为什么要使用kubeadm手动生成证书? [英] Using kubeadm why would you want to manually generate certs?

问题描述

我正在尝试遵循此

自行生成证书而不是依赖kubeadm的好处是什么?

如果您自己创建证书，那么从kubeadm设置集群后是否会自动旋转?

谢谢！

推荐答案

1. 没有主要优势. kubeadm的作用相同:生成自签名证书.唯一的迷你优势是您可以在 CSR 中添加一些自定义值，例如城市，组织等.

1. No major advantage. kubeadm does the same: generate self-signed certs. The only mini advantage is that you could add some custom values in the CSR, such as a City, Organization, etc.

不是真的.

• 有一个 kubelet证书旋转标记--rotate-certificates需要启用.

• 还有来自主证书的证书轮换，kubeadm可以通过这些

• There's a kubelet certificate rotation flag --rotate-certificates that needs to be enabled.

• There's also the certificate rotation from the masters and kubeadm can help with that with these commands:

mkdir /etc/kubernetes/pkibak
mv /etc/kubernetes/pki/* /etc/kubernetes/pkibak
rm /etc/kubernetes/pki/*
kubeadm init phase certs all --apiserver-advertise-address=0.0.0.0 --apiserver-cert-extra-sans=x.x.x.x,x.x.x.x
systemctl restart docker

如果要重新生成admin.conf文件，也可以使用kubeadm:

If you'd like to regenerate the admin.conf file, you can also use kubeadm:

$ kubeadm init phase kubeconfig admin \
  --cert-dir /etc/kubernetes/pki \
  --kubeconfig-dir /tmp/.

这篇关于为什么要使用kubeadm手动生成证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！