K8s-pki: Difference between revisions
From noname.com.ua
Sirmax (talk | contribs)
Revision as of 15:25, 27 October 2021
- https://kubernetes.io/docs/setup/best-practices/certificates/
- https://gist.github.com/detiber/81b515df272f5911959e81e39137a8bb
How certificates are used by your cluster
Kubernetes requires PKI for the following operations:
- Client certificates for the kubelet to authenticate to the API server
- Server certificate for the API server endpoint
- Client certificates for administrators of the cluster to authenticate to the API server
- Client certificates for the API server to talk to the kubelets
- Client certificate for the API server to talk to etcd
- Client certificate/kubeconfig for the controller manager to talk to the API server
- Client certificate/kubeconfig for the scheduler to talk to the API server.
- Client and server certificates for the front-proxy
Note: front-proxy certificates are required only if you run kube-proxy to support an extension API server. etcd also implements mutual TLS to authenticate clients and peers.
The API server’s TLS certificate (and certificate authority)
- --tls-cert-file string
File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to /var/run/kubernetes.
- --tls-private-key-file string
File containing the default x509 private key matching --tls-cert-file.
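The two flags above define one contract for the serving bundle: the private key must match the first certificate in --tls-cert-file, and the CA, if present, is concatenated after the server certificate. As an added example (not code from this wiki page or from Kubernetes), the Go program below checks a PEM bundle against exactly that contract and mints a throwaway CA and server cert so it runs offline; CheckServingBundle, NewDemoPKI and toPEM are names chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckServingBundle enforces the contract in the flag help above: server cert first, CA (if any) after it, key matching the server cert.
func CheckServingBundle(certPEM, keyPEM []byte) error {
	kp, err := tls.X509KeyPair(certPEM, keyPEM) // fails unless the key matches the first cert
	if err != nil {
		return err
	}
	chain, err := x509.ParseCertificates(bytes.Join(kp.Certificate, nil))
	if err != nil {
		return err
	}
	if chain[0].IsCA {
		return fmt.Errorf("first cert %q is a CA; the server cert must come first", chain[0].Subject.CommonName)
	}
	for i := 1; i < len(chain); i++ { // each later cert must have issued the one before it
		if err := chain[i-1].CheckSignatureFrom(chain[i]); err != nil {
			return fmt.Errorf("%q did not issue %q: %w", chain[i].Subject.CommonName, chain[i-1].Subject.CommonName, err)
		}
	}
	return nil
}

// NewDemoPKI mints a throwaway CA and an API-server cert it signed (constructed demo material, not cluster files); returns server cert, CA cert, server key, CA key as PEM.
func NewDemoPKI() (srvPEM, caPEM, srvKeyPEM, caKeyPEM []byte) {
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "kube-apiserver"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"kubernetes"}}
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	srvKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)    // self-signed CA
	srvDER, _ := x509.CreateCertificate(rand.Reader, srv, ca, &srvKey.PublicKey, caKey) // issued by the CA
	keyPEM := func(k *rsa.PrivateKey) []byte { return toPEM("RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(k)) }
	return toPEM("CERTIFICATE", srvDER), toPEM("CERTIFICATE", caDER), keyPEM(srvKey), keyPEM(caKey)
}

func toPEM(typ string, der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}) }
```

A bundle with the CA first, or a key that belongs to the CA rather than the server cert, is rejected with a message naming the problem instead of being silently accepted for serving.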