kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[zh] Sync tasks/tls/managing-tls-in-a-cluster.md

This commit is contained in:
Qiming Teng 2020-11-23 13:37:04 +08:00
parent fd65678baa
commit 50178b017d
1 changed files with 116 additions and 177 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

293
content/zh/docs/tasks/tls/managing-tls-in-a-cluster.md
View File

@ -1,25 +1,18 @@
---
title: 管理集群中的 TLS 认证
content_type: task
reviewers:
- mikedanese
- beacham
- liggit
---
<!--
---
title: Manage TLS Certificates in a Cluster
content_type: task
reviewers:
- mikedanese
- beacham
- liggit
---
-->
<!-- overview -->
<!--
Kubernetes provides a `certificates.k8s.io` API, which lets you provision TLS
certificates signed by a Certificate Authority (CA) that you control. These CA
and certificates can be used by your workloads to establish trust.
@ -27,12 +20,11 @@ and certificates can be used by your workloads to establish trust.
`certificates.k8s.io` API uses a protocol that is similar to the [ACME
draft](https://github.com/ietf-wg-acme/acme/).
-->
Kubernetes 提供 `certificates.k8s.io` API可让你配置由你控制的证书颁发机构CA
签名的 TLS 证书。 你的工作负载可以使用这些 CA 和证书来建立信任。
Kubernetes提供一个 `certificates.k8s.io` API可让您配置
由您控制的证书颁发机构CA签名的TLS证书。 您的工作负载可以使用这些CA和证书来建立信任。
`certificates.k8s.io` API使用的协议类似于[ACME
草稿](https://github.com/ietf-wg-acme/acme/)。
`certificates.k8s.io` API使用的协议类似于
[ACME 草案](https://github.com/ietf-wg-acme/acme/)。
{{< note >}}
<!--
@ -41,46 +33,42 @@ dedicated CA. It is possible to configure your cluster to use the cluster root
CA for this purpose, but you should never rely on this. Do not assume that
these certificates will validate against the cluster root CA.
-->
使用`certificates.k8s.io` API创建的证书由
指定 CA 颁发。 将集群配置为使用集群根目录
CA 可以达到这个目的,但是您永远不要依赖它。不要以为
使用 `certificates.k8s.io` API 创建的证书由指定 CA 颁发。将集群配置为使用集群根目录
CA 可以达到这个目的,但是你永远不要依赖这一假定。不要以为
这些证书将针对群根目录 CA 进行验证。
{{< /note >}}
## {{% heading "prerequisites" %}}
{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
<!-- steps -->
<!--
## Trusting TLS in a Cluster
Trusting the custom CA from an application running as a pod usually requires
some extra application configuration. You will need to add the CA certificate
bundle to the list of CA certificates that the TLS client or server trusts. For
example, you would do this with a golang TLS config by parsing the certificate
chain and adding the parsed certificates to the `RootCAs` field in the
[`tls.Config`](https://godoc.org/crypto/tls#Config) struct.
Trusting the cluster root CA from an application running as a pod usually
requires some extra application configuration. You will need to add the CA
certificate bundle to the list of CA certificates that the TLS client or server
trusts. For example, you would do this with a golang TLS config by parsing the
certificate chain and adding the parsed certificates to the `RootCAs` field
in the [`tls.Config`](https://godoc.org/crypto/tls#Config) struct.
The CA certificate bundle is automatically mounted into pods using the default
service account at the path `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
If you are not using the default service account, ask a cluster administrator to
build a configmap containing the certificate bundle that you have access to use.
You can distribute the CA certificate as a
[ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap) that your
pods have access to use.
-->
## 集群中的 TLS 信任
让 Pod 中运行的应用程序信任集群根 CA 通常需要一些额外的应用程序配置。您将需要将 CA 证书包添加到 TLS 客户端或服务器信任的 CA 证书列表中。例如,您可以使用 golang TLS 配置通过解析证书链并将解析的证书添加到 [`tls.Config`](https://godoc.org/crypto/tls#Config) 结构中的 `RootCAs` 字段中。
信任 Pod 中运行的应用程序所提供的 CA 通常需要一些额外的应用程序配置。
你需要将 CA 证书包添加到 TLS 客户端或服务器信任的 CA 证书列表中。
例如,你可以使用 Golang TLS 配置通过解析证书链并将解析的证书添加到
[`tls.Config`](https://godoc.org/crypto/tls#Config) 结构中的 `RootCAs`
字段中。
CA 证书捆绑包将使用默认服务账户自动加载到 pod 中,路径为 `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`。如果您没有使用默认服务账户,请请求集群管理员构建包含您有权访问使用的证书包的 configmap。
你可以用你的应用能够访问到的
[ConfigMap](/zh/docs/tasks/configure-pod-container/configure-pod-configmap)
的形式来发布 CA 证书。
<!--
## Requesting a Certificate
@ -92,12 +80,13 @@ Kubernetes service accessed through DNS.
This tutorial uses CFSSL: Cloudflare's PKI and TLS toolkit [click here](https://blog.cloudflare.com/introducing-cfssl/) to know more.
{{< /note >}}
-->
## 请求
## 请求证
以下部分演示如何为通过 DNS 访问的 Kubernetes 服务创建 TLS 证书。
{{< note >}}
本教程使用 CFSSLCloudflare's PKI 和 TLS 工具包[点击此处](https://blog.cloudflare.com/introducing-cfssl/)了解更多信息。
本教程使用 CFSSLCloudflare's PKI 和 TLS 工具包
[点击此处](https://blog.cloudflare.com/introducing-cfssl/)了解更多信息。
{{< /note >}}
<!--
@ -115,41 +104,6 @@ The cfssl tools used in this example can be downloaded at
Generate a private key and certificate signing request (or CSR) by running
the following command:
```shell
cat <<EOF | cfssl genkey - | cfssljson -bare server
{
"hosts": [
"my-svc.my-namespace.svc.cluster.local",
"my-pod.my-namespace.pod.cluster.local",
"172.168.0.24",
"10.0.34.2"
],
"CN": "my-pod.my-namespace.pod.cluster.local",
"key": {
"algo": "ecdsa",
"size": 256
}
}
EOF
```
Where `172.168.0.24` is the service's cluster IP,
`my-svc.my-namespace.svc.cluster.local` is the service's DNS name,
`10.0.34.2` is the pod's IP and `my-pod.my-namespace.pod.cluster.local`
is the pod's DNS name. You should see the following output:
```
2017/03/21 06:48:17 [INFO] generate received request
2017/03/21 06:48:17 [INFO] received CSR
2017/03/21 06:48:17 [INFO] generating key: ecdsa-256
2017/03/21 06:48:17 [INFO] encoded CSR
```
This command generates two files; it generates `server.csr` containing the PEM
encoded [pkcs#10](https://tools.ietf.org/html/rfc2986) certification request,
and `server-key.pem` containing the PEM encoded key to the certificate that
is still to be created.
-->
## 创建证书签名请求
@ -161,19 +115,33 @@ cat <<EOF | cfssl genkey - | cfssljson -bare server
"hosts": [
"my-svc.my-namespace.svc.cluster.local",
"my-pod.my-namespace.pod.cluster.local",
"172.168.0.24",
"192.0.2.24",
"10.0.34.2"
],
"CN": "my-pod.my-namespace.pod.cluster.local",
"CN": "system:node:my-pod.my-namespace.pod.cluster.local",
"key": {
"algo": "ecdsa",
"size": 256
}
},
"names": [
{
"O": "system:nodes"
}
]
}
EOF
```
其中 `172.168.0.24` 是服务的集群 IP`my-svc.my-namespace.svc.cluster.local` 是服务的 DNS 名称,`10.0.34.2` 是 pod 的 IP 和 `my-pod.my-namespace.pod.cluster.local` 是 pod 的 DNS 名称。您能看到以下的输出:
<!--
Where `192.0.2.24` is the service's cluster IP,
`my-svc.my-namespace.svc.cluster.local` is the service's DNS name,
`10.0.34.2` is the pod's IP and `my-pod.my-namespace.pod.cluster.local`
is the pod's DNS name. You should see the following output:
-->
其中 `192.0.2.24` 是服务的集群 IP`my-svc.my-namespace.svc.cluster.local`
是服务的 DNS 名称,`10.0.34.2` 是 Pod 的 IP
`my-pod.my-namespace.pod.cluster.local` 是 Pod 的 DNS 名称。
你能看到以下的输出:
```
2017/03/21 06:48:17 [INFO] generate received request
@ -182,77 +150,35 @@ EOF
2017/03/21 06:48:17 [INFO] encoded CSR
```
该命令生成两个文件;它生成包含 PEM 编码 [pkcs#10](https://tools.ietf.org/html/rfc2986) 认证请求的 `server.csr`,以及包含证书的 PEM 编码密钥的 `server-key.pem` 还有待生成。
<!--
This command generates two files; it generates `server.csr` containing the PEM
encoded [pkcs#10](https://tools.ietf.org/html/rfc2986) certification request,
and `server-key.pem` containing the PEM encoded key to the certificate that
is still to be created.
-->
此命令生成两个文件;它生成包含 PEM 编码
[pkcs#10](https://tools.ietf.org/html/rfc2986) 证书请求的 `server.csr`
以及 PEM 编码密钥的 `server-key.pem`,用于待生成的证书。
<!--
## Create a Certificate Signing Request object to send to the Kubernetes API
Generate a CSR yaml blob and send it to the apiserver by running the following
command:
```shell
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: my-svc.my-namespace
spec:
groups:
- system:authenticated
request: $(cat server.csr | base64 | tr -d '\n')
usages:
- digital signature
- key encipherment
- server auth
EOF
```
Notice that the `server.csr` file created in step 1 is base64 encoded
and stashed in the `.spec.request` field. We are also requesting a
certificate with the "digital signature", "key encipherment", and "server
auth" key usages. We support all key usages and extended key usages listed
[here](https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage)
so you can request client certificates and other certificates using this
same API.
The CSR should now be visible from the API in a Pending state. You can see
it by running:
```shell
kubectl describe csr my-svc.my-namespace
```
```none
Name: my-svc.my-namespace
Labels: <none>
Annotations: <none>
CreationTimestamp: Tue, 21 Mar 2017 07:03:51 -0700
Requesting User: yourname@example.com
Status: Pending
Subject:
Common Name: my-svc.my-namespace.svc.cluster.local
Serial Number:
Subject Alternative Names:
DNS Names: my-svc.my-namespace.svc.cluster.local
IP Addresses: 172.168.0.24
10.0.34.2
Events: <none>
```
-->
## 创建证书签名请求对象发送到 Kubernetes API
使用以下命令创建 CSR yaml 文件,并发送到 API server
使用以下命令创建 CSR YAML 文件,并发送到 API 服务器:
```shell
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: my-svc.my-namespace
spec:
groups:
- system:authenticated
request: $(cat server.csr | base64 | tr -d '\n')
signerName: kubernetes.io/kubelet-serving
usages:
- digital signature
- key encipherment
@ -260,9 +186,26 @@ spec:
EOF
```
请注意在步骤1中创建的 `server.csr` 文件是 base64 编码并存储在 `.spec.request` 字段中的,我们还要求提供 “数字签名”,“密钥加密” 和 “服务器身份验证” 密钥用途的证书。我们[这里](https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage)支持列出的所有关键用途和扩展的关键用途,以便您可以使用相同的 API 请求客户端证书和其他证书。
<!--
Notice that the `server.csr` file created in step 1 is base64 encoded
and stashed in the `.spec.request` field. We are also requesting a
certificate with the "digital signature", "key encipherment", and "server
auth" key usages, signed by the `kubernetes.io/kubelet-serving` signer.
A specific `signerName` must be requested.
View documentation for [supported signer names](/docs/reference/access-authn-authz/certificate-signing-requests/#signers)
for more information.
在 API server 中可以看到这些 CSR 处于 pending 状态。执行下面的命令您将可以看到:
The CSR should now be visible from the API in a Pending state. You can see
it by running:
-->
请注意,在步骤 1 中创建的 `server.csr` 文件是 base64 编码并存储在
`.spec.request` 字段中的。我们还要求提供 “digital signature数字签名
“密钥加密key encipherment” 和 “服务器身份验证server auth” 密钥用途,
`kubernetes.io/kubelet-serving` 签名程序签名的证书。
你也可以要求使用特定的 `signerName`。更多信息可参阅
[支持的签署者名称](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#signers)。
在 API server 中可以看到这些 CSR 处于 Pending 状态。执行下面的命令你将可以看到:
```shell
kubectl describe csr my-svc.my-namespace
@ -280,7 +223,7 @@ Subject:
Serial Number:
Subject Alternative Names:
DNS Names: my-svc.my-namespace.svc.cluster.local
IP Addresses: 172.168.0.24
IP Addresses: 192.0.2.24
10.0.34.2
Events: <none>
```
@ -292,38 +235,19 @@ Approving the certificate signing request is either done by an automated
approval process or on a one off basis by a cluster administrator. More
information on what this involves is covered below.
-->
## 获取批准证书签名请求
## 批准证书签名请求
批准证书签名请求是通过自动批准过程完成的,或由集群管理员一次性完成。有关这方面涉及的更多信息,请参见下文。
批准证书签名请求是通过自动批准过程完成的,或由集群管理员一次性完成。
有关这方面涉及的更多信息,请参见下文。
<!--
## Download the Certificate and Use It
Once the CSR is signed and approved you should see the following:
```shell
kubectl get csr
```
```none
NAME AGE REQUESTOR CONDITION
my-svc.my-namespace 10m yourname@example.com Approved,Issued
```
You can download the issued certificate and save it to a `server.crt` file
by running the following:
```shell
kubectl get csr my-svc.my-namespace -o jsonpath='{.status.certificate}' \
| base64 --decode > server.crt
```
Now you can use `server.crt` and `server-key.pem` as the keypair to start
your HTTPS server.
-->
## 下载证书并使用它
CSR 被签署并获得批准后,应该看到以下内容:
CSR 被签署并获得批准后,你应该看到以下内容:
```shell
kubectl get csr
@ -334,14 +258,22 @@ NAME AGE REQUESTOR CONDITION
my-svc.my-namespace 10m yourname@example.com Approved,Issued
```
您可以通过运行以下命令下载颁发的证书并将其保存到 `server.crt` 文件中:
<!--
You can download the issued certificate and save it to a `server.crt` file
by running the following:
-->
你可以通过运行以下命令下载颁发的证书并将其保存到 `server.crt` 文件中:
```shell
kubectl get csr my-svc.my-namespace -o jsonpath='{.status.certificate}' \
| base64 --decode > server.crt
```
现在您可以将 `server.crt``server-key.pem` 作为键值对来启动 HTTPS 服务器。
<!--
Now you can use `server.crt` and `server-key.pem` as the keypair to start
your HTTPS server.
-->
现在你可以将 `server.crt``server-key.pem` 作为键值对来启动 HTTPS 服务器。
<!--
## Approving Certificate Signing Requests
@ -351,10 +283,20 @@ A Kubernetes administrator (with appropriate permissions) can manually approve
approve` and `kubectl certificate deny` commands. However if you intend
to make heavy usage of this API, you might consider writing an automated
certificates controller.
-->
## 批准证书签名请求
Kubernetes 管理员(具有适当权限)可以使用 `kubectl certificate approve`
`kubectl certificate deny` 命令手动批准(或拒绝)证书签名请求。
但是,如果你打算大量使用此 API则可以考虑编写自动化的证书控制器。
<!--
Whether a machine or a human using kubectl as above, the role of the approver is
to verify that the CSR satisfies two requirements:
-->
无论上述机器或人使用 kubectl批准者的作用是验证 CSR 满足如下两个要求:
<!--
1. The subject of the CSR controls the private key used to sign the CSR. This
addresses the threat of a third party masquerading as an authorized subject.
In the above example, this step would be to verify that the pod controls the
@ -363,37 +305,33 @@ to verify that the CSR satisfies two requirements:
addresses the threat of an undesired subject joining the cluster. In the
above example, this step would be to verify that the pod is allowed to
participate in the requested service.
-->
1. CSR 的 subject 控制用于签署 CSR 的私钥。这解决了伪装成授权主体的第三方的威胁。
在上述示例中,此步骤将验证该 Pod 控制了用于生成 CSR 的私钥。
2. CSR 的 subject 被授权在请求的上下文中执行。
这点用于处理不期望的主体被加入集群的威胁。
在上述示例中,此步骤将是验证该 Pod 是否被允许加入到所请求的服务中。
<!--
If and only if these two requirements are met, the approver should approve
the CSR and otherwise should deny the CSR.
-->
## 批准证书签名请求
Kubernetes 管理员(具有适当权限)可以使用 `kubectl certificate approve``kubectl certificate deny` 命令手动批准(或拒绝)证书签名请求。但是,如果您打算大量使用此 API则可以考虑编写自动化的证书控制器。
无论上述机器或人使用 kubectl批准者的作用是验证 CSR 满足如下两个要求:
1. CSR 的主体控制用于签署 CSR 的私钥。这解决了伪装成授权主体的第三方的威胁。在上述示例中,此步骤将验证该 pod 控制了用于生成 CSR 的私钥。
2. CSR 的主体被授权在请求的上下文中执行。这解决了我们加入群集的我们不期望的主体的威胁。在上述示例中,此步骤将是验证该 pod 是否被允许加入到所请求的服务中。
当且仅当满足这两个要求时,审批者应该批准 CSR否则拒绝 CSR。
<!--
## A Word of Warning on the Approval Permission
The ability to approve CSRs decides who trusts who within the cluster. This
includes who the Kubernetes API trusts. The ability to approve CSRs should
not be granted broadly or lightly. The requirements of the challenge
noted in the previous section and the repercussions of issuing a specific
certificate should be fully understood before granting this permission. See
[here](/docs/reference/access-authn-authz/authentication/#x509-client-certs) for information on how
certificates interact with authentication.
certificate should be fully understood before granting this permission.
-->
## 关于批准许可的警告
批准 CSR 的能力决定谁信任群集中的谁。这包括 Kubernetes API 信任的人。批准 CSR 的能力不能过于广泛和轻率。在给予本许可之前,应充分了解上一节中提到的挑战和发布特定证书的后果。有关证书与认证交互的信息,请参阅[此处](/docs/reference/access-authn-authz/authentication/#x509-client-certs)。
## 关于批准权限的警告
批准 CSR 的能力决定了群集中的信任关系。这也包括 Kubernetes API 所信任的人。
批准 CSR 的能力不能过于广泛和轻率。
在给予本许可之前,应充分了解上一节中提到的挑战和发布特定证书的后果。
<!--
## A Note to Cluster Administrators
@ -403,10 +341,11 @@ Kubernetes controller manager provides a default implementation of a signer. To
enable it, pass the `--cluster-signing-cert-file` and
`--cluster-signing-key-file` parameters to the controller manager with paths to
your Certificate Authority's keypair.
-->
## 给集群管理员的一个建议
本教程假设将签名者设置为服务证书 API。Kubernetes controller manager 提供了一个签名者的默认实现。 要启用它,请将`--cluster-signing-cert-file` 和 `--cluster-signing-key-file` 参数传递给 controller manager并配置具有证书颁发机构的密钥对的路径。
本教程假设已经为 certificates API 配置了签名者。Kubernetes 控制器管理器
提供了一个签名者的默认实现。要启用它,请为控制器管理器设置
`--cluster-signing-cert-file``--cluster-signing-key-file` 参数,
使之取值为你的证书机构的密钥对的路径。