TLS
TLS secures the communication between clients and servers by encrypting the data in transit.
Asymmetric encryption uses a pair of keys, a private key and a public key. But a bare public key says nothing about who owns it, so an attacker could hand you a public key of their own and trick you into handing over your secrets. To avoid this, websites now present a digital cert that ties the public key to an identity.
A Certificate Authority (CA) signs and validates certs. Well-known ones are Symantec, DigiCert, etc. Each CA has its own private and public key pair. Browsers ship with the CAs' public keys (their root certs), so they can check whether a cert was really issued by that CA.
Based on where they are used, certs fall into 3 categories: root, client, and server.
The CA certs together with the client and server keys form the Public Key Infrastructure (PKI).
By convention, a certificate (public key) file is named '.crt' or '.pem', while a private key file is '.key' or '-key.pem'.
TLS in Kubernetes
Kubernetes components use TLS certificates to talk to the apiserver. Every client and server needs the CA cert so it can verify the cert presented by the other side.
Cert creation
Root cert creation
Generate keys
openssl genrsa -out ca.key 2048
Generate cert signing request (cert without signature)
openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr
Sign certificate
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Client cert creation
For admin user,
openssl genrsa -out admin.key 2048
openssl req -new -key admin.key -subj "/CN=KUBERNETES-ADMIN/O=system:masters" -out admin.csr
openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial serial -out admin.crt
The creation process is similar for kube-scheduler, kube-controller-manager and kube-proxy. The only thing to note is that the subject must carry the system: prefix, e.g. "/CN=system:kube-scheduler".
With the certs in hand, an authenticated request looks like:
curl -v -k https://master-node.ip:6443/api/v1/pods --key admin.key --cert admin.crt --cacert ca.crt
Note that -k tells curl to skip server cert verification. With --cacert ca.crt it is not needed, and leaving it out makes curl actually check that the apiserver cert chains to the CA.
Server cert creation
Take kube-apiserver as an example.
openssl genrsa -out apiserver.key 2048
openssl req -new -key apiserver.key -subj "/CN=kube-apiserver" -out apiserver.csr -config openssl.conf
openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -extfile openssl.conf -extensions v3_req -out apiserver.crt
kube-apiserver is reached under many alternative names. We define them in openssl.conf and pass the file to openssl req with -config so the CSR records them. openssl x509 -req does not copy extensions out of the CSR on its own, so the same file is passed to the signing step with -extfile and -extensions v3_req; otherwise the signed cert ends up without the SANs.
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
IP.1 = 10.96.0.1
IP.2 = 172.17.0.87
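The whole procedure above (root CA, admin client cert, kube-apiserver server cert with SANs), wrapped into a script that also performs the checks a practitioner would want afterwards: that each cert chains to the CA (the check curl --cacert does and -k skips), that the admin cert carries the system:masters group, and that the server cert really contains the SANs. This is an added example, not code from the original notes or from the Kubernetes project. It assumes openssl is on PATH; the temp directory, the cluster IP 10.96.0.1 and the node IP 172.17.0.87 are constructed sample values, and the ca.ext file with basicConstraints CA:TRUE is an addition so that the root cert declares itself a CA (x509 -signkey alone does not add that).

```sh
# Added example (not from the original notes): build a throwaway PKI with the
# openssl steps from the notes, then verify the result.
# Assumed: openssl on PATH; temp dir, 10.96.0.1 and 172.17.0.87 are sample values.

write_conf() {
  # openssl.conf for the apiserver cert. Used twice: by "req -config" so the
  # CSR records the SANs, and by "x509 -extfile ... -extensions v3_req" so the
  # signed cert carries them (x509 -req does not copy them from the CSR).
  cat > "$1/openssl.conf" <<'EOF'
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
IP.1 = 10.96.0.1
IP.2 = 172.17.0.87
EOF
  # Extensions for the root cert: mark it as a CA that may sign certs.
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' > "$1/ca.ext"
}

# Creates ca/admin/apiserver key+cert in a temp dir and prints the dir path.
make_pki() {
  pki_dir=$(mktemp -d) || return 1
  write_conf "$pki_dir"
  # Root CA: key -> CSR -> self-signed cert
  openssl genrsa -out "$pki_dir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$pki_dir/ca.key" -subj "/CN=KUBERNETES-CA" -out "$pki_dir/ca.csr"
  openssl x509 -req -in "$pki_dir/ca.csr" -signkey "$pki_dir/ca.key" -days 365 \
    -extfile "$pki_dir/ca.ext" -out "$pki_dir/ca.crt" 2>/dev/null
  # Admin client cert: the group system:masters goes into O=
  openssl genrsa -out "$pki_dir/admin.key" 2048 2>/dev/null
  openssl req -new -key "$pki_dir/admin.key" \
    -subj "/CN=KUBERNETES-ADMIN/O=system:masters" -out "$pki_dir/admin.csr"
  openssl x509 -req -in "$pki_dir/admin.csr" -CA "$pki_dir/ca.crt" -CAkey "$pki_dir/ca.key" \
    -CAcreateserial -days 365 -out "$pki_dir/admin.crt" 2>/dev/null
  # kube-apiserver server cert, SANs taken from openssl.conf at both steps
  openssl genrsa -out "$pki_dir/apiserver.key" 2048 2>/dev/null
  openssl req -new -key "$pki_dir/apiserver.key" -subj "/CN=kube-apiserver" \
    -config "$pki_dir/openssl.conf" -out "$pki_dir/apiserver.csr"
  openssl x509 -req -in "$pki_dir/apiserver.csr" -CA "$pki_dir/ca.crt" -CAkey "$pki_dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$pki_dir/openssl.conf" -extensions v3_req \
    -out "$pki_dir/apiserver.crt" 2>/dev/null
  echo "$pki_dir"
}

# Exit 0 only if cert $2 chains to trust anchor $1 (what curl --cacert checks and -k skips).
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if the text dump of cert $1 contains string $2 (a subject field or a SAN).
cert_mentions() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# Demo run: build the PKI and report the checks.
d=$(make_pki)
chains_to "$d/ca.crt" "$d/admin.crt" && echo "admin.crt chains to ca.crt"
chains_to "$d/ca.crt" "$d/apiserver.crt" && echo "apiserver.crt chains to ca.crt"
chains_to "$d/admin.crt" "$d/apiserver.crt" || echo "apiserver.crt does not chain to an unrelated cert (expected)"
cert_mentions "$d/apiserver.crt" "DNS:kubernetes.default.svc.cluster.local" && echo "apiserver.crt carries the SANs"
rm -rf "$d"
```

The negative check (verifying apiserver.crt against admin.crt as the trust anchor) is there to show what verification buys you: a cert signed by anything other than the CA you trust is rejected, which is exactly the check curl -k turns off.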