In this lab you will provision a PKI Infrastructure using CloudFlare's PKI toolkit, cfssl, then use it to bootstrap a Certificate Authority, and generate TLS certificates for the following components: etcd, kube-apiserver, kubelet, and kube-proxy.
In this section you will provision a Certificate Authority that can be used to generate additional TLS certificates.
Create the CA configuration file:
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}
EOF
Create the CA certificate signing request:
cat > ca-csr.json <<EOF
{
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "IT",
"L": "Milan",
"O": "Kubernetes",
"OU": "MI",
"ST": "Italy"
}
]
}
EOF
Generate the CA certificate and private key:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
Results:
ca-key.pem
ca.pem
In this section you will generate client and server certificates for each Kubernetes component and a client certificate for the Kubernetes admin
user.
Create the admin
client certificate signing request:
cat > admin-csr.json <<EOF
{
"CN": "admin",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "IT",
"L": "Milan",
"O": "system:masters",
"OU": "Kubernetes The Hard Way",
"ST": "Italy"
}
]
}
EOF
Generate the admin
client certificate and private key:
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
admin-csr.json | cfssljson -bare admin
Results:
admin-key.pem
admin.pem
Note: If you run previous command in Windows, surround values with "
. for example: cfssl.exe gencert -ca="ca.pem" -ca-key="ca-key.pem" ...
Kubernetes uses a special-purpose authorization mode called Node Authorizer, that specifically authorizes API requests made by Kubelets. In order to be authorized by the Node Authorizer, Kubelets must use a credential that identifies them as being in the system:nodes
group, with a username of system:node:<nodeName>
. In this section you will create a certificate for each Kubernetes worker node that meets the Node Authorizer requirements.
Generate a certificate and private key for each Kubernetes worker node:
for instance in worker-0 worker-1; do
cat > ${instance}-csr.json <<EOF
{
"CN": "system:node:${instance}",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "IT",
"L": "Milan",
"O": "system:nodes",
"OU": "Kubernetes The Hard Way",
"ST": "Italy"
}
]
}
EOF
EXTERNAL_IP=$(az network public-ip show -g kubernetes \
-n kubernetes-pip --query ipAddress -o tsv)
INTERNAL_IP=$(az vm show -d -n ${instance} -g kubernetes --query privateIps -o tsv)
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-hostname=${instance},${EXTERNAL_IP},${INTERNAL_IP} \
-profile=kubernetes \
${instance}-csr.json | cfssljson -bare ${instance}
done
Results:
worker-0-key.pem
worker-0.pem
worker-1-key.pem
worker-1.pem
Generate the kube-controller-manager
client certificate and private key:
{
cat > kube-controller-manager-csr.json <<EOF
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "IT",
"L": "Milan",
"O": "system:kube-controller-manager",
"OU": "Kubernetes The Hard Way",
"ST": "Italy"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
}
Results:
kube-controller-manager-key.pem
kube-controller-manager.pem
Create the kube-proxy
client certificate signing request:
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "IT",
"L": "Milano",
"O": "system:node-proxier",
"OU": "Kubernetes The Hard Way",
"ST": "Italy"
}
]
}
EOF
Generate the kube-proxy
client certificate and private key:
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-proxy-csr.json | cfssljson -bare kube-proxy
Results:
kube-proxy-key.pem
kube-proxy.pem
Generate the kube-scheduler
client certificate and private key:
{
cat > kube-scheduler-csr.json <<EOF
{
"CN": "system:kube-scheduler",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "IT",
"L": "Milan",
"O": "system:kube-scheduler",
"OU": "Kubernetes The Hard Way",
"ST": "Italy"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-scheduler-csr.json | cfssljson -bare kube-scheduler
}
Results:
kube-scheduler-key.pem
kube-scheduler.pem
The kubernetes-the-hard-way
static IP address will be included in the list of subject alternative names for the Kubernetes API Server certificate. This will ensure the certificate can be validated by remote clients.
Retrieve the kubernetes-the-hard-way
static IP address:
KUBERNETES_PUBLIC_ADDRESS=$(az network public-ip show -g kubernetes \
-n kubernetes-pip --query "ipAddress" -o tsv)
Create the Kubernetes API Server certificate signing request:
cat > kubernetes-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "IT",
"L": "Milan",
"O": "Kubernetes",
"OU": "Kubernetes The Hard Way",
"ST": "Italy"
}
]
}
EOF
Generate the Kubernetes API Server certificate and private key:
KUBERNETES_HOSTNAMES=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,${KUBERNETES_HOSTNAMES} \
-profile=kubernetes \
kubernetes-csr.json | cfssljson -bare kubernetes
Results:
kubernetes-key.pem
kubernetes.pem
The Kubernetes Controller Manager leverages a key pair to generate and sign service account tokens as described in the managing service accounts documentation.
Generate the service-account
certificate and private key:
{
cat > service-account-csr.json <<EOF
{
"CN": "service-accounts",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "IT",
"L": "Milan",
"O": "Kubernetes",
"OU": "Kubernetes The Hard Way",
"ST": "Italy"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
service-account-csr.json | cfssljson -bare service-account
}
Results:
service-account-key.pem
service-account.pem
Copy the appropriate certificates and private keys to each worker instance:
for instance in worker-0 worker-1; do
PUBLIC_IP_ADDRESS=$(az network public-ip show -g kubernetes \
-n ${instance}-pip --query "ipAddress" -o tsv)
scp -o StrictHostKeyChecking=no ca.pem ${instance}-key.pem ${instance}.pem kuberoot@${PUBLIC_IP_ADDRESS}:~/
done
Copy the appropriate certificates and private keys to each controller instance:
for instance in controller-0 controller-1 controller-2; do
PUBLIC_IP_ADDRESS=$(az network public-ip show -g kubernetes \
-n ${instance}-pip --query "ipAddress" -o tsv)
scp -o StrictHostKeyChecking=no ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
service-account-key.pem service-account.pem kuberoot@${PUBLIC_IP_ADDRESS}:~/
done
The
kube-proxy
,kube-controller-manager
,kube-scheduler
, andkubelet
client certificates will be used to generate client authentication configuration files in the next lab.
Next: Generating Kubernetes Configuration Files for Authentication