From 44a49d8e91643d3ed18116e7072e58d9e9772c42 Mon Sep 17 00:00:00 2001 
From: "egor.kudriashov" Date: Tue, 19 Aug 2025 19:09:14 +0300 Subject: [PATCH 1/2] add: scheduler-server, controller-server certificates && lil fixes --- .../allCertificatesAppsInitComponent.mdx | 22 +++++ .../allCertificatesAppsJoinComponent.mdx | 51 ++++++++++ .../checks/statusKubeadm.mdx | 6 ++ .../checks/statusOpenssl.mdx | 29 ++++++ .../kubeControllerManagerServer/main.mdx | 22 +++++ .../kubeControllerManagerServer/openssl.mdx | 92 +++++++++++++++++++ .../checks/statusKubeadm.mdx | 6 ++ .../checks/statusOpenssl.mdx | 29 ++++++ .../kubeSchedulerServer/main.mdx | 22 +++++ .../kubeSchedulerServer/openssl.mdx | 92 +++++++++++++++++++ .../kubernetes/components/allStaticPods.mdx | 2 +- .../controllerManager/staticPod.mdx | 8 +- .../components/kubeAPI/staticPod.mdx | 7 ++ .../components/scheduler/staticPod.mdx | 33 ++++++- .../src/constants/kubernetes/certs.ts | 16 ++++ .../src/constants/kubernetes/customValue.ts | 2 +- .../src/constants/kubernetes/kubeAPIArgs.ts | 2 +- .../kubernetes/kubeControllerManagerArgs.ts | 4 +- .../constants/kubernetes/kubeSchedulerArgs.ts | 4 +- .../constants/kubernetes/kubeadmConfigData.ts | 30 ++++++ .../constants/kubernetes/kubernetesArgs.ts | 17 +++- .../certificates-masters-transport.svg | 2 +- .../img/certificates/certificates-masters.svg | 2 +- 23 files changed, 482 insertions(+), 18 deletions(-) create mode 100644 documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/checks/statusKubeadm.mdx create mode 100644 documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/checks/statusOpenssl.mdx create mode 100644 documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/main.mdx create mode 100644 documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/openssl.mdx create mode 100644 
documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/checks/statusKubeadm.mdx create mode 100644 documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/checks/statusOpenssl.mdx create mode 100644 documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/main.mdx create mode 100644 documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/openssl.mdx diff --git a/documentation/docs/tech-docs/kubernetes/certificates/components/allCertificatesAppsInitComponent.mdx b/documentation/docs/tech-docs/kubernetes/certificates/components/allCertificatesAppsInitComponent.mdx index d6e4bf6da..e1365292b 100644 --- a/documentation/docs/tech-docs/kubernetes/certificates/components/allCertificatesAppsInitComponent.mdx +++ b/documentation/docs/tech-docs/kubernetes/certificates/components/allCertificatesAppsInitComponent.mdx @@ -6,6 +6,8 @@ import KubeAPIServerMain from '@site/docs/tech-docs/kubernetes/certificates/comp import ETCDClientETCDMain from '@site/docs/tech-docs/etcd/certificates/components/etcd/etcdClient/main.mdx' import ETCDServerMain from '@site/docs/tech-docs/etcd/certificates/components/etcd/etcdServer/main.mdx' import ETCDPeerMain from '@site/docs/tech-docs/etcd/certificates/components/etcd/etcdPeer/main.mdx' +import ControllerServerMain from '@site/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/main.mdx' +import SchedulerServerMain from '@site/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/main.mdx' import TabItem from '@theme/TabItem' import Tabs from '@theme/Tabs' @@ -91,4 +93,24 @@ import Tabs from '@theme/Tabs' + +
+ +
+

Controller server

+
+
+ +
+
+ +
+ +
+

Scheduler server

+
+
+ +
+
diff --git a/documentation/docs/tech-docs/kubernetes/certificates/components/allCertificatesAppsJoinComponent.mdx b/documentation/docs/tech-docs/kubernetes/certificates/components/allCertificatesAppsJoinComponent.mdx index 998baeb9c..a72d7299f 100644 --- a/documentation/docs/tech-docs/kubernetes/certificates/components/allCertificatesAppsJoinComponent.mdx +++ b/documentation/docs/tech-docs/kubernetes/certificates/components/allCertificatesAppsJoinComponent.mdx @@ -30,6 +30,15 @@ import ETCDPeerOpenssl from '@site/docs/tech-docs/etcd/certificates/components/e import ETCDPeerOpensslStatus from '@site/docs/tech-docs/etcd/certificates/components/etcd/etcdPeer/checks/statusOpenssl.mdx' import ETCDPeerKubeadmStatus from '@site/docs/tech-docs/etcd/certificates/components/etcd/etcdPeer/checks/statusKubeadm.mdx' +import KubeControllerManagerOpenssl from '@site/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/openssl.mdx' +import KubeControllerManagerOpensslStatus from '@site/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/checks/statusOpenssl.mdx' +import KubeControllerManagerKubeadmStatus from '@site/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/checks/statusKubeadm.mdx' + + +import KubeSchedulerOpenssl from '@site/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/openssl.mdx' +import KubeSchedulerOpensslStatus from '@site/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/checks/statusOpenssl.mdx' +import KubeSchedulerKubeadmStatus from '@site/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/checks/statusKubeadm.mdx' + import JoinAllCertsGen from '@site/docs/tech-docs/kubernetes/certificates/components/_kubeadm/joinAllCertsGen.mdx' import TabItem from '@theme/TabItem' 
@@ -188,4 +197,46 @@ import Tabs from '@theme/Tabs' + +
+ +
+

Controller server

+
+
+ + + + + + + :::danger + Просьба обратить внимание, что kubeadm не управляет данными сертификатами. + Используйте HardWay режим + ::: + + +
+
+ +
+ +
+

Scheduler server

+
+
+ + + + + + + :::danger + Просьба обратить внимание, что kubeadm не управляет данными сертификатами. + Используйте HardWay режим + ::: + + +
+
diff --git a/documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/checks/statusKubeadm.mdx b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/checks/statusKubeadm.mdx new file mode 100644 index 000000000..09cdccc14 --- /dev/null +++ b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/checks/statusKubeadm.mdx @@ -0,0 +1,6 @@ +
+ Проверка готовности сертификата + :::warning Обратите ВНИМАНИЕ! + kubeadm не отображает статус сертификата, используемого компонентом `kubelet`. + ::: +
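Review bot: The warning in this new file says kubeadm does not report the status of the certificate used by `kubelet`, but the file documents the kube-controller-manager serving certificate, so the component name appears to be copy-pasted from the kubelet page. Replace the line with `kubeadm не отображает статус сертификата, используемого компонентом kube-controller-manager.` and, since this is the only text the reader gets on the "kubeadm" tab, add the reason: kubeadm only tracks certificates it generated itself, and this one is created by hand in HardWay mode, so `kubeadm certs check-expiration` will never list it and its expiry must be tracked with the openssl report instead.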
diff --git a/documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/checks/statusOpenssl.mdx b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/checks/statusOpenssl.mdx new file mode 100644 index 000000000..2eef169bf --- /dev/null +++ b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/checks/statusOpenssl.mdx @@ -0,0 +1,29 @@ +import CodeBlock from '@theme/CodeBlock' +import dedent from 'ts-dedent' +import { CERTIFICATES } from '@site/src/constants/kubernetes/certs' +import { CUSTOM_VALUE } from '@site/src/constants/kubernetes/customValue' + +
+ Проверка готовности сертификата + :::warning Обратите ВНИМАНИЕ! + + Данный раздел зависит от следующих разделов: + - [SSL Certificate Check](/docs/tech-docs/kubernetes/certificates/examination/examinationOpensslComponent.mdx). + ::: + + + {dedent` + ${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/openssl/cert-report.sh ${CERTIFICATES.kubernetesControllerManagerServer.crtPath} + `} + + + :::note Вывод команды + + {dedent` + CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED + controller-manager-server Oct 22, 2025 22:06 UTC 364d kubernetes no + `} + + ::: + +
diff --git a/documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/main.mdx b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/main.mdx new file mode 100644 index 000000000..53d51364a --- /dev/null +++ b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/main.mdx @@ -0,0 +1,22 @@ +import TabItem from '@theme/TabItem' +import Tabs from '@theme/Tabs' +import Openssl from '@site/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/openssl.mdx' +import StatusOpenssl from '@site/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/checks/statusOpenssl.mdx' +import StatusKubeadm from '@site/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/checks/statusKubeadm.mdx' + + + + + + + + + + + :::danger + Просьба обратить внимание, что kubeadm не управляет данными сертификатами. + Используйте HardWay режим + ::: + + + diff --git a/documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/openssl.mdx b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/openssl.mdx new file mode 100644 index 000000000..dceb5d09a --- /dev/null +++ b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeControllerManager/kubeControllerManagerServer/openssl.mdx @@ -0,0 +1,92 @@ +import { CERTIFICATES } from '@site/src/constants/kubernetes/certs' +import { CUSTOM_VALUE } from '@site/src/constants/kubernetes/customValue' + +import CodeBlock from '@theme/CodeBlock' +import dedent from 'ts-dedent' + +

Переменные окружения

+ + {dedent` + export MACHINE_LOCAL_ADDRESS=${CUSTOM_VALUE.virtualMachineLocalAddress.value} + `} + + +

Рабочая директория

+ + {dedent` + mkdir -p ${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki + mkdir -p ${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/openssl/csr + `} + + +

Конфигурация

+ + {dedent` + cat < ${CERTIFICATES.kubernetesControllerManagerServer.crtConf} + [ req ] + default_bits = ${CERTIFICATES.kubernetesControllerManagerServer.keySize} + prompt = no + default_md = sha256 + distinguished_name = dn + req_extensions = req_ext + + [ req_ext ] + subjectAltName = @alt_names + + [ alt_names ] + DNS.1 = kube-controller-manager + DNS.2 = kube-controller-manager.kube-system + DNS.3 = kube-controller-manager.kube-system.svc + IP.1 = 127.0.0.1 + IP.2 = 0:0:0:0:0:0:0:1 + IP.3 = $\{MACHINE_LOCAL_ADDRESS} + + [ dn ] + CN = "${CERTIFICATES.kubernetesControllerManagerServer.cname}" + + [ v3_ext ] + authorityKeyIdentifier=keyid,issuer:always + basicConstraints=CA:FALSE + keyUsage=keyEncipherment,dataEncipherment + extendedKeyUsage=serverAuth + subjectAltName=@alt_names + EOF + `} + + +

Генерация приватного ключа

+ + {dedent` + openssl genrsa \\ + -out ${CERTIFICATES.kubernetesControllerManagerServer.keyPath} ${CERTIFICATES.kubernetesControllerManagerServer.keySize} + `} + + +

Генерация CSR

+ + {dedent` + openssl req \\ + -new \\ + -key ${CERTIFICATES.kubernetesControllerManagerServer.keyPath} \\ + -out ${CERTIFICATES.kubernetesControllerManagerServer.csrPath} \\ + -config ${CERTIFICATES.kubernetesControllerManagerServer.crtConf} + `} + + +

Подпись CSR

+ + {dedent` + openssl x509 \\ + -req \\ + -days 365 \\ + -sha256 \\ + -outform PEM \\ + -CA ${CERTIFICATES.kubernetesCA.crtPath} \\ + -CAkey ${CERTIFICATES.kubernetesCA.keyPath} \\ + -CAcreateserial \\ + -in ${CERTIFICATES.kubernetesControllerManagerServer.csrPath} \\ + -out ${CERTIFICATES.kubernetesControllerManagerServer.crtPath} \\ + -extensions v3_ext \\ + -extfile ${CERTIFICATES.kubernetesControllerManagerServer.crtConf} + `} + diff --git a/documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/checks/statusKubeadm.mdx b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/checks/statusKubeadm.mdx new file mode 100644 index 000000000..09cdccc14 --- /dev/null +++ b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/checks/statusKubeadm.mdx @@ -0,0 +1,6 @@ +
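Review bot: The `[ v3_ext ]` section written by the "Конфигурация" step sets `keyUsage=keyEncipherment,dataEncipherment`, which omits `digitalSignature` — the bit an RSA serving certificate needs to sign the handshake under ECDHE/TLS 1.3 cipher suites — while `dataEncipherment` has no meaning for TLS at all. Kubernetes' own serving certificates carry `critical, Digital Signature, Key Encipherment`; Go clients tolerate the current value, but stricter TLS stacks can refuse such a certificate, so change that line to `keyUsage=critical,digitalSignature,keyEncipherment`. Two smaller points in the same hunk: the signing step's `-CAcreateserial` silently creates a `.srl` file next to the cluster CA certificate, which deserves a one-line comment because readers will find an unexplained file in the CA directory, and the guide should state the expected mode of the generated key (`chmod 600 ${CERTIFICATES.kubernetesControllerManagerServer.keyPath}`) rather than rely on the OpenSSL build doing it. Note also that this page produces `controller-manager-server.pem` / `controller-manager-server-key.pem`, whereas the `tlsCertFile`/`tlsPrivateKeyFile` defaults added elsewhere in this patch reference `controller-manager-server.crt` / `.key`, so the manifest would point at files this page never creates.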
+ Проверка готовности сертификата + :::warning Обратите ВНИМАНИЕ! + kubeadm не отображает статус сертификата, используемого компонентом `kubelet`. + ::: +
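Review bot: The warning text names `kubelet` as the component whose certificate kubeadm does not display, but this file belongs to the kube-scheduler serving certificate, so the line is a copy-paste leftover. Replace it with `kubeadm не отображает статус сертификата, используемого компонентом kube-scheduler.` and add why: kubeadm only knows about certificates it generated, this one is hand-made in HardWay mode, and its expiry therefore has to be checked with the openssl report on the neighbouring tab.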
diff --git a/documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/checks/statusOpenssl.mdx b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/checks/statusOpenssl.mdx new file mode 100644 index 000000000..d4a832a2b --- /dev/null +++ b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/checks/statusOpenssl.mdx @@ -0,0 +1,29 @@ +import CodeBlock from '@theme/CodeBlock' +import dedent from 'ts-dedent' +import { CERTIFICATES } from '@site/src/constants/kubernetes/certs' +import { CUSTOM_VALUE } from '@site/src/constants/kubernetes/customValue' + +
+ Проверка готовности сертификата + :::warning Обратите ВНИМАНИЕ! + + Данный раздел зависит от следующих разделов: + - [SSL Certificate Check](/docs/tech-docs/kubernetes/certificates/examination/examinationOpensslComponent.mdx). + ::: + + + {dedent` + ${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/openssl/cert-report.sh ${CERTIFICATES.kubernetesSchedulerServer.crtPath} + `} + + + :::note Вывод команды + + {dedent` + CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED + scheduler-server Oct 22, 2025 22:06 UTC 364d kubernetes no + `} + + ::: + +
diff --git a/documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/main.mdx b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/main.mdx new file mode 100644 index 000000000..3f873f4d2 --- /dev/null +++ b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/main.mdx @@ -0,0 +1,22 @@ +import TabItem from '@theme/TabItem' +import Tabs from '@theme/Tabs' +import Openssl from '@site/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/openssl.mdx' +import StatusOpenssl from '@site/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/checks/statusOpenssl.mdx' +import StatusKubeadm from '@site/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/checks/statusKubeadm.mdx' + + + + + + + + + + + :::danger + Просьба обратить внимание, что kubeadm не управляет данными сертификатами. + Используйте HardWay режим + ::: + + + diff --git a/documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/openssl.mdx b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/openssl.mdx new file mode 100644 index 000000000..1c1e05e6a --- /dev/null +++ b/documentation/docs/tech-docs/kubernetes/certificates/components/kubeScheduler/kubeSchedulerServer/openssl.mdx @@ -0,0 +1,92 @@ +import { CERTIFICATES } from '@site/src/constants/kubernetes/certs' +import { CUSTOM_VALUE } from '@site/src/constants/kubernetes/customValue' + +import CodeBlock from '@theme/CodeBlock' +import dedent from 'ts-dedent' + +

Переменные окружения

+ + {dedent` + export MACHINE_LOCAL_ADDRESS=${CUSTOM_VALUE.virtualMachineLocalAddress.value} + `} + + +

Рабочая директория

+ + {dedent` + mkdir -p ${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki + mkdir -p ${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/openssl/csr + `} + + +

Конфигурация

+ + {dedent` + cat < ${CERTIFICATES.kubernetesSchedulerServer.crtConf} + [ req ] + default_bits = ${CERTIFICATES.kubernetesSchedulerServer.keySize} + prompt = no + default_md = sha256 + distinguished_name = dn + req_extensions = req_ext + + [ req_ext ] + subjectAltName = @alt_names + + [ alt_names ] + DNS.1 = kube-scheduler + DNS.2 = kube-scheduler.kube-system + DNS.3 = kube-scheduler.kube-system.svc + IP.1 = 127.0.0.1 + IP.2 = 0:0:0:0:0:0:0:1 + IP.3 = $\{MACHINE_LOCAL_ADDRESS} + + [ dn ] + CN = "${CERTIFICATES.kubernetesSchedulerServer.cname}" + + [ v3_ext ] + authorityKeyIdentifier=keyid,issuer:always + basicConstraints=CA:FALSE + keyUsage=keyEncipherment,dataEncipherment + extendedKeyUsage=serverAuth + subjectAltName=@alt_names + EOF + `} + + +

Генерация приватного ключа

+ + {dedent` + openssl genrsa \\ + -out ${CERTIFICATES.kubernetesSchedulerServer.keyPath} ${CERTIFICATES.kubernetesSchedulerServer.keySize} + `} + + +

Генерация CSR

+ + {dedent` + openssl req \\ + -new \\ + -key ${CERTIFICATES.kubernetesSchedulerServer.keyPath} \\ + -out ${CERTIFICATES.kubernetesSchedulerServer.csrPath} \\ + -config ${CERTIFICATES.kubernetesSchedulerServer.crtConf} + `} + + +

Подпись CSR

+ + {dedent` + openssl x509 \\ + -req \\ + -days 365 \\ + -sha256 \\ + -outform PEM \\ + -CA ${CERTIFICATES.kubernetesCA.crtPath} \\ + -CAkey ${CERTIFICATES.kubernetesCA.keyPath} \\ + -CAcreateserial \\ + -in ${CERTIFICATES.kubernetesSchedulerServer.csrPath} \\ + -out ${CERTIFICATES.kubernetesSchedulerServer.crtPath} \\ + -extensions v3_ext \\ + -extfile ${CERTIFICATES.kubernetesSchedulerServer.crtConf} + `} + diff --git a/documentation/docs/tech-docs/kubernetes/components/allStaticPods.mdx b/documentation/docs/tech-docs/kubernetes/components/allStaticPods.mdx index 0919608dd..3000ec6fc 100644 --- a/documentation/docs/tech-docs/kubernetes/components/allStaticPods.mdx +++ b/documentation/docs/tech-docs/kubernetes/components/allStaticPods.mdx @@ -7,7 +7,7 @@ import AllStaticPodsETCDComponent from '@site/docs/tech-docs/kubernetes/componen # 5.2.1.4. Настройка Static Pods -## 5.2.1.4.1. Kuberentes +## 5.2.1.4.1. Kubernetes diff --git a/documentation/docs/tech-docs/kubernetes/components/controllerManager/staticPod.mdx b/documentation/docs/tech-docs/kubernetes/components/controllerManager/staticPod.mdx index 9fb9c4586..117529974 100644 --- a/documentation/docs/tech-docs/kubernetes/components/controllerManager/staticPod.mdx +++ b/documentation/docs/tech-docs/kubernetes/components/controllerManager/staticPod.mdx 
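Review bot: The scheduler serving certificate is issued with `keyUsage=keyEncipherment,dataEncipherment` in `[ v3_ext ]`, which lacks `digitalSignature` — required for an RSA server certificate under ECDHE/TLS 1.3 — and includes `dataEncipherment`, which TLS never uses. Use `keyUsage=critical,digitalSignature,keyEncipherment`, the same set kubeadm puts on the apiserver serving certificate; Go-based scrapers will accept the current value, but stricter TLS clients may not. In the same hunk, document that `-CAcreateserial` creates a `.srl` file beside the cluster CA certificate, and state the expected key-file mode (`chmod 600 ${CERTIFICATES.kubernetesSchedulerServer.keyPath}`) instead of leaving it implicit. The file names produced here (`scheduler-server.pem`, `scheduler-server-key.pem`) also do not match the `scheduler-server.crt` / `.key` defaults this patch puts into kubeSchedulerArgs.ts, so one side has to be renamed before the manifest can find the files.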
@@ -162,6 +162,12 @@ import CodeBlock from '@theme/CodeBlock' # ТРЕБУЕТСЯ РАСКОМЕНТИРОВАТЬ # -> # - --cloud-provider: "${KUBE_CONTROLLER_MANAGER_ARGS.cloudProvider.value}" + # ЕСЛИ НУЖНО ПОДКЛЮЧИТЬ СЕРВЕРНЫЕ СЕРТИФИКАТЫ ДЛЯ KUBE-CONTROLLER-MANAGER + # ОБРАТИТЕ ВНИМАНИЕ, ЧТО KUBEADM НЕ СОЗДАЕТ ДАННЫЕ СЕРТИФИКАТЫ + # ТРЕБУЕТСЯ РАСКОМЕНТИРОВАТЬ + # -> + # - --tls-cert-file=${KUBE_CONTROLLER_MANAGER_ARGS.tlsCertFile.value} + # - --tls-private-key-file=${KUBE_CONTROLLER_MANAGER_ARGS.tlsPrivateKeyFile.value} # Не указывать если значение "" или undefined # - --cluster-signing-kube-apiserver-client-cert-file=${KUBE_CONTROLLER_MANAGER_ARGS.clusterSigningKubeApiserverClientCertFile.value} # - --cluster-signing-kube-apiserver-client-key-file=${KUBE_CONTROLLER_MANAGER_ARGS.clusterSigningKubeApiserverClientKeyFile.value} @@ -183,10 +189,8 @@ import CodeBlock from '@theme/CodeBlock' # - --pv-recycler-pod-template-filepath-nfs=${KUBE_CONTROLLER_MANAGER_ARGS.pvRecyclerPodTemplateFilepathNfs.value} # - --service-cluster-ip-range=${KUBE_CONTROLLER_MANAGER_ARGS.serviceClusterIpRange.value} # - --show-hidden-metrics-for-version=${KUBE_CONTROLLER_MANAGER_ARGS.showHiddenMetricsForVersion.value} - # - --tls-cert-file=${KUBE_CONTROLLER_MANAGER_ARGS.tlsCertFile.value} # - --tls-cipher-suites=${KUBE_CONTROLLER_MANAGER_ARGS.tlsCipherSuites.value} # - --tls-min-version=${KUBE_CONTROLLER_MANAGER_ARGS.tlsMinVersion.value} - # - --tls-private-key-file=${KUBE_CONTROLLER_MANAGER_ARGS.tlsPrivateKeyFile.value} # - --tls-sni-cert-key=${KUBE_CONTROLLER_MANAGER_ARGS.tlsSniCertKey.value} # - --vmodule=${KUBE_CONTROLLER_MANAGER_ARGS.vmodule.value} # - --volume-host-cidr-denylist=${KUBE_CONTROLLER_MANAGER_ARGS.volumeHostCidrDenylist.value} diff --git a/documentation/docs/tech-docs/kubernetes/components/kubeAPI/staticPod.mdx b/documentation/docs/tech-docs/kubernetes/components/kubeAPI/staticPod.mdx index 669687e1c..ba1e7e073 100644 
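Review bot: The commented `--tls-cert-file`/`--tls-private-key-file` lines added at the top of the `-162` hunk come with no matching `volumeMounts`/`volumes`, unlike the scheduler manifest in this same patch, and their default values are absolute `/etc/kubernetes/pki/controller-manager-server.crt` / `.key` while every other path in this manifest is derived from `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}`; unless the pki directory is already mounted into the pod (not visible in this hunk) and the base folder happens to be `/etc/kubernetes`, the flags will point at files the container cannot see. Either derive the two paths from the base folder constant or state in the comment block which mount exposes them, e.g. `# FILES MUST LIVE INSIDE THE MOUNTED pki DIRECTORY (k8s-certs VOLUME)`. The `.crt`/`.key` names also differ from the `.pem` files the openssl page of this patch generates. The manifest template starts and ends outside the hunk.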
--- a/documentation/docs/tech-docs/kubernetes/components/kubeAPI/staticPod.mdx +++ b/documentation/docs/tech-docs/kubernetes/components/kubeAPI/staticPod.mdx @@ -270,6 +270,9 @@ import dedent from 'ts-dedent' readOnly: true - mountPath: /var/log/kubernetes/audit/ name: k8s-audit + - mountPath: /etc/kubernetes/audit-policy.yaml + name: k8s-audit-policy + readOnly: true - mountPath: ${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki name: k8s-certs readOnly: true @@ -302,6 +305,10 @@ import dedent from 'ts-dedent' path: /var/log/kubernetes/audit/ type: DirectoryOrCreate name: k8s-audit + - hostPath: + path: /etc/kubernetes/audit-policy.yaml + type: File + name: k8s-audit-policy - hostPath: path: ${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki type: DirectoryOrCreate diff --git a/documentation/docs/tech-docs/kubernetes/components/scheduler/staticPod.mdx b/documentation/docs/tech-docs/kubernetes/components/scheduler/staticPod.mdx index 817245caf..180dd98ba 100644 --- a/documentation/docs/tech-docs/kubernetes/components/scheduler/staticPod.mdx +++ b/documentation/docs/tech-docs/kubernetes/components/scheduler/staticPod.mdx @@ -15,7 +15,7 @@ import {KUBE_SCHEDULER_ARGS} from '@site/src/constants/kubernetes/kubeSchedulerA
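Review bot: The new `k8s-audit-policy` hostPath uses `type: File`, so kube-apiserver will refuse to start until `/etc/kubernetes/audit-policy.yaml` exists — the right fail-closed behaviour for the file that decides what gets audited, but nothing in the manifest says so, and both the `mountPath` and `hostPath` lines hard-code the path instead of using `${CUSTOM_VALUE.kubernetesAPIAuditPolicyPath.value}`, which this very patch sets to that value. Use the constant on both lines and add a comment such as `# policy must exist before the pod starts; keep it root-owned and not writable by others — the apiserver trusts its contents`. The surrounding `volumeMounts`/`volumes` lists start outside these hunks.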
-Static Pod Kube-Schedulerr +Static Pod Kube-Scheduler

Генерация манифеста

@@ -74,6 +74,13 @@ import {KUBE_SCHEDULER_ARGS} from '@site/src/constants/kubernetes/kubeSchedulerA - --secure-port=${KUBE_SCHEDULER_ARGS.securePort.value} - --v=${KUBE_SCHEDULER_ARGS.v.value} - --version=${KUBE_SCHEDULER_ARGS.version.value} + # ЕСЛИ НУЖНО ПОДКЛЮЧИТЬ СЕРВЕРНЫЕ СЕРТИФИКАТЫ ДЛЯ KUBE-SCHEDULER + # ОБРАТИТЕ ВНИМАНИЕ, ЧТО KUBEADM НЕ СОЗДАЕТ ДАННЫЕ СЕРТИФИКАТЫ + # ТРЕБУЕТСЯ РАСКОМЕНТИРОВАТЬ + # -> + # - --tls-cert-file=${KUBE_SCHEDULER_ARGS.tlsCertFile.value} + # - --tls-private-key-file=${KUBE_SCHEDULER_ARGS.tlsPrivateKeyFile.value} + # <- # - --allow-metric-labels=${KUBE_SCHEDULER_ARGS.allowMetricLabels.value} # - --allow-metric-labels-manifest=${KUBE_SCHEDULER_ARGS.allowMetricLabelsManifest.value} # - --cert-dir=${KUBE_SCHEDULER_ARGS.certDir.value} @@ -84,10 +91,8 @@ import {KUBE_SCHEDULER_ARGS} from '@site/src/constants/kubernetes/kubeSchedulerA # - --requestheader-allowed-names=${KUBE_SCHEDULER_ARGS.requestheaderAllowedNames.value} # - --requestheader-client-ca-file=${KUBE_SCHEDULER_ARGS.requestheaderClientCaFile.value} # - --show-hidden-metrics-for-version=${KUBE_SCHEDULER_ARGS.showHiddenMetricsForVersion.value} - # - --tls-cert-file=${KUBE_SCHEDULER_ARGS.tlsCertFile.value} # - --tls-cipher-suites=${KUBE_SCHEDULER_ARGS.tlsCipherSuites.value} # - --tls-min-version=${KUBE_SCHEDULER_ARGS.tlsMinVersion.value} - # - --tls-private-key-file=${KUBE_SCHEDULER_ARGS.tlsPrivateKeyFile.value} # - --tls-sni-cert-key=${KUBE_SCHEDULER_ARGS.tlsSniCertKey.value} # - --vmodule=${KUBE_SCHEDULER_ARGS.vmodule.value} # - --write-config-to=${KUBE_SCHEDULER_ARGS.writeConfigTo.value} 
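Review bot: The new comment block around `--tls-cert-file`/`--tls-private-key-file` does not tell the reader that the `kube-scheduler-crt`/`kube-scheduler-key` `volumeMounts` and `volumes` added further down this manifest must be uncommented together with the flags; enabling the flags alone leaves the scheduler pointing at files it cannot open unless the pki directory is already mounted (not visible here). Add one line to the block, e.g. `# ALSO UNCOMMENT THE kube-scheduler-crt / kube-scheduler-key VOLUMES BELOW`. The `# <-` closer used here is missing from the equivalent controller-manager block in this patch; keep the two templates consistent.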
@@ -119,6 +124,16 @@ import {KUBE_SCHEDULER_ARGS} from '@site/src/constants/kubernetes/kubeSchedulerA - mountPath: ${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/scheduler.conf name: kubeconfig readOnly: true + # ЕСЛИ НУЖНО ПОДКЛЮЧИТЬ СЕРВЕРНЫЕ СЕРТИФИКАТЫ ДЛЯ KUBE-SCHEDULER + # ОБРАТИТЕ ВНИМАНИЕ, ЧТО KUBEADM НЕ СОЗДАЕТ ДАННЫЕ СЕРТИФИКАТЫ + # ТРЕБУЕТСЯ РАСКОМЕНТИРОВАТЬ + # -> + # - mountPath: ${KUBE_SCHEDULER_ARGS.tlsCertFile.value} + # name: kube-scheduler-crt + # readOnly: true + # - mountPath: ${KUBE_SCHEDULER_ARGS.tlsPrivateKeyFile.value} + # name: kube-scheduler-key + # readOnly: true hostNetwork: true priority: 2000001000 priorityClassName: system-node-critical @@ -130,6 +145,18 @@ import {KUBE_SCHEDULER_ARGS} from '@site/src/constants/kubernetes/kubeSchedulerA path: ${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/scheduler.conf type: FileOrCreate name: kubeconfig + # ЕСЛИ НУЖНО ПОДКЛЮЧИТЬ СЕРВЕРНЫЕ СЕРТИФИКАТЫ ДЛЯ KUBE-SCHEDULER + # ОБРАТИТЕ ВНИМАНИЕ, ЧТО KUBEADM НЕ СОЗДАЕТ ДАННЫЕ СЕРТИФИКАТЫ + # ТРЕБУЕТСЯ РАСКОМЕНТИРОВАТЬ + # -> + # - hostPath: + # path: ${KUBE_SCHEDULER_ARGS.tlsCertFile.value} + # type: FileOrCreate + # name: kube-scheduler-crt + # - hostPath: + # path: ${KUBE_SCHEDULER_ARGS.tlsPrivateKeyFile.value} + # type: FileOrCreate + # name: kube-scheduler-key status: {} EOF `} diff --git a/documentation/src/constants/kubernetes/certs.ts b/documentation/src/constants/kubernetes/certs.ts index 83600cb8b..42b5e6651 100644 --- a/documentation/src/constants/kubernetes/certs.ts +++ b/documentation/src/constants/kubernetes/certs.ts 
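Review bot: The two hostPath volumes added for the scheduler certificate and key use `type: FileOrCreate`, so if the HardWay certificate step was skipped the kubelet silently creates empty `scheduler-server.crt`/`scheduler-server.key` files (typically 0644) in the pki directory and the scheduler then fails with an opaque TLS error instead of a clear missing-file error. Change both to `type: File`, which also matches the `pathType: File` this patch uses for the same files in the kubeadm `extraVolumes`. The paths come from constants hard-wired to `/etc/kubernetes/pki/...` while the rest of this manifest derives paths from `kubernetesBaseFolderPath`, so they can drift apart; worth aligning at the same time.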
@@ -35,6 +35,14 @@ export const CERTIFICATES: TCertsItems = {
 keySize: '2048',
 cname: 'system:kube-controller-manager',
 },
+ kubernetesControllerManagerServer: {
+ keyPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/controller-manager-server-key.pem`,
+ crtPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/controller-manager-server.pem`,
+ csrPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/openssl/csr/controller-manager-server.csr`,
+ crtConf: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/openssl/controller-manager-server.conf`,
+ keySize: '2048',
+ cname: 'system:kube-controller-manager-server',
+ },
 etcdClient: {
 keyPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/etcd/healthcheck-client.key`,
 crtPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/etcd/healthcheck-client.crt`,
@@ -172,4 +180,12 @@ export const CERTIFICATES: TCertsItems = {
 keySize: '2048',
 cname: 'system:kube-scheduler',
 },
+ kubernetesSchedulerServer: {
+ keyPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/scheduler-server-key.pem`,
+ crtPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/scheduler-server.pem`,
+ csrPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/openssl/csr/scheduler-server.csr`,
+ crtConf: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/openssl/scheduler-server.conf`,
+ keySize: '2048',
+ cname: 'system:kube-scheduler-server',
+ },
 }
diff --git a/documentation/src/constants/kubernetes/customValue.ts b/documentation/src/constants/kubernetes/customValue.ts
index e787b6e30..cbe3f9612 100644
--- a/documentation/src/constants/kubernetes/customValue.ts
+++ b/documentation/src/constants/kubernetes/customValue.ts
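Review bot: The new `kubernetesControllerManagerServer` and `kubernetesSchedulerServer` entries name the files `controller-manager-server.pem` / `controller-manager-server-key.pem` (and the scheduler equivalents), but the `tlsCertFile`/`tlsPrivateKeyFile` defaults this patch adds in kubeControllerManagerArgs.ts and kubeSchedulerArgs.ts point at `controller-manager-server.crt` / `.key`, so the openssl guide generates files the manifests never read. Sibling entries such as `etcdClient` already use `.crt`/`.key`; rename to `.../pki/controller-manager-server.key` and `.../pki/controller-manager-server.crt` (likewise for the scheduler) so the arg constants can be derived from `CERTIFICATES` instead of being duplicated by hand. The `cname` values carry the `system:` prefix that Kubernetes reserves for built-in identities; that is harmless only while the certificate keeps `extendedKeyUsage=serverAuth` alone, because anything the cluster CA signs with `clientAuth` authenticates to the apiserver as its CN — add a comment next to each `cname` saying the EKU must stay serverAuth-only for that reason.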
@@ -30,7 +30,7 @@ export const CUSTOM_VALUE: TCustomValueItems = {
 value: '/var/run/containerd/containerd.sock',
 },
 kubernetesAPIAuditPolicyPath: {
- value: '/var/log/kubernetes/audit/audit-policy.yaml',
+ value: '/etc/kubernetes/audit-policy.yaml',
 },
 kubernetesAPIAuditLogPath: {
 value: '/var/log/kubernetes/audit/audit.log',
diff --git a/documentation/src/constants/kubernetes/kubeAPIArgs.ts b/documentation/src/constants/kubernetes/kubeAPIArgs.ts
index 155d0258a..57bfe6003 100644
--- a/documentation/src/constants/kubernetes/kubeAPIArgs.ts
+++ b/documentation/src/constants/kubernetes/kubeAPIArgs.ts
@@ -126,7 +126,7 @@ export const KUBE_API_ARGS: TCustomValueItems = {
 authorizationMode: { value: "Node,RBAC" },
 authorizationWebhookVersion: { value: "v1beta1" },
 cloudProvider: { value: "external" },
- enableAdmissionPlugins: { value: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,AlwaysPullImages,NodeRestriction,PodSecurity" },
+ enableAdmissionPlugins: { value: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PodSecurity" },
 endpointReconcilerType: { value: "lease" },
 storageMediaType: { value: "application/vnd.kubernetes.protobuf" },
 etcdPrefix: { value: "/registry" },
diff --git a/documentation/src/constants/kubernetes/kubeControllerManagerArgs.ts b/documentation/src/constants/kubernetes/kubeControllerManagerArgs.ts
index 982c14b2c..8ac990ced 100644
--- a/documentation/src/constants/kubernetes/kubeControllerManagerArgs.ts
+++ b/documentation/src/constants/kubernetes/kubeControllerManagerArgs.ts
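Review bot: Dropping `AlwaysPullImages` from `enableAdmissionPlugins` is an unexplained security-policy change hidden in a commit described as "lil fixes": that admission plugin forces every pod start to re-authenticate to the registry, which is what stops a pod from reusing a private image another tenant already pulled onto the same node, and neither `NodeRestriction` nor `PodSecurity` covers that gap. If the removal is deliberate (the plugin does cost a registry round-trip per pod start and breaks nodes with no registry access), record the reason beside the value, e.g. `// AlwaysPullImages dropped: <reason>; private images cached on a node become reusable by any pod`; otherwise restore it. The commit message should mention the change either way.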
@@ -139,10 +139,10 @@ export const KUBE_CONTROLLER_MANAGER_ARGS: TCustomValueItems = { serviceClusterIpRange: { value: '' }, showHiddenMetricsForVersion: { value: '' }, terminatedPodGcThreshold: { value: '0' }, - tlsCertFile: { value: '' }, + tlsCertFile: { value: '/etc/kubernetes/pki/controller-manager-server.crt' }, tlsCipherSuites: { value: '' }, tlsMinVersion: { value: '' }, - tlsPrivateKeyFile: { value: '' }, + tlsPrivateKeyFile: { value: '/etc/kubernetes/pki/controller-manager-server.key' }, tlsSniCertKey: { value: '' }, unhealthyZoneThreshold: { value: '0.55' }, useServiceAccountCredentials: { value: 'true' }, diff --git a/documentation/src/constants/kubernetes/kubeSchedulerArgs.ts b/documentation/src/constants/kubernetes/kubeSchedulerArgs.ts index e0d165736..5828e8e90 100644 --- a/documentation/src/constants/kubernetes/kubeSchedulerArgs.ts +++ b/documentation/src/constants/kubernetes/kubeSchedulerArgs.ts @@ -165,13 +165,13 @@ export const KUBE_SCHEDULER_ARGS: TCustomValueItems = { value: '', }, tlsPrivateKeyFile: { - value: '', + value: '/etc/kubernetes/pki/scheduler-server.key', }, showHiddenMetricsForVersion: { value: '', }, tlsCertFile: { - value: '', + value: '/etc/kubernetes/pki/scheduler-server.crt', }, requestheaderClientCaFile: { value: '', diff --git a/documentation/src/constants/kubernetes/kubeadmConfigData.ts b/documentation/src/constants/kubernetes/kubeadmConfigData.ts index 40ad94677..2b3efa914 100644 --- a/documentation/src/constants/kubernetes/kubeadmConfigData.ts +++ b/documentation/src/constants/kubernetes/kubeadmConfigData.ts @@ -42,6 +42,10 @@ export const KUBEADM_COFNIG_DATA: TCustomValueItems = { mountPath: "/var/log/kubernetes/audit/" readOnly: false pathType: DirectoryOrCreate + - name: "k8s-audit-policy" + hostPath: "/etc/kubernetes/audit-policy.yaml" + mountPath: "/etc/kubernetes/audit-policy.yaml" + pathType: File certSANs: - "127.0.0.1" # TODO для доабвления внешнего FQDN в сертификаты кластера 
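Review bot: The new `tlsCertFile`/`tlsPrivateKeyFile` defaults hard-code `/etc/kubernetes/pki/controller-manager-server.crt` and `.key`, whereas every other path constant in this patch is built from `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}` and the `CERTIFICATES.kubernetesControllerManagerServer` entry added in certs.ts writes `controller-manager-server.pem` / `controller-manager-server-key.pem`, so a reader following the openssl page ends up with files these flags never reference. Derive both values from the certificate constant instead, e.g. `tlsCertFile: { value: CERTIFICATES.kubernetesControllerManagerServer.crtPath },` and `tlsPrivateKeyFile: { value: CERTIFICATES.kubernetesControllerManagerServer.keyPath },` (after agreeing on one extension), so the two cannot drift. Whether this file already imports `CERTIFICATES` is not visible in the hunk.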
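Review bot: The scheduler `tlsPrivateKeyFile`/`tlsCertFile` defaults hard-code `/etc/kubernetes/pki/scheduler-server.key` and `.crt`, which ignore `kubernetesBaseFolderPath` and do not match the `scheduler-server-key.pem` / `scheduler-server.pem` names that `CERTIFICATES.kubernetesSchedulerServer` in this same patch generates. Point them at `CERTIFICATES.kubernetesSchedulerServer.keyPath` and `.crtPath` (once the extension is settled) so the static-pod and kubeadm templates reference the files the openssl guide actually produces. The import needed for that is outside the hunk.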
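Review bot: The `k8s-audit-policy` extraVolume added to the kubeadm apiserver config lacks `readOnly: true`; kubeadm's HostPathMount defaults to read-write (the neighbouring `k8s-audit` entry even sets `readOnly: false` explicitly), so the audit policy — the file that decides what the apiserver logs — is writable from inside the apiserver container, unlike the static-pod manifest in this patch which mounts it `readOnly: true`. Add `readOnly: true` under the new entry. The path is also hard-coded rather than taken from `${CUSTOM_VALUE.kubernetesAPIAuditPolicyPath.value}`, which this patch sets to the same value; using the constant keeps the two templates from diverging.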
@@ -51,9 +55,35 @@ export const KUBEADM_COFNIG_DATA: TCustomValueItems = { extraArgs: cluster-name: "$\{CLUSTER_NAME}" ${KUBERNETES_KUBE_CONTROLLER_MANAGER_ARGS.data.value} + # ЕСЛИ НУЖНО ПОДКЛЮЧИТЬ СЕРВЕРНЫЕ СЕРТИФИКАТЫ ДЛЯ KUBE-CONTROLLER-MANAGER + # ОБРАТИТЕ ВНИМАНИЕ, ЧТО KUBEADM НЕ СОЗДАЕТ ДАННЫЕ СЕРТИФИКАТЫ + # ТРЕБУЕТСЯ РАСКОМЕНТИРОВАТЬ + # -> + # extraVolumes: + # - name: "controller-manager-crt" + # hostPath: "/etc/kubernetes/pki/controller-manager-server.crt" + # mountPath: "/etc/kubernetes/pki/controller-manager-server.crt" + # pathType: File + # - name: "controller-manager-key" + # hostPath: "/etc/kubernetes/pki/controller-manager-server.key" + # mountPath: "/etc/kubernetes/pki/controller-manager-server.key" + # pathType: File scheduler: extraArgs: ${KUBERNETES_KUBE_SCHEDULER_ARGS.data.value} + # ЕСЛИ НУЖНО ПОДКЛЮЧИТЬ СЕРВЕРНЫЕ СЕРТИФИКАТЫ ДЛЯ KUBE-SCHEDULER + # ОБРАТИТЕ ВНИМАНИЕ, ЧТО KUBEADM НЕ СОЗДАЕТ ДАННЫЕ СЕРТИФИКАТЫ + # ТРЕБУЕТСЯ РАСКОМЕНТИРОВАТЬ + # -> + # extraVolumes: + # - name: "scheduler-crt" + # hostPath: "/etc/kubernetes/pki/scheduler-server.crt" + # mountPath: "/etc/kubernetes/pki/scheduler-server.crt" + # pathType: File + # - name: "scheduler-key" + # hostPath: "/etc/kubernetes/pki/scheduler-server.key" + # mountPath: "/etc/kubernetes/pki/scheduler-server.key" + # pathType: File `, }, } diff --git a/documentation/src/constants/kubernetes/kubernetesArgs.ts b/documentation/src/constants/kubernetes/kubernetesArgs.ts index b5fe74278..c391c38b5 100644 --- a/documentation/src/constants/kubernetes/kubernetesArgs.ts +++ b/documentation/src/constants/kubernetes/kubernetesArgs.ts 
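Review bot: The commented `extraVolumes` templates mount the controller-manager and scheduler private keys into their pods without `readOnly: true`, so once uncommented the pods get write access to their own serving keys (kubeadm's HostPathMount defaults to read-write). Add `#     readOnly: true` under each of the four entries, matching the `readOnly: true` the scheduler static-pod manifest in this patch uses for the same files. The `hostPath`/`mountPath` values repeat `/etc/kubernetes/pki/...` literally instead of `${KUBE_CONTROLLER_MANAGER_ARGS.tlsCertFile.value}` and friends, so they can silently disagree with the `tls-cert-file` flags they are meant to back.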
@@ -339,6 +339,12 @@ export const KUBERNETES_KUBE_CONTROLLER_MANAGER_ARGS: TCustomValueItems = {
 v: "${KUBE_CONTROLLER_MANAGER_ARGS.v.value}"
 version: "${KUBE_CONTROLLER_MANAGER_ARGS.version.value}"
 volume-host-allow-local-loopback: "${KUBE_CONTROLLER_MANAGER_ARGS.volumeHostAllowLocalLoopback.value}"
+ # ЕСЛИ НУЖНО ПОДКЛЮЧИТЬ СЕРВЕРНЫЕ СЕРТИФИКАТЫ ДЛЯ KUBE-CONTROLLER-MANAGER
+ # ОБРАТИТЕ ВНИМАНИЕ, ЧТО KUBEADM НЕ СОЗДАЕТ ДАННЫЕ СЕРТИФИКАТЫ
+ # ТРЕБУЕТСЯ РАСКОМЕНТИРОВАТЬ
+ # ->
+ # tls-cert-file=${KUBE_CONTROLLER_MANAGER_ARGS.tlsCertFile.value}
+ # tls-private-key-file=${KUBE_CONTROLLER_MANAGER_ARGS.tlsPrivateKeyFile.value}
 # Не указывать если значение "" или undefined
 # cluster-signing-kube-apiserver-client-cert-file: "${KUBE_CONTROLLER_MANAGER_ARGS.clusterSigningKubeApiserverClientCertFile.value}"
 # cluster-signing-kube-apiserver-client-key-file: "${KUBE_CONTROLLER_MANAGER_ARGS.clusterSigningKubeApiserverClientKeyFile.value}"
@@ -360,10 +366,8 @@ export const KUBERNETES_KUBE_CONTROLLER_MANAGER_ARGS: TCustomValueItems = {
 # pv-recycler-pod-template-filepath-nfs: "${KUBE_CONTROLLER_MANAGER_ARGS.pvRecyclerPodTemplateFilepathNfs.value}"
 # service-cluster-ip-range: "${KUBE_CONTROLLER_MANAGER_ARGS.serviceClusterIpRange.value}"
 # show-hidden-metrics-for-version: "${KUBE_CONTROLLER_MANAGER_ARGS.showHiddenMetricsForVersion.value}"
- # tls-cert-file: "${KUBE_CONTROLLER_MANAGER_ARGS.tlsCertFile.value}"
 # tls-cipher-suites: "${KUBE_CONTROLLER_MANAGER_ARGS.tlsCipherSuites.value}"
 # tls-min-version: "${KUBE_CONTROLLER_MANAGER_ARGS.tlsMinVersion.value}"
- # tls-private-key-file: "${KUBE_CONTROLLER_MANAGER_ARGS.tlsPrivateKeyFile.value}"
 # tls-sni-cert-key: "${KUBE_CONTROLLER_MANAGER_ARGS.tlsSniCertKey.value}"
 # vmodule: "${KUBE_CONTROLLER_MANAGER_ARGS.vmodule.value}"
 # volume-host-cidr-denylist: "${KUBE_CONTROLLER_MANAGER_ARGS.volumeHostCidrDenylist.value}"
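Review bot: The new template lines `# tls-cert-file=${KUBE_CONTROLLER_MANAGER_ARGS.tlsCertFile.value}` and `# tls-private-key-file=${KUBE_CONTROLLER_MANAGER_ARGS.tlsPrivateKeyFile.value}` use `key=value` form, but every neighbouring entry in this `extraArgs` mapping is `key: "value"`; uncommenting them as the header instructs would drop a bare scalar into a YAML mapping and break the kubeadm config rather than enable the serving cert. The lines the second hunk deletes (`# tls-cert-file: "${KUBE_CONTROLLER_MANAGER_ARGS.tlsCertFile.value}"` and its key twin) already had the correct shape and could simply have been moved under the new header. The kube-scheduler block in the next hunk (`@@ -416,6 +420,13 @@`) has the same `=` form, and it closes its marker with `# <-` while this block does not. The template literal holding this YAML starts and ends outside the hunk.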
@@ -416,6 +420,13 @@ export const KUBERNETES_KUBE_SCHEDULER_ARGS: TCustomValueItems = {
 secure-port: "${KUBE_SCHEDULER_ARGS.securePort.value}"
 v: "${KUBE_SCHEDULER_ARGS.v.value}"
 version: "${KUBE_SCHEDULER_ARGS.version.value}"
+ # ЕСЛИ НУЖНО ПОДКЛЮЧИТЬ СЕРВЕРНЫЕ СЕРТИФИКАТЫ ДЛЯ KUBE-SCHEDULER
+ # ОБРАТИТЕ ВНИМАНИЕ, ЧТО KUBEADM НЕ СОЗДАЕТ ДАННЫЕ СЕРТИФИКАТЫ
+ # ТРЕБУЕТСЯ РАСКОМЕНТИРОВАТЬ
+ # ->
+ # tls-cert-file=${KUBE_SCHEDULER_ARGS.tlsCertFile.value}
+ # tls-private-key-file=${KUBE_SCHEDULER_ARGS.tlsPrivateKeyFile.value}
+ # <-
 # allow-metric-labels: "${KUBE_SCHEDULER_ARGS.allowMetricLabels.value}"
 # allow-metric-labels-manifest: "${KUBE_SCHEDULER_ARGS.allowMetricLabelsManifest.value}"
 # cert-dir: "${KUBE_SCHEDULER_ARGS.certDir.value}"
@@ -426,10 +437,8 @@ export const KUBERNETES_KUBE_SCHEDULER_ARGS: TCustomValueItems = {
 # requestheader-allowed-names: "${KUBE_SCHEDULER_ARGS.requestheaderAllowedNames.value}"
 # requestheader-client-ca-file: "${KUBE_SCHEDULER_ARGS.requestheaderClientCaFile.value}"
 # show-hidden-metrics-for-version: "${KUBE_SCHEDULER_ARGS.showHiddenMetricsForVersion.value}"
- # tls-cert-file: "${KUBE_SCHEDULER_ARGS.tlsCertFile.value}"
 # tls-cipher-suites: "${KUBE_SCHEDULER_ARGS.tlsCipherSuites.value}"
 # tls-min-version: "${KUBE_SCHEDULER_ARGS.tlsMinVersion.value}"
- # tls-private-key-file: "${KUBE_SCHEDULER_ARGS.tlsPrivateKeyFile.value}"
 # tls-sni-cert-key: "${KUBE_SCHEDULER_ARGS.tlsSniCertKey.value}"
 # vmodule: "${KUBE_SCHEDULER_ARGS.vmodule.value}"
 # write-config-to: "${KUBE_SCHEDULER_ARGS.writeConfigTo.value}"
diff --git a/documentation/static/img/certificates/certificates-masters-transport.svg b/documentation/static/img/certificates/certificates-masters-transport.svg
index 332544e0c..58147d776 100644
--- a/documentation/static/img/certificates/certificates-masters-transport.svg
+++ b/documentation/static/img/certificates/certificates-masters-transport.svg
@@ -1,4 +1,4 @@
-
K8S
Master Nodes
K8S...
Kube-Scheduler
Kube-Scheduler
Kube-Controller-Manager
Kube-Controller-Manager
ETCD
ETCD
Kube-Apiserver
Kube-Apiserver
Kubectl
Kubectl
Certificate
super-admin-client > kube-api
Certificatesuper-admin-client > kube...
Certificate
admin-client > kube-api
Certificateadmin-client > kube-api
kubeconfig
super-admin.conf
kubeconfigsuper-admin.conf
kubeconfig
admin.conf
kubeconfigadmin.conf
Certificate
scheduler-client > kube-api
Certificatescheduler-client > kube-a...
kubeconfig
scheduler.conf
kubeconfigscheduler.conf
Certificate
controller-client > kube-api
Certificatecontroller-client > kube-...
kubeconfig
controller-manager.conf
kubeconfigcontroller-mana...
Kubelet
Kubelet
Certificate
kubelet client > kube-api
Certificatekubelet client > kube-api
Certificate
kubelet-server
Certificatekubelet-server
kubeconfig
kubelet.conf
kubeconfigkubelet.conf
Certificate
kube-api-server
Certificatekube-api-server
Certificate
kube-api-client > kubelet
Certificatekube-api-client > ku...
Certificate
kube-api-client > etcd
Certificatekube-api-client >...
Certificate
etcd-peer > etcd
Certificateetcd-peer > etcd
Certificate
etcd-server
Certificateetcd-server
Certificate
kube-api-client > etcd
Certificatekube-api-client >...
Text is not SVG - cannot display
\ No newline at end of file +
K8S
Master Nodes
Kube-Scheduler
Kube-Controller-Manager
ETCD
Kube-Apiserver
Kubectl
Certificate
super-admin-client > kube-api
Certificate
admin-client > kube-api
kubeconfig
super-admin.conf
kubeconfig
admin.conf
Certificate
scheduler-client > kube-api
kubeconfig
scheduler.conf
Certificate
controller-client > kube-api
kubeconfig
controller-manager.conf
Kubelet
Certificate
kubelet client > kube-api
Certificate
kubelet-server
kubeconfig
kubelet.conf
Certificate
kube-api-server
Certificate
kube-api-client > kubelet
Certificate
kube-api-client > etcd
Certificate
etcd-peer > etcd
Certificate
etcd-server
Certificate
kube-api-client > etcd
Certificate
scheduler-server
Certificate
controller-server
K8S
Monitoring
Scraper
\ No newline at end of file diff --git a/documentation/static/img/certificates/certificates-masters.svg b/documentation/static/img/certificates/certificates-masters.svg index d6712d480..cc0ff287d 100644 --- a/documentation/static/img/certificates/certificates-masters.svg +++ b/documentation/static/img/certificates/certificates-masters.svg @@ -1,4 +1,4 @@ -
K8S
Master Nodes
K8S...
Certificate
kube-api-server
Certificatekube-api-server
Certificate
kube-api-client > kubelet
Certificatekube-api-client > kubelet
Certificate
controller-client > kube-api
Certificatecontroller-client > kube...
kubeconfig
controller-manager.conf
kubeconfigcontroller-mana...
Certificate
scheduler-client > kube-api
Certificatescheduler-client > kube-...
kubeconfig
scheduler.conf
kubeconfigscheduler.conf
Certificate
super-admin-client > kube-api
Certificatesuper-admin-client > kub...
Certificate
admin-client > kube-api
Certificateadmin-client > kube-api
kubeconfig
super-admin.conf
kubeconfigsuper-admi...
kubeconfig
admin.conf
kubeconfigadmin.conf
Certificate
kubelet client > kube-api
Certificatekubelet client > kube-api
kubeconfig
kubelet.conf
kubeconfigkubelet.co...
Certificate
kubelet-server
Certificatekubelet-server
Kubelet
Kubelet
Kubectl
Kubectl
ETCD
ETCD
Kube-Scheduler
Kube-Scheduler
Kube-Apiserver
Kube-Apiserver
Kube Controller Manager
Kube Controller Manager
Certificate
kube-api-client > etcd
Certificatekube-api-client >...
Certificate
etcd-server
Certificateetcd-server
Certificate
etcd-client
Certificateetcd-client
Certificate
etcd-peer > etcd
Certificateetcd-peer > etcd
Certificate
Kubernetes CA
CertificateKubernetes CA
Certificate
ETCD CA
CertificateETCD CA
Certificate
front-proxy-client > kube-api
Certificatefront-proxy-client...
Certificate
Front Proxy CA
CertificateFront Proxy CA
Text is not SVG - cannot display
\ No newline at end of file +
K8S
Master Nodes
Certificate
kube-api-server
Certificate
kube-api-client > kubelet
Certificate
controller-client > kube-api
kubeconfig
controller-manager.conf
Certificate
scheduler-client > kube-api
kubeconfig
scheduler.conf
Certificate
super-admin-client > kube-api
Certificate
admin-client > kube-api
kubeconfig
super-admin.conf
kubeconfig
admin.conf
Certificate
kubelet client > kube-api
kubeconfig
kubelet.conf
Certificate
kubelet-server
Kubelet
Kubectl
ETCD
Kube-Scheduler
Kube-Apiserver
Kube Controller Manager
Certificate
kube-api-client > etcd
Certificate
etcd-server
Certificate
etcd-client
Certificate
etcd-peer > etcd
Certificate
Kubernetes CA
Certificate
ETCD CA
Certificate
front-proxy-client > kube-api
Certificate
Front Proxy CA
Certificate
controller-server
Certificate
scheduler-server
\ No newline at end of file
From e334b7b48ec26cbeae80152da50a896a387b92d1 Mon Sep 17 00:00:00 2001 From: "egor.kudriashov" Date: Tue, 19 Aug 2025 19:30:13 +0300 Subject: [PATCH 2/2] fix paths --- documentation/src/constants/kubernetes/certs.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/documentation/src/constants/kubernetes/certs.ts b/documentation/src/constants/kubernetes/certs.ts
index 42b5e6651..34809e5ed 100644
--- a/documentation/src/constants/kubernetes/certs.ts
+++ b/documentation/src/constants/kubernetes/certs.ts
@@ -36,8 +36,8 @@ export const CERTIFICATES: TCertsItems = {
 cname: 'system:kube-controller-manager',
 },
 kubernetesControllerManagerServer: {
- keyPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/controller-manager-server-key.pem`,
- crtPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/controller-manager-server.pem`,
+ keyPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/controller-manager-server.key`,
+ crtPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/controller-manager-server.crt`,
 csrPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/openssl/csr/controller-manager-server.csr`,
 crtConf: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/openssl/controller-manager-server.conf`,
 keySize: '2048',
@@ -181,8 +181,8 @@ export const CERTIFICATES: TCertsItems = {
 cname: 'system:kube-scheduler',
 },
 kubernetesSchedulerServer: {
- keyPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/scheduler-server-key.pem`,
- crtPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/scheduler-server.pem`,
+ keyPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/scheduler-server.key`,
+ crtPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/pki/scheduler-server.crt`,
 csrPath: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/openssl/csr/scheduler-server.csr`,
 crtConf: `${CUSTOM_VALUE.kubernetesBaseFolderPath.value}/openssl/scheduler-server.conf`,
 keySize: '2048',