1.安装 CFSSL

[root@master01 ~]# chmod +x cfssl*
[root@master01 ~]#  mv cfssl-certinfo_linux-amd64 /opt/kubernetes/bin/cfssl-certinfo
[root@master01 ~]# mv cfssljson_linux-amd64  /opt/kubernetes/bin/cfssljson
[root@master01 ~]# mv cfssl_linux-amd64  /opt/kubernetes/bin/cfssl

2.初始化cfssl

[root@master01 ~]# mkdir ssl && cd ssl
[root@master01 ~]# cfssl print-defaults config > ca-config.json
[root@master01 ~]# cfssl print-defaults csr > ca-csr.json

3.创建用来生成 CA 文件的 JSON 配置文件

[root@master01 ~]# vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "26280h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "26280h"
      }
    }
  }
}

4.创建用来生成 CA 证书签名请求（CSR）的 JSON 配置文件

[root@master01 ~]# vim ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShenZheng",
      "L": "ShenZheng",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

5.生成CA证书（ca.pem）和密钥（ca-key.pem）

[root@master01 ~]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@master01 ssl]# ls -l ca*
-rw-r--r-- 1 root root  292 Oct 25 15:08 ca-config.json
-rw-r--r-- 1 root root 1005 Oct 25 15:10 ca.csr
-rw-r--r-- 1 root root  212 Oct 25 15:10 ca-csr.json
-rw------- 1 root root 1675 Oct 25 15:10 ca-key.pem
-rw-r--r-- 1 root root 1371 Oct 25 15:10 ca.pem

6.分发证书

# cp ca.csr ca.pem ca-key.pem ca-config.json /opt/kubernetes/ssl
SCP证书到各节点
# scp ca.csr ca.pem ca-key.pem ca-config.json master02:/opt/kubernetes/ssl 
# scp ca.csr ca.pem ca-key.pem ca-config.json node01:/opt/kubernetes/ssl
# scp ca.csr ca.pem ca-key.pem ca-config.json node02:/opt/kubernetes/ssl
# scp ca.csr ca.pem ca-key.pem ca-config.json node03:/opt/kubernetes/ssl