About certificates

About the cfssl tools:
cfssl: the main tool for issuing (signing) certificates
cfssl-json: turns the certificate that cfssl generates (in JSON format) into file-based certificates
cfssl-certinfo: inspects and verifies certificate information

  1. cfssl-certinfo -cert <certificate name>

This shows the certificate's information.

  • CN: Common Name. The browser uses this field to verify whether a website is legitimate; it usually holds the domain name. Very important.
  • C: Country
  • ST: State, i.e. the state or province
  • L: Locality, i.e. the region or city
  • O: Organization Name, i.e. the organization or company name
  • OU: Organization Unit Name, i.e. the organizational unit or company department

Viewing a domain's certificate

[root@alice001 ~]# cfssl-certinfo -domain www.dkaiyun.com
{
  "subject": {
    "common_name": "www.dkaiyun.com",
    "names": [
      "www.dkaiyun.com"
    ]
  },
  "issuer": {
    "common_name": "Encryption Everywhere DV TLS CA - G1",
    "country": "US",
    "organization": "DigiCert Inc",
    "organizational_unit": "www.digicert.com",
    "names": [
      "US",
      "DigiCert Inc",
      "www.digicert.com",
      "Encryption Everywhere DV TLS CA - G1"
    ]
  },
  "serial_number": "7884455399703283302427254215251353882",
  "sans": [
    "www.dkaiyun.com",
    "dkaiyun.com"
  ],
  "not_before": "2020-05-15T00:00:00Z",
  "not_after": "2021-05-15T12:00:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "55:74:4F:B2:72:4F:F5:60:BA:50:D1:D7:E6:51:5C:9A:1:87:1A:D7",
  "subject_key_id": "1B:1:E3:17:14:7:2C:35:47:F3:20:B:AA:1C:45:CE:1B:71:4D:4A",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIFlTCCBH2gAwIBAgIQBe59qfsFlqpqZ73o+rBhGjANBgkqhkiG9w0BAQsFADBu\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\nd3cuZGlnaWNlcnQuY29tMS0wKwYDVQQDEyRFbmNyeXB0aW9uIEV2ZXJ5d2hlcmUg\nRFYgVExTIENBIC0gRzEwHhcNMjAwNTE1MDAwMDAwWhcNMjEwNTE1MTIwMDAwWjAa\nMRgwFgYDVQQDEw93d3cuZGthaXl1bi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQCHE+9Y3yoVnrI1HRMB6VFPx/xf6qiFWNKmY4xvwcYw6x+Ateue\n9SlJe7HuWpFn+chqqbBIIaCKUvcpu3zAE7vySfT5p6gYpTZytWCV9lMRahAaNhvu\nF9GV8y6PTZEbCDzq7i/wUFi/IcfoWFkanGO2OW6lr2gaEEio0Yp9d7dKZuS1ecoW\n8SHV/VKmVcBeoC6h97LWr0qgp2gYbzLItaIeozdcsHPe4QKLmJGBrQVeDXC05DhE\nedM+EpxOdlofFHME0Z+LIwOuYYa++Fo8QNwLaICljxK9B/maajZhDM1cff4k3Ytr\nJEc45eJ1Z2DhMEJJE0F0JuwpFozFNrB095L7AgMBAAGjggKBMIICfTAfBgNVHSME\nGDAWgBRVdE+yck/1YLpQ0dfmUVyaAYca1zAdBgNVHQ4EFgQUGwHjFxQHLDVH8yAL\nqhxFzhtxTUowJwYDVR0RBCAwHoIPd3d3LmRrYWl5dW4uY29tggtka2FpeXVuLmNv\nbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC\nMEwGA1UdIARFMEMwNwYJYIZIAYb9bAECMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v\nd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQIBMIGABggrBgEFBQcBAQR0MHIw\nJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBKBggrBgEFBQcw\nAoY+aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0VuY3J5cHRpb25FdmVyeXdo\nZXJlRFZUTFNDQS1HMS5jcnQwCQYDVR0TBAIwADCCAQUGCisGAQQB1nkCBAIEgfYE\ngfMA8QB2APZclC/RdzAiFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTjAAABchbQEl0A\nAAQDAEcwRQIhAOgQ3WLSg/MM65NCw/KqT6s/h8WFJopHDEZVZlJGbJzMAiB9yPeR\nDJsDMzfo8kFGrqCTtwslqNf17ZAASQLSVAc0CAB3AFzcQ5L+5qtFRLFemtRW5hA3\n+9X6R9yhc5SyXub2xw7KAAABchbQEnMAAAQDAEgwRgIhAKZHTFNCgTAPlEY4uBMt\nYIc8Z/fvAYZ+VG3AeoY7zklSAiEA9BCOW7Vxjhi1lY4gMpCm1rKw5Gt9vsgcXfiP\nhbU2hlwwDQYJKoZIhvcNAQELBQADggEBAK7mdNnCPEoXtftZQbRvXL4HzmcnS2Fa\nGWiEvudYNIAc5+iS50a2pGLaoumptikzNYHcUMIrHUelZCX5bNW+07fCF5S6gWKC\n9NvbdQujz92BM9z2cmm8aeHHr4cCF0HRe8RsPJ09jZg71FH+NZZICg9LROdJyrak\nwWm27TBpJiKxo/VfNck9WUfKmPFhhsByCsdNfYc/SXhktvIE4DqCtV+og/c9V7c0\npsUQZGgWE/eKE+E88IAQLO8egWz6nM/n5C0MHj+kdqh+n7ukN8G/wJddEbPv7ffY\nposLY2D8vbP8s2/GPzLhsu4b47NfvxDa9lTXoMnJGzbHCeT
Q+MwhRNM=\n-----END CERTIFICATE-----\n"
}
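The JSON above is what an operator reads by eye; the following added example (written for these notes, not part of the cfssl project) turns the same output into the checks that matter in practice: validity window, days left, whether the SANs actually cover the hostname (browsers match the hostname against the SANs, not only the CN), and the subject fields CN/C/ST/L/O/OU listed earlier. The certinfo document is a constructed sample with invented values; the subject keys `locality` and `province` are cfssl's JSON names for L and ST.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape cfssl-certinfo prints; all values are invented.
SAMPLE_CERTINFO = json.dumps({
    "subject": {
        "common_name": "www.example.test",
        "country": "CN", "province": "beijing", "locality": "beijing",
        "organization": "Example Org", "organizational_unit": "ops",
        "names": ["www.example.test"],
    },
    "issuer": {"common_name": "Example DV CA"},
    "sans": ["www.example.test", "example.test", "*.api.example.test"],
    "not_before": "2020-05-15T00:00:00Z",
    "not_after": "2021-05-15T12:00:00Z",
    "sigalg": "SHA256WithRSA",
})


def parse_utc(s):
    """cfssl prints RFC 3339 timestamps in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def san_matches(san, hostname):
    """Exact match, or a wildcard SAN that covers exactly one leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if san == hostname:
        return True
    if san.startswith("*."):
        head, sep, rest = hostname.partition(".")
        return sep == "." and head != "" and rest == san[2:]
    return False


def check_certinfo(certinfo_json, hostname, now, warn_days=30):
    """Summarise what a browser (or an operator) cares about in the certinfo output."""
    info = json.loads(certinfo_json)
    subject = info["subject"]
    not_before = parse_utc(info["not_before"])
    not_after = parse_utc(info["not_after"])
    days_left = (not_after - now).days
    return {
        "subject": {k: subject.get(src) for k, src in (
            ("CN", "common_name"), ("C", "country"), ("ST", "province"),
            ("L", "locality"), ("O", "organization"), ("OU", "organizational_unit"))},
        "issuer_cn": info["issuer"].get("common_name"),
        # hostname verification is done against the SANs, not only the CN
        "covers_hostname": any(san_matches(s, hostname) for s in info.get("sans", [])),
        "not_yet_valid": now < not_before,
        "expired": now > not_after,
        "days_left": days_left,
        "expiring_soon": 0 <= days_left < warn_days,
        "sigalg": info.get("sigalg"),
    }


def check_at(certinfo_json, hostname, iso_now):
    """Convenience wrapper taking the reference time as an RFC 3339 string."""
    return check_certinfo(certinfo_json, hostname, parse_utc(iso_now))


if __name__ == "__main__":
    report = check_certinfo(SAMPLE_CERTINFO, "www.example.test", datetime.now(timezone.utc))
    print(json.dumps(report, indent=2))
```

To use it on a real certificate, pipe `cfssl-certinfo -cert <file>` (or `-domain <host>`) output into `check_at` with the hostname you expect to serve; `expiring_soon` is the signal to renew before the kubeconfig files mentioned below have to be replaced.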

About the kubeconfig file:
This is the configuration file for a K8S user.
It contains certificate information.
When the certificate expires or is replaced, this file must be updated to match.

ca.pem can be recovered from kubelet.kubeconfig; the detailed steps are as follows.

[root@alice002 conf]# cat kubelet.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://172.23.187.175:7443
  name: myk8s
contexts:
- context:
    cluster: myk8s
    user: k8s-node
  name: myk8s-context
current-context: myk8s-context
kind: Config
preferences: {}
users:
- name: k8s-node
  user:
    client-certificate-data: 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
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBcDQzalc5ZTY1aG4zM1lDK01qaEFGeU9IRXlQNTFoSDZoUnorTnNra2YzU0NHZE1qClY5N2EyNzZwTG9SOWVXeEVWeDdyYXVTUGQ1M3psMjVBd1lHQ3M3ZGJYUHJUZVB1bGJ0VUVBeVgzcXlxL0N0bGcKbUh6QU9VYzFxYlRad1ExWXhDTnVERlBRU2Q1Z05sR3N1WU9ycmt2cGJNdllXZjQ0OERSaFhsTktJL3FMVXVuZgo3TXlYMkhTYk5LVlFNQVJwUFpvNm5XTlZnbzk2YjJtQ3A0am1WU1RBTklTZk9aRHIram9JS2NpVEd6VDZZMS8yClJZU2IvNlk4TlkxMjRBN1lOZlkwcmVaVENEdDFERnF1N3U4N2gyZkpvdmJxU0M4Y2tQNE9SbytWWmpwb2ZPL0kKdEcxRlEzU3NVUFo1SFdlN3pDUkxSYmxONGVGUzdSakNFU3VPRFFJREFRQUJBb0lCQVFDSEZIRytZbDV3RVhGdApwdFF2SW9BdzUxaUhTdEtwRFpkOVoxRmZFNndVQVBhK0lTVDJPMWtRSFZiQmhOaXZZbVI2SkJoQTlnRGZ1M3hkCmtlb3MxdDlyU2FBamhxZWtlcVAxaFZBVnhhODAxR0p1T2ErUlg4bU1vK2NVYVJQQWVxVWNneisrT25mS2hiZmwKTXRWZ1BsSFRVNm5kSnozRjE1bEp0Y0RselpvUkJDWWR4ekZub0h5VVo5MWhHa3BpWWYzUVc3TjlTUDdNQ1oxSQpUOGk3ckV4Ni9lMXhvbERVNnh1TWd0dmh5MzRVbk52VEViU2R0cGxTS0NYaFBsMUJPOENlSEdxRm5xK1lvb203Cml3UkZYOXFCL0xlR1VZZWMzcVl5TGJaQXlKZ0gxeTRaODUwZFFDQkljc2pQR21KL28xNFplb25UNzJ0M1lEaWgKVytXdEpjdlZBb0dCQU1BNXFqelo0blBHM3lzY2p0ZWhnTWc0eXBpZU1VQldLU242dUJuOHFLd012WDNTMmtmawpMTnRLc0lDTmZQc0F0dWkrU1llWU5WRUFmTEQ4Z21wOFBFUlNuc3VTS3VNdC9ONHB6cFNIUGIyWlk4QkdOSlFHCnJadFJqZ3Ardm82L0tCUUlQVFB3V3YvZFV2dTdQQ2NpUEY4RkQ4TGtYZ3NueUlhZG5ZZDlJM3MvQW9HQkFOOGsKMVFhTVY2L0ptYWQvL0krV2ZoWEV6K3liK2dTRkk0dDhkRzVPSDJlSlNOQjRwSkZ6azhUOEtJeTRHSHlnSEdCYwpqU05oSVozTWZQYjRXUTlLRXlNSEcrMU1BUzcvT2xHbFJuR00zRjVKT2hqL2RCVE4wdDhJbzFHNzFidE5Pc0pYClZpdjMyTWVDMldXbC8wOGxnMHV5NVlSL04zbnpFdTR3enVnUllGK3pBb0dBTW1ic1hFaEZPRlpNN2VEdkUxc2wKaVZwYXhPbTF3RWpYUWtxYk96VWtoUGhTTjB1eU1HZUQyM3dhQzVzTnlrTEZzd0V5Qm52Q2Z4ckJseWFlaTQxSAp3Q0pwd0xieXg5Nm5EeG1uTVFyRkJaSFN0ZmV5a1oydXA2c2FzMlhJVVdXTi9MS3NXWklNU2txZUY2TmdnbUpYCnNoS0JyM2h4c0RzZU9TM2F3RXZ2b2NFQ2dZRUFsN01vaDUwZGQ4cHNoVzBEUEhLcElROTk4M05PazRnWDFCbzEKNVUrREZoWkV4RVZnUytueENiZ0xzUzd1cHJzS3o0L2IrN05xOFNZMXhvaXJzek0rczA5Lzh1RDY1UUpxbVZycword0V5UjM4czJoWEF5dXZxY2VvamJjdHUwRGordTJRNGx3ZVYvbnk4WXRocEsxdHJXU2t6MDlIUTJ6MGZINE5iCkJuWFp1UFVDZ1lCV2JUdEs3bkRjR1l
ySGZhd2prUHBmcWhaYmZhWWhvY3B1OG16NWJPMUNtbEdGNVlhWU5ibU8KcDdTTEJiV0M1UkhxYjRRUnVvZFNsODlxcFFZMVkvam1vNlAzRWIxeWlpZmxWZ1VhV3ZSbG5kQjlzRzV6ZEFFKwp0RHRRZzJmNkJJaXBKQytkWE9NSkZnVVNNWWE4N1g2TGdrZEhXQlpiZXl5cFBkR2JLWWtRdmc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
[root@alice002 conf]#  # the value used here is what follows certificate-authority-data:
[root@alice002 conf]# echo "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" |base64  -d
-----BEGIN CERTIFICATE-----
MIIDtDCCApygAwIBAgIUOazEoeCQENt1hjHvdSzDMh1R/FswDQYJKoZIhvcNAQEL
BQAwYDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB2JlaWppbmcxEDAOBgNVBAcTB2Jl
aWppbmcxCzAJBgNVBAoTAm9kMQwwCgYDVQQLEwNvcHMxEjAQBgNVBAMTCU9sZGJv
eUVkdTAeFw0yMTAxMzAwMjI4MDBaFw00MTAxMjUwMjI4MDBaMGAxCzAJBgNVBAYT
AkNOMRAwDgYDVQQIEwdiZWlqaW5nMRAwDgYDVQQHEwdiZWlqaW5nMQswCQYDVQQK
EwJvZDEMMAoGA1UECxMDb3BzMRIwEAYDVQQDEwlPbGRib3lFZHUwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCslMdqoyUXfkcNaYuXZZNYp8U4z2AEGrRg
BqwBm3UpMgJqYQM4xis2TIuu0BrywnnctU8GtbzMyvsIDJyMEeluTSFMEmnhtkwi
YXmL0fx2lUfRITVNw36CtNI5HiCgY0q8Zt1Tm4c+adI4qSD4aMqn8Ee6P8i7mEGm
VfqWAsfchIF/Q1QKMIe2Y0RJoYj+1VZ9ilrTDKT0yf0hfiw/5E7zLzQevnHilduS
JhNkjBHbq1s38PCjZrPR87MDDdIrE+NelO/0tz3z+UQSopP9ZsZPOnasSibRFL76
QsDg2mqlrTDDjALbnLGzatiTQaXDabxOlQIHSz7P+JiqPdHdW3DJAgMBAAGjZjBk
MA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQ8
8gPR92sNBY5gDN2XI45dokcvnzAfBgNVHSMEGDAWgBQ88gPR92sNBY5gDN2XI45d
okcvnzANBgkqhkiG9w0BAQsFAAOCAQNVHSMEGDFKtb81QRzhn8efNpvlgNXC9h4c
WFRds7U2kUw8yGorGuuVlZ1avpc1XJhlAPl2vlApb6/equ3klm0/K/H/peXd2djO
TSUtffodjnyDdrSWcJKrQi5bZ6Zreqm01S4BEuFDN1NOoGQ4Id52Mtmdf8nwyb1r
H9hz09E5YlSBQZO3Ur48KQpyGkUUmdwy0qK4H0GZV6apOcjx7HwRcsducoavFZi6
oWOhFxTYHhotNgsq0Y4nB8cnBHfhEsLcP4j0y1vJJKaKiSRCIUnpifsHpWgXHGnQ
kmOfoOFdeexN0MNSp7YWQRhcGOTUO7ihk41pEI0BcTersImGjOP+Hw==
-----END CERTIFICATE-----
[root@alice002 conf]# echo "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR0RENDQXB5Z0F3SUJBZ0lVT2F6RW9lQ1FFTnQxaGpIdmRTekRNaDFSL0Zzd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lERUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjJKbGFXcHBibWN4RURBT0JnTlZCQWNUQjJKbAphV3BwYm1jeEN6QUpCZ05WQkFvVEFtOWtNUXd3Q2dZRFZRUUxFd052Y0hNeEVqQVFCZ05WQkFNVENVOXNaR0p2CmVVVmtkVEFlRncweU1UQXhNekF3TWpJNE1EQmFGdzAwTVRBeE1qVXdNakk0TURCYU1HQXhDekFKQmdOVkJBWVQKQWtOT01SQXdEZ1lEVlFRSUV3ZGlaV2xxYVc1bk1SQXdEZ1lEVlFRSEV3ZGlaV2xxYVc1bk1Rc3dDUVlEVlFRSwpFd0p2WkRFTU1Bb0dBMVVFQ3hNRGIzQnpNUkl3RUFZRFZRUURFd2xQYkdSaWIzbEZaSFV3Z2dFaU1BMEdDU3FHClNJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUNzbE1kcW95VVhma2NOYVl1WFpaTllwOFU0ejJBRUdyUmcKQnF3Qm0zVXBNZ0pxWVFNNHhpczJUSXV1MEJyeXdubmN0VThHdGJ6TXl2c0lESnlNRWVsdVRTRk1FbW5odGt3aQpZWG1MMGZ4MmxVZlJJVFZOdzM2Q3ROSTVIaUNnWTBxOFp0MVRtNGMrYWRJNHFTRDRhTXFuOEVlNlA4aTdtRUdtClZmcVdBc2ZjaElGL1ExUUtNSWUyWTBSSm9ZaisxVlo5aWxyVERLVDB5ZjBoZml3LzVFN3pMelFldm5IaWxkdVMKSmhOa2pCSGJxMXMzOFBDalpyUFI4N01ERGRJckUrTmVsTy8wdHozeitVUVNvcFA5WnNaUE9uYXNTaWJSRkw3NgpRc0RnMm1xbHJURERqQUxibkxHemF0aVRRYVhEYWJ4T2xRSUhTejdQK0ppcVBkSGRXM0RKQWdNQkFBR2paakJrCk1BNEdBMVVkRHdFQi93UUVBd0lCQmpBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQ01CMEdBMVVkRGdRV0JCUTgKOGdQUjkyc05CWTVnRE4yWEk0NWRva2N2bnpBZkJnTlZIU01FR0RBV2dCUTg4Z1BSOTJzTkJZNWdETjJYSTQ1ZApva2N2bnpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQVRCbVh0Y0ZLdGI4MVFSemhuOGVmTnB2bGdOWEM5aDRjCldGUmRzN1Uya1V3OHlHb3JHdXVWbFoxYXZwYzFYSmhsQVBsMnZsQXBiNi9lcXUza2xtMC9LL0gvcGVYZDJkak8KVFNVdGZmb2RqbnlEZHJTV2NKS3JRaTViWjZacmVxbTAxUzRCRXVGRE4xTk9vR1E0SWQ1Mk10bWRmOG53eWIxcgpIOWh6MDlFNVlsU0JRWk8zVXI0OEtRcHlHa1VVbWR3eTBxSzRIMEdaVjZhcE9jang3SHdSY3NkdWNvYXZGWmk2Cm9XT2hGeFRZSGhvdE5nc3EwWTRuQjhjbkJIZmhFc0xjUDRqMHkxdkpKS2FLaVNSQ0lVbnBpZnNIcFdnWEhHblEKa21PZm9PRmRlZXhOME1OU3A3WVdRUmhjR09UVU83aWhrNDFwRUkwQmNUZXJzSW1Hak9QK0h3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=" |base64  -d >123.pem
[root@alice002 conf]# 
[root@alice002 conf]# ll
total 28
-rw-r--r-- 1 root root 1346 Feb  7 11:02 123.pem
-rw-r--r-- 1 root root 2223 Jan 30 17:42 audit.yaml
-rw-r--r-- 1 root root  258 Jan 30 20:20 k8s-node.yaml
-rw------- 1 root root 6204 Jan 30 20:18 kubelet.kubeconfig
-rw------- 1 root root 6220 Jan 31 09:26 kube-proxy.kubeconfig
[root@alice002 conf]# md5sum 123.pem 
7e349d25185bc1d1ec836e00b6a31b48  123.pem
[root@alice002 conf]# ll /opt/kubernetes/server/bin/c
certs/                               cloud-controller-manager             cloud-controller-manager.docker_tag  
[root@alice002 conf]# ll /opt/kubernetes/server/bin/certs/ca.pem 
-rw-r--r-- 1 root root 1346 Jan 30 17:40 /opt/kubernetes/server/bin/certs/ca.pem
[root@alice002 conf]# md5sum /opt/kubernetes/server/bin/certs/ca.pem
7e349d25185bc1d1ec836e00b6a31b48  /opt/kubernetes/server/bin/certs/ca.pem
[root@alice002 conf]#
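The session above does the extraction by hand: copy the base64 after certificate-authority-data, decode it, and compare md5sums with ca.pem. The added example below (written for these notes, not part of kubectl or cfssl) scripts the same check so it can run on every node: it pulls a field out of a kubeconfig without needing a YAML library, base64-decodes it, compares the bytes with ca.pem by SHA-256, and also confirms the kubeconfig is owner-only (0600), which matters because the same file carries client-key-data. The kubeconfig and the PEM blobs are constructed placeholders, not real certificates or keys.

```python
import base64
import hashlib
import os
import re
import stat
import tempfile

# Constructed placeholders: PEM-shaped text, not real X.509 objects or keys.
FAKE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
               "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT\n"
               "-----END CERTIFICATE-----\n")
OTHER_PEM = FAKE_CA_PEM.replace("PLACEHOLDER", "DIFFERENT")
FAKE_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
                "-----END RSA PRIVATE KEY-----\n")


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed kubeconfig laid out the way kubectl writes it: one base64 value per line.
KUBECONFIG = f"""apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: {b64(FAKE_CA_PEM)}
    server: https://127.0.0.1:7443
  name: myk8s
users:
- name: k8s-node
  user:
    client-certificate-data: {b64(OTHER_PEM)}
    client-key-data: {b64(FAKE_KEY_PEM)}
"""


def kubeconfig_field(text, key):
    """Value of a `key: <base64>` line; line-based on purpose, so no YAML parser is needed."""
    m = re.search(r"^\s*" + re.escape(key) + r":\s*(\S+)\s*$", text, re.MULTILINE)
    if m is None:
        raise KeyError(key)
    return m.group(1)


def decode_pem(b64_value):
    """base64 -d equivalent, with a sanity check that the result is PEM."""
    pem = base64.b64decode(b64_value, validate=True).decode()
    if not pem.startswith("-----BEGIN "):
        raise ValueError("decoded value is not PEM")
    return pem


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def ca_matches(kubeconfig_text, ca_pem_path):
    """Same idea as the md5sum comparison above, using SHA-256 on the raw bytes."""
    embedded = base64.b64decode(kubeconfig_field(kubeconfig_text, "certificate-authority-data"))
    with open(ca_pem_path, "rb") as f:
        return sha256_hex(embedded) == sha256_hex(f.read())


def owner_only(path):
    """kubeconfigs carry client-key-data, so they should be mode 0600 like the listing above."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def demo():
    """Write the constructed files into a temp dir, run the checks, return the results."""
    d = tempfile.mkdtemp()
    ca_path, other_path = os.path.join(d, "ca.pem"), os.path.join(d, "other.pem")
    kc_path = os.path.join(d, "kubelet.kubeconfig")
    for path, content in ((ca_path, FAKE_CA_PEM), (other_path, OTHER_PEM), (kc_path, KUBECONFIG)):
        with open(path, "w") as f:
            f.write(content)
    os.chmod(kc_path, 0o600)
    return {
        "ca_pem_matches": ca_matches(KUBECONFIG, ca_path),
        "other_pem_matches": ca_matches(KUBECONFIG, other_path),
        "decoded_ca": decode_pem(kubeconfig_field(KUBECONFIG, "certificate-authority-data")),
        "kubeconfig_owner_only": owner_only(kc_path),
    }


if __name__ == "__main__":
    print(demo())
```

On a real node, replace KUBECONFIG with the contents of kubelet.kubeconfig and ca_pem_path with /opt/kubernetes/server/bin/certs/ca.pem; a False from `ca_matches` after a CA rotation is exactly the "certificate replaced, kubeconfig not updated" situation described above.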

Resources

Pod

Why a Pod must be the atomic unit of scheduling

  1. The process-group concept: Pod = "process group"
  2. Some containers need to cooperate closely and must run on the same host (e.g. a business container and a log-forwarding container). This is an affinity relationship, and it is solved by scheduling.

The containers inside a Pod have a "super-affinity" relationship.
Super-affinity is solved by the Pod.

  • For example, two processes exchange files: one writes a log and the other reads it;
  • Two processes need to communicate over localhost or a local socket; such local communication is also super-affinity;
  • Two containers or microservices make very frequent RPC calls to each other, and for performance reasons they should also be super-affine;
  • Two containers or applications need to share certain Linux namespaces. The simplest and most common example is a container that needs to join another container's Network Namespace, so that it can see the other container's network devices and network information.

The problems a Pod solves: shared network and shared storage.

Shared network

An infra container is started to hold the shared Network Namespace, and the other containers join the Infra container's Network Namespace.
Within a Pod the Infra container is always the first to start, and the lifecycle of the whole Pod equals the lifecycle of the Infra container, independent of containers A and B.

Shared storage

Two containers mount the same directory, e.g. for log collection.

Container design patterns

InitContainer

Starts first; after it exits, the other containers start. Example: Tomcat + WAR package (the init container copies the WAR into an emptyDir, and the second container mounts that emptyDir).

Sidecar

A sidecar defines a dedicated container inside the Pod to perform the auxiliary work that the main business container needs.

  • Things that previously required SSH-ing into the container, such as running scripts or preparing preconditions, can all be handled with an Init Container or a Sidecar;
  • Another typical example is log collection: log collection is itself a process, a small container, so it can be packaged into the Pod to do the collecting;
  • Another very important case is debugging the application: debugging the whole application can now be done by defining an additional small container in the application Pod, which can exec into the application Pod's namespaces;
  • Checking the working state of other containers is also something it can do. There is no need to SSH into the container to look; put the monitoring component into the extra small container, start it as a Sidecar, and have it cooperate with the main business container. So business monitoring can likewise be done through the Sidecar approach.

Advantages:
Auxiliary functions are decoupled from the business container, so the Sidecar container can be released independently.
More importantly, this capability is reusable: the same monitoring Sidecar or logging Sidecar can be shared by the whole company.
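The InitContainer and Sidecar sections above describe the wiring in words. The added example below (written for these notes, not a manifest from the page or from any project) builds the Tomcat + WAR Pod as a Python dict that maps one-to-one onto the YAML, with an init container that copies the WAR into an emptyDir mounted by the Tomcat container and a log-collecting sidecar that mounts a second emptyDir read-only, and then lints the handoff: every volumeMount must reference a declared volume, an init container's volume must be mounted by some app container or the copy is wasted, and every emptyDir should be shared by at least two containers. The image names are hypothetical.

```python
import copy

# Constructed Pod manifest, one-to-one with the YAML a practitioner would apply.
TOMCAT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "tomcat-with-war"},
    "spec": {
        "volumes": [
            {"name": "app-volume", "emptyDir": {}},
            {"name": "log-volume", "emptyDir": {}},
        ],
        "initContainers": [{
            "name": "war",
            "image": "example.test/sample-war:1.0",  # hypothetical image holding the WAR
            "command": ["cp", "/sample.war", "/app"],
            "volumeMounts": [{"name": "app-volume", "mountPath": "/app"}],
        }],
        "containers": [
            {"name": "tomcat", "image": "tomcat:9",
             "volumeMounts": [
                 {"name": "app-volume", "mountPath": "/usr/local/tomcat/webapps"},
                 {"name": "log-volume", "mountPath": "/usr/local/tomcat/logs"}]},
            # the sidecar only reads logs, so it mounts the volume read-only
            {"name": "log-sidecar", "image": "example.test/log-forwarder:1.0",  # hypothetical
             "volumeMounts": [
                 {"name": "log-volume", "mountPath": "/var/log/app", "readOnly": True}]},
        ],
    },
}


def check_pod(pod):
    """Return a list of wiring problems; an empty list means the handoff is consistent."""
    spec = pod["spec"]
    declared = {v["name"] for v in spec.get("volumes", [])}
    init_containers = spec.get("initContainers", [])
    app_containers = spec.get("containers", [])
    app_names = {c["name"] for c in app_containers}
    problems = []
    mounts = {}  # volume name -> set of container names that mount it
    for c in init_containers + app_containers:
        for m in c.get("volumeMounts", []):
            if m["name"] not in declared:
                problems.append(f"{c['name']} mounts undeclared volume {m['name']}")
            mounts.setdefault(m["name"], set()).add(c["name"])
    # An init container's output only matters if an app container mounts the same volume.
    for ic in init_containers:
        for m in ic.get("volumeMounts", []):
            if not (mounts.get(m["name"], set()) & app_names):
                problems.append(f"init container {ic['name']} writes {m['name']} "
                                f"but no app container mounts it")
    # An emptyDir mounted by a single container is not doing the shared-storage job.
    for v in spec.get("volumes", []):
        if "emptyDir" in v and len(mounts.get(v["name"], set())) < 2:
            problems.append(f"emptyDir {v['name']} is mounted by fewer than two containers")
    return problems


def broken_copy():
    """A typo in the init container's mount name breaks the WAR handoff silently."""
    bad = copy.deepcopy(TOMCAT_POD)
    bad["spec"]["initContainers"][0]["volumeMounts"][0]["name"] = "app-vol"
    return bad


if __name__ == "__main__":
    print("good pod:", check_pod(TOMCAT_POD))
    print("broken pod:", check_pod(broken_copy()))
```

The broken variant shows why the check is worth running before `kubectl apply`: the Pod would still be accepted and start, but Tomcat's webapps directory would be empty because the WAR was copied into a volume nobody else mounts.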

Deployment

Example YAML
A Pod's ownerReferences, i.e. the controller resource the Pod belongs to, is not the Deployment but a ReplicaSet.
The name of that ReplicaSet is nginx-deployment plus the pod-template-hash.
All Pods are created by the ReplicaSet, and each ReplicaSet corresponds to one specific version of the Deployment template.

[root@alice002 ~]# kubectl get replicasets
NAME                   DESIRED   CURRENT   READY   AGE
resume-7d7567dcd5      3         3         3       4d12h

  • DESIRED: the desired number of Pods, 3 here;
  • CURRENT: the actual current number of Pods, 3 here;
  • UP-TO-DATE: the number of Pods that have reached the latest desired version;
  • AVAILABLE: the number of Pods available while running. AVAILABLE does not simply mean "available", i.e. Ready; it counts Pods that have stayed available for more than a certain length of time;
  • AGE: how long ago the Deployment was created; in the figure above the Deployment had been created 80 minutes earlier.

Common commands

Change the image:
kubectl set image deployment.v1.apps/resume nginx=nginx:1.9.1
kubectl set image <resource>.<version>.<group>/<deployment name>  <container name>=<image>
Roll back quickly to the previous version:
kubectl rollout undo deployment.v1.apps/nginx-deployment

Fields of a Deployment

spec fields:

  • minReadySeconds: 30 means a Pod is only considered available once it has been Ready for more than 30 seconds
  • revisionHistoryLimit: how many historical revisions, i.e. historical ReplicaSets, to keep; the default is 10
  • paused: a flag; when set, the Deployment only maintains the replica count and performs no new rollout. This can be useful when debugging
  • progressDeadlineSeconds: while a Deployment is scaling or rolling out it is in a processing state, and processing can be given a timeout. If it is still processing after the timeout, the controller considers it to have entered the failed state.

Update-strategy fields

  • maxUnavailable: the maximum number of Pods that may be unavailable during the rollout; default 25%
  • maxSurge: the maximum number of Pods that may exist above the desired replicas during the rollout; default 25%

Note that maxSurge and maxUnavailable cannot both be 0.
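The two percentages are resolved against the replica count with different rounding, which decides how many Pods can exist and how few can be serving during a rollout. The added example below (written for these notes, not code from Kubernetes, though it follows the rounding the deployment controller applies: maxSurge rounds up, maxUnavailable rounds down, and when both resolve to 0 the controller uses maxUnavailable=1) computes those bounds for the page's 3-replica Deployment and for a one-replica case where the defaults mean the single Pod can go down.

```python
import math


def resolve_int_or_percent(value, replicas, round_up):
    """IntOrString semantics: an int is taken as-is; "25%" is applied to replicas and
    rounded up (used for maxSurge) or down (used for maxUnavailable)."""
    if isinstance(value, str):
        if not value.endswith("%"):
            raise ValueError(f"expected an int or a percentage, got {value!r}")
        raw = replicas * int(value[:-1]) / 100
        return math.ceil(raw) if round_up else math.floor(raw)
    return int(value)


def literal_value(value):
    """The number as written, before applying it to replicas ("25%" -> 25, 0 -> 0)."""
    return int(value[:-1]) if isinstance(value, str) else int(value)


def strategy_is_valid(max_surge, max_unavailable):
    """API validation rejects a strategy where both fields are literally 0 (or "0%")."""
    return not (literal_value(max_surge) == 0 and literal_value(max_unavailable) == 0)


def resolve_fenceposts(replicas, max_surge="25%", max_unavailable="25%"):
    """Return (surge, unavailable) as absolute Pod counts for this replica count."""
    if not strategy_is_valid(max_surge, max_unavailable):
        raise ValueError("maxUnavailable must not be 0 when maxSurge is 0")
    surge = resolve_int_or_percent(max_surge, replicas, round_up=True)
    unavailable = resolve_int_or_percent(max_unavailable, replicas, round_up=False)
    if surge == 0 and unavailable == 0:
        # a percentage can round down to 0; the controller then takes 1 so the rollout can move
        unavailable = 1
    return surge, unavailable


def rollout_bounds(replicas, max_surge="25%", max_unavailable="25%"):
    """The practical numbers: most Pods that may exist, fewest that must stay available."""
    surge, unavailable = resolve_fenceposts(replicas, max_surge, max_unavailable)
    return {
        "max_surge": surge,
        "max_unavailable": unavailable,
        "max_total_pods": replicas + surge,
        "min_available_pods": replicas - unavailable,
    }


if __name__ == "__main__":
    for replicas, surge, unavailable in ((3, "25%", "25%"), (10, "25%", "25%"), (1, 0, "25%")):
        print(replicas, surge, unavailable, rollout_bounds(replicas, surge, unavailable))
```

With the defaults, the page's resume Deployment (3 replicas) may briefly run 4 Pods and never fewer than 3 available. The one-replica case with maxSurge=0 resolves to maxUnavailable=1, i.e. zero available Pods during the rollout; that is the condition the "cannot both be 0" rule is guarding against, and why a singleton that must stay up needs a non-zero maxSurge.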

Management model

  1. The Deployment only manages ReplicaSets of different versions; the ReplicaSet manages the Pod replica count. Each ReplicaSet corresponds to one version of the Deployment template, and all Pods under one ReplicaSet are of the same version.
  2. The way the Deployment manages multiple versions is to create one ReplicaSet per version of the template; the ReplicaSet maintains a given number of Pod replicas, and the Deployment only cares how many Pods to specify in each version's ReplicaSet;
  3. Therefore the fundamental principle of a Deployment rollout is that the Deployment adjusts the final replica counts of the different versions' ReplicaSets, which is how it upgrades and rolls back multi-version Pods.


Job

[root@alice002 ~]# kubectl get job
NAME   COMPLETIONS   DURATION   AGE
pi     10/10         88s        20h

  • DURATION: how long the actual work inside the Job ran; very useful when doing performance tuning.
  • COMPLETIONS: how many Pods the task has in total, and how many of them have completed.

Fields
  • completions: the total number of times this Job may run. For example, with 8 the task is executed 8 times in total;
  • parallelism: the number of runs executed in parallel. Set to 2, the Job must still run 8 times, 2 Pods at a time, so it runs in 4 batches in total.

CronJob

  • schedule: sets the time format, which is the same as Linux crontab;
  • startingDeadlineSeconds: how long, at most, a Job may wait to start each time it is due. Sometimes a Job may not start for a long time; if it exceeds this deadline, the CronJob stops that Job;
  • concurrencyPolicy: whether concurrent runs are allowed, i.e. what happens when the next Job is due but the previous one has not finished. If this policy is set to true, the Job runs every minute regardless of whether the previous Job completed; if false, it waits for the previous Job to finish before running the next one;
  • JobsHistoryLimit: how many historical Jobs to keep

Management model

  1. The Job Controller creates Pods according to the configuration
  2. The Job Controller tracks the Job's status and, according to the configuration, retries Pods promptly or continues creating them
  3. The Job Controller automatically adds labels to track the corresponding Pods, and creates Pods in parallel or serially according to the configuration


DaemonSet

Update strategies

  • RollingUpdate: fairly intuitive; Pods are updated one at a time. The first Pod is updated, the old Pod is removed, and after it passes the health check the second Pod is created. For the business this is a smooth upgrade with no interruption;
  • OnDelete: after the template is updated, the Pods do not change at all; we control it manually. Deleting the Pod on a given node causes it to be recreated; if it is not deleted, it is not recreated.

Management model

  1. The DaemonSet Controller creates Pods according to the configuration
  2. The DaemonSet Controller tracks Job status and, according to the configuration, retries Pods promptly or continues creating them
  3. The DaemonSet Controller automatically adds affinity & labels to track the corresponding Pods, and creates Pods on every node or on the suitable subset of nodes according to the configuration