K8s-pki: difference between revisions

From noname.com.ua

Revision as of 15:24, 27 October 2021


How certificates are used by your cluster

Kubernetes requires PKI for the following operations:

  • Client certificates for the kubelet to authenticate to the API server
  • Server certificate for the API server endpoint
  • Client certificates for administrators of the cluster to authenticate to the API server
  • Client certificates for the API server to talk to the kubelets
  • Client certificate for the API server to talk to etcd
  • Client certificate/kubeconfig for the controller manager to talk to the API server
  • Client certificate/kubeconfig for the scheduler to talk to the API server
  • Client and server certificates for the front-proxy

Note: front-proxy certificates are required only if you run kube-proxy to support an extension API server. etcd also implements mutual TLS to authenticate clients and peers.


The API server’s TLS certificate (and certificate authority)

  • --tls-cert-file string
   File containing the default x509 Certificate for HTTPS. (CA cert, if any,
   concatenated after server cert). If HTTPS serving is enabled, and
   --tls-cert-file and --tls-private-key-file are not provided, a self-signed
   certificate and key are generated for the public address and saved to
   /var/run/kubernetes.
  • --tls-private-key-file string
   File containing the default x509 private key matching --tls-cert-file.
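As an added example (not from the original page or the Kubernetes project), a Go check of what these two flags require: the first PEM block in --tls-cert-file must be the serving certificate, the key in --tls-private-key-file must match it, and any CA concatenated after it must be the CA that issued it. CheckTLSBundle and Fixture are hypothetical names; Fixture generates a constructed CA, server certificate and key in memory, and the parsing relies on tls.X509KeyPair from the Go standard library, the same stack kube-apiserver is built on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CheckTLSBundle: block 0 of --tls-cert-file is the serving cert, the key matches it, trailing blocks are its issuing CA chain.
func CheckTLSBundle(certPEM, keyPEM []byte) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // same parsing Go's TLS stack does: key must match block 0
	if err != nil {
		return err
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // X509KeyPair already parsed block 0 successfully
	if leaf.IsCA {
		return errors.New("first PEM block is a CA: the server certificate must come first, CA after it")
	}
	for _, der := range pair.Certificate[1:] { // trailing blocks: the concatenated CA chain, in issuing order
		ca, err := x509.ParseCertificate(der)
		if err == nil {
			err = leaf.CheckSignatureFrom(ca) // this CA must have signed the block before it
		}
		if err != nil {
			return err
		}
		leaf = ca
	}
	return nil
}

// Fixture builds a constructed CA, server cert and server key as separate PEM blobs (test data, not a real cluster's PKI).
func Fixture() (serverPEM, caPEM, keyPEM []byte) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, srvPriv, _ := ed25519.GenerateKey(rand.Reader)
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes-ca"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srvT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "kube-apiserver"}, DNSNames: []string{"kubernetes"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, caPub, caPriv)
	caCert, _ := x509.ParseCertificate(caDER)
	srvDER, _ := x509.CreateCertificate(rand.Reader, srvT, caCert, srvPub, caPriv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(srvPriv)
	block := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return block("CERTIFICATE", srvDER), block("CERTIFICATE", caDER), block("PRIVATE KEY", keyDER)
}
```

Concatenating Fixture's server blob followed by its CA blob reproduces a valid --tls-cert-file; CA first reproduces the common misordering, which is rejected because the key no longer matches block 0.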