60DaysOfK8s – Day 23 TLS, Cert

TLS

TLS secures communication between a client and a server: it encrypts the data in transit, protects it from being tampered with, and lets the client verify that it is really talking to the server it intended.

Asymmetric encryption uses a pair of keys: a private key that never leaves the server and a public key that anyone may have. The public key being public is not the problem. The problem is that an attacker sitting between you and the server can hand you their own public key, and you have no way to tell it apart from the real one (a man-in-the-middle attack). To avoid this, a website presents a digital certificate, which binds its public key to its name and is signed by a party you already trust.

A Certificate Authority (CA) is an organisation that signs certificates and vouches for them; well-known ones include DigiCert and Symantec. A CA has its own private and public keys: it signs certificates with its private key, and browsers and operating systems ship with the CA's public key (its root certificate) in their trust store. With that, a browser can check that a certificate was really issued by that CA, and the CA can be asked whether a certificate is still valid.

Certificates can be grouped by where they are used into 3 categories: root certificates (the CA's own), server certificates (presented by a server to prove its identity) and client certificates (presented by a client when the server must authenticate the client too, as Kubernetes does).

The CA, the client and server keys and certificates, and the process for issuing and rotating them together form a Public Key Infrastructure (PKI).

By convention, certificates (which carry the public key) are named with a '.crt' or '.pem' extension, while private keys are '.key' or '-key.pem'. Anything with 'key' in the name is private and must never be shared or checked in.

TLS in Kubernetes

Kubernetes components use TLS certificates to talk to the kube-apiserver (and the apiserver in turn talks to etcd and the kubelets over TLS). Every client and every server needs its own key pair and certificate, plus the CA certificate so it can verify the certificate presented by the other side.

Cert creation

Root cert creation

Generate keys

openssl genrsa -out ca.key 2048

Generate a certificate signing request (the certificate without a signature)

openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr

Sign the certificate. The root is self-signed with its own key; pass -days, because openssl x509 otherwise issues a certificate valid for only 30 days.

openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -out ca.crt

Client cert creation

For admin user,

openssl genrsa -out admin.key 2048
openssl req -new -key admin.key -subj "/CN=KUBERNETES-ADMIN/O=system:masters" -out admin.csr
openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out admin.crt

The process is the same for kube-scheduler, kube-controller-manager and kube-proxy. The one thing to get right is the subject: the apiserver takes the CN as the user name and each O= as a group, and the built-in RBAC bindings expect the control-plane components under their system: names, so use "/CN=system:kube-scheduler", "/CN=system:kube-controller-manager" and "/CN=system:kube-proxy". The admin certificate above puts the user in the group system:masters, which is bound to cluster-admin by default; Kubernetes has no certificate revocation, so the only way to take that access back is to rotate the CA. Guard admin.key accordingly.

After having certs, authenticating becomes:

curl -v https://master-node.ip:6443/api/v1/pods --key admin.key --cert admin.crt --cacert ca.crt

Do not add -k: it turns off verification of the server certificate, which defeats the point of passing --cacert.

Server cert creation

Take the kube-apiserver as an example.

openssl genrsa -out apiserver.key 2048
openssl req -new -key apiserver.key -subj "/CN=kube-apiserver" -config openssl.conf -out apiserver.csr
openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -extfile openssl.conf -extensions v3_req -out apiserver.crt

The kube-apiserver is reached under many names (the service name, its cluster-local DNS names, the service IP and the node IP), and a client only accepts the certificate if the name it connected to is listed in it. We list them as Subject Alternative Names in openssl.conf and pass that file to openssl req with -config. Note that openssl x509 -req does not copy the extensions from the CSR into the signed certificate: the same file must be passed again when signing, with -extfile openssl.conf -extensions v3_req. Leave that out and the certificate is issued without any SAN, and every client fails with a hostname mismatch.

[ req ]
req_extensions = v3_req
distinguished_name  = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
basicConstraints   = CA:FALSE
keyUsage  = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1  =  kubernetes
DNS.2  =  kubernetes.default
DNS.3  =  kubernetes.default.svc
DNS.4  =  kubernetes.default.svc.cluster.local
IP.1  =   10.96.0.1
IP.2  =   172.17.0.87
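The whole procedure on this page, root CA, admin client certificate and kube-apiserver certificate with SANs, as one runnable script with the checks a practitioner would run afterwards. This is an added example and not code from the original post. It assumes only the openssl command line (1.1.1 or 3.x) on PATH; the names and IPs are the ones used above, while PKI_DIR, the function names and the deliberately mis-signed apiserver-nosan certificate are this example's own.

```shell
#!/bin/sh
# Added example: builds the page's PKI and verifies it. Assumes openssl 1.1.1+.
# PKI_DIR, the function names and "apiserver-nosan" are this example's choices.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Root CA: self-signed, marked CA:TRUE so verifiers accept it as an issuer.
make_ca() {
    openssl genrsa -out "$PKI_DIR/ca.key" 2048 2>/dev/null
    openssl req -new -key "$PKI_DIR/ca.key" -subj "/CN=KUBERNETES-CA" -out "$PKI_DIR/ca.csr"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
        > "$PKI_DIR/ca.ext"
    openssl x509 -req -in "$PKI_DIR/ca.csr" -signkey "$PKI_DIR/ca.key" -days 3650 \
        -extfile "$PKI_DIR/ca.ext" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# Client cert: $1 = file name, $2 = subject. The apiserver maps CN to the user
# name and each O= to a group, so "/O=system:masters" means cluster-admin.
make_client_cert() {
    openssl genrsa -out "$PKI_DIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$PKI_DIR/$1.key" -subj "$2" -out "$PKI_DIR/$1.csr"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\n' \
        > "$PKI_DIR/$1.ext"
    openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" \
        -CAcreateserial -days 365 -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.crt" 2>/dev/null
}

# The SAN list from the page. The CSR carries it, but "openssl x509 -req" drops
# CSR extensions, so the same file is passed again at signing time.
write_apiserver_conf() {
    cat > "$PKI_DIR/openssl.conf" <<'EOF'
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
IP.1 = 10.96.0.1
IP.2 = 172.17.0.87
EOF
}

# Server cert: $1 = file name; $2 = "with-ext" (correct) or anything else to
# reproduce the common mistake of signing without -extfile/-extensions.
make_apiserver_cert() {
    mode="${2:-with-ext}"
    write_apiserver_conf
    openssl genrsa -out "$PKI_DIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$PKI_DIR/$1.key" -subj "/CN=kube-apiserver" \
        -config "$PKI_DIR/openssl.conf" -out "$PKI_DIR/$1.csr"
    if [ "$mode" = "with-ext" ]; then
        openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" \
            -CAcreateserial -days 365 -extfile "$PKI_DIR/openssl.conf" -extensions v3_req \
            -out "$PKI_DIR/$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" \
            -CAcreateserial -days 365 -out "$PKI_DIR/$1.crt" 2>/dev/null
    fi
}

# Checks: each exits 0 when the property holds, 1 otherwise.
verify_chain() {   # does $1.crt chain to ca.crt?
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/$1.crt" >/dev/null 2>&1
}
has_san() {        # is $2 listed as a Subject Alternative Name in $1.crt?
    openssl x509 -in "$PKI_DIR/$1.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}
subject_has() {    # does the subject of $1.crt contain $2?
    openssl x509 -in "$PKI_DIR/$1.crt" -noout -subject | grep -q -- "$2"
}

# End-to-end run: builds everything, then fails unless every check holds.
demo() {
    make_ca
    make_client_cert admin "/CN=KUBERNETES-ADMIN/O=system:masters"
    make_apiserver_cert apiserver with-ext
    make_apiserver_cert apiserver-nosan skip-ext
    verify_chain admin && verify_chain apiserver \
        && subject_has admin 'system:masters' \
        && has_san apiserver 'kubernetes.default.svc.cluster.local' \
        && has_san apiserver '10.96.0.1' \
        && ! has_san apiserver-nosan 'kubernetes' \
        && echo "PKI written to $PKI_DIR; all checks passed"
}
```

Source the file and call demo, or call the functions one at a time. The apiserver-nosan certificate is signed exactly like the page's original apiserver command, with the config passed only to openssl req; the has_san check on it fails, which is the hostname-mismatch failure a client would hit, while the correctly signed apiserver.crt carries every name from alt_names.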
