k8s thw 04 - certificate authority
this nice part shows us how to create all needed kubernetes certificates - it is one of the most critical parts in deploying a k8s cluster
i create these certificates directly on my hypervisor and transfer them to the machines later
certificate authority
# create a certificate folder
> mkdir ~/code/k8s/kthw/ca
# generate the private key for the CA
> openssl genrsa -out ca.key 4096
# comment out the first line starting with RANDFILE
# in /etc/ssl/openssl.cnf to avoid permission issues
> sudo sed -i '0,/RANDFILE/{s/RANDFILE/\#&/}' /etc/ssl/openssl.cnf
# create a CSR using the private key
> openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr
# self sign the csr using its own private key
> openssl x509 -req -in ca.csr -signkey ca.key \
-CAcreateserial -out ca.crt -days 1000
the admin client certificate
# generate private key for admin user
> openssl genrsa -out admin.key 4096
# generate CSR for admin user. note the O=system:masters: kubernetes reads the O field as the group
> openssl req -new -key admin.key -subj "/CN=admin/O=system:masters" -out admin.csr
# sign certificate for admin user using the CA's private key
> openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out admin.crt -days 1000
the kubelet client certificates
we are going to skip certificate configuration for worker nodes for now. we will deal with them when we configure the workers. for now let’s just focus on the control plane components.
the controller manager client certificate
> openssl genrsa -out kube-controller-manager.key 4096
> openssl req -new -key kube-controller-manager.key -subj \
"/CN=system:kube-controller-manager" -out kube-controller-manager.csr
> openssl x509 -req -in kube-controller-manager.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out kube-controller-manager.crt -days 1000
the kube proxy client certificate
> openssl genrsa -out kube-proxy.key 4096
> openssl req -new -key kube-proxy.key \
-subj "/CN=system:kube-proxy" -out kube-proxy.csr
> openssl x509 -req -in kube-proxy.csr -CA ca.crt \
-CAkey ca.key -CAcreateserial -out kube-proxy.crt -days 1000
the scheduler client certificate
> openssl genrsa -out kube-scheduler.key 4096
> openssl req -new -key kube-scheduler.key \
-subj "/CN=system:kube-scheduler" -out kube-scheduler.csr
> openssl x509 -req -in kube-scheduler.csr -CA ca.crt \
-CAkey ca.key -CAcreateserial -out kube-scheduler.crt -days 1000
the kubernetes api server certificate
cat > openssl.cnf <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
IP.1 = 10.96.0.1
IP.2 = 192.168.5.11
IP.3 = 192.168.5.12
IP.4 = 192.168.5.30
IP.5 = 127.0.0.1
EOF
generate the kube-apiserver certificate using this config (the SANs only end up in the certificate because of -extensions v3_req -extfile)
> openssl genrsa -out kube-apiserver.key 4096
> openssl req -new -key kube-apiserver.key \
-subj "/CN=kube-apiserver" -out kube-apiserver.csr -config openssl.cnf
> openssl x509 -req -in kube-apiserver.csr -CA ca.crt \
-CAkey ca.key -CAcreateserial -out kube-apiserver.crt \
-extensions v3_req -extfile openssl.cnf -days 1000
the etcd server certificate
cat > openssl-etcd.cnf <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.5.11
IP.2 = 192.168.5.12
IP.3 = 127.0.0.1
EOF
generate the etcd server certificate using this config
> openssl genrsa -out etcd-server.key 4096
> openssl req -new -key etcd-server.key \
-subj "/CN=etcd-server" -out etcd-server.csr -config openssl-etcd.cnf
> openssl x509 -req -in etcd-server.csr -CA ca.crt \
-CAkey ca.key -CAcreateserial -out etcd-server.crt \
-extensions v3_req -extfile openssl-etcd.cnf -days 1000
the service account key pair
> openssl genrsa -out service-account.key 4096
> openssl req -new -key service-account.key \
-subj "/CN=service-accounts" -out service-account.csr
> openssl x509 -req -in service-account.csr \
-CA ca.crt -CAkey ca.key -CAcreateserial -out service-account.crt -days 1000
list all created control plane certificates
> ls -l
---
admin.crt
admin.csr
admin.key
ca.crt
ca.csr
ca.key
ca.srl
etcd-server.crt
etcd-server.csr
etcd-server.key
kube-apiserver.crt
kube-apiserver.csr
kube-apiserver.key
kube-controller-manager.crt
kube-controller-manager.csr
kube-controller-manager.key
kube-proxy.crt
kube-proxy.csr
kube-proxy.key
kube-scheduler.crt
kube-scheduler.csr
kube-scheduler.key
openssl.cnf
openssl-etcd.cnf
service-account.crt
service-account.csr
service-account.key
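a quick check that the files above are what the control plane expects: each cert chains to ca.crt, the subject carries the right CN/O, and the apiserver cert really got its SANs. this is an added example, not code from the page or from the kubernetes-the-hard-way repo; the function names are mine, and the sandbox it builds in a temp dir is constructed (2048-bit keys, two SANs) so it runs on its own. point the functions at the ca directory instead to check the real files.

```shell
# Added check, not code from the page or the kubernetes-the-hard-way repo: does a
# cert chain to ca.crt and carry the subject fields / SANs the control plane needs?
# The sandbox is constructed; point the functions at the page's ca directory instead.
set -eu

# subject components (RFC2253, one per line) followed by SAN entries of a cert
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//' | tr ',' '\n'
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed 's/^ *//'
}

# verify_cert CERT CAFILE WANT... -> 0 only if CERT chains to CAFILE and every WANT
# (e.g. CN=admin, O=system:masters, DNS:kubernetes, "IP Address:127.0.0.1") is present
verify_cert() {
  cert=$1; cafile=$2; shift 2
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 1
  names=$(cert_names "$cert")
  for want in "$@"; do
    printf '%s\n' "$names" | grep -Fxq -- "$want" || return 1
  done
}

# constructed sandbox in a temp dir (2048-bit keys for speed) following the page's
# steps, plus a v3_ca section so the CA cert says CA:TRUE, and one apiserver cert
# signed without -extensions/-extfile: the slip this check is meant to catch
make_sandbox() {
  cd "$(mktemp -d)"
  printf '%s\n' '[req]' 'req_extensions = v3_req' \
    'distinguished_name = req_distinguished_name' '[req_distinguished_name]' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    '[v3_req]' 'basicConstraints = CA:FALSE' 'subjectAltName = @alt_names' \
    '[alt_names]' 'DNS.1 = kubernetes' 'IP.1 = 127.0.0.1' > openssl.cnf
  for n in ca admin kube-apiserver; do openssl genrsa -out "$n.key" 2048 2>/dev/null; done
  openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr
  openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 1000 \
    -extensions v3_ca -extfile openssl.cnf 2>/dev/null
  openssl req -new -key admin.key -subj "/CN=admin/O=system:masters" -out admin.csr
  openssl req -new -key kube-apiserver.key -subj "/CN=kube-apiserver" \
    -out kube-apiserver.csr -config openssl.cnf
  sign() { openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -days 1000 "$@" 2>/dev/null; }
  sign -in admin.csr -out admin.crt
  sign -in kube-apiserver.csr -out kube-apiserver-nosan.crt
  sign -in kube-apiserver.csr -out kube-apiserver.crt -extensions v3_req -extfile openssl.cnf
}
```

run `make_sandbox` and then e.g. `verify_cert kube-apiserver.crt ca.crt CN=kube-apiserver DNS:kubernetes "IP Address:127.0.0.1"`; the same call against kube-apiserver-nosan.crt fails even though that cert chains fine, which is exactly how a forgotten -extfile shows up.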
run this command from the ca directory to transfer the certificates to the master machines
for instance in master-1 master-2; do
scp ca.crt ca.key kube-apiserver.key kube-apiserver.crt \
service-account.key service-account.crt \
etcd-server.key etcd-server.crt \
${instance}:~/
done
— copyleft —
all commands shown on this page are from mmumshad’s fork of “kubernetes-the-hard-way” by kelseyhightower on github
19-09-2021