This is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.
Getting started with AWS Private CA Connector for Kubernetes
The following topics describe how to use AWS Private CA to secure communication in a Kubernetes cluster. For another example, see Encryption in transit for Kubernetes on GitHub.
You can use a private certificate authority to secure communication with an Amazon EKS cluster. Before you begin, make sure you have the following:
- An AWS account with permissions appropriate to the scope of your security policy:
Amazon EKS clusters:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAM",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EKS",
      "Effect": "Allow",
      "Action": [
        "eks:CreateAddon",
        "eks:DescribeAddon",
        "eks:CreatePodIdentityAssociation",
        "eks:DescribeCluster"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMPassRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/CertManagerPrivateCARole"
    }
  ]
}
Other clusters:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetAndIssuePCACertificates",
      "Effect": "Allow",
      "Action": [
        "acm-pca:GetCertificate",
        "acm-pca:IssueCertificate"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RolesAnywhere",
      "Effect": "Allow",
      "Action": [
        "rolesanywhere:CreateProfile"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAM",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMPassRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/CertManagerPrivateCARole"
    }
  ]
}
- A Kubernetes cluster. To create an Amazon Elastic Kubernetes Service cluster, see the Amazon EKS Getting started guide. For simplicity, create an environment variable to hold the cluster name:
export CLUSTER=aws-privateca-demo
- The AWS Region in which the CA and the Amazon EKS cluster are located. For simplicity, create an environment variable to hold the Region:
export REGION=aws-region
- The Amazon Resource Name (ARN) of your private certificate authority in AWS Private CA. For simplicity, create an environment variable to hold the private CA ARN:
export CA_ARN="arn:aws:acm-pca:region:account:certificate-authority/CA_ID"
To create a private CA, see Create a private CA in AWS Private CA (https://docs.aws.amazon.com/privateca/latest/userguide/create-CA.html).
- A computer with the following software installed:
Install cert-manager
To use a private CA, you must install the cert-manager add-on, which requests certificates, distributes them, and automates certificate renewal. You must also install the aws-privateca-issuer plugin, which lets you issue private certificates from AWS Private CA. Use the following steps to install the add-on and the plugin.
Amazon EKS clusters:
Install cert-manager as an Amazon EKS add-on:
aws eks create-addon \
  --cluster-name $CLUSTER \
  --addon-name cert-manager \
  --region $REGION
Other clusters:
Install cert-manager with Helm:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set crds.enabled=true
Set up IAM permissions
The aws-privateca-issuer plugin needs permissions to interact with AWS Private CA. For Amazon EKS clusters, you can use Pod Identity. For other clusters, you can use AWS Identity and Access Management Roles Anywhere.
Next, create the IAM role. The role uses the AWSPrivateCAConnectorForKubernetesPolicy managed policy. For more information about the policy, see AWSPrivateCAConnectorForKubernetesPolicy in the AWS Managed Policy Reference Guide.
Amazon EKS clusters:
- Create a file named trust-policy.json that contains the following trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustPolicyForEKSClusters",
      "Effect": "Allow",
      "Principal": {
        "Service": "pods.eks.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}
- Run the following commands to create the IAM role:
ROLE_ARN=$(aws iam create-role \
  --role-name CertManagerPrivateCARole \
  --assume-role-policy-document file://trust-policy.json \
  --region $REGION \
  --output text \
  --query "Role.Arn")
aws iam attach-role-policy \
  --role-name CertManagerPrivateCARole \
  --policy-arn arn:aws:iam::aws:policy/AWSPrivateCAConnectorForKubernetesPolicy
Other clusters:
- Create a trust anchor that trusts the private CA stored in CA_ARN. For instructions, see Getting started with IAM Roles Anywhere. Create an environment variable to hold the trust anchor ARN:
export TRUST_ANCHOR_ARN=trustAnchorArn
- Create a file named trust-policy.json that contains the following trust policy, replacing the aws:SourceArn value with the ARN of your trust anchor. The two conditions limit who can assume the role: only sessions created through your trust anchor, and only with a certificate whose subject CN is aws-privateca-issuer.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustPolicyForSelfManagedOrOnPremiseClusters",
      "Effect": "Allow",
      "Principal": {
        "Service": "rolesanywhere.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetSourceIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": [
            "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/TRUST_ANCHOR_ARN"
          ]
        },
        "StringEquals": {
          "aws:PrincipalTag/x509Subject/CN": "aws-privateca-issuer"
        }
      }
    }
  ]
}
- Run the following commands to create the IAM role:
ROLE_ARN=$(aws iam create-role \
  --role-name CertManagerPrivateCARole \
  --assume-role-policy-document file://trust-policy.json \
  --query "Role.Arn" \
  --region $REGION \
  --output text)
aws iam attach-role-policy \
  --role-name CertManagerPrivateCARole \
  --region $REGION \
  --policy-arn arn:aws:iam::aws:policy/AWSPrivateCAConnectorForKubernetesPolicy
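As an added example that is not part of this page, the following Python check flags a Roles Anywhere trust policy that lacks the two conditions shown above (aws:SourceArn pinned to the trust anchor, and the x509Subject/CN tag pinned to the issuer's certificate subject). The scoped policy is the one from this page with its placeholders; the unscoped variant is constructed here for comparison.

```python
import json

# Trust policy from this page's Roles Anywhere setup, placeholder values left as on the page.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "TrustPolicyForSelfManagedOrOnPremiseClusters",
    "Effect": "Allow",
    "Principal": {"Service": "rolesanywhere.amazonaws.com"},
    "Action": ["sts:AssumeRole", "sts:SetSourceIdentity", "sts:TagSession"],
    "Condition": {
      "ArnEquals": {"aws:SourceArn": ["arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/TRUST_ANCHOR_ARN"]},
      "StringEquals": {"aws:PrincipalTag/x509Subject/CN": "aws-privateca-issuer"}
    }
  }]
}""")

# Constructed weak variant: same principal and actions, but the Condition block is missing.
UNSCOPED_POLICY = json.loads(json.dumps(SCOPED_POLICY))
del UNSCOPED_POLICY["Statement"][0]["Condition"]


def _as_list(value):
    """IAM accepts a single string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_rolesanywhere_trust(policy: dict) -> list:
    """Return findings for each Allow statement that lets rolesanywhere.amazonaws.com assume the role."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "rolesanywhere.amazonaws.com" not in services:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        anchors = [a for op in ("ArnEquals", "ArnLike")
                   for a in _as_list(cond.get(op, {}).get("aws:SourceArn", []))]
        if not anchors:
            findings.append(f"{sid}: no aws:SourceArn condition, so any trust anchor in the account can use this role")
        elif not all(":trust-anchor/" in a for a in anchors):
            findings.append(f"{sid}: aws:SourceArn does not name a trust anchor")
        subject_keys = [k for op in ("StringEquals", "StringLike")
                        for k in cond.get(op, {}) if k.startswith("aws:PrincipalTag/x509Subject/")]
        if not subject_keys:
            findings.append(f"{sid}: no x509Subject condition, so any certificate from the trusted CA can use this role")
    return findings
```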
Install and configure the AWS Private CA cluster issuer
To install the aws-privateca-connector-for-kubernetes add-on, use the following commands:
Amazon EKS clusters:
Create the add-on:
aws eks create-addon --region $REGION \
  --cluster-name $CLUSTER \
  --addon-name aws-privateca-connector-for-kubernetes \
  --pod-identity-associations "[{
    \"serviceAccount\": \"aws-privateca-issuer\",
    \"roleArn\": \"$ROLE_ARN\"
  }]"
Then wait for the add-on to reach the active status:
aws eks describe-addon \
  --cluster-name $CLUSTER \
  --addon-name aws-privateca-connector-for-kubernetes \
  --region $REGION \
  --query 'addon.status'
Other clusters:
- Create a profile in IAM Roles Anywhere:
PROFILE_ARN=$(aws rolesanywhere create-profile \
  --name "privateca-profile" \
  --role-arns "$ROLE_ARN" \
  --region "$REGION" \
  --query 'profile.profileArn' \
  --enabled \
  --output text)
- Generate a client certificate that Connector for Kubernetes uses with IAM Roles Anywhere to authenticate to AWS Private CA:
  - Generate a private key for the client certificate:
openssl genrsa -out client.key 2048
  - Generate a certificate signing request (CSR) for the client certificate. The CN must match the aws:PrincipalTag/x509Subject/CN condition in the trust policy:
openssl req -new \
  -key client.key \
  -out client.csr \
  -subj "/CN=aws-privateca-issuer"
  - Issue the client certificate from AWS Private CA:
CERT_ARN=$(aws acm-pca issue-certificate \
  --signing-algorithm SHA256WITHRSA \
  --csr fileb://client.csr \
  --validity Value=1,Type=DAYS \
  --certificate-authority-arn "$CA_ARN" \
  --region "$REGION" \
  --query 'CertificateArn' \
  --output text)
  - Store the client certificate locally:
aws acm-pca get-certificate \
  --certificate-authority-arn $CA_ARN \
  --certificate-arn $CERT_ARN \
  --region $REGION \
  --query 'Certificate' \
  --output text > pca-issuer-client-cert.pem
- Install the AWS Private CA issuer in the cluster using the client certificate:
  - Add the awspca Helm repository:
helm repo add awspca https://cert-manager.github.io/aws-privateca-issuer
helm repo update
  - Create the namespace:
kubectl create namespace aws-privateca-issuer
  - Put the certificate you created earlier into a secret:
kubectl create secret tls aws-privateca-credentials \
  -n aws-privateca-issuer \
  --cert=pca-issuer-client-cert.pem \
  --key=client.key
- Install the AWS Private CA issuer with IAM Roles Anywhere using the following commands:
  - Create a file named values.yaml that configures the AWS Private CA issuer plugin to work with IAM Roles Anywhere. The credential helper runs as a sidecar, serves temporary credentials on the local metadata endpoint, and reads the client certificate and key from the secret mounted read-only:
cat > values.yaml <<EOF
env:
  AWS_EC2_METADATA_SERVICE_ENDPOINT: "http://127.0.0.1:9911"
extraContainers:
  - name: "rolesanywhere-credential-helper"
    image: "public.ecr.aws/rolesanywhere/credential-helper:latest"
    command: ["aws_signing_helper"]
    args:
      - "serve"
      - "--private-key"
      - "/etc/cert/tls.key"
      - "--certificate"
      - "/etc/cert/tls.crt"
      - "--role-arn"
      - "$ROLE_ARN"
      - "--profile-arn"
      - "$PROFILE_ARN"
      - "--trust-anchor-arn"
      - "$TRUST_ANCHOR_ARN"
    volumeMounts:
      - name: cert
        mountPath: /etc/cert/
        readOnly: true
volumes:
  - name: cert
    secret:
      secretName: aws-privateca-credentials
EOF
  - Install the AWS Private CA issuer with IAM Roles Anywhere using the following command:
helm install aws-privateca-issuer awspca/aws-privateca-issuer \
  -n aws-privateca-issuer \
  -f values.yaml
Wait for the issuer to become ready. Use the following command:
kubectl wait --for=condition=ready pods --all -n aws-privateca-issuer --timeout=120s
Then verify the installation to make sure that all pods have reached the READY state:
kubectl -n aws-privateca-issuer get all
To configure the aws-private-ca-cluster-issuer, create a YAML file named cluster-issuer.yaml that contains the issuer configuration:
cat > cluster-issuer.yaml <<EOF
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
  name: aws-privateca-cluster-issuer
spec:
  arn: "$CA_ARN"
  region: "$REGION"
EOF
Then apply the cluster issuer configuration:
kubectl apply -f cluster-issuer.yaml
Check the status of the issuer:
kubectl describe awspcaclusterissuer aws-privateca-cluster-issuer
You should see a response similar to the following:
Status:
  Conditions:
    Last Transition Time:  2025-08-13T21:00:00Z
    Message:               AWS PCA Issuer is ready
    Reason:                Verified
    Status:                True
    Type:                  Ready
Manage the AWS Private CA client certificate with cert-manager
If you are not using an Amazon EKS cluster, then after you have manually bootstrapped trust with the certificate in aws-privateca-issuer, you can switch to a client authentication certificate managed by cert-manager. This lets cert-manager renew the client authentication certificate automatically. Because the bootstrap certificate was issued with a validity of 1 day, create the managed certificate before it expires; the managed certificate is written to the same aws-privateca-credentials secret that the credential helper mounts.
- Create a file named pca-auth-cert.yaml:
cat > pca-auth-cert.yaml <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: aws-privateca-client-cert
  namespace: aws-privateca-issuer
spec:
  secretName: aws-privateca-credentials
  duration: 168h
  renewBefore: 48h
  commonName: aws-privateca-issuer
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
  usages:
    - client auth
  issuerRef:
    name: aws-privateca-cluster-issuer
    kind: AWSPCAClusterIssuer
    group: awspca.cert-manager.io
EOF
- Create the new managed client authentication certificate:
kubectl apply -f pca-auth-cert.yaml
- Verify that the certificate was created:
kubectl get certificate aws-privateca-client-cert -n aws-privateca-issuer
You should see a response similar to the following:
NAME                        READY   SECRET                      AGE
aws-privateca-client-cert   True    aws-privateca-credentials   19m
Issue your first TLS certificate
Now that cert-manager and aws-privateca-issuer are installed, you can issue certificates.
Create a YAML file named certificate.yaml that contains the Certificate resource:
cat > certificate.yaml <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-certificate
  namespace: default
spec:
  secretName: example-certificate-tls
  issuerRef:
    name: aws-privateca-cluster-issuer
    kind: AWSPCAClusterIssuer
    group: awspca.cert-manager.io
  commonName: example.internal
  dnsNames:
    - example.internal
    - api.example.internal
  duration: 2160h # 90 days
  renewBefore: 360h # 15 days
  usages:
    - digital signature
    - key encipherment
    - server auth
EOF
Apply the certificate with the following command:
kubectl apply -f certificate.yaml
You can then check the status of the certificate with the following commands:
kubectl get certificate example-certificate
kubectl describe certificate example-certificate
You should see a response similar to the following:
NAME                  READY   SECRET                    AGE
example-certificate   True    example-certificate-tls   30s
You can inspect the issued certificate with the following command:
kubectl get secret example-certificate-tls -o yaml
You can also decode and inspect the certificate with the following command:
kubectl get secret example-certificate-tls -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout
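As an added example that is not part of this page, the following Python code checks the two Certificate manifests above (the cert-manager-managed client certificate and the example TLS certificate) for the settings this walkthrough relies on: a renewBefore shorter than duration, an issuerRef that targets the AWSPCAClusterIssuer, and key rotation on the client-auth certificate that doubles as an AWS credential. The dicts mirror the page's manifests; the misconfigured one is constructed.

```python
import re

# Go duration units accepted by cert-manager's duration and renewBefore fields.
_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
_PART_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_go_duration(text: str) -> float:
    """Parse a Go-style duration such as '2160h' or '1h30m' into seconds; reject anything else."""
    pos, total = 0, 0.0
    for m in _PART_RE.finditer(text):
        if m.start() != pos:          # gap or junk between parts, e.g. "1h x"
            break
        total += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):  # nothing parsed, or an unsupported unit such as "90d"
        raise ValueError(f"invalid duration: {text!r}")
    return total


def check_certificate(cert: dict) -> list:
    """Return findings for a cert-manager Certificate meant for this page's AWSPCAClusterIssuer."""
    spec = cert.get("spec", {})
    findings = []
    ref = spec.get("issuerRef", {})
    if (ref.get("kind"), ref.get("group")) != ("AWSPCAClusterIssuer", "awspca.cert-manager.io"):
        findings.append("issuerRef does not reference an AWSPCAClusterIssuer")
    try:
        duration = parse_go_duration(spec.get("duration", "2160h"))  # cert-manager default: 90 days
        renew = parse_go_duration(spec["renewBefore"]) if "renewBefore" in spec else duration / 3
    except ValueError as exc:
        return findings + [str(exc)]
    if renew >= duration:
        findings.append("renewBefore must be shorter than duration")
    if "client auth" in spec.get("usages", []) and spec.get("privateKey", {}).get("rotationPolicy") != "Always":
        findings.append("client auth certificate keeps its private key across renewals unless rotationPolicy is Always")
    return findings


# The two Certificate manifests from this page, reduced to the fields the checks read.
ISSUER_REF = {"name": "aws-privateca-cluster-issuer", "kind": "AWSPCAClusterIssuer", "group": "awspca.cert-manager.io"}
PCA_AUTH_CERT = {"spec": {"duration": "168h", "renewBefore": "48h", "usages": ["client auth"],
                          "privateKey": {"algorithm": "ECDSA", "size": 256, "rotationPolicy": "Always"},
                          "issuerRef": ISSUER_REF}}
EXAMPLE_CERT = {"spec": {"duration": "2160h", "renewBefore": "360h", "issuerRef": ISSUER_REF,
                         "usages": ["digital signature", "key encipherment", "server auth"]}}
# Constructed misconfiguration: renewal window longer than the lifetime, and the key is never rotated.
BAD_CERT = {"spec": {"duration": "168h", "renewBefore": "200h", "usages": ["client auth"],
                     "privateKey": {"rotationPolicy": "Never"}, "issuerRef": ISSUER_REF}}
```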