Kubernetes Authentication

Time: 2017-01-11 10:01:52

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=cluster.local" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=kubernetes-master" -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 5000

--service-account-private-key-file provided to the controller manager is used to sign service account tokens. The corresponding public key must be provided to the api server with --service-account-key-file, which uses it to verify tokens.

As a convenience, you can provide a private key to both, and the public key portion of it will be used by the api server to verify token signatures.

As a further convenience, the api server's private key for its serving certificate is used to verify service account tokens if you don't specify --service-account-key-file.

--tls-cert-file and --tls-private-key-file are used to provide the serving cert and key to the api server. If you don't specify these, the api server will make a self-signed cert/key-pair and store it at apiserver.crt/apiserver.key.

https://github.com/kubernetes/kubernetes/issues/22351#event-913006676
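
The signing and verification relationship described above, as an added example (not from the original post and not Kubernetes code): it creates a dedicated service-account key pair, checks that the public half matches the private half, and shows that an RS256-signed token verifies only against the matching public key. The file names sa.key and sa.pub, the function names and the token claims are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. File names sa.key/sa.pub and the claims are constructed.
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# Dedicated signing pair: sa.key goes to the controller manager
# (--service-account-private-key-file), sa.pub to the API server
# (--service-account-key-file). The TLS serving key stays separate.
make_sa_keys() {  # $1 = output directory
    openssl genrsa -out "$1/sa.key" 2048 2>/dev/null &&
    openssl rsa -in "$1/sa.key" -pubout -out "$1/sa.pub" 2>/dev/null
}

# Pre-deployment check: does this public key belong to this private key?
keys_match() {  # $1 = private key, $2 = public key
    a=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    b=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Signer side: RS256 JWT = b64url(header).b64url(claims).b64url(signature)
sign_token() {  # $1 = private key, $2 = claims JSON
    hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
    pay=$(printf '%s' "$2" | b64url)
    sig=$(printf '%s' "$hdr.$pay" | openssl dgst -sha256 -sign "$1" | b64url)
    printf '%s.%s.%s' "$hdr" "$pay" "$sig"
}

# Verifier side: needs only the public key.
verify_token() {  # $1 = public key, $2 = token
    signed=${2%.*}; sig=${2##*.}
    # Restore the base64 padding that base64url encoding strips.
    case $(( ${#sig} % 4 )) in 2) sig="$sig==" ;; 3) sig="$sig=" ;; esac
    tmp=$(mktemp) || return 2
    printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$tmp"
    printf '%s' "$signed" | openssl dgst -sha256 -verify "$1" -signature "$tmp" >/dev/null 2>&1
    rc=$?; rm -f "$tmp"; return $rc
}

# Demo with constructed claims: the token is accepted with the matching
# public key and rejected with an unrelated one (the key-mismatch case).
d=$(mktemp -d) && mkdir "$d/other"
make_sa_keys "$d" && make_sa_keys "$d/other"
tok=$(sign_token "$d/sa.key" '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:default"}')
verify_token "$d/sa.pub" "$tok" && echo "matching public key: token accepted"
verify_token "$d/other/sa.pub" "$tok" || echo "unrelated public key: token rejected"
rm -rf "$d"
```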

Original: http://www.cnblogs.com/zhangeamon/p/6272445.html
