c4rt1y

k8s之https搭建

0x01.介绍

由于默认的 k8s 集群允许匿名直接访问 API,这会带来安全问题,所以这里我们搭建基于 HTTPS 的双向证书认证(客户端证书认证)。

0x02 服务端配置

# CA for mutual TLS: it signs the apiserver serving cert and every client cert issued below.
# -nodes leaves ca-key.pem unencrypted on disk; restrict its permissions (e.g. 0600) and keep it
# on the master only — anyone holding this key can mint a cert the apiserver will trust.
openssl genrsa -out ca-key.pem 2048
# Self-signed root, valid 10000 days (~27 years). ca.pem is the only CA file that gets distributed.
openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca"

# Create the openssl config (SAN list) used when issuing the apiserver certificate.
vim openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
# Every DNS name and IP that clients use to reach the apiserver must appear here; otherwise
# TLS verification (curl --cacert, the node kubeconfigs, controller-manager) fails.
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
# NOTE(review): the kubelet config further down sets --cluster_domain=cluster.local, which would
# make the in-cluster name kubernetes.default.svc.cluster.local — confirm which domain is in use.
DNS.4 = kubernetes.default.svc.kube.local
IP.1 = 10.254.0.1   # k8s cluster service IP (dns) — critical
# NOTE(review): the rest of this page addresses the master as 10.10.10.10 (bind-address, curl,
# KUBE_MASTER); unless 10.200.102.93 is another address of the same host, the master IP actually
# used must be listed here or verification of https://10.10.10.10 will fail.
IP.2 = 10.200.102.93  # k8s master ip


# Generate the apiserver private key
openssl genrsa -out apiserver-key.pem 2048
# Generate the signing request; -config pulls the SAN list in from openssl.cnf
openssl req -new -key apiserver-key.pem -out apiserver.csr -subj "/CN=kube-apiserver" -config openssl.cnf
# Sign with our own CA. openssl x509 -req does not carry CSR extensions over by itself, so
# -extensions v3_req -extfile openssl.cnf is what puts the SANs into the issued cert.
# -CAcreateserial writes ca.srl next to ca.pem; -days 365 means this cert must be reissued yearly.
openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver.pem -days 365 -extensions v3_req -extfile openssl.cnf

# Generate the admin (client) key. The CN is the user name the apiserver attributes to this
# cert under x509 client auth; no SANs are needed for a pure client cert.
openssl genrsa -out admin-key.pem 2048
openssl req -new -key admin-key.pem -out admin.csr -subj "/CN=kube-admin"
# NOTE(review): KUBE_API_ARGS below sets no --authorization-mode, so presumably every cert this
# CA signs — the node certs included — gets the same access as kube-admin; confirm for the
# apiserver version in use before handing node certs out.
openssl x509 -req -in admin.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin.pem -days 365

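## apiserver config file
# Secure port is bound on the master IP; the insecure (unauthenticated) port stays on loopback,
# so only processes on the master host can use it without a client cert.
KUBE_API_ADDRESS="--bind-address=10.10.10.10 --insecure-bind-address=127.0.0.1 "
# Fixed: the original line had "==", which assigns the literal value "=--secure-port=443 ..."
# and hands the apiserver a malformed flag.
KUBE_API_PORT="--secure-port=443 --insecure-port=8080"
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
# --tls-cert-file/--tls-private-key-file: serving cert issued from openssl.cnf above.
# --client-ca-file: enables x509 client-cert authentication against the same CA.
# NOTE(review): --service-account-key-file reuses the serving key; a dedicated key pair for
# service-account token signing keeps a serving-key compromise from also forging tokens.
# --secure-port=443 is also given in KUBE_API_PORT (harmless duplicate).
KUBE_API_ARGS="--log-dir=/var/log/kubernetes --secure-port=443 --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem --client-ca-file=/etc/kubernetes/ssl/ca.pem --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem"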


##config — shared by the components on the master
KUBE_MASTER="--master=https://10.10.10.10:443"

##scheduler
# NOTE(review): --master=http://127.0.0.1:8080 targets the insecure port, which requires no
# client cert, so the certificate in kubeconfig.yaml is presumably not exercised on this
# connection; anything with local access to the master can use that port the same way.
# Dropping --master here and letting the kubeconfig supply an https server: entry is the
# stricter setup — confirm kubeconfig.yaml carries a server: line before doing so.
KUBE_SCHEDULER_ARGS="--kubeconfig=/etc/kubernetes/ssl/kubeconfig.yaml --master=http://127.0.0.1:8080"

##controller-manager
# --service-account-private-key-file pairs with --service-account-key-file on the apiserver
# (both point at apiserver-key.pem here). Same --master=http://127.0.0.1:8080 caveat as above.
KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem  --root-ca-file=/etc/kubernetes/ssl/ca.pem --master=http://127.0.0.1:8080 --kubeconfig=/etc/kubernetes/ssl/kubeconfig.yaml"

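##/etc/kubernetes/ssl/kubeconfig.yaml — used by kube-scheduler and kube-controller-manager
apiVersion: v1
kind: Config
clusters:
- name: local
  cluster:
    # Added: the original cluster entry had no server, so this kubeconfig presumably only
    # worked while the components also passed --master on the command line.
    # 10.10.10.10:443 matches KUBE_MASTER.
    server: https://10.10.10.10:443
    certificate-authority: /etc/kubernetes/ssl/ca.pem
users:
- name: controllermanager
  user:
    # NOTE(review): the apiserver's own serving cert/key double as the controller-manager's
    # client identity; a separate client cert (issued like admin.pem) keeps the serving key
    # off the client path.
    client-certificate: /etc/kubernetes/ssl/apiserver.pem
    client-key: /etc/kubernetes/ssl/apiserver-key.pem
contexts:
- context:
    cluster: local
    user: controllermanager
  name: kubelet-context
current-context: kubelet-context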

## Restart services
# NOTE(review): nothing above changes etcd's own configuration; if etcd listens on a non-loopback
# address without TLS, cluster state stays reachable without any of the auth set up here — check separately.
systemctl  restart  etcd kube-apiserver.service kube-controller-manager.service kube-scheduler.service


## Check that the secure port answers with client-cert auth
# --cacert makes curl verify apiserver.pem against ca.pem (the URL's IP must be in openssl.cnf's SANs);
# --cert/--key present the admin client certificate.
curl https://10.10.10.10:443/api/v1/nodes --cert /etc/kubernetes/ssl/admin.pem --key /etc/kubernetes/ssl/admin-key.pem --cacert /etc/kubernetes/ssl/ca.pem

# Same request presenting the apiserver's own cert as the client identity; presumably accepted
# because any cert signed by ca.pem is trusted by --client-ca-file.
curl https://10.10.10.10:443/api/v1/nodes --cert /etc/kubernetes/ssl/apiserver.pem --key /etc/kubernetes/ssl/apiserver-key.pem --cacert /etc/kubernetes/ssl/ca.pem

# NOTE(review): 192.168.4.2 appears nowhere else on this page and is not in openssl.cnf's SAN
# list; presumably a leftover from another environment — confirm, or expect a certificate-verify failure.
curl https://192.168.4.2:443/api/v1/nodes --cert /etc/kubernetes/ssl/apiserver.pem --key /etc/kubernetes/ssl/apiserver-key.pem --cacert /etc/kubernetes/ssl/ca.pem


## Node-side openssl config (the IPs are the node IPs)
[root@master ssl]# cat node-openssl.conf 
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
# Both node IPs sit in one SAN list and this single file signs both node certs below, so each
# node's cert is also valid for the other node's IP. One config (or one IP.1 line) per node
# keeps a cert taken from one node from being presented as its neighbour's kubelet.
[alt_names]
IP.1 = 10.10.10.20
IP.2 = 10.10.10.30


# Generate the k8s-node-1 private key (on the master; only the signed cert and this key go to the node)
openssl genrsa -out k8s-node-1-key.pem 2048
# Signing request: CN=k8s-node-1 is the identity the apiserver sees, SANs come from node-openssl.conf
openssl req -new -key k8s-node-1-key.pem -out k8s-node-1.csr -subj "/CN=k8s-node-1" -config node-openssl.conf 
# Sign with our own CA (-extensions/-extfile again needed to carry the SANs into the cert)
openssl x509 -req -in k8s-node-1.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out k8s-node-1.pem -days 365 -extensions v3_req -extfile node-openssl.conf


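# Generate the k8s-node-2 private key
openssl genrsa -out k8s-node-2-key.pem 2048
# Generate the signing request.
# Fixed: the original carried "/CN=k8s-node-1" over from the node-1 step, so node-2's cert
# would identify itself to the apiserver as node-1; the CN must be this node's own name.
openssl req -new -key k8s-node-2-key.pem -out k8s-node-2.csr -subj "/CN=k8s-node-2" -config node-openssl.conf
# Sign with our own CA (-extensions/-extfile carry the SANs into the cert)
openssl x509 -req -in k8s-node-2.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out k8s-node-2.pem -days 365 -extensions v3_req -extfile node-openssl.conf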

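# Copy each node's cert and key, plus the CA cert, to that node.
# Fixed: the original sent k8s-node-1.pem/-key.pem to 10.10.10.30 as well, so node-2 would
# authenticate as node-1; each node gets its own pair. ca.pem is added because the node
# kubeconfig below references /etc/kubernetes/ssl/ca.pem and nothing else copies it.
# Never copy ca-key.pem off the master.
# (Assumes 10.10.10.20 is k8s-node-1 and 10.10.10.30 is k8s-node-2, in the order of node-openssl.conf.)
scp  ca.pem  k8s-node-1.pem  k8s-node-1-key.pem  10.10.10.20:/etc/kubernetes/ssl/
scp  ca.pem  k8s-node-2.pem  k8s-node-2-key.pem  10.10.10.30:/etc/kubernetes/ssl/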

0x03 node节点配置

##node01

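##k8s-node-1-kubeconfig.yaml (lives on node-1; kubelet and kube-proxy reference it by path below)
apiVersion: v1
kind: Config
clusters:
- name: local
  cluster:
    # Fixed: the original pointed at https://10.10.10.20:443, which is node-1's own IP
    # (node-openssl.conf, scp step); the kubelet must talk to the master, 10.10.10.10:443,
    # as KUBE_MASTER does.
    server: https://10.10.10.10:443
    # ca.pem must be copied to the node for this path to resolve.
    certificate-authority: /etc/kubernetes/ssl/ca.pem
users:
- name: kubelet
  user:
    client-certificate: /etc/kubernetes/ssl/k8s-node-1.pem
    client-key: /etc/kubernetes/ssl/k8s-node-1-key.pem
contexts:
- context:
    cluster: local
    user: kubelet
  name: kubelet-context
current-context: kubelet-context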

## config file (shared by kubelet and kube-proxy on the node)
KUBE_MASTER="--master=https://10.10.10.10:443"

## kubelet file
# NOTE(review): 192.168.23.129 / 192.168.23.128 / node1 do not match the addresses used elsewhere
# on this page (node-1 = 10.10.10.20, master = 10.10.10.10); presumably pasted from a different
# lab — align them, since --api-servers presumably takes precedence over the kubeconfig's server.
KUBELET_ADDRESS="--address=192.168.23.129"
KUBELET_PORT="--port=10250"
KUBELET_HOSTNAME="--hostname-override=node1"
KUBELET_API_SERVER="--api-servers=https://192.168.23.128:443"
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
# --tls-cert-file/--tls-private-key-file: the kubelet's own serving cert (SAN = node IP, from
# node-openssl.conf); --kubeconfig: client cert used toward the apiserver.
# NOTE(review): this kubeconfig path is /etc/kubernetes/k8s-node-1-kubeconfig.yaml while
# kube-proxy below uses /etc/kubernetes/ssl/node-1-kubeconfig.yaml; only one file is shown
# above — settle on one path. --allow-privileged=true lets pods request privileged mode;
# leave it off unless a workload needs it.
KUBELET_ARGS="--cluster_dns=10.254.0.3 --cluster_domain=cluster.local --tls-cert-file=/etc/kubernetes/ssl/k8s-node-1.pem --tls-private-key-file=/etc/kubernetes/ssl/k8s-node-1-key.pem --kubeconfig=/etc/kubernetes/k8s-node-1-kubeconfig.yaml --allow-privileged=true"

## proxy file
# NOTE(review): port 6443 here versus 443 everywhere else on this page, and the kubeconfig path
# differs from the kubelet's — confirm both against the master's --secure-port.
KUBE_PROXY_ARGS="--proxy-mode=iptables --master=https://192.168.23.128:6443 --kubeconfig=/etc/kubernetes/ssl/node-1-kubeconfig.yaml"

## Restart
systemctl  restart  kube-proxy kubelet

## Test
# NOTE(review): this is the node01 section, yet the first request presents node-2's cert/key,
# which the scp step above does not place on node-1; and 192.168.4.2 is neither the master
# (10.10.10.10) nor in openssl.cnf's SANs — presumably leftovers, so confirm both before
# reading a failure here as a TLS misconfiguration.
curl https://192.168.4.2:443/api/v1/nodes --cert /etc/kubernetes/ssl/k8s-node-2.pem --key /etc/kubernetes/ssl/k8s-node-2-key.pem --cacert /etc/kubernetes/ssl/ca.pem

# Node-1's own cert: the request only proves the cert is trusted; what it may do depends on the
# apiserver's authorization mode, which this page does not set.
curl https://192.168.4.2:443/api/v1/nodes --cert /etc/kubernetes/ssl/k8s-node-1.pem --key /etc/kubernetes/ssl/k8s-node-1-key.pem --cacert /etc/kubernetes/ssl/ca.pem

0x04 资料

https://www.jianshu.com/p/6a6abeefbcbf
https://ipaas.com.cn/blog/post/seanzhau/2f0edd1809d8
http://jeromeliu.win/2017/04/21/Kubernetes-%E5%8F%8C%E5%90%91%E8%AF%81%E4%B9%A6TLS%E9%85%8D%E7%BD%AE/