5.2.2.2. Certificates
Certificates are digital documents that attest to the identity of components inside a Kubernetes cluster. They provide secure communication, authentication and encryption for traffic between nodes, control-plane components and users.
All certificates are issued from a public key infrastructure (PKI) and carry information about the subject, the validity period and the certificate authority (CA) that issued them.
This section produces the certificates required by the various Kubernetes components (API server, kubelet, controller-manager and others).
- Init
- Join

Creating application certificates
● Mandatory
- Kubelet Server
- API -> Etcd
- API -> Kubelet
- API Server
- Proxy -> API
- Etcd Client
- Etcd Server
- Etcd Peer

## Init

### Kubelet server
#### HardWay

Environment variables
```bash
export CLUSTER_NAME=my-first-cluster
export BASE_DOMAIN=example.com
export CLUSTER_DOMAIN=cluster.local
export FULL_HOST_NAME=${HOST_NAME}.${CLUSTER_NAME}.${BASE_DOMAIN}
export MACHINE_LOCAL_ADDRESS=$(ip -4 addr show scope global | awk '/inet/ {print $2; exit}' | cut -d/ -f1)
```
Working directory
```bash
mkdir -p /etc/kubernetes/pki
mkdir -p /etc/kubernetes/openssl/csr
mkdir -p /var/lib/kubelet/pki
```
Configuration
```bash
cat <<EOF > /etc/kubernetes/openssl/kubelet-server.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = ${HOST_NAME}
DNS.3 = ${FULL_HOST_NAME}
IP.1 = 127.0.0.1
IP.2 = 0:0:0:0:0:0:0:1
IP.3 = ${MACHINE_LOCAL_ADDRESS}
[ dn ]
CN = "system:node:${FULL_HOST_NAME}"
O = "system:nodes"
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
EOF
```
Generate the private key
```bash
openssl genrsa \
  -out /var/lib/kubelet/pki/kubelet-server-key.pem 2048
```
Generate the CSR
```bash
openssl req \
  -new \
  -key /var/lib/kubelet/pki/kubelet-server-key.pem \
  -out /etc/kubernetes/openssl/csr/kubelet-server.csr \
  -config /etc/kubernetes/openssl/kubelet-server.conf
```
Sign the CSR
```bash
openssl x509 \
  -req \
  -days 365 \
  -sha256 \
  -outform PEM \
  -CA /etc/kubernetes/pki/ca.crt \
  -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial \
  -in /etc/kubernetes/openssl/csr/kubelet-server.csr \
  -out /var/lib/kubelet/pki/kubelet-server.pem \
  -extensions v3_ext \
  -extfile /etc/kubernetes/openssl/kubelet-server.conf
# Bundle certificate and key into a timestamped file and point the "current" symlink at it.
# The timestamp is read once, so the bundle name and the symlink target cannot differ.
STAMP=$(date '+%Y-%m-%d-%H-%M-%S')
cat /var/lib/kubelet/pki/kubelet-server.pem /var/lib/kubelet/pki/kubelet-server-key.pem > /var/lib/kubelet/pki/kubelet-server-${STAMP}.pem
ln -sf /var/lib/kubelet/pki/kubelet-server-${STAMP}.pem /var/lib/kubelet/pki/kubelet-server-current.pem
```
Certificate readiness check
This section depends on the following sections:
```bash
/etc/kubernetes/openssl/cert-report.sh /var/lib/kubelet/pki/kubelet-server.pem
```
```text
CERTIFICATE              EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
kubelet-server-current   Oct 22, 2025 22:06 UTC   364d            kubernetes              no
```
#### Kubeadm

kubeadm does not manage the serving certificate used by the kubelet. When the kubelet systemd unit starts, it initiates a certificate signing request; completing the process requires manual approval with the command:
```bash
kubectl certificate approve $CERT_NAME
```
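The HardWay steps above and the approval step just described can be rehearsed offline. The following is an added example, not code from the original page: it builds a throwaway CA in a temporary directory, produces a kubelet-server CSR with the page's OpenSSL configuration (CN line quoted), inspects the CSR the way an approver should before running `kubectl certificate approve` (node identity in O and CN, SANs limited to that node's names), signs it with the same `openssl x509 -req` invocation, and verifies the issued certificate against the CA. The host name, FQDN and address are constructed sample values; `check_kubelet_csr`, `sign_kubelet_csr` and `verify_leaf` are names chosen here.

```sh
#!/bin/sh
# Added example (not from the original page): rehearse the HardWay kubelet-server flow
# offline. A throwaway CA stands in for /etc/kubernetes/pki/ca.{crt,key}; the host name
# and address are constructed sample values. Nothing outside a temp directory is touched.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST_NAME=master-1
FULL_HOST_NAME=master-1.my-first-cluster.example.com
MACHINE_LOCAL_ADDRESS=10.0.0.16

# 1. Throwaway cluster CA: self-signed, CA:TRUE, allowed to sign certificates.
cat <<EOF > "$WORK/ca.conf"
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = kubernetes
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.conf" \
  -extensions ca_ext -days 2 -sha256 -out "$WORK/ca.crt"

# 2. The page's kubelet-server OpenSSL config, with the CN line properly quoted.
cat <<EOF > "$WORK/kubelet-server.conf"
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = ${HOST_NAME}
DNS.3 = ${FULL_HOST_NAME}
IP.1 = 127.0.0.1
IP.2 = 0:0:0:0:0:0:0:1
IP.3 = ${MACHINE_LOCAL_ADDRESS}
[ dn ]
CN = "system:node:${FULL_HOST_NAME}"
O = "system:nodes"
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
EOF

# 3. Key and CSR, exactly as in the HardWay steps.
openssl genrsa -out "$WORK/kubelet-server-key.pem" 2048 2>/dev/null
openssl req -new -key "$WORK/kubelet-server-key.pem" \
  -out "$WORK/kubelet-server.csr" -config "$WORK/kubelet-server.conf"

# What an approver should verify before `kubectl certificate approve`: the CSR claims
# a node identity (O=system:nodes, CN=system:node:<fqdn>) and carries that node's name.
check_kubelet_csr() {   # $1 = CSR file, $2 = expected node FQDN; returns 0 if acceptable
  txt="$(openssl req -in "$1" -noout -text)"
  echo "$txt" | grep -q 'O *= *system:nodes' || return 1
  echo "$txt" | grep -q "CN *= *system:node:$2" || return 1
  echo "$txt" | grep -q "DNS:$2" || return 1
}

# 4. Sign with the CA, as the page's `openssl x509 -req` step does.
sign_kubelet_csr() {    # $1 = CSR, $2 = OpenSSL config, $3 = output certificate
  openssl x509 -req -days 2 -sha256 -outform PEM \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -in "$1" -out "$3" -extensions v3_ext -extfile "$2" 2>/dev/null
}

# Readiness check on the issued certificate: chains to our CA, is a TLS server
# certificate, carries the node's SAN, and will still be valid in 24 hours.
verify_leaf() {         # $1 = certificate, $2 = CA certificate, $3 = expected node FQDN
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  txt="$(openssl x509 -in "$1" -noout -text)"
  echo "$txt" | grep -q 'TLS Web Server Authentication' || return 1
  echo "$txt" | grep -q "DNS:$3" || return 1
  openssl x509 -in "$1" -noout -checkend 86400 >/dev/null
}

check_kubelet_csr "$WORK/kubelet-server.csr" "$FULL_HOST_NAME" && echo "CSR identity and SANs OK"
sign_kubelet_csr "$WORK/kubelet-server.csr" "$WORK/kubelet-server.conf" "$WORK/kubelet-server.pem"
verify_leaf "$WORK/kubelet-server.pem" "$WORK/ca.crt" "$FULL_HOST_NAME" && echo "issued certificate OK"
```

On a real node, `check_kubelet_csr` can be pointed at `/etc/kubernetes/openssl/csr/kubelet-server.csr` and `verify_leaf` at `/var/lib/kubelet/pki/kubelet-server.pem` together with `/etc/kubernetes/pki/ca.crt`; a CSR that names a different host or lacks `O=system:nodes` is the case to refuse rather than approve.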
RotateKubeletServerCertificate

Automatic rotation of kubelet certificates requires additional settings.

kube-apiserver configuration (static pod manifest, or the equivalent kubeadm ClusterConfiguration fragment):
```yaml
spec:
  containers:
  - command:
    - --feature-gates=RotateKubeletServerCertificate=true
```
```yaml
apiServer:
  extraArgs:
    feature-gates: "RotateKubeletServerCertificate=true"
```
kube-controller-manager configuration:
```yaml
spec:
  containers:
  - command:
    - --feature-gates=RotateKubeletServerCertificate=true
```
```yaml
controllerManager:
  extraArgs:
    feature-gates: "RotateKubeletServerCertificate=true"
```
Kubelet configuration:
```yaml
rotateCertificates: true
featureGates:
  RotateKubeletServerCertificate: true
```
If you use a Cloud Controller Manager (CCM), the certificate will not be issued until the CCM has assigned the Node an address in the INTERNAL_IP field.

Certificate readiness check
kubeadm does not display the status of the certificate used by the kubelet.
### K8S-API client > Etcd server

#### HardWay

Working directory
```bash
mkdir -p /etc/kubernetes/pki
mkdir -p /etc/kubernetes/openssl/csr
```
Configuration
```bash
cat <<EOF > /etc/kubernetes/openssl/apiserver-etcd-client.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
CN = kube-apiserver-etcd-client
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=clientAuth
EOF
```
Generate the private key
```bash
openssl genrsa \
  -out /etc/kubernetes/pki/apiserver-etcd-client.key 2048
```
Generate the CSR
```bash
openssl req \
  -new \
  -key /etc/kubernetes/pki/apiserver-etcd-client.key \
  -out /etc/kubernetes/openssl/csr/apiserver-etcd-client.csr \
  -config /etc/kubernetes/openssl/apiserver-etcd-client.conf
```
Sign the CSR
```bash
openssl x509 \
  -req \
  -days 365 \
  -sha256 \
  -CA /etc/kubernetes/pki/etcd/ca.crt \
  -CAkey /etc/kubernetes/pki/etcd/ca.key \
  -CAcreateserial \
  -in /etc/kubernetes/openssl/csr/apiserver-etcd-client.csr \
  -out /etc/kubernetes/pki/apiserver-etcd-client.crt \
  -extensions v3_ext \
  -extfile /etc/kubernetes/openssl/apiserver-etcd-client.conf
```
Certificate readiness check
This section depends on the following sections:
```bash
/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/apiserver-etcd-client.crt
```
```text
CERTIFICATE             EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver-etcd-client   Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
```
#### Kubeadm

Generate the certificate
```bash
kubeadm init phase certs apiserver-etcd-client \
  --config=/var/run/kubeadm/kubeadm.yaml
```
After running the command you get the following output:
```text
[certs] Generating "apiserver-etcd-client" certificate and key
```
Certificate readiness check
This command cannot show the status of one specific certificate, only the list of all available ones.
```bash
kubeadm certs check-expiration
```
```text
CERTIFICATE             EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver-etcd-client   Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
```
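Since `kubeadm certs check-expiration` only prints the whole table, the status of one certificate has to be picked out of it. The following is an added example, not part of the original page: two shell functions that parse the table in the column layout shown above (the RESIDUAL TIME value is the token after `UTC`, written in kubeadm's short duration form such as `364d`, `9y`, or `<invalid>` for a certificate that has already expired). The embedded report is a constructed sample; an expired `front-proxy-client` and a `scheduler.conf` with 3 days left are included to exercise the threshold check, and `residual_days` and `expiring_within` are names chosen here.

```sh
#!/bin/sh
# Added example (not from the original page): pull the status of one certificate, or of
# every certificate close to expiry, out of `kubeadm certs check-expiration` output.
# The report below is a constructed sample in kubeadm's column layout; on a real control
# plane, pipe the live command into the same functions.
set -eu

sample_report() {
cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 22, 2025 22:06 UTC   364d            ca                      no
apiserver                  Oct 22, 2025 22:06 UTC   364d            ca                      no
apiserver-etcd-client      Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Oct 22, 2025 22:06 UTC   364d            ca                      no
etcd-healthcheck-client    Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
etcd-peer                  Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
etcd-server                Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
front-proxy-client         Oct 20, 2024 22:06 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Oct 26, 2024 22:06 UTC   3d              ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 20, 2034 22:06 UTC   9y              no
etcd-ca                 Oct 20, 2034 22:06 UTC   9y              no
front-proxy-ca          Oct 20, 2034 22:06 UTC   9y              no
EOF
}

# awk helpers shared by both functions: locate the RESIDUAL TIME token (the field after
# "UTC") and convert kubeadm's short duration (364d, 9y, 23h, <invalid>) to whole days.
AWK_LIB='
function residual(   i) { for (i = 2; i <= NF; i++) if ($i == "UTC") return $(i + 1); return "" }
function to_days(r,   n, u) {
  if (r == "<invalid>") return -1                      # already expired
  n = substr(r, 1, length(r) - 1); u = substr(r, length(r))
  if (u == "y") return n * 365
  if (u == "d") return n + 0
  return 0                                             # s, m, h: under a day left
}'

# Days left for one named certificate; exit status 2 if the name is not in the report.
residual_days() {   # $1 = certificate name; report on stdin
  awk -v name="$1" "$AWK_LIB"'
    $1 == name && residual() != "" { print to_days(residual()); found = 1; exit }
    END { if (!found) exit 2 }'
}

# Names of all certificates (leaf and CA) with at most $1 days left, expired ones included.
expiring_within() { # $1 = threshold in days; report on stdin
  awk -v lim="$1" "$AWK_LIB"'
    residual() != "" && to_days(residual()) <= lim { print $1 }'
}

echo "apiserver-etcd-client: $(sample_report | residual_days apiserver-etcd-client) days left"
echo "expiring within 30 days:"
sample_report | expiring_within 30
```

`expiring_within` is the form that belongs in a cron job or monitoring check: an empty result means nothing is due, and an expired entry is reported alongside the soon-to-expire ones because `<invalid>` maps to -1 days.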
### K8S-API client > Kubelet server

#### HardWay

Working directory
```bash
mkdir -p /etc/kubernetes/pki
mkdir -p /etc/kubernetes/openssl/csr
```
Configuration
```bash
cat <<EOF > /etc/kubernetes/openssl/apiserver-kubelet-client.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
CN = kube-apiserver-kubelet-client
O = kubeadm:cluster-admins
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=clientAuth
EOF
```
Generate the private key
```bash
openssl genrsa \
  -out /etc/kubernetes/pki/apiserver-kubelet-client.key 2048
```
Generate the CSR
```bash
openssl req \
  -new \
  -key /etc/kubernetes/pki/apiserver-kubelet-client.key \
  -out /etc/kubernetes/openssl/csr/apiserver-kubelet-client.csr \
  -config /etc/kubernetes/openssl/apiserver-kubelet-client.conf
```
Sign the CSR
```bash
openssl x509 \
  -req \
  -days 365 \
  -sha256 \
  -CA /etc/kubernetes/pki/ca.crt \
  -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial \
  -in /etc/kubernetes/openssl/csr/apiserver-kubelet-client.csr \
  -out /etc/kubernetes/pki/apiserver-kubelet-client.crt \
  -extensions v3_ext \
  -extfile /etc/kubernetes/openssl/apiserver-kubelet-client.conf
```
Certificate readiness check
This section depends on the following sections:
```bash
/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/apiserver-kubelet-client.crt
```
```text
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver-kubelet-client   Oct 22, 2025 22:06 UTC   364d            ca                      no
```

#### Kubeadm

Generate the certificate
```bash
kubeadm init phase certs apiserver-kubelet-client \
  --config=/var/run/kubeadm/kubeadm.yaml
```
After running the command you get the following output:
```text
[certs] Generating "apiserver-kubelet-client" certificate and key
```
Certificate readiness check
This command cannot show the status of one specific certificate, only the list of all available ones.
```bash
kubeadm certs check-expiration
```
```text
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver-kubelet-client   Oct 22, 2025 22:06 UTC   364d            ca                      no
```
### K8S-API server

#### HardWay

Environment variables
```bash
export CLUSTER_NAME=my-first-cluster
export BASE_DOMAIN=example.com
export CLUSTER_DOMAIN=cluster.local
export FULL_HOST_NAME=${HOST_NAME}.${CLUSTER_NAME}.${BASE_DOMAIN}
export CLUSTER_API_ENDPOINT=api.my-first-cluster.example.com
export MACHINE_LOCAL_ADDRESS=$(ip -4 addr show scope global | awk '/inet/ {print $2; exit}' | cut -d/ -f1)
```
Working directory
```bash
mkdir -p /etc/kubernetes/pki
mkdir -p /etc/kubernetes/openssl/csr
```
Configuration

The node address is taken from `MACHINE_LOCAL_ADDRESS` set above rather than from an `ip`/`awk` pipeline placed inside the heredoc: the heredoc is unquoted, so the shell would expand the `$2` in the awk program and the address field would be empty.
```bash
cat <<EOF > /etc/kubernetes/openssl/apiserver.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.${CLUSTER_DOMAIN}
DNS.5 = ${FULL_HOST_NAME}
DNS.6 = ${CLUSTER_API_ENDPOINT}
IP.1 = ${MACHINE_LOCAL_ADDRESS}
IP.2 = 127.0.0.1
[ dn ]
CN = kube-apiserver
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
EOF
```
Compare with the kubeadm output below, which also lists the ClusterIP of the kubernetes Service (29.64.0.1 there): a HardWay certificate that must serve pods through that ClusterIP needs an additional IP entry for it.

Generate the private key
```bash
openssl genrsa \
  -out /etc/kubernetes/pki/apiserver.key 2048
```
Generate the CSR
```bash
openssl req \
  -new \
  -key /etc/kubernetes/pki/apiserver.key \
  -out /etc/kubernetes/openssl/csr/apiserver.csr \
  -config /etc/kubernetes/openssl/apiserver.conf
```
Sign the CSR
```bash
openssl x509 \
  -req \
  -days 365 \
  -sha256 \
  -CA /etc/kubernetes/pki/ca.crt \
  -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial \
  -in /etc/kubernetes/openssl/csr/apiserver.csr \
  -out /etc/kubernetes/pki/apiserver.crt \
  -extensions v3_ext \
  -extfile /etc/kubernetes/openssl/apiserver.conf
```
Certificate readiness check
This section depends on the following sections:
```bash
/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/apiserver.crt
```
```text
CERTIFICATE   EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver     Oct 22, 2025 22:06 UTC   364d            ca                      no
```

#### Kubeadm

Generate the certificate
```bash
kubeadm init phase certs apiserver \
  --config=/var/run/kubeadm/kubeadm.yaml
```
After running the command you get the following output:
```text
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [api.my-first-cluster.example.com kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local master-1.my-first-cluster.example.com] and IPs [29.64.0.1 10.0.0.16]
```
Certificate readiness check
This command cannot show the status of one specific certificate, only the list of all available ones.
```bash
kubeadm certs check-expiration
```
```text
CERTIFICATE   EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver     Oct 22, 2025 22:06 UTC   364d            ca                      no
```
### FrontProxy client > K8S-API

#### HardWay

Working directory
```bash
mkdir -p /etc/kubernetes/pki
mkdir -p /etc/kubernetes/openssl/csr
```
Configuration
```bash
cat <<EOF > /etc/kubernetes/openssl/front-proxy-client.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
CN = front-proxy-client
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=clientAuth
EOF
```
Generate the private key
```bash
openssl genrsa \
  -out /etc/kubernetes/pki/front-proxy-client.key 2048
```
Generate the CSR
```bash
openssl req \
  -new \
  -key /etc/kubernetes/pki/front-proxy-client.key \
  -out /etc/kubernetes/openssl/csr/front-proxy-client.csr \
  -config /etc/kubernetes/openssl/front-proxy-client.conf
```
Sign the CSR
```bash
openssl x509 \
  -req \
  -days 365 \
  -sha256 \
  -CA /etc/kubernetes/pki/front-proxy-ca.crt \
  -CAkey /etc/kubernetes/pki/front-proxy-ca.key \
  -CAcreateserial \
  -in /etc/kubernetes/openssl/csr/front-proxy-client.csr \
  -out /etc/kubernetes/pki/front-proxy-client.crt \
  -extensions v3_ext \
  -extfile /etc/kubernetes/openssl/front-proxy-client.conf
```
Certificate readiness check
This section depends on the following sections:
```bash
/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/front-proxy-client.crt
```
```text
CERTIFICATE          EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
front-proxy-client   Oct 22, 2025 22:06 UTC   364d            front-proxy-ca          no
```

#### Kubeadm

Generate the certificate
```bash
kubeadm init phase certs front-proxy-client \
  --config=/var/run/kubeadm/kubeadm.yaml
```
After running the command you get the following output:
```text
[certs] Generating "front-proxy-client" certificate and key
```
Certificate readiness check
This command cannot show the status of one specific certificate, only the list of all available ones.
```bash
kubeadm certs check-expiration
```
```text
CERTIFICATE          EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
front-proxy-client   Oct 22, 2025 22:06 UTC   364d            front-proxy-ca          no
```
### Etcd client > Etcd

#### HardWay

Working directory
```bash
mkdir -p /etc/kubernetes/pki/etcd
mkdir -p /etc/kubernetes/openssl/csr
```
Configuration
```bash
cat <<EOF > /etc/kubernetes/openssl/healthcheck-client.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
CN = kube-etcd-healthcheck-client
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=clientAuth
EOF
```
Generate the private key
```bash
openssl genrsa \
  -out /etc/kubernetes/pki/etcd/healthcheck-client.key 2048
```
Generate the CSR
```bash
openssl req \
  -new \
  -key /etc/kubernetes/pki/etcd/healthcheck-client.key \
  -out /etc/kubernetes/openssl/csr/etcd-client.csr \
  -config /etc/kubernetes/openssl/healthcheck-client.conf
```
Sign the CSR
```bash
openssl x509 \
  -req \
  -days 365 \
  -sha256 \
  -CA /etc/kubernetes/pki/etcd/ca.crt \
  -CAkey /etc/kubernetes/pki/etcd/ca.key \
  -CAcreateserial \
  -in /etc/kubernetes/openssl/csr/etcd-client.csr \
  -out /etc/kubernetes/pki/etcd/healthcheck-client.crt \
  -extensions v3_ext \
  -extfile /etc/kubernetes/openssl/healthcheck-client.conf
```
Certificate readiness check
This section depends on the following sections:
```bash
/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/etcd/healthcheck-client.crt
```
```text
CERTIFICATE               EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
etcd-healthcheck-client   Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
```

#### Kubeadm

Generate the certificate
```bash
kubeadm init phase certs etcd-healthcheck-client \
  --config=/var/run/kubeadm/kubeadm.yaml
```
After running the command you get the following output:
```text
[certs] Generating "etcd/healthcheck-client" certificate and key
```
Certificate readiness check
This command cannot show the status of one specific certificate, only the list of all available ones.
```bash
kubeadm certs check-expiration
```
```text
CERTIFICATE               EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
etcd-healthcheck-client   Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
```
### Etcd server

#### HardWay

Environment variables
```bash
export CLUSTER_NAME=my-first-cluster
export BASE_DOMAIN=example.com
export FULL_HOST_NAME=${HOST_NAME}.${CLUSTER_NAME}.${BASE_DOMAIN}
export MACHINE_LOCAL_ADDRESS=$(ip -4 addr show scope global | awk '/inet/ {print $2; exit}' | cut -d/ -f1)
```
Working directory
```bash
mkdir -p /etc/kubernetes/pki/etcd
mkdir -p /etc/kubernetes/openssl/csr
```
Configuration
```bash
cat <<EOF > /etc/kubernetes/openssl/etcd-server.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = ${HOST_NAME}
DNS.3 = ${FULL_HOST_NAME}
IP.1 = 127.0.0.1
IP.2 = 0:0:0:0:0:0:0:1
IP.3 = ${MACHINE_LOCAL_ADDRESS}
[ dn ]
CN = ${FULL_HOST_NAME}
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
EOF
```
Generate the private key
```bash
openssl genrsa \
  -out /etc/kubernetes/pki/etcd/server.key 2048
```
Generate the CSR
```bash
openssl req \
  -new \
  -key /etc/kubernetes/pki/etcd/server.key \
  -out /etc/kubernetes/openssl/csr/etcd-server.csr \
  -config /etc/kubernetes/openssl/etcd-server.conf
```
Sign the CSR
```bash
openssl x509 \
  -req \
  -days 365 \
  -sha256 \
  -CA /etc/kubernetes/pki/etcd/ca.crt \
  -CAkey /etc/kubernetes/pki/etcd/ca.key \
  -CAcreateserial \
  -in /etc/kubernetes/openssl/csr/etcd-server.csr \
  -out /etc/kubernetes/pki/etcd/server.crt \
  -extensions v3_ext \
  -extfile /etc/kubernetes/openssl/etcd-server.conf
```
Certificate readiness check
This section depends on the following sections:
```bash
/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/etcd/server.crt
```
```text
CERTIFICATE   EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
etcd-server   Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
```

#### Kubeadm

Generate the certificate
```bash
kubeadm init phase certs etcd-server \
  --config=/var/run/kubeadm/kubeadm.yaml
```
After running the command you get the following output:
```text
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com] and IPs [192.168.10.27 127.0.0.1 ::1]
```
Certificate readiness check
This command cannot show the status of one specific certificate, only the list of all available ones.
```bash
kubeadm certs check-expiration
```
```text
CERTIFICATE   EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
etcd-server   Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
```
### Etcd peer > Etcd

#### HardWay

Environment variables
```bash
export CLUSTER_NAME=my-first-cluster
export BASE_DOMAIN=example.com
export FULL_HOST_NAME=${HOST_NAME}.${CLUSTER_NAME}.${BASE_DOMAIN}
export MACHINE_LOCAL_ADDRESS=$(ip -4 addr show scope global | awk '/inet/ {print $2; exit}' | cut -d/ -f1)
```
Working directory
```bash
mkdir -p /etc/kubernetes/pki/etcd
mkdir -p /etc/kubernetes/openssl/csr
```
Configuration
```bash
cat <<EOF > /etc/kubernetes/openssl/etcd-peer.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = ${HOST_NAME}
DNS.3 = ${FULL_HOST_NAME}
IP.1 = 127.0.0.1
IP.2 = 0:0:0:0:0:0:0:1
IP.3 = ${MACHINE_LOCAL_ADDRESS}
[ dn ]
CN = ${FULL_HOST_NAME}
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
EOF
```
Generate the private key
```bash
openssl genrsa \
  -out /etc/kubernetes/pki/etcd/peer.key 2048
```
Generate the CSR
```bash
openssl req \
  -new \
  -key /etc/kubernetes/pki/etcd/peer.key \
  -out /etc/kubernetes/openssl/csr/etcd-peer.csr \
  -config /etc/kubernetes/openssl/etcd-peer.conf
```
Sign the CSR
```bash
openssl x509 \
  -req \
  -days 365 \
  -sha256 \
  -CA /etc/kubernetes/pki/etcd/ca.crt \
  -CAkey /etc/kubernetes/pki/etcd/ca.key \
  -CAcreateserial \
  -in /etc/kubernetes/openssl/csr/etcd-peer.csr \
  -out /etc/kubernetes/pki/etcd/peer.crt \
  -extensions v3_ext \
  -extfile /etc/kubernetes/openssl/etcd-peer.conf
```
Certificate readiness check
This section depends on the following sections:
```bash
/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/etcd/peer.crt
```
```text
CERTIFICATE   EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
etcd-peer     Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
```

#### Kubeadm

Generate the certificate
```bash
kubeadm init phase certs etcd-peer \
  --config=/var/run/kubeadm/kubeadm.yaml
```
After running the command you get the following output:
```text
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com] and IPs [192.168.10.27 127.0.0.1 ::1]
```
Certificate readiness check
This command cannot show the status of one specific certificate, only the list of all available ones.
```bash
kubeadm certs check-expiration
```
```text
CERTIFICATE   EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
etcd-peer     Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
```
## Join

### Kubelet server
#### HardWay

The manual procedure is identical to the HardWay steps for this certificate in the Init tab above.
#### Kubeadm

Bear in mind that at the Join stage you cannot choose which certificates to generate: kubeadm creates all of them at once, in full.

Generate the certificates
```bash
kubeadm join phase control-plane-prepare certs \
  --config=/var/run/kubeadm/kubeadm.yaml
```
```text
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [217.114.0.145 127.0.0.1 ::1 31.129.111.153]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [217.114.0.145 127.0.0.1 ::1 31.129.111.153]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [api.my-first-cluster.example.com kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [29.64.0.1 217.114.0.145 31.129.111.153 127.0.0.1]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[certs] Using the existing "sa" key
```
Certificate readiness check
kubeadm does not display the status of the certificate used by the kubelet.
### K8S-API client > Etcd server
#### HardWay

The manual procedure is identical to the HardWay steps for this certificate in the Init tab above.
#### Kubeadm

Bear in mind that at the Join stage you cannot choose which certificates to generate: kubeadm creates all of them at once, in full.

Generate the certificates
```bash
kubeadm join phase control-plane-prepare certs \
  --config=/var/run/kubeadm/kubeadm.yaml
```
The output is the same as shown for Kubelet server in this tab above.

Certificate readiness check
This command cannot show the status of one specific certificate, only the list of all available ones.
```bash
kubeadm certs check-expiration
```
```text
CERTIFICATE             EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver-etcd-client   Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
```
### K8S-API client > Kubelet server
#### HardWay

The manual procedure is identical to the HardWay steps for this certificate in the Init tab above.
#### Kubeadm

Bear in mind that at the Join stage you cannot choose which certificates to generate: kubeadm creates all of them at once, in full.

Generate the certificates
```bash
kubeadm join phase control-plane-prepare certs \
  --config=/var/run/kubeadm/kubeadm.yaml
```
The output is the same as shown for Kubelet server in this tab above.

Certificate readiness check
This command cannot show the status of one specific certificate, only the list of all available ones.
```bash
kubeadm certs check-expiration
```
```text
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver-kubelet-client   Oct 22, 2025 22:06 UTC   364d            ca                      no
```
### K8S-API server
Переменные окружения
export CLUSTER_NAME=my-first-cluster
export BASE_DOMAIN=example.com
export CLUSTER_DOMAIN=cluster.local
export FULL_HOST_NAME=${HOST_NAME}.${CLUSTER_NAME}.${BASE_DOMAIN}
export CLUSTER_API_ENDPOINT=api.my-first-cluster.example.com
Рабочая директория
mkdir -p /etc/kubernetes/pki
mkdir -p /etc/kubernetes/openssl/csr
Конфигурация
cat <<EOF > /etc/kubernetes/openssl/apiserver.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.${CLUSTER_DOMAIN}
DNS.5 = ${FULL_HOST_NAME}
DNS.6 = ${CLUSTER_API_ENDPOINT}
IP.1 = $(ip -4 addr show scope global | awk '/inet/ {print $2; exit}' | cut -d/ -f1)
IP.2 = 127.0.0.1
[ dn ]
CN = kube-apiserver
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
EOF
Generating the private key
openssl genrsa \
-out /etc/kubernetes/pki/apiserver.key 2048
Generating the CSR
openssl req \
-new \
-key /etc/kubernetes/pki/apiserver.key \
-out /etc/kubernetes/openssl/csr/apiserver.csr \
-config /etc/kubernetes/openssl/apiserver.conf
Signing the CSR
openssl x509 \
-req \
-days 365 \
-sha256 \
-CA /etc/kubernetes/pki/ca.crt \
-CAkey /etc/kubernetes/pki/ca.key \
-CAcreateserial \
-in /etc/kubernetes/openssl/csr/apiserver.csr \
-out /etc/kubernetes/pki/apiserver.crt \
-extensions v3_ext \
-extfile /etc/kubernetes/openssl/apiserver.conf
Checking that the certificate is ready
This section depends on the following sections (the cert-report.sh script invoked below):
/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/apiserver.crt
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
apiserver Oct 22, 2025 22:06 UTC 364d ca no
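A check worth running right after the signing step, before kube-apiserver is started with the new files. The script below is an added example and not part of the original page: it needs only the openssl CLI, builds a throwaway CA and an apiserver-style certificate with the same openssl req / openssl x509 -req flow used above, and then confirms that every name a client may dial is in the SAN list, that the Extended Key Usage is serverAuth, and that the certificate verifies against the CA it was meant to be signed by. The fixture's SAN list mirrors the configuration above and, like it, omits the first address of the service subnet (10.96.0.1 in the fixture, a constructed value); the kubeadm output further down shows that kubeadm does include that address (29.64.0.1 there), because in-cluster clients reach the API server through the kubernetes Service ClusterIP. The paths, the 192.0.2.10 node address and the hostnames in the fixture are all constructed.

```shell
#!/bin/sh
# Added example, not part of the original page. Verifies a signed certificate
# for the SANs, EKU and issuing CA a component needs, before that component is
# started with it. Requires only the openssl CLI (1.1.1+ for -ext).
set -eu

# san_list CERT: SAN entries one per line, in openssl's own spelling
# ("DNS:kubernetes", "IP Address:127.0.0.1"); empty if there is no SAN.
san_list() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -E '^(DNS|IP Address):' || true
}

# missing_sans CERT WANT...: WANT is DNS:<name> or IP:<addr>; prints every WANT
# the certificate lacks, one per line. Always exits 0, so it is safe in $(...).
missing_sans() {
  cert=$1; shift
  have=$(san_list "$cert")
  for want in "$@"; do
    case $want in
      IP:*) label="IP Address:${want#IP:}" ;;
      *)    label=$want ;;
    esac
    printf '%s\n' "$have" | grep -qxF -- "$label" || printf '%s\n' "$want"
  done
}

# has_eku CERT TEXT: true if Extended Key Usage lists TEXT, e.g.
# "TLS Web Server Authentication" or "TLS Web Client Authentication".
has_eku() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null | grep -qF -- "$2"
}

# chains_to CERT CA: true if CERT verifies against CA; pass the CA the peer
# actually trusts (pki/ca.crt, pki/front-proxy-ca.crt or pki/etcd/ca.crt).
chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_fixture DIR: constructed test data, not a real cluster. A throwaway CA
# and an apiserver-style certificate built with the page's req / x509 -req
# flow; the SAN list deliberately lacks the service ClusterIP 10.96.0.1.
make_fixture() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/pki.conf" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
x509_extensions = ca_ext
[ dn ]
CN = kube-apiserver
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = api.my-first-cluster.example.com
IP.1 = 192.0.2.10
IP.2 = 127.0.0.1
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_ext ]
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
EOF
  # self-signed throwaway CA (ca_ext section), then the page's three steps
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/pki.conf" >/dev/null 2>&1
  openssl genrsa -out "$dir/apiserver.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$dir/apiserver.key" -out "$dir/apiserver.csr" \
    -config "$dir/pki.conf" 2>/dev/null
  openssl x509 -req -days 1 -sha256 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -in "$dir/apiserver.csr" -out "$dir/apiserver.crt" \
    -extensions v3_ext -extfile "$dir/pki.conf" >/dev/null 2>&1
}

# Stand-alone demo on the fixture: the ClusterIP gap shows up as MISSING.
tmp=$(mktemp -d)
make_fixture "$tmp"
if chains_to "$tmp/apiserver.crt" "$tmp/ca.crt"; then echo "chain: OK"; else echo "chain: FAIL"; fi
if has_eku "$tmp/apiserver.crt" "TLS Web Server Authentication"; then echo "eku: serverAuth OK"; fi
missing_sans "$tmp/apiserver.crt" DNS:kubernetes IP:127.0.0.1 IP:10.96.0.1 | sed 's/^/MISSING: /'
rm -rf "$tmp"
```

The same three functions apply unchanged to the other certificates in this chapter: the etcd server and peer certificates should show both TLS Web Server Authentication and TLS Web Client Authentication and verify against etcd/ca.crt, while front-proxy-client should show only TLS Web Client Authentication and verify against front-proxy-ca.crt.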
Kubeadm
Keep in mind: at the Join stage you cannot choose which certificates to generate; kubeadm creates all of them at once, in full.
Generating the certificates
kubeadm join phase control-plane-prepare certs \
--config=/var/run/kubeadm/kubeadm.yaml
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [217.114.0.145 127.0.0.1 ::1 31.129.111.153]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [217.114.0.145 127.0.0.1 ::1 31.129.111.153]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [api.my-first-cluster.example.com kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [29.64.0.1 217.114.0.145 31.129.111.153 127.0.0.1]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[certs] Using the existing "sa" key
Checking that the certificate is ready
This command cannot show the status of a specific certificate, only the list of the available ones.
kubeadm certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
apiserver Oct 22, 2025 22:06 UTC 364d ca no
FrontProxy client > K8S-API
HardWay
Working directory
mkdir -p /etc/kubernetes/pki
mkdir -p /etc/kubernetes/openssl/csr
Configuration
cat <<EOF > /etc/kubernetes/openssl/front-proxy-client.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
CN = front-proxy-client
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=clientAuth
EOF
Generating the private key
openssl genrsa \
-out /etc/kubernetes/pki/front-proxy-client.key 2048
Generating the CSR
openssl req \
-new \
-key /etc/kubernetes/pki/front-proxy-client.key \
-out /etc/kubernetes/openssl/csr/front-proxy-client.csr \
-config /etc/kubernetes/openssl/front-proxy-client.conf
Signing the CSR
openssl x509 \
-req \
-days 365 \
-sha256 \
-CA /etc/kubernetes/pki/front-proxy-ca.crt \
-CAkey /etc/kubernetes/pki/front-proxy-ca.key \
-CAcreateserial \
-in /etc/kubernetes/openssl/csr/front-proxy-client.csr \
-out /etc/kubernetes/pki/front-proxy-client.crt \
-extensions v3_ext \
-extfile /etc/kubernetes/openssl/front-proxy-client.conf
Checking that the certificate is ready
This section depends on the following sections (the cert-report.sh script invoked below):
/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/front-proxy-client.crt
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
front-proxy-client Oct 22, 2025 22:06 UTC 364d front-proxy-ca no
Kubeadm
Keep in mind: at the Join stage you cannot choose which certificates to generate; kubeadm creates all of them at once, in full.
Generating the certificates
kubeadm join phase control-plane-prepare certs \
--config=/var/run/kubeadm/kubeadm.yaml
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [217.114.0.145 127.0.0.1 ::1 31.129.111.153]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [217.114.0.145 127.0.0.1 ::1 31.129.111.153]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [api.my-first-cluster.example.com kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [29.64.0.1 217.114.0.145 31.129.111.153 127.0.0.1]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[certs] Using the existing "sa" key
Checking that the certificate is ready
This command cannot show the status of a specific certificate, only the list of the available ones.
kubeadm certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
front-proxy-client Oct 22, 2025 22:06 UTC 364d front-proxy-ca no
Etcd client > Etcd
HardWay
Working directory
mkdir -p /etc/kubernetes/pki/etcd
mkdir -p /etc/kubernetes/openssl/csr
Configuration
cat <<EOF > /etc/kubernetes/openssl/healthcheck-client.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
CN = kube-etcd-healthcheck-client
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=clientAuth
EOF
Generating the private key
openssl genrsa \
-out /etc/kubernetes/pki/etcd/healthcheck-client.key 2048
Generating the CSR
openssl req \
-new \
-key /etc/kubernetes/pki/etcd/healthcheck-client.key \
-out /etc/kubernetes/openssl/csr/etcd-client.csr \
-config /etc/kubernetes/openssl/healthcheck-client.conf
Signing the CSR
openssl x509 \
-req \
-days 365 \
-sha256 \
-CA /etc/kubernetes/pki/etcd/ca.crt \
-CAkey /etc/kubernetes/pki/etcd/ca.key \
-CAcreateserial \
-in /etc/kubernetes/openssl/csr/etcd-client.csr \
-out /etc/kubernetes/pki/etcd/healthcheck-client.crt \
-extensions v3_ext \
-extfile /etc/kubernetes/openssl/healthcheck-client.conf
Checking that the certificate is ready
This section depends on the following sections (the cert-report.sh script invoked below):
/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/etcd/healthcheck-client.crt
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
etcd-healthcheck-client Oct 22, 2025 22:06 UTC 364d etcd-ca no
Kubeadm
Keep in mind: at the Join stage you cannot choose which certificates to generate; kubeadm creates all of them at once, in full.
Generating the certificates
kubeadm join phase control-plane-prepare certs \
--config=/var/run/kubeadm/kubeadm.yaml
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [217.114.0.145 127.0.0.1 ::1 31.129.111.153]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [217.114.0.145 127.0.0.1 ::1 31.129.111.153]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [api.my-first-cluster.example.com kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [29.64.0.1 217.114.0.145 31.129.111.153 127.0.0.1]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[certs] Using the existing "sa" key
Checking that the certificate is ready
This command cannot show the status of a specific certificate, only the list of the available ones.
kubeadm certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
etcd-healthcheck-client Oct 22, 2025 22:06 UTC 364d etcd-ca no
Etcd server
HardWay
Environment variables
export CLUSTER_NAME=my-first-cluster
export BASE_DOMAIN=example.com
export FULL_HOST_NAME=${HOST_NAME}.${CLUSTER_NAME}.${BASE_DOMAIN}
export MACHINE_LOCAL_ADDRESS=$(ip -4 addr show scope global | awk '/inet/ {print $2; exit}' | cut -d/ -f1)
Working directory
mkdir -p /etc/kubernetes/pki/etcd
mkdir -p /etc/kubernetes/openssl/csr
Configuration
cat <<EOF > /etc/kubernetes/openssl/etcd-server.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = ${HOST_NAME}
DNS.3 = ${FULL_HOST_NAME}
IP.1 = 127.0.0.1
IP.2 = 0:0:0:0:0:0:0:1
IP.3 = ${MACHINE_LOCAL_ADDRESS}
[ dn ]
CN = ${FULL_HOST_NAME}
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
EOF
Generating the private key
openssl genrsa \
-out /etc/kubernetes/pki/etcd/server.key 2048
Generating the CSR
openssl req \
-new \
-key /etc/kubernetes/pki/etcd/server.key \
-out /etc/kubernetes/openssl/csr/etcd-server.csr \
-config /etc/kubernetes/openssl/etcd-server.conf
Signing the CSR
openssl x509 \
-req \
-days 365 \
-sha256 \
-CA /etc/kubernetes/pki/etcd/ca.crt \
-CAkey /etc/kubernetes/pki/etcd/ca.key \
-CAcreateserial \
-in /etc/kubernetes/openssl/csr/etcd-server.csr \
-out /etc/kubernetes/pki/etcd/server.crt \
-extensions v3_ext \
-extfile /etc/kubernetes/openssl/etcd-server.conf
Checking that the certificate is ready
This section depends on the following sections (the cert-report.sh script invoked below):
/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/etcd/server.crt
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
etcd-server Oct 22, 2025 22:06 UTC 364d etcd-ca no
Kubeadm
Keep in mind: at the Join stage you cannot choose which certificates to generate; kubeadm creates all of them at once, in full.
Generating the certificates
kubeadm join phase control-plane-prepare certs \
--config=/var/run/kubeadm/kubeadm.yaml
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [217.114.0.145 127.0.0.1 ::1 31.129.111.153]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [217.114.0.145 127.0.0.1 ::1 31.129.111.153]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [api.my-first-cluster.example.com kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [29.64.0.1 217.114.0.145 31.129.111.153 127.0.0.1]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[certs] Using the existing "sa" key
Checking that the certificate is ready
This command cannot show the status of a specific certificate, only the list of the available ones.
kubeadm certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
etcd-server Oct 22, 2025 22:06 UTC 364d etcd-ca no
Etcd peer > Etcd
HardWay
Environment variables
export CLUSTER_NAME=my-first-cluster
export BASE_DOMAIN=example.com
export FULL_HOST_NAME=${HOST_NAME}.${CLUSTER_NAME}.${BASE_DOMAIN}
export MACHINE_LOCAL_ADDRESS=$(ip -4 addr show scope global | awk '/inet/ {print $2; exit}' | cut -d/ -f1)
Working directory
mkdir -p /etc/kubernetes/pki/etcd
mkdir -p /etc/kubernetes/openssl/csr
Configuration
cat <<EOF > /etc/kubernetes/openssl/etcd-peer.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = ${HOST_NAME}
DNS.3 = ${FULL_HOST_NAME}
IP.1 = 127.0.0.1
IP.2 = 0:0:0:0:0:0:0:1
IP.3 = ${MACHINE_LOCAL_ADDRESS}
[ dn ]
CN = ${FULL_HOST_NAME}
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
EOF
Generating the private key
openssl genrsa \
-out /etc/kubernetes/pki/etcd/peer.key 2048
Generating the CSR
openssl req \
-new \
-key /etc/kubernetes/pki/etcd/peer.key \
-out /etc/kubernetes/openssl/csr/etcd-peer.csr \
-config /etc/kubernetes/openssl/etcd-peer.conf
Signing the CSR
openssl x509 \
-req \
-days 365 \
-sha256 \
-CA /etc/kubernetes/pki/etcd/ca.crt \
-CAkey /etc/kubernetes/pki/etcd/ca.key \
-CAcreateserial \
-in /etc/kubernetes/openssl/csr/etcd-peer.csr \
-out /etc/kubernetes/pki/etcd/peer.crt \
-extensions v3_ext \
-extfile /etc/kubernetes/openssl/etcd-peer.conf
Checking that the certificate is ready
This section depends on the following sections (the cert-report.sh script invoked below):
/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/etcd/peer.crt
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
etcd-peer Oct 22, 2025 22:06 UTC 364d etcd-ca no
Kubeadm
Keep in mind: at the Join stage you cannot choose which certificates to generate; kubeadm creates all of them at once, in full.
Generating the certificates
kubeadm join phase control-plane-prepare certs \
--config=/var/run/kubeadm/kubeadm.yaml
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [217.114.0.145 127.0.0.1 ::1 31.129.111.153]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [localhost master-1.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [217.114.0.145 127.0.0.1 ::1 31.129.111.153]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [api.my-first-cluster.example.com kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.my-first-cluster.example.com master-3.my-first-cluster.example.com] and IPs [29.64.0.1 217.114.0.145 31.129.111.153 127.0.0.1]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[certs] Using the existing "sa" key
Checking that the certificate is ready
This command cannot show the status of a specific certificate, only the list of the available ones.
kubeadm certs check-expiration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
etcd-peer Oct 22, 2025 22:06 UTC 364d etcd-ca no
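Every Kubeadm tab above notes that kubeadm certs check-expiration cannot report on one specific certificate. The script below is an added example and not part of the original page or of kubeadm: it parses the table kubeadm prints (the preamble, blank lines and the second table for the CAs are skipped because their lines carry no residual-time token), returns the days left for one exactly named certificate, and lists every entry below a threshold. The sample table is constructed from the rows shown on this page plus one invented row (etcd-peer with 12 days left) so that the threshold check has something to report; each function takes a live report as an optional second argument.

```shell
#!/bin/sh
# Added example, not part of the original page. Reads the table printed by
# "kubeadm certs check-expiration", answers "how long does THIS certificate
# have left?", and lists everything below a threshold. Needs only sh and awk.
set -eu

# Constructed sample: the rows shown on this page plus one invented short-lived
# row (etcd-peer, 12d) so that the threshold check has something to report.
SAMPLE_REPORT='CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver                  Oct 22, 2025 22:06 UTC   364d            ca                      no
apiserver-kubelet-client   Oct 22, 2025 22:06 UTC   364d            ca                      no
front-proxy-client         Oct 22, 2025 22:06 UTC   364d            front-proxy-ca          no
etcd-healthcheck-client    Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
etcd-server                Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
etcd-peer                  Nov 04, 2024 22:06 UTC   12d             etcd-ca                 no
'

# residual_days TOKEN: kubeadm's RESIDUAL TIME token as whole days: "364d" -> 364,
# anything under a day ("23h", "5m") -> 0, "<invalid>" (already expired) -> -1.
# Fails for any other token, which is how header and preamble lines get skipped.
residual_days() {
  case $1 in
    *[0-9]d) printf '%s\n' "${1%d}" ;;
    *[0-9]h|*[0-9]m|*[0-9]s) printf '%s\n' 0 ;;
    '<invalid>') printf '%s\n' -1 ;;
    *) return 1 ;;
  esac
}

# cert_row NAME [REPORT]: the row whose first column is exactly NAME, so that
# "apiserver" does not also match apiserver-kubelet-client. Exit 1 if absent.
cert_row() {
  printf '%s\n' "${2:-$SAMPLE_REPORT}" \
    | awk -v n="$1" '$1 == n { print; found = 1 } END { exit !found }'
}

# cert_days NAME [REPORT]: residual days for NAME, "absent" if it is not listed.
# The EXPIRES column is always five tokens ("Oct 22, 2025 22:06 UTC"), so the
# residual time is field 7 of the row.
cert_days() {
  row=$(cert_row "$1" "${2:-$SAMPLE_REPORT}") || { printf 'absent\n'; return 0; }
  residual_days "$(printf '%s\n' "$row" | awk '{ print $7 }')" || printf 'unknown\n'
}

# expiring_within DAYS [REPORT]: names with fewer than DAYS days left (expired
# ones included), one per line; no output means nothing needs attention.
expiring_within() {
  lim=$1
  printf '%s\n' "${2:-$SAMPLE_REPORT}" | while read -r name rest; do
    [ -n "$name" ] || continue
    tok=$(printf '%s\n' "$rest" | awk '{ print $6 }')
    if d=$(residual_days "$tok"); then
      if [ "$d" -lt "$lim" ]; then printf '%s\n' "$name"; fi
    fi
  done
}

# Stand-alone demo on the sample. Against a live cluster pass the real output:
#   cert_days etcd-peer "$(kubeadm certs check-expiration)"
printf 'apiserver: %s days left\n' "$(cert_days apiserver)"
printf 'below 30 days: %s\n' "$(expiring_within 30 | tr '\n' ' ')"
```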