1 Kubernetes certificates

1.1 TLS

Every component of a Kubernetes cluster uses TLS certificates to encrypt and authenticate its communication. Prepare the relevant TLS certificates before deployment.

1.2 CA Certificate Creation Method

Kubernetes components use TLS certificates to encrypt their communication. To issue your own certificates (a private CA) you can normally use one of the following tools:

  • openssl
  • cfssl
  • easyrsa

1.3 Kubernetes Component Certificate

Mutual (two-way) TLS authentication is recommended when deploying Kubernetes components. The main certificates involved are:

  • Etcd certificate: TLS certificate used to encrypt communication between etcd cluster members.
  • Kube-apiserver certificate: the serving certificate kube-apiserver presents on its HTTPS endpoint.
  • Kube-controller-manager certificate: client certificate used to authenticate to kube-apiserver.
  • Kube-scheduler certificate: client certificate used to authenticate to kube-apiserver.
  • Kubelet certificate [optional]: client certificate used to authenticate to kube-apiserver. Not needed if TLS bootstrap authentication is used, because the kubelet then requests its certificate from the cluster.
  • Kube-proxy certificate [optional]: client certificate used to authenticate to kube-apiserver. Not needed if TLS bootstrap authentication is used.

2 OpenSSL generates a certificate

2.1 OpenSSL Creating a Certificate

    [root@master ~]# MASTER_IP=172.24.8.71    # define MASTER_IP
    [root@master ~]# mkdir cert
    [root@master ~]# cd cert
    [root@master cert]# openssl genrsa -out ca.key 2048    # generate a 2048-bit ca.key
    [root@master cert]# openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt    # generate ca.crt from ca.key (-days sets the validity period)
    [root@master cert]# openssl genrsa -out server.key 2048    # generate a 2048-bit server.key
    [root@master cert]# openssl req -new -key server.key -subj "/CN=${MASTER_IP}" -out server.csr    # generate server.csr
    [root@master cert]# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000    # sign server.csr with the CA to produce server.crt
    [root@master cert]# openssl x509 -noout -text -in ./server.crt    # inspect the resulting certificate

Note: server.crt above carries only a Common Name. Go-based TLS clients (kubectl, kubelet and every other Kubernetes component built with Go 1.15 or later) ignore the CN when matching the server address and require a subjectAltName, so for real use add the API server's IP addresses and DNS names as SANs when issuing the serving certificate; the EasyRSA example in section 4 shows the corresponding --subject-alt-name option.

3 CFSSL generates a certificate

3.1 CFSSL Creating a Certificate

    [root@master ~]# curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl    # download cfssl
    [root@master ~]# chmod u+x /usr/local/bin/cfssl
    [root@master ~]# curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson    # download cfssljson
    [root@master ~]# chmod u+x /usr/local/bin/cfssljson
    [root@master ~]# curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo    # download cfssl-certinfo
    [root@master ~]# chmod u+x /usr/local/bin/cfssl-certinfo
    [root@master ~]# mkdir cert
    [root@master ~]# cd cert/
    [root@master cert]# cfssl print-defaults config > config.json    # default signing config template
    [root@master cert]# cfssl print-defaults csr > csr.json          # default CSR template
    [root@master cert]# cp config.json ca-config.json
    [root@master cert]# vi ca-config.json
    {
      "signing": {
        "default": {
          "expiry": "168h"
        },
        "profiles": {
          "kubernetes": {
            "expiry": "8760h",
            "usages": [
              "signing",
              "key encipherment",
              "server auth",
              "client auth"
            ]
          }
        }
      }
    }

Field Description:

ca-config.json: can define multiple profiles, each with its own parameters such as expiry time and permitted usages; the profile is selected when a certificate is signed (cfssl gencert -profile=...);

  • signing: maps to the digitalSignature key usage. It does not by itself make the certificate a CA; the CA=TRUE basic constraint in the generated ca.pem comes from creating the CA with cfssl gencert -initca.
  • key encipherment: maps to the keyEncipherment key usage (needed for RSA key exchange).
  • server auth: the certificate may be presented by a server; a client can validate it against the CA.
  • client auth: the certificate may be presented by a client; a server can validate it against the CA.
    [root@master cert]# cp csr.json ca-csr.json
    [root@master cert]# vi ca-csr.json
    {
      "CN": "kubernetes",
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "Shanghai",
          "L": "Shanghai",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }

Field Description:

  • CN: Common Name. kube-apiserver extracts this field from a client certificate and uses it as the User Name of the request. Browsers historically matched the site name against it; modern TLS clients match the subjectAltName instead.
  • C: country;
  • ST: state or province;
  • L: city (locality);
  • O: Organization. kube-apiserver extracts this field from a client certificate and uses it as the Group the requesting user belongs to;
  • OU: Organization Unit.
    [root@master cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca    # generates the CA key (ca-key.pem) and certificate (ca.pem)

ca.pem (the CA certificate) can be copied to /etc/kubernetes/ssl on every machine to be deployed. ca-key.pem (the CA private key) is only needed on the host where certificates are signed; do not distribute it to every node.
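As an added example (not from the original page or the cfssl project), the single "kubernetes" profile above can be split into separate profiles so that a serving certificate cannot double as a client identity and a client certificate cannot be used to serve TLS. The profile names and expiry values are assumptions; the "usages" semantics are cfssl's own:

```json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "server": {
        "expiry": "8760h",
        "usages": ["signing", "key encipherment", "server auth"]
      },
      "client": {
        "expiry": "8760h",
        "usages": ["signing", "key encipherment", "client auth"]
      },
      "peer": {
        "expiry": "8760h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
```

Sign with cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server kube-apiserver-csr.json | cfssljson -bare kube-apiserver, where the CSR JSON lists the API server's IP addresses and DNS names in its "hosts" array (cfssl turns them into subjectAltName entries). Use -profile=client for kube-controller-manager and kube-scheduler, which only ever act as clients, and -profile=peer for etcd members, which both accept and initiate connections.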

4 EasyRSA generates a certificate

4.1 EasyRSA Creating a Certificate

    [root@master ~]# mkdir cert
    [root@master ~]# curl -LO https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz    # download easyrsa
    [root@master ~]# tar xzf easy-rsa.tar.gz
    [root@master ~]# cd easy-rsa-master/easyrsa3
    [root@master easyrsa3]# ./easyrsa init-pki
    [root@master easyrsa3]# MASTER_IP=172.24.8.71    # define MASTER_IP
    [root@master easyrsa3]# ./easyrsa --batch "--req-cn=${MASTER_IP}@$(date +%s)" build-ca nopass    # create the CA

Explanation:

--batch: run in non-interactive (batch) mode.

--req-cn: set the CN of the request (here the master IP plus a timestamp, so repeated runs produce distinct CA names).

    [root@master easyrsa3]# ./easyrsa --subject-alt-name="IP:${MASTER_IP}" build-server-full server nopass

Explanation:

build-server-full <filename>: generates a key pair and signs it locally with the CA as a server certificate (the files are written under pki/issued/ and pki/private/). --subject-alt-name adds the master IP as a SAN so TLS clients can match the address they connect to.

    [root@master easyrsa3]# cp pki/ca.crt pki/issued/server.crt pki/private/server.key /root/cert/

Note: once the certificates are generated, kube-apiserver can use them through the following options:

  • --client-ca-file=/root/cert/ca.crt
  • --tls-cert-file=/root/cert/server.crt
  • --tls-private-key-file=/root/cert/server.key

5 Related certificates and configuration items

5.1 API Server Certificate

API Server certificates are configured with the following two options:

  • --tls-cert-file string

File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.

  • --tls-private-key-file string

File containing the default x509 private key matching --tls-cert-file.

5.2 Client CA Certificate

  • --client-ca-file string

If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

This option tells the API Server which CA a client's certificate must be issued by; a client presenting a certificate not issued by that CA is rejected. This CA need not be the same CA that issued the serving certificate of the HTTPS endpoint. "Client" here is generic: it can be kubectl, another control-plane component, or an application you develop yourself. The CommonName of an accepted certificate becomes the request's user name and each Organization becomes a group.
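As an added example, not part of the original page, the following script extends the openssl commands of section 2.1 and the --client-ca-file behaviour described here: it builds a CA, an API server serving certificate with subjectAltName entries, and a client certificate whose CN and O map to a user and groups, then checks certificates the way kube-apiserver and Go TLS clients do (chain to the configured CA, identity from the subject, address matched against the SANs). The service IP 10.96.0.1, the DNS names, the user "admin", the groups "system:masters"/"developers" and the unrelated second CA are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): a minimal Kubernetes PKI built with
# openssl plus a check that mirrors how kube-apiserver treats client certificates.
# Assumed values: service IP 10.96.0.1, DNS names, user/group names below.
set -eu

# make_k8s_pki DIR MASTER_IP
# Writes into DIR: ca.crt/ca.key (CA:TRUE), apiserver.crt/.key (serverAuth with
# SANs), admin.crt/.key (clientAuth, CN=admin, O=system:masters, O=developers),
# and rogue.crt with the same subject but issued by an unrelated CA (other-ca.crt).
# The body runs in a subshell so the cd does not leak to the caller.
make_k8s_pki() (
  dir=$1; ip=$2
  mkdir -p "$dir" && cd "$dir"

  # Self-contained openssl config used for every req call, so the run does not
  # depend on the system openssl.cnf; -subj overrides [dn] where given.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = kubernetes-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # 1. CA: the basicConstraints/keyUsage above make it a usable issuer.
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -x509 -new -key ca.key -days 3650 -config ca.cnf -out ca.crt

  # 2. kube-apiserver serving cert: Go clients ignore the CN and match the SANs.
  cat > apiserver.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, IP:${ip}, IP:10.96.0.1
EOF
  openssl genrsa -out apiserver.key 2048 2>/dev/null
  openssl req -new -key apiserver.key -config ca.cnf -subj "/CN=kube-apiserver" -out apiserver.csr
  openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile apiserver.ext -out apiserver.crt 2>/dev/null

  # 3. Client cert: CN becomes the user name, every O becomes a group.
  cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
  openssl genrsa -out admin.key 2048 2>/dev/null
  openssl req -new -key admin.key -config ca.cnf -subj "/O=system:masters/O=developers/CN=admin" -out admin.csr
  openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile client.ext -out admin.crt 2>/dev/null

  # 4. Same privileged subject, signed by a CA the API server does not trust.
  openssl genrsa -out other-ca.key 2048 2>/dev/null
  openssl req -x509 -new -key other-ca.key -days 3650 -config ca.cnf -subj "/CN=other-ca" -out other-ca.crt
  openssl genrsa -out rogue.key 2048 2>/dev/null
  openssl req -new -key rogue.key -config ca.cnf -subj "/O=system:masters/CN=admin" -out rogue.csr
  openssl x509 -req -in rogue.csr -CA other-ca.crt -CAkey other-ca.key -CAcreateserial \
    -days 365 -extfile client.ext -out rogue.crt 2>/dev/null
)

# client_identity CLIENT_CA CERT
# What --client-ca-file does: a certificate that chains to the configured CA is
# mapped to "user=<CN> groups=<O,...>"; anything else prints "rejected".
client_identity() {
  if ! openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1; then
    echo "rejected"
    return 0
  fi
  subj=$(openssl x509 -noout -subject -nameopt sep_multiline -in "$2")
  cn=$(printf '%s\n' "$subj" | sed -n 's/^ *CN=//p')
  groups=$(printf '%s\n' "$subj" | sed -n 's/^ *O=//p' | paste -s -d, -)
  echo "user=${cn} groups=${groups}"
}

# check_serving_cert CA CERT IP: what a Go TLS client does with a serving cert:
# chain to the CA and require IP among the subjectAltName entries. The CN-only
# server.crt from section 2.1 fails this check.
check_serving_cert() {
  openssl verify -CAfile "$1" -purpose sslserver -verify_ip "$3" "$2" >/dev/null 2>&1
}

# server_sans CERT: the subjectAltName line of a serving certificate.
server_sans() {
  openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

if [ "${1:-}" = demo ]; then   # sh k8s-pki.sh demo  (writes ./demo-pki)
  make_k8s_pki ./demo-pki 172.24.8.71
  client_identity ./demo-pki/ca.crt ./demo-pki/admin.crt   # user=admin groups=system:masters,developers
  client_identity ./demo-pki/ca.crt ./demo-pki/rogue.crt   # rejected
fi
```

rogue.crt carries the same CN and O=system:masters as admin.crt, which is exactly why the chain check must come before the identity is read: the subject of a certificate is untrusted data until the signature chain to the CA named in --client-ca-file has been verified.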

5.3 Request Header Certificate

The API Server supports multiple authentication modes, one of which is to use the specified fields in the HTTP header for authentication. The configuration is as follows:

  • --requestheader-allowed-names stringSlice

List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.

  • --requestheader-client-ca-file string

Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests.

5.4 kubelet certificate

For the kubelet, the API Server has a separate set of options: the client certificate it presents when it connects to the kubelet (for requests such as logs, exec and port-forward) and the CA it uses to verify the kubelet's serving certificate. This CA can be completely independent of the other CAs mentioned above. The kubelet has the corresponding options on its side:

# API Server

  • --kubelet-certificate-authority string

Path to a cert file for the certificate authority.

  • --kubelet-client-certificate string

Path to a client cert file for TLS.

  • --kubelet-client-key string

Path to a client key file for TLS.

# Kubelet

  • --client-ca-file string

If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

  • --tls-cert-file string

File containing x509 Certificate used for serving HTTPS (with intermediate certs, if any, concatenated after server cert). If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to --cert-dir.

  • --tls-private-key-file string

File containing x509 private key matching --tls-cert-file.

5.5 Service Account Certificate

In the API Server configuration, there are also two certificate configurations for Service Account:

  • --service-account-key-file stringArray

File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify ServiceAccount tokens. The specified file can contain multiple keys, and the flag can be specified multiple times with different files. If unspecified, --tls-private-key-file is used. Must be specified when --service-account-signing-key is provided

  • --service-account-signing-key-file string

Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key. (Requires the 'TokenRequest' feature gate.)

These two options configure the keys used to sign and to verify Service Account tokens. Note that they are plain key pairs, not certificates: no CA is involved, so they are completely independent of every CA discussed above. The signing key must correspond to one of the verification keys; listing several verification keys lets tokens signed by a previous key stay valid while the signing key is rotated.
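An added example (not from the original page) of the relationship just described, using openssl: one current signing key, a list of verification keys, and what happens during rotation. A raw RSA-SHA256 signature over a payload file stands in for the JWT that kube-apiserver really issues (a simplification assumed here to keep the example self-contained); the key names "old"/"new" and the payload are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): how the single
# --service-account-signing-key-file relates to the repeatable
# --service-account-key-file during key rotation. Assumption: a raw
# RSA-SHA256 signature over a file stands in for the real service account JWT.
set -eu

# sa_keygen DIR NAME: create NAME.key (what the signing flag points at) and
# NAME.pub, the PEM public key a verification-key entry points at.
sa_keygen() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl rsa -in "$1/$2.key" -pubout -out "$1/$2.pub" 2>/dev/null
}

# sa_sign KEY PAYLOAD SIG: sign PAYLOAD with the current signing key.
sa_sign() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# sa_verify_any SIG PAYLOAD PUB...: accept if any configured public key verifies
# the signature, mirroring several --service-account-key-file entries.
# Prints the path of the key that verified, or "rejected".
sa_verify_any() {
  sig=$1; payload=$2; shift 2
  for pub in "$@"; do
    if openssl dgst -sha256 -verify "$pub" -signature "$sig" "$payload" >/dev/null 2>&1; then
      echo "$pub"
      return 0
    fi
  done
  echo "rejected"
}

if [ "${1:-}" = demo ]; then   # sh sa-keys.sh demo
  d=$(mktemp -d)
  sa_keygen "$d" old; sa_keygen "$d" new
  printf 'system:serviceaccount:default:builder' > "$d/token.txt"
  sa_sign "$d/new.key" "$d/token.txt" "$d/token.sig"
  sa_verify_any "$d/token.sig" "$d/token.txt" "$d/old.pub" "$d/new.pub"   # .../new.pub
  sa_verify_any "$d/token.sig" "$d/token.txt" "$d/old.pub"                # rejected
fi
```

The order of operations for a rotation follows from this: add new.pub to the verification list first, restart, then switch the signing key to new.key; an API server that only knows old.pub rejects every token signed by the new key, as the second call shows.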

Kubernetes certificates and configuration items:

mritd.me/2018/08/26/…

Note: for the certificate creation example above: notes.doublemine.me/2018-03-26-…