-client CSR] *****************************************************************************************************
ok: [localhost] => (item={u'cn': u'system:kube-scheduler', u'file': u'kube-scheduler-csr.json'})
ok: [localhost] => (item={u'cn': u'system:kube-controller-manager', u'file': u'kube-controller-manager-csr.json'})
ok: [localhost] => (item={u'group': u'system:masters', u'cn': u'apiserver-kubelet-client', u'file': u'apiserver-kubelet-client-csr.json'})

TASK [Create kube-scheduler / kube-controller-manager / apiserver-kubelet-client cert] ***********************************************************************************************************
ok: [localhost] => (item=kube-scheduler)
ok: [localhost] => (item=kube-controller-manager)
ok: [localhost] => (item=apiserver-kubelet-client)

TASK [cert : Create sa.key] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : Create sa.pub] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : chmod 0644 pem] ********************************************************************************************************************************************
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/ca.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/ca-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.151.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.151-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.152.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.152-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-scheduler.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-scheduler-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-controller-manager.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-controller-manager-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/apiserver-kubelet-client.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/apiserver-kubelet-client-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.151.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.151-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.152.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.152-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.153.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.153-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.154.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.154-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.155.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.155-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-proxy.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-proxy-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/admin.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/admin-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/front-proxy/front-proxy-ca.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/front-proxy/front-proxy-ca-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/front-proxy/front-proxy-client.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/front-proxy/front-proxy-client-key.pem)

TASK [cert : chmod sa.key] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : gather facts on kube_node hosts] ********************************************************************************************************************************************
ok: [localhost -> 192.168.36.151] => (item=192.168.36.151)
ok: [localhost -> 192.168.36.152] => (item=192.168.36.152)
ok: [localhost -> 192.168.36.153] => (item=192.168.36.153)
ok: [localhost -> 192.168.36.154] => (item=192.168.36.154)
ok: [localhost -> 192.168.36.155] => (item=192.168.36.155)

TASK [cert : Create tls CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=192.168.36.151)
ok: [localhost] => (item=192.168.36.152)
ok: [localhost] => (item=192.168.36.153)
ok: [localhost] => (item=192.168.36.154)
ok: [localhost] => (item=192.168.36.155)

TASK [cert : Create tls.pem] ********************************************************************************************************************************************
ok: [localhost] => (item=192.168.36.151)
ok: [localhost] => (item=192.168.36.152)
ok: [localhost] => (item=192.168.36.153)
ok: [localhost] => (item=192.168.36.154)
ok: [localhost] => (item=192.168.36.155)

TASK [cert : Create kube-proxy CSR] ********************************************************************************************************************************************
ok: [localhost] => (item={u'cn': u'system:kube-proxy', u'file': u'kube-proxy-csr.json'})

TASK [cert : Create kube-proxy.pem] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : chmod 0644 pem] ********************************************************************************************************************************************
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/ca.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/ca-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.151.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.151-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.152.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.152-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-scheduler.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-scheduler-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-controller-manager.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-controller-manager-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/apiserver-kubelet-client.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/apiserver-kubelet-client-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.151.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.151-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.152.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.152-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.153.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.153-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.154.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.154-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.155.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.155-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-proxy.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-proxy-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/admin.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/admin-key.pem)

TASK [cert : Create admin CSR] ********************************************************************************************************************************************
ok: [localhost] => (item={u'group': u'system:masters', u'cn': u'admin', u'file': u'admin-csr.json'})

TASK [cert : Create admin.pem] ********************************************************************************************************************************************
ok: [localhost] => (item={u'cn': u'admin', u'file': u'admin-csr.json'})

TASK [cert : chmod 0644 pem] ********************************************************************************************************************************************
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/ca.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/ca-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.151.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.151-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.152.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-apiserver-192.168.36.152-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-scheduler.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-scheduler-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-controller-manager.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-controller-manager-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/apiserver-kubelet-client.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/apiserver-kubelet-client-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.151.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.151-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.152.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.152-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.153.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.153-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.154.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.154-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.155.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/tls-192.168.36.155-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-proxy.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/kube-proxy-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/admin.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/kubernetes/admin-key.pem)

TASK [cert : Create Local SSL Directory] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : Create metrics-server CA config] ********************************************************************************************************************************************
ok: [localhost] => (item=metrics-server)

TASK [cert : Create metrics-server-ca CA CSR] ********************************************************************************************************************************************
ok: [localhost] => (item=MetricsServerCA)

TASK [cert : Create metrics-server-ca.pem] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : Create metrics-server CSR] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : Create metrics-server.pem] ********************************************************************************************************************************************
ok: [localhost]

TASK [cert : chmod 0644 pem] ********************************************************************************************************************************************
ok: [localhost] => (item=/root/k8s-ansible/example/pki/metrics-server/metrics-server-ca.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/metrics-server/metrics-server-ca-key.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/metrics-server/metrics-server.pem)
ok: [localhost] => (item=/root/k8s-ansible/example/pki/metrics-server/metrics-server-key.pem)

PLAY RECAP ********************************************************************************************************************************************
localhost                  : ok=43   changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

2、查看生成的证书文件及有效期

ansible_k8s]# tree example/pki/
example/pki/
├── etcd
│?? ├── ca-config.json
│?? ├── ca-csr.json
│?? ├── etcd-ca.csr
│?? ├── etcd-ca-key.pem
│?? ├── etcd-ca.pem
│?? ├── etcd-client.csr
│?? ├── etcd-client-csr.json
│?? ├── etcd-client-key.pem
│?? ├── etcd-client.pem
│?? ├── etcd-server-192.168.36.153.csr
│?? ├── etcd-server-192.168.36.153-key.pem
│?? ├── etcd-server-192.168.36.153.pem
│?? ├── etcd-server-192.168.36.154.csr
│?? ├── etcd-server-192.168.36.154-key.pem
│?? ├── etcd-server-192.168.36.154.pem
│?? ├── etcd-server-192.168.36.155.csr
│?? ├── etcd-server-192.168.36.155-key.pem
│?? ├── etcd-server-192.168.36.155.pem
│?? ├── etcd-server-csr-192.168.36.153.json
│?? ├── etcd-server-csr-192.168.36.154.json
│?? └── etcd-server-csr-192.168.36.155.json
├── front-proxy
│?? ├── ca-config.json
│?? ├── ca-csr.json
│?? ├── front-proxy-ca.csr
│?? ├── front-proxy-ca-key.pem
│?? ├── front-proxy-ca.pem
│?? ├── front-proxy-client.csr
│?? ├── front-proxy-client-csr.json
│?? ├── front-proxy-client-key.pem
│?? └── front-proxy-client.pem
├── kubernetes
│?? ├── admin.conf
│?? ├── admin.csr
│?? ├── admin-csr.json
│?? ├── admin-key.pem
│?? ├── admin-kubeconfig.sh
│?? ├── admin.pem
│?? ├── apiserver-kubelet-client.csr
│?? ├── apiserver-kubelet-client-csr.json
│?? ├── apiserver-kubelet-client-key.pem
│?? ├── apiserver-kubelet-client.pem
│?? ├── ca-config.json
│?? ├── ca.csr
│?? ├── ca-csr.json
│?? ├── ca-key.pem
│?? ├── ca.pem
│?? ├── kube-apiserver-192.168.36.151.csr
│?? ├── kube-apiserver-192.168.36.151-key.pem
│?? ├── kube-apiserver-192.168.36.151.pem
│?? ├── kube-apiserver-192.168.36.152.csr
│?? ├── kube-apiserver-192.168.36.152-key.pem
│?? ├── kube-apiserver-192.168.36.152.pem
│?? ├── kube-apiserver-csr-192.168.36.151.json
│?? ├── kube-apiserver-csr-192.168.36.152.json
│?? ├── kube-controller-manager.csr
│?? ├── kube-controller-manager-csr.json
│?? ├── kube-controller-manager-key.pem
│?? ├── kube-controller-manager.pem
│?? ├── kube-proxy.csr
│?? ├── kube-proxy-csr.json
│?? ├── kube-proxy-key.pem
│?? ├── kube-proxy.pem
│?? ├── kube-scheduler.csr
│?? ├── kube-scheduler-csr.json
│?? ├── kube-scheduler-key.pem
│?? ├── kube-scheduler.pem
│?? ├── sa.key
│?? ├── sa.pub
│?? ├── tls-192.168.36.151.csr
│?? ├── tls-192.168.36.151-key.pem
│?? ├── tls-192.168.36.151.pem
│?? ├── tls-192.168.36.152.csr
│?? ├── tls-192.168.36.152-key.pem
│?? ├── tls-192.168.36.152.pem
│?? ├── tls-192.168.36.153.csr
│?? ├── tls-192.168.36.153-key.pem
│?? ├── tls-192.168.36.153.pem
│?? ├── tls-192.168.36.154.csr
│?? ├── tls-192.168.36.154-key.pem
│?? ├── tls-192.168.36.154.pem
│?? ├── tls-192.168.36.155.csr
│?? ├── tls-192.168.36.155-key.pem
│?? ├── tls-192.168.36.155.pem
│?? ├── tls-csr-192.168.36.151.json
│?? ├── tls-csr-192.168.36.152.json
│?? ├── tls-csr-192.168.36.153.json
│?? ├── tls-csr-192.168.36.154.json
│?? └── tls-csr-192.168.36.155.json
└── metrics-server
    ├── ca-config.json
    ├── ca-csr.json
    ├── metrics-server-ca.csr
    ├── metrics-server-ca-key.pem
    ├── metrics-server-ca.pem
    ├── metrics-server.csr
    ├── metrics-server-csr.json
    ├── metrics-server-key.pem
    └── metrics-server.pem

4 directories, 96 files


# 通过以下命令可查看证书的具体信息和有效期
ansible_k8s]# openssl x509 -text -in example/pki/kubernetes/ca.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:48:3e:0f:d2:f1:89:7c:6f:0c:26:9b:aa:04:10:04:3e:e2:b3:60
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, OU=System, CN=KubernetesCA
        Validity
            Not Before: Dec 14 09:01:00 2023 GMT
            Not After : Dec 11 09:01:00 2033 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, OU=System, CN=KubernetesCA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:36:e6:1f:c4:e7:87:76:9f:0a:1a:90:6d:ea:
                    86:bd:7b:e4:4b:b1:72:85:cc:a6:0e:14:05:37:c3:
                    77:3c:24:1f:88:97:db:c5:e2:d0:9e:40:0c:1c:51:
                    2a:46:24:2f:eb:98:98:81:99:68:b1:95:0a:27:08:
                    e8:05:5d:21:a1:db:41:b1:4e:64:44:ec:2c:43:6a:
                    35:6b:a9:2c:91:3c:33:ca:8b:94:65:7e:8f:a2:66:
                    f8:03:b1:86:76:74:c1:d8:a9:e8:49:dc:ab:37:bb:
                    78:64:03:db:5f:d2:12:f0:2c:59:86:6b:36:85:1a:
                    b5:5d:58:78:ba:8d:41:7d:75:20:fa:f4:4f:5e:a9:
                    b2:62:98:04:a1:75:19:cb:ed:74:9d:53:e4:e0:e8:
                    e4:6b:59:40:63:b4:d9:43:3d:5f:b0:4e:fa:64:8e:
                    61:19:19:9a:c1:8a:b7:7a:5a:ca:7d:32:f7:41:5c:
                    b5:ac:9e:d8:82:2a:81:10:86:a1:1c:3d:1c:b3:26:
                    b1:83:33:db:ce:5a:64:79:1e:a0:85:1a:85:52:40:
                    73:df:cc:6d:39:22:8f:76:f5:c9:6c:c1:c5:69:aa:
                    b3:1e:dd:dc:50:92:79:9b:58:11:47:47:59:c7:20:
                    8f:39:04:10:ba:31:bf:5d:e4:f4:e5:21:2d:ae:5f:
                    0b:51
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:2
            X509v3 Subject Key Identifier: 
                BE:A5:B5:B1:69:11:DF:CC:90:26:7F:00:99:81:F2:60:C2:40:2D:FE
            X509v3 Authority Key Identifier: 
                keyid:BE:A5:B5:B1:69:11:DF:CC:90:26:7F:00:99:81:F2:60:C2:40:2D:FE

    Signature Algorithm: sha256WithRSAEncryption
         38:70:32:93:22:7e:eb:a1:ae:a6:1f:27:e8:5a:e1:6b:62:30:
         77:72:0f:53:b1:f9:aa:d5:c7:3b:1d:07:f9:46:9e:28:01:cb:
         ca:d1:f1:c4:c1:ba:25:92:87:65:6c:07:b8:eb:fa:af:7a:f2:
         cc:4e:25:46:c8:49:4c:28:3d:94:69:80:97:97:3d:9b:87:e1:
         68:73:b4:b7:3f:5a:3d:55:d6:38:43:ac:20:e9:04:a1:94:9c:
         2f:ad:94:f5:9a:76:3c:d6:c8:3d:63:9e:21:bb:58:fc:d5:14:
         97:7d:08:8b:ed:df:d6:eb:8b:e3:57:e1:0a:27:de:7a:c5:1b:
         89:9c:90:f5:a8:85:d5:61:3f:37:98:58:c5:b0:f3:2b:94:3c:
         39:53:4d:a4:8e:bf:c7:22:4c:4d:a5:ed:c1:0f:30:26:7a:c5:
         92:46:16:3f:d6:65:b0:6e:84:43:3c:37:22:5c:a9:95:ef:02:
         99:c7:27:3d:23:fd:1b:3a:2a:75:e7:0b:71:65:cd:7a:8e:b1:
         0f:d0:00:de:15:28:3f:41:d0:a7:3f:09:c9:1f:c4:c5:48:10:
         f7:20:69:5f:f6:b6:c9:8c:7e:f9:ed:7a:de:ea:8a:38:28:92:
         a8:4d:5a:1b:38:ca:fc:46:9b:c8:04:08:44:f2:3b:42:f1:28:
         41:c6:d5:0a
-----BEGIN CERTIFICATE-----
MIIDpjCCAo6gAwIBAgIUFEg+D9LxiXxvDCabqgQQBD7is2AwDQYJKoZIhvcNAQEL
BQAwWTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl
aUppbmcxDzANBgNVBAsTBlN5c3RlbTEVMBMGA1UEAxMMS3ViZXJuZXRlc0NBMB4X
DTIzMTIxNDA5MDEwMFoXDTMzMTIxMTA5MDEwMFowWTELMAkGA1UEBhMCQ04xEDAO
BgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDzANBgNVBAsTBlN5c3Rl
bTEVMBMGA1UEAxMMS3ViZXJuZXRlc0NBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAqjbmH8Tnh3afChqQbeqGvXvkS7FyhcymDhQFN8N3PCQfiJfbxeLQ
nkAMHFEqRiQv65iYgZlosZUKJwjoBV0hodtBsU5kROwsQ2o1a6kskTwzyouUZX6P
omb4A7GGdnTB2KnoSdyrN7t4ZAPbX9IS8CxZhms2hRq1XVh4uo1BfXUg+vRPXqmy
YpgEoXUZy+10nVPk4Ojka1lAY7TZQz1fsE76ZI5hGRmawYq3elrKfTL3QVy1rJ7Y
giqBEIahHD0csyaxgzPbzlpkeR6ghRqFUkBz38xtOSKPdvXJbMHFaaqzHt3cUJJ5
m1gRR0dZxyCPOQQQujG/XeT05SEtrl8LUQIDAQABo2YwZDAOBgNVHQ8BAf8EBAMC
AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUvqW1sWkR38yQJn8AmYHy
YMJALf4wHwYDVR0jBBgwFoAUvqW1sWkR38yQJn8AmYHyYMJALf4wDQYJKoZIhvcN
AQELBQADggEBADhwMpMifuuhrqYfJ+ha4WtiMHdyD1Ox+arVxzsdB/lGnigBy8rR
8cTBuiWSh2VsB7jr+q968sxOJUbISUwoPZRpgJeXPZuH4WhztLc/Wj1V1jhDrCDp
BKGUnC+tlPWadjzWyD1jniG7WPzVFJd9CIvt39bri+NX4Qon3nrFG4mckPWohdVh
PzeYWMWw8yuUPDlTTaSOv8ciTE2l7cEPMCZ6xZJGFj/WZbBuhEM8NyJcqZXvApnH
Jz0j/Rs6KnXnC3FlzXqOsQ/QAN4VKD9B0Kc/CckfxMVIEPcgaV/2tsmMfvntet7q
ijgokqhNWhs4yvxGm8gECETyO0LxKEHG1Qo=
-----END CERTIFICATE-----

ansible_k8s]# openssl x509 -text -in example/pki/kubernetes/kube-apiserver-192.168.36.151.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            57:63:52:4a:c8:1c:9d:28:9b:fd:72:09:ae:b3:4e:57:25:52:eb:32
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, OU=System, CN=KubernetesCA
        Validity
            Not Before: Dec 14 09:01:00 2023 GMT
            Not After : Dec 11 09:01:00 2033 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, OU=System, CN=kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:68:8a:ff:80:70:a0:fe:b9:1e:6f:cb:0e:19:
                    71:5e:f6:7c:f2:46:03:90:5f:ce:ca:16:1a:db:f6:
                    25:27:2d:70:14:56:df:47:75:26:a2:36:06:27:89:
                    2e:1b:38:a5:3c:1b:b5:df:3e:db:94:75:8a:40:b9:
                    b4:fc:95:9c:de:25:d3:95:6c:c8:ca:e6:8c:64:69:
                    52:e5:49:6f:0c:ee:c3:be:8f:65:84:fb:ee:ef:e1:
                    99:72:04:f8:50:9d:23:f5:a6:87:02:31:a4:ec:65:
                    cb:79:47:30:e7:c6:c3:b2:4e:51:24:f3:6d:d8:2e:
                    de:7d:7d:24:10:91:2a:75:12:df:db:f1:95:c9:1c:
                    73:8f:8b:36:c8:c2:27:05:6e:2b:ad:53:2a:10:d7:
                    04:a1:19:94:07:d1:95:bf:ee:37:80:3d:e4:9d:2f:
                    1a:60:b8:bf:f3:97:1d:7a:c7:64:e5:37:7f:51:26:
                    04:87:b6:49:d4:f4:41:07:75:cd:fb:7d:be:21:f8:
                    e9:1e:7f:a5:a0:c7:5a:f8:88:37:0f:20:12:39:00:
                    11:11:7b:6b:6e:7d:a3:9e:a9:10:fd:ae:21:c2:10:
                    f3:76:50:93:23:db:09:a8:11:f9:ef:73:a5:3b:41:
                    d2:62:11:a2:9f:34:13:e0:eb:35:2f:e7:e1:40:71:
                    bf:29
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                17:E4:0A:2A:28:1D:87:74:EE:07:B4:F3:0B:54:0F:D9:38:99:8B:EC
            X509v3 Authority Key Identifier: 
                keyid:BE:A5:B5:B1:69:11:DF:CC:90:26:7F:00:99:81:F2:60:C2:40:2D:FE

            X509v3 Subject Alternative Name: 
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:192.168.36.151, IP Address:172.20.0.1
    Signature Algorithm: sha256WithRSAEncryption
         82:84:15:46:70:2f:c9:96:47:47:32:8f:35:47:ab:c9:5e:ce:
         7b:ff:07:c5:6b:eb:a8:e3:71:50:ef:3b:e8:cc:ef:62:80:5d:
         ff:a8:c7:17:23:5f:66:6a:5a:27:b4:9d:52:10:b8:09:e3:4a:
         30:e6:03:be:16:3c:11:38:1e:36:cf:0f:41:16:bd:16:22:9b:
         05:29:ef:19:26:6f:98:e4:97:d4:2f:b2:f1:ce:80:71:57:a3:
         07:ca:5d:6c:90:78:b2:9e:87:92:59:e4:e7:eb:a3:c6:58:25:
         3e:3a:90:cd:09:2b:2a:99:51:64:cf:71:2b:46:58:94:1a:22:
         bd:05:30:53:43:e8:d0:2b:95:68:87:6e:7c:6a:40:62:f3:85:
         bd:15:9e:a9:69:bc:8f:43:06:1d:f0:1e:9f:47:c5:13:88:c6:
         4b:4c:26:bc:2f:68:ab:ec:bd:f8:e6:30:74:f8:5e:4c:1f:01:
         42:ad:1b:6f:8f:a2:dc:bf:fb:2e:dd:68:4f:14:a7:7c:95:6b:
         7b:a1:33:0b:5e:cb:5f:6d:f5:0f:1b:38:59:d3:e7:ee:0d:4e:
         36:03:69:8c:14:70:05:39:53:df:2b:20:bc:cc:e6:c3:54:88:
         13:3b:7c:d9:4e:d9:ae:b0:7f:d1:03:ae:a4:b4:f7:d8:6b:d3:
         d7:5d:65:0d
-----BEGIN CERTIFICATE-----
MIIEYzCCA0ugAwIBAgIUV2NSSsgcnSib/XIJrrNOVyVS6zIwDQYJKoZIhvcNAQEL
BQAwWTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl
aUppbmcxDzANBgNVBAsTBlN5c3RlbTEVMBMGA1UEAxMMS3ViZXJuZXRlc0NBMB4X
DTIzMTIxNDA5MDEwMFoXDTMzMTIxMTA5MDEwMFowWzELMAkGA1UEBhMCQ04xEDAO
BgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDzANBgNVBAsTBlN5c3Rl
bTEXMBUGA1UEAxMOa3ViZS1hcGlzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQC9aIr/gHCg/rkeb8sOGXFe9nzyRgOQX87KFhrb9iUnLXAUVt9H
dSaiNgYniS4bOKU8G7XfPtuUdYpAubT8lZzeJdOVbMjK5oxkaVLlSW8M7sO+j2WE
++7v4ZlyBPhQnSP1pocCMaTsZct5RzDnxsOyTlEk823YLt59fSQQkSp1Et/b8ZXJ
HHOPizbIwicFbiutUyoQ1wShGZQH0ZW/7jeAPeSdLxpguL/zlx16x2TlN39RJgSH
tknU9EEHdc37fb4h+Okef6Wgx1r4iDcPIBI5ABERe2tufaOeqRD9riHCEPN2UJMj
2wmoEfnvc6U7QdJiEaKfNBPg6zUv5+FAcb8pAgMBAAGjggEfMIIBGzAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFBfkCiooHYd07ge08wtUD9k4mYvsMB8GA1UdIwQYMBaA
FL6ltbFpEd/MkCZ/AJmB8mDCQC3+MIGbBgNVHREEgZMwgZCCCmt1YmVybmV0ZXOC
Emt1YmVybmV0ZXMuZGVmYXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0LnN2Y4Iea3Vi
ZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVzLmRlZmF1bHQu
c3ZjLmNsdXN0ZXIubG9jYWyHBH8AAAGHBMCoJJeHBKwUAAEwDQYJKoZIhvcNAQEL
BQADggEBAIKEFUZwL8mWR0cyjzVHq8leznv/B8Vr66jjcVDvO+jM72KAXf+oxxcj
X2ZqWie0nVIQuAnjSjDmA74WPBE4HjbPD0EWvRYimwUp7xkmb5jkl9QvsvHOgHFX
owfKXWyQeLKeh5JZ5Ofro8ZYJT46kM0JKyqZUWTPcStGWJQaIr0FMFND6NArlWiH
bnxqQGLzhb0VnqlpvI9DBh3wHp9HxROIxktMJrwvaKvsvfjmMHT4XkwfAUKtG2+P
oty/+y7daE8Up3yVa3uhMwtey19t9Q8bOFnT5+4NTjYDaYwUcAU5U98rILzM5sNU
iBM7fNlO2a6wf9EDrqS099hr09ddZQ0=
-----END CERTIFICATE-----
文章来源:https://blog.csdn.net/yxydde/article/details/135220102
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。