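https. The API server's certificate and key should be signed with the cluster's own CA, to get around the issues with self-signed certificates. For this, the following steps are recommended:
openssl genrsa -out app.key 2048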
openssl req -new -key app.key -subj "/CN=${CSR_NAME}" -out app.csr -config csr.conf
kubectl create -f csr.yaml
kubectl certificate approve csr_name
kubectl get csr app.csr -o jsonpath='{.status.certificate}' | openssl base64 -d -A -out app.pem
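Notes:
1. csr.conf has the details needed to set up the CSR successfully.
2. csr.yaml is written for the Kubernetes kind CertificateSigningRequest.
3. csr_name is defined in the CertificateSigningRequest.
4. spec.request in csr.yaml is set to the output of cat app.csr | base64 | tr -d '\n'.
5. app.pem and app.key are used to set up the https endpoint.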
Internal error occurred: failed calling webhook "com.me.webhooks.demo": Post https://webhook.sidecars.svc:443/mutate?timeout=10s: x509: certificate signed by unknown authority
How do I resolve the certificate signed by unknown authority problem?
References:
1. Writing a very basic kubernetes mutating admission webhook
2. Diving into Kubernetes MutatingAdmissionWebhook
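
Added example, not part of the original post: the API server validates the webhook's serving certificate against the CA bundle set in the webhook configuration (clientConfig.caBundle) and matches the service DNS name against the certificate's subjectAltName, so the same two checks can be reproduced locally with openssl. The function names and the throwaway demo PKI are assumptions constructed for illustration; only webhook.sidecars.svc, app.key, app.csr and app.pem come from the post.

```shell
#!/bin/sh
# check_webhook_cert CA_FILE CERT_FILE DNS_NAME
#   0 = ok, 1 = CERT_FILE does not chain to CA_FILE,
#   2 = DNS_NAME is not an exact subjectAltName entry (wildcards not handled).
# In a cluster, CA_FILE is the base64-decoded clientConfig.caBundle of the
# MutatingWebhookConfiguration and DNS_NAME is <service>.<namespace>.svc.
check_webhook_cert() {
  # Same failure the API server reports as "signed by unknown authority".
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  # Go's TLS stack (used by the API server) matches SAN entries only, not CN.
  openssl x509 -in "$2" -noout -text | tr ',' '\n' |
    sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$3" || return 2
}

# make_demo_pki DIR: constructed throwaway PKI, not a real cluster CA.
#   ca.crt signs app.pem; other.crt is an unrelated CA;
#   app.pem carries SAN DNS:webhook.sidecars.svc.
make_demo_pki() {
  ( cd "$1" || exit 1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > ssl.cnf
    printf 'subjectAltName=DNS:webhook.sidecars.svc\n' > san.ext
    for n in ca other; do
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ssl.cnf \
        -extensions ca -subj "/CN=demo-$n" -keyout "$n.key" -out "$n.crt" || exit 1
    done
    openssl genrsa -out app.key 2048 &&
    openssl req -new -key app.key -subj "/CN=webhook.sidecars.svc" \
      -config ssl.cnf -out app.csr &&
    openssl x509 -req -in app.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 1 -extfile san.ext -out app.pem
  ) >/dev/null 2>&1
}

# Demo run on the constructed PKI: status per CA bundle candidate.
demo=$(mktemp -d) && make_demo_pki "$demo" || echo "demo PKI setup failed" >&2
check_webhook_cert "$demo/ca.crt" "$demo/app.pem" webhook.sidecars.svc
echo "verified against signing CA: status $?"
check_webhook_cert "$demo/other.crt" "$demo/app.pem" webhook.sidecars.svc
echo "verified against unrelated CA: status $?"
```

A status of 1 against the bundle actually configured for the webhook means the bundle does not contain the CA that signed app.pem; a status of 2 means the CSR lacked the service DNS name as a SAN.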