this part shows how to create all the certificates a kubernetes cluster needs. it is one of the most security-critical steps in deploying a k8s cluster: every component authenticates with a certificate signed by the CA we create first, so whoever holds ca.key can mint an identity with any user name and any group.

i create these certificates directly on my hypervisor and transfer them to the machines later.

certificate authority

# create a certificate folder and work from it (all commands below write to the current directory)
> mkdir -p ~/code/k8s/kthw/ca && cd ~/code/k8s/kthw/ca

# generate the private key for the CA
> openssl genrsa -out ca.key 4096

# comment out the line starting with RANDFILE in /etc/ssl/openssl.cnf;
# on older openssl releases it points at ~/.rnd and openssl fails with
# "Can't load .../.rnd into RNG" when that file is missing or not writable
> sudo sed -i '0,/RANDFILE/{s/RANDFILE/\#&/}' /etc/ssl/openssl.cnf

# create a CSR using the private key
> openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr

# self sign the csr using its own private key.
# note: without an -extfile this yields a certificate with no basicConstraints;
# go's tls stack does not check that on a trust anchor so kubernetes accepts it,
# but tools that do (e.g. openssl verify -x509_strict) will reject it
> openssl x509 -req -in ca.csr -signkey ca.key \
  -CAcreateserial  -out ca.crt -days 1000

the admin client certificate

# generate private key for admin user
> openssl genrsa -out admin.key 4096

# generate CSR for admin user. note the O: the api server takes the CN as the user name
# and every O as a group, and system:masters is bound to cluster-admin, so this cert
# gives full cluster access to anyone holding admin.key
> openssl req -new -key admin.key -subj "/CN=admin/O=system:masters" -out admin.csr

# sign the certificate for the admin user using the CA's private key
> openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial  -out admin.crt -days 1000

the kubelet client certificates

we are going to skip certificate configuration for worker nodes for now. we will deal with them when we configure the workers. for now let’s just focus on the control plane components.

the controller manager client certificate

> openssl genrsa -out kube-controller-manager.key 4096

> openssl req -new -key kube-controller-manager.key -subj \
  "/CN=system:kube-controller-manager" -out kube-controller-manager.csr

> openssl x509 -req -in kube-controller-manager.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out kube-controller-manager.crt -days 1000

the kube proxy client certificate

> openssl genrsa -out kube-proxy.key 4096

> openssl req -new -key kube-proxy.key \
  -subj "/CN=system:kube-proxy" -out kube-proxy.csr

> openssl x509 -req -in kube-proxy.csr -CA ca.crt \
  -CAkey ca.key -CAcreateserial  -out kube-proxy.crt -days 1000

the scheduler client certificate

> openssl genrsa -out kube-scheduler.key 4096

> openssl req -new -key kube-scheduler.key \
  -subj "/CN=system:kube-scheduler" -out kube-scheduler.csr

> openssl x509 -req -in kube-scheduler.csr -CA ca.crt \
  -CAkey ca.key -CAcreateserial  -out kube-scheduler.crt -days 1000

the kubernetes api server certificate

cat > openssl.cnf <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
# in-cluster names of the kubernetes service
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
# cluster ip of the kubernetes service (first address of the service cidr)
IP.1 = 10.96.0.1
# the two masters, and the load balancer in front of them in the fork these commands come from
IP.2 = 192.168.5.11
IP.3 = 192.168.5.12
IP.4 = 192.168.5.30
# for components on the master that talk to the api server over loopback
IP.5 = 127.0.0.1
EOF

generate the certificate for kube-apiserver. clients verify the subjectAltName list, not the CN, so every name and ip a client dials must be in it, otherwise kubectl fails with an x509 "certificate is valid for ..., not ..." error. the -config puts the SANs into the csr, but openssl x509 -req ignores csr extensions, so they are passed again with -extfile when signing

> openssl genrsa -out kube-apiserver.key 4096

> openssl req -new -key kube-apiserver.key \
  -subj "/CN=kube-apiserver" -out kube-apiserver.csr -config openssl.cnf

> openssl x509 -req -in kube-apiserver.csr -CA ca.crt \
  -CAkey ca.key -CAcreateserial  -out kube-apiserver.crt \
  -extensions v3_req -extfile openssl.cnf -days 1000

the etcd Server certificate

cat > openssl-etcd.cnf <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.5.11
IP.2 = 192.168.5.12
IP.3 = 127.0.0.1
EOF

generate the certificate for etcd. it is the server certificate for the etcd endpoints on both masters, so the SAN list only needs the master ips and loopback, again passed with -extfile at signing time

> openssl genrsa -out etcd-server.key 4096

> openssl req -new -key etcd-server.key \
  -subj "/CN=etcd-server" -out etcd-server.csr -config openssl-etcd.cnf

> openssl x509 -req -in etcd-server.csr -CA ca.crt \
  -CAkey ca.key -CAcreateserial  -out etcd-server.crt \
  -extensions v3_req -extfile openssl-etcd.cnf -days 1000

the service account key pair

this pair is not a tls identity. the controller manager signs service account tokens with service-account.key and the api server verifies them with the public key in service-account.crt, so whoever holds this key can forge a token for any service account in the cluster

> openssl genrsa -out service-account.key 4096

> openssl req -new -key service-account.key \
  -subj "/CN=service-accounts" -out service-account.csr

> openssl x509 -req -in service-account.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial  -out service-account.crt -days 1000
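to see what these files actually assert, here is an added example of mine (not from the kthw fork) that issues the same kinds of certificates and then audits them the way kubernetes will read them: the CN/O to user/group mapping from the admin cert section, the SAN coverage of the api server and etcd certs, and that the service account key and cert belong together. it assumes openssl 1.1.1 or newer on PATH; the function names are mine, the key size and lifetime are shortened to keep it quick, and the SAN values are the page's, not real hosts:

```shell
#!/bin/sh
# Added example, not from the kubernetes-the-hard-way fork this page follows.
# Issues the same kinds of certs with explicit extensions, then audits them
# the way kubernetes will read them. Assumes openssl 1.1.1 or newer on PATH.
# Key size (2048) and lifetime (365 days) are shortened to keep the demo quick;
# the SAN values are the page's (10.96.0.1 etc.), not real hosts.
set -eu

# Minimal openssl config so nothing depends on /etc/ssl/openssl.cnf
# (the page's RANDFILE workaround exists because of that system file).
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA with CA:TRUE set. The page's ca.crt has no basicConstraints;
# go's tls accepts that as a trust anchor, stricter tooling does not.
mk_ca() {
  write_cnf ca.cnf
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -key ca.key -subj "/CN=KUBERNETES-CA" -days 365 \
    -config ca.cnf -out ca.crt
}

# issue_cert <name> <subject> <client|server> [SANs, e.g. "DNS:kubernetes,IP:10.96.0.1"]
# Adds extendedKeyUsage, which the page omits: a cert issued for one role
# cannot be presented in the other.
issue_cert() {
  name=$1; subj=$2; sans=${4:-}
  if [ "$3" = server ]; then eku=serverAuth; else eku=clientAuth; fi
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -subj "$subj" -config ca.cnf -out "$name.csr"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$eku" > "$name.ext"
  if [ -n "$sans" ]; then echo "subjectAltName=$sans" >> "$name.ext"; fi
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile "$name.ext" -days 365 -out "$name.crt" 2>/dev/null
}

# k8s_identity <cert>: print "user=<CN> groups=<O,...>", the identity the
# api server's x509 authenticator derives: CN becomes the user name, every O
# attribute becomes a group. This is why O=system:masters means cluster-admin.
k8s_identity() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline)
  user=$(printf '%s\n' "$subj" | sed -n 's/^ *CN=//p')
  groups=$(printf '%s\n' "$subj" | sed -n 's/^ *O=//p' | paste -sd, -)
  printf 'user=%s groups=%s\n' "$user" "$groups"
}

# check_server_cert <cert> <name-or-ipv4>...: the chain must verify for the
# sslserver purpose and every name or IP a client dials must be in the SAN
# list. go never falls back to the CN, so a missing entry fails the handshake.
check_server_cert() {
  crt=$1; shift
  openssl verify -CAfile ca.crt -purpose sslserver "$crt" 2>&1 | grep -q ': OK$' || return 1
  for n in "$@"; do
    case $n in
      *[!0-9.]*) out=$(openssl x509 -in "$crt" -noout -checkhost "$n" 2>&1) ;;
      *)         out=$(openssl x509 -in "$crt" -noout -checkip "$n" 2>&1) ;;
    esac
    case $out in *"does NOT match"*) return 1 ;; esac
  done
}

# sa_keypair_matches <cert> <key>: the service-account pair is not a tls
# identity. The controller manager signs tokens with the key and the api
# server verifies them with the public key from the cert, so they must agree.
sa_keypair_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo() {
  work=$(mktemp -d); cd "$work"
  mk_ca
  issue_cert admin "/CN=admin/O=system:masters" client
  issue_cert kube-apiserver "/CN=kube-apiserver" server \
    "DNS:kubernetes,DNS:kubernetes.default.svc.cluster.local,IP:10.96.0.1,IP:127.0.0.1"
  issue_cert service-account "/CN=service-accounts" client
  k8s_identity admin.crt
  if check_server_cert kube-apiserver.crt kubernetes.default.svc.cluster.local 10.96.0.1; then
    echo "kube-apiserver: SANs cover the service name and cluster ip"
  fi
  # 192.168.5.30 (the load balancer on the page) was left out above on purpose
  if ! check_server_cert kube-apiserver.crt 192.168.5.30; then
    echo "kube-apiserver: 192.168.5.30 missing, kubectl via the load balancer would fail"
  fi
  if sa_keypair_matches service-account.crt service-account.key; then
    echo "service-account: key and cert agree"
  fi
  cd / && rm -rf "$work"
}
demo
```

run it as a plain script to see the three checks on throwaway files, or source it and point check_server_cert at your real kube-apiserver.crt with every address from your SAN list plus the one your kubeconfig actually uses; the same function works for etcd-server.crt with the master ips.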

list all created control plane certificates

> ls -l
  ---
  admin.crt
  admin.csr
  admin.key
  ca.crt
  ca.csr
  ca.key
  ca.srl
  etcd-server.crt
  etcd-server.csr
  etcd-server.key
  kube-apiserver.crt
  kube-apiserver.csr
  kube-apiserver.key
  kube-controller-manager.crt
  kube-controller-manager.csr
  kube-controller-manager.key
  kube-proxy.crt
  kube-proxy.csr
  kube-proxy.key
  kube-scheduler.crt
  kube-scheduler.csr
  kube-scheduler.key
  openssl.cnf
  openssl-etcd.cnf
  service-account.crt
  service-account.csr
  service-account.key

run this loop from the ca directory to transfer the certificates to the master machines. ca.key goes along because the controller manager signs certificates with it, and service-account.key because it signs tokens, so check that both land with 0600 permissions and are owned by the user that runs the control plane; the client certificates for admin, controller manager, scheduler and kube-proxy are not copied here because they get wrapped into kubeconfigs in a later step

for instance in master-1 master-2; do
  scp ca.crt ca.key kube-apiserver.key kube-apiserver.crt \
    service-account.key service-account.crt \
    etcd-server.key etcd-server.crt \
    ${instance}:~/
done

— copyleft —

all commands shown on this page are from mmumshad’s fork of “kubernetes-the-hard-way” by kelseyhightower on github