Last active
February 5, 2020 05:43
-
-
Save leoh0/33cfc6c4bac235fbfc596cda331ad6b9 to your computer and use it in GitHub Desktop.
regenerate k8s admin user from ca.crt and ca.key
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # 마스터의 ca.crt 와 ca.key | |
| cp ca.crt ca.key ~/temp | |
| cd ~/temp | |
| # openssl이 미리 설치 필요 | |
| cat > openssl.cnf << EOF | |
| [ req ] | |
| distinguished_name = req_distinguished_name | |
| [req_distinguished_name] | |
| [ v3_ca ] | |
| basicConstraints = critical, CA:TRUE | |
| keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign | |
| [ v3_req_server ] | |
| basicConstraints = CA:FALSE | |
| keyUsage = critical, digitalSignature, keyEncipherment | |
| extendedKeyUsage = serverAuth | |
| [ v3_req_client ] | |
| basicConstraints = CA:FALSE | |
| keyUsage = critical, digitalSignature, keyEncipherment | |
| extendedKeyUsage = clientAuth | |
| [ v3_req_apiserver ] | |
| basicConstraints = CA:FALSE | |
| keyUsage = critical, digitalSignature, keyEncipherment | |
| extendedKeyUsage = serverAuth | |
| subjectAltName = @alt_names_cluster | |
| [ v3_req_etcd ] | |
| basicConstraints = CA:FALSE | |
| keyUsage = critical, digitalSignature, keyEncipherment | |
| extendedKeyUsage = serverAuth, clientAuth | |
| subjectAltName = @alt_names_etcd | |
| [ alt_names_cluster ] | |
| DNS.1 = kubernetes | |
| DNS.2 = kubernetes.default | |
| DNS.3 = kubernetes.default.svc | |
| DNS.4 = kubernetes.default.svc.cluster.local | |
| DNS.5 = k8s-controller-1 | |
| DNS.6 = k8s-controller-2 | |
| # DNS.7 = ${KUBERNETES_PUBLIC_ADDRESS} | |
| IP.1 = ${CONTROLLER1_IP} | |
| IP.2 = ${CONTROLLER2_IP} | |
| IP.3 = ${SERVICE_IP} | |
| # IP.4 = ${KUBERNETES_PUBLIC_IP} | |
| [ alt_names_etcd ] | |
| DNS.1 = k8s-controller-1 | |
| DNS.2 = k8s-controller-2 | |
| IP.1 = ${CONTROLLER1_IP} | |
| IP.2 = ${CONTROLLER2_IP} | |
| EOF | |
| # admin key, crt 생성 | |
| openssl ecparam -name secp521r1 -genkey -noout -out admin.key | |
| chmod 0600 admin.key | |
| openssl req -new -key admin.key -subj "/CN=kubernetes-admin/O=system:masters" \ | |
| | openssl x509 -req -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial \ | |
| -out admin.crt -days 365 -extensions v3_req_client \ | |
| -extfile ./openssl.cnf | |
| # 현재 kubectl 이 참고하는 config의 서버 주소 확인 | |
| SERVER=$(kubectl config view | awk '/ server: /{print $2}') | |
| # 생성한 키들로 접근 가능한지 확인 | |
| curl ${SERVER}/api --key admin.key --cert admin.crt --cacert ca.crt -k | |
| # 해당 정보로 kubeconfig 생성 | |
| cat > kubeconfig << EOF | |
| apiVersion: v1 | |
| clusters: | |
| - cluster: | |
| certificate-authority: $HOME/temp/ca.crt | |
| server: $SERVER | |
| name: test | |
| contexts: | |
| - context: | |
| cluster: test | |
| user: kubernetes-admin | |
| name: kubernetes-admin@test | |
| current-context: kubernetes-admin@test | |
| kind: Config | |
| preferences: {} | |
| users: | |
| - name: kubernetes-admin | |
| user: | |
| client-certificate: $HOME/temp/admin.crt | |
| client-key: $HOME/temp/admin.key | |
| EOF | |
| # 해당 kubeconfig로 테스트 | |
| kubectl --kubeconfig=kubeconfig get nodes | |
| # 이후 kubeconfig와 cert들을 원하는 위치로 옮겨서 사용 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment