|
| 1 | +--- |
| 2 | +title: 使用 CertificateSigningRequest 为 Kubernetes API 客户端颁发证书 |
| 3 | +api_metadata: |
| 4 | +- apiVersion: "certificates.k8s.io/v1" |
| 5 | + kind: "CertificateSigningRequest" |
| 6 | + override_link_text: "CSR v1" |
| 7 | +weight: 80 |
| 8 | + |
| 9 | +# 文档维护说明 |
| 10 | +# |
| 11 | +# 如果将来新增页面 /docs/tasks/tls/certificate-issue-client-manually/ |
| 12 | +# 那么需要在此页面添加新的交叉引用链接,而新增的页面也应链接回此页面 |
| 13 | +--- |
| 14 | +<!-- |
| 15 | +title: Issue a Certificate for a Kubernetes API Client Using A CertificateSigningRequest |
| 16 | +api_metadata: |
| 17 | +- apiVersion: "certificates.k8s.io/v1" |
| 18 | + kind: "CertificateSigningRequest" |
| 19 | + override_link_text: "CSR v1" |
| 20 | +weight: 80 |
| 21 | +
|
| 22 | +# Docs maintenance note |
| 23 | +# |
| 24 | +# If there is a future page /docs/tasks/tls/certificate-issue-client-manually/ then this page |
| 25 | +# should link there, and the new page should link back to this one. |
| 26 | +--> |
| 27 | + |
| 28 | +<!-- overview --> |
| 29 | + |
| 30 | +<!-- |
| 31 | +Kubernetes lets you use a public key infrastructure (PKI) to authenticate to your cluster |
| 32 | +as a client. |
| 33 | +
|
| 34 | +A few steps are required in order to get a normal user to be able to |
| 35 | +authenticate and invoke an API. First, this user must have an [X.509](https://www.itu.int/rec/T-REC-X.509) certificate |
| 36 | +issued by an authority that your Kubernetes cluster trusts. The client must then present that certificate to the Kubernetes API. |
| 37 | +--> |
| 38 | +Kubernetes 允许你使用公钥基础设施 (PKI) 对你的集群进行身份认证,这类似于对客户端进行身份认证。 |
| 39 | + |
| 40 | +为了能够对普通用户进行身份认证并调用 API,需要执行几个步骤。首先,此用户必须拥有由你的 |
| 41 | +Kubernetes 集群所信任的权威机构颁发的 [X.509](https://www.itu.int/rec/T-REC-X.509) |
| 42 | +证书。之后客户端必须向 Kubernetes API 提交该证书。 |
| 43 | + |
| 44 | +<!-- |
| 45 | +You use a [CertificateSigningRequest](/concepts/security/certificate-signing-requests/) |
| 46 | +as part of this process, and either you or some other principal must approve the request. |
| 47 | +
|
| 48 | +You will create a private key, and then get a certificate issued, and finally configure |
| 49 | +that private key for a client. |
| 50 | +--> |
| 51 | +在这个过程中,你需要使用 |
| 52 | +[CertificateSigningRequest](/zh-cn/concepts/security/certificate-signing-requests/),并且你或其他主体必须批准此请求。 |
| 53 | + |
| 54 | +你将创建私钥,然后获取颁发的证书,最后为客户端配置该私钥。 |
| 55 | + |
| 56 | +## {{% heading "prerequisites" %}} |
| 57 | + |
| 58 | +* {{< include "task-tutorial-prereqs.md" >}} |
| 59 | + |
| 60 | +<!-- |
| 61 | +* You need the `kubectl`, `openssl` and `base64` utilities. |
| 62 | +
|
| 63 | +This page assumes you are using Kubernetes {{< glossary_tooltip term_id="rbac" text="role based access control" >}} (RBAC). |
| 64 | +If you have alternative or additional security mechanisms around authorization, you need to account for those as well. |
| 65 | +--> |
| 66 | +* 你需要 `kubectl`、`openssl` 和 `base64` 等工具。 |
| 67 | + |
| 68 | +此页面假设你使用的是 Kubernetes {{< glossary_tooltip term_id="rbac" text="基于角色的访问控制" >}} (RBAC)。 |
| 69 | +如果你在鉴权方面有替代的或额外的安全机制,也需要将其考虑在内。 |
| 70 | + |
| 71 | +<!-- steps --> |
| 72 | + |
| 73 | +<!-- |
| 74 | +## Create private key |
| 75 | +
|
| 76 | +In this step, you create a private key. You need to keep this document secret; anyone who has it can impersonate the user. |
| 77 | +
|
| 78 | +```shell |
| 79 | +# Create a private key |
| 80 | +openssl genrsa -out myuser.key 3072 |
| 81 | +``` |
| 82 | +--> |
| 83 | +## 创建私钥 {#create-private-key} |
| 84 | + |
| 85 | +在这一步中,你将创建一个私钥。你将此文件作为秘密保管起来,因为任何拥有该私钥的人都可以伪装成对应的用户。 |
| 86 | + |
| 87 | +```shell |
| 88 | +# 创建一个私钥 |
| 89 | +openssl genrsa -out myuser.key 3072 |
| 90 | +``` |
| 91 | + |
| 92 | +<!-- |
| 93 | +## Create an X.509 certificate signing request {#create-x.509-certificatessigningrequest} |
| 94 | +--> |
| 95 | +## 创建 X.509 证书签名请求 {#create-x.509-certificatessigningrequest} |
| 96 | + |
| 97 | +{{< note >}} |
| 98 | +<!-- |
| 99 | +This is not the same as the similarly-named CertificateSigningRequest API; the file you generate here goes into the |
| 100 | +CertificateSigningRequest. |
| 101 | +--> |
| 102 | +这与类似名称的 CertificateSigningRequest API 不同; |
| 103 | +你在此处生成的文件将被放入 CertificateSigningRequest 对象中。 |
| 104 | +{{< /note >}} |
| 105 | + |
| 106 | +<!-- |
| 107 | +It is important to set CN and O attribute of the CSR. CN is the name of the user and O is the group that this user will belong to. |
| 108 | +You can refer to [RBAC](/docs/reference/access-authn-authz/rbac/) for standard groups. |
| 109 | +
|
| 110 | +```shell |
| 111 | +# Change the common name "myuser" to the actual username that you want to use |
| 112 | +openssl req -new -key myuser.key -out myuser.csr -subj "/CN=myuser" |
| 113 | +``` |
| 114 | +--> |
| 115 | +设置 CSR 的 CN 和 O 属性非常重要。CN 是用户的名称,O 是此用户所属的组。 |
| 116 | +你可以参阅 [RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/) 了解标准的组。 |
| 117 | + |
| 118 | +```shell |
| 119 | +# 将通用名称 "myuser" 更改为你要使用的实际用户名 |
| 120 | +openssl req -new -key myuser.key -out myuser.csr -subj "/CN=myuser" |
| 121 | +``` |
| 122 | + |
| 123 | +<!-- |
| 124 | +## Create a Kubernetes CertificateSigningRequest {#create-k8s-certificatessigningrequest} |
| 125 | +
|
| 126 | +Encode the CSR document using this command: |
| 127 | +--> |
| 128 | +## 创建 Kubernetes CertificateSigningRequest {#create-k8s-certificatessigningrequest} |
| 129 | + |
| 130 | +使用以下命令对 CSR 文档进行编码: |
| 131 | + |
| 132 | +```shell |
| 133 | +cat myuser.csr | base64 | tr -d "\n" |
| 134 | +``` |
| 135 | + |
| 136 | +<!-- |
| 137 | +Create a [CertificateSigningRequest](/docs/reference/kubernetes-api/authentication-resources/certificate-signing-request-v1/) |
| 138 | +and submit it to a Kubernetes Cluster via kubectl. Below is a snippet of shell that you can use to generate the |
| 139 | +CertificateSigningRequest. |
| 140 | +--> |
| 141 | +创建 [CertificateSigningRequest](/zh-cn/docs/reference/kubernetes-api/authentication-resources/certificate-signing-request-v1/) |
| 142 | +并通过 kubectl 将其提交到 Kubernetes 集群。以下是你可以用于生成 CertificateSigningRequest 的 Shell 片段。 |
| 143 | + |
| 144 | +<!-- |
| 145 | +# example |
| 146 | +# This is an encoded CSR. Change this to the base64-encoded contents of myuser.csr |
| 147 | +# one day |
| 148 | +--> |
| 149 | +```shell |
| 150 | +cat <<EOF | kubectl apply -f - |
| 151 | +apiVersion: certificates.k8s.io/v1 |
| 152 | +kind: CertificateSigningRequest |
| 153 | +metadata: |
| 154 | + name: myuser # 示例 |
| 155 | +spec: |
| 156 | + # 这是已编码的 CSR。将此更改为 myuser.csr 的经 base64 编码的内容 |
| 157 | + request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZVzVuWld4aE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQTByczhJTHRHdTYxakx2dHhWTTJSVlRWMDNHWlJTWWw0dWluVWo4RElaWjBOCnR2MUZtRVFSd3VoaUZsOFEzcWl0Qm0wMUFSMkNJVXBGd2ZzSjZ4MXF3ckJzVkhZbGlBNVhwRVpZM3ExcGswSDQKM3Z3aGJlK1o2MVNrVHF5SVBYUUwrTWM5T1Nsbm0xb0R2N0NtSkZNMUlMRVI3QTVGZnZKOEdFRjJ6dHBoaUlFMwpub1dtdHNZb3JuT2wzc2lHQ2ZGZzR4Zmd4eW8ybmlneFNVekl1bXNnVm9PM2ttT0x1RVF6cXpkakJ3TFJXbWlECklmMXBMWnoyalVnald4UkhCM1gyWnVVV1d1T09PZnpXM01LaE8ybHEvZi9DdS8wYk83c0x0MCt3U2ZMSU91TFcKcW90blZtRmxMMytqTy82WDNDKzBERHk5aUtwbXJjVDBnWGZLemE1dHJRSURBUUFCb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBR05WdmVIOGR4ZzNvK21VeVRkbmFjVmQ1N24zSkExdnZEU1JWREkyQTZ1eXN3ZFp1L1BVCkkwZXpZWFV0RVNnSk1IRmQycVVNMjNuNVJsSXJ3R0xuUXFISUh5VStWWHhsdnZsRnpNOVpEWllSTmU3QlJvYXgKQVlEdUI5STZXT3FYbkFvczFqRmxNUG5NbFpqdU5kSGxpT1BjTU1oNndLaTZzZFhpVStHYTJ2RUVLY01jSVUyRgpvU2djUWdMYTk0aEpacGk3ZnNMdm1OQUxoT045UHdNMGM1dVJVejV4T0dGMUtCbWRSeEgvbUNOS2JKYjFRQm1HCkkwYitEUEdaTktXTU0xMzhIQXdoV0tkNjVoVHdYOWl4V3ZHMkh4TG1WQzg0L1BHT0tWQW9FNkpsYWFHdTlQVmkKdjlOSjVaZlZrcXdCd0hKbzZXdk9xVlA3SVFjZmg3d0drWm89Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo= |
| 158 | + signerName: kubernetes.io/kube-apiserver-client |
| 159 | + expirationSeconds: 86400 # 一天 |
| 160 | + usages: |
| 161 | + - client auth |
| 162 | +EOF |
| 163 | +``` |
| 164 | + |
| 165 | +<!-- |
| 166 | +Some points to note: |
| 167 | +
|
| 168 | +- `usages` has to be `client auth` |
| 169 | +- `expirationSeconds` could be made longer (i.e. `864000` for ten days) or shorter (i.e. `3600` for one hour). |
| 170 | + You cannot request a duration shorter than 10 minutes. |
| 171 | +- `request` is the base64 encoded value of the CSR file content. |
| 172 | +--> |
| 173 | +一些注意点: |
| 174 | + |
| 175 | +- `usages` 必须是 `client auth` |
| 176 | +- `expirationSeconds` 可以设置得更长(例如 `864000` 表示十天)或更短(例如 `3600` 表示一小时)。 |
| 177 | + 你所请求的时长不能短于 10 分钟。 |
| 178 | +- `request` 值是 CSR 文件内容的 base64 编码值。 |
| 179 | + |
| 180 | +<!-- |
| 181 | +## Approve the CertificateSigningRequest {#approve-certificate-signing-request} |
| 182 | +
|
| 183 | +Use kubectl to find the CSR you made, and manually approve it. |
| 184 | +
|
| 185 | +Get the list of CSRs: |
| 186 | +--> |
| 187 | +## 批准 CertificateSigningRequest {#approve-certificate-signing-request} |
| 188 | + |
| 189 | +使用 kubectl 找到你创建的 CSR,并手动批准它。 |
| 190 | + |
| 191 | +获取 CSR 列表: |
| 192 | + |
| 193 | +```shell |
| 194 | +kubectl get csr |
| 195 | +``` |
| 196 | + |
| 197 | +<!-- |
| 198 | +Approve the CSR: |
| 199 | +--> |
| 200 | +批准 CSR: |
| 201 | + |
| 202 | +```shell |
| 203 | +kubectl certificate approve myuser |
| 204 | +``` |
| 205 | + |
| 206 | +<!-- |
| 207 | +## Get the certificate |
| 208 | +
|
| 209 | +Retrieve the certificate from the CSR, to check it looks OK. |
| 210 | +--> |
| 211 | +## 获取证书 {#get-the-certificate} |
| 212 | + |
| 213 | +从 CSR 中检索证书,以检查其是否正常。 |
| 214 | + |
| 215 | +```shell |
| 216 | +kubectl get csr/myuser -o yaml |
| 217 | +``` |
| 218 | + |
| 219 | +<!-- |
| 220 | +The certificate value is in Base64-encoded format under `.status.certificate`. |
| 221 | +
|
| 222 | +Export the issued certificate from the CertificateSigningRequest. |
| 223 | +--> |
| 224 | +证书值以 Base64 编码格式显示在 `.status.certificate` 下。 |
| 225 | + |
| 226 | +从 CertificateSigningRequest 导出已颁发的证书。 |
| 227 | + |
| 228 | +```shell |
| 229 | +kubectl get csr myuser -o jsonpath='{.status.certificate}'| base64 -d > myuser.crt |
| 230 | +``` |
| 231 | + |
| 232 | +<!-- |
| 233 | +## Configure the certificate into kubeconfig |
| 234 | +
|
| 235 | +The next step is to add this user into the kubeconfig file. |
| 236 | +
|
| 237 | +First, you need to add new credentials: |
| 238 | +--> |
| 239 | +## 将证书配置到 kubeconfig 中 {#configure-the-certificate-into-kubeconfig} |
| 240 | + |
| 241 | +下一步是将此用户添加到 kubeconfig 文件中。 |
| 242 | + |
| 243 | +首先,你需要添加新的凭证: |
| 244 | + |
| 245 | +```shell |
| 246 | +kubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=true |
| 247 | +``` |
| 248 | + |
| 249 | +<!-- |
| 250 | +Then, you need to add the context: |
| 251 | +--> |
| 252 | +然后,你需要添加上下文: |
| 253 | + |
| 254 | +```shell |
| 255 | +kubectl config set-context myuser --cluster=kubernetes --user=myuser |
| 256 | +``` |
| 257 | + |
| 258 | +<!-- |
| 259 | +To test it: |
| 260 | +--> |
| 261 | +对其执行测试: |
| 262 | + |
| 263 | +```shell |
| 264 | +kubectl --context myuser auth whoami |
| 265 | +``` |
| 266 | + |
| 267 | +<!-- |
| 268 | +You should see output confirming that you are “myuser“. |
| 269 | +
|
| 270 | +## Create Role and RoleBinding |
| 271 | +--> |
| 272 | +你应该看到确认你是 “myuser” 的输出。 |
| 273 | + |
| 274 | +## 创建 Role 和 RoleBinding {#create-role-and-rolebinding} |
| 275 | + |
| 276 | +{{< note >}} |
| 277 | +<!-- |
| 278 | +If you don't use Kubernetes RBAC, skip this step and make the appropriate changes for the authorization mechanism |
| 279 | +your cluster actually uses. |
| 280 | +--> |
| 281 | +如果你不使用 Kubernetes RBAC,请跳过这一步,并对集群实际使用的鉴权机制进行适当更改。 |
| 282 | +{{< /note >}} |
| 283 | + |
| 284 | +<!-- |
| 285 | +With the certificate created it is time to define the Role and RoleBinding for |
| 286 | +this user to access Kubernetes cluster resources. |
| 287 | +
|
| 288 | +This is a sample command to create a Role for this new user: |
| 289 | +--> |
| 290 | +创建证书之后,就可以为此用户定义 Role 和 RoleBinding,以访问 Kubernetes 集群资源。 |
| 291 | + |
| 292 | +这是为新用户创建 Role 的示例命令: |
| 293 | + |
| 294 | +```shell |
| 295 | +kubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods |
| 296 | +``` |
| 297 | + |
| 298 | +<!-- |
| 299 | +This is a sample command to create a RoleBinding for this new user: |
| 300 | +--> |
| 301 | +这是为新用户创建 RoleBinding 的示例命令: |
| 302 | + |
| 303 | +```shell |
| 304 | +kubectl create rolebinding developer-binding-myuser --role=developer --user=myuser |
| 305 | +``` |
| 306 | + |
| 307 | +## {{% heading "whatsnext" %}} |
| 308 | + |
| 309 | +<!-- |
| 310 | +* Read [Manage TLS Certificates in a Cluster](/docs/tasks/tls/managing-tls-in-a-cluster/) |
| 311 | +* For details of X.509 itself, refer to [RFC 5280](https://tools.ietf.org/html/rfc5280#section-3.1) section 3.1 |
| 312 | +* For information on the syntax of PKCS#10 certificate signing requests, refer to [RFC 2986](https://tools.ietf.org/html/rfc2986) |
| 313 | +* Read about [ClusterTrustBundles](/docs/reference/access-authn-authz/certificate-signing-requests/#cluster-trust-bundles) |
| 314 | +--> |
| 315 | +* 阅读[管理集群中的 TLS 证书](/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster/) |
| 316 | +* 有关 X.509 本身的细节,参阅 [RFC 5280](https://tools.ietf.org/html/rfc5280#section-3.1) 第 3.1 节 |
| 317 | +* 有关 PKCS#10 证书签名请求的语法信息,请参阅 [RFC 2986](https://tools.ietf.org/html/rfc2986) |
| 318 | +* 参阅 [ClusterTrustBundles](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#cluster-trust-bundles) |
0 commit comments