kubernetes-the-hard-way/docs/02-certificate-authority.md

283 lines
5.2 KiB
Markdown
Raw Normal View History

# Setting up a Certificate Authority and Creating TLS Certificates
2016-07-07 17:15:59 +03:00
In this lab you will setup the necessary PKI infrastructure to secure the Kubernetes components. This lab will leverage CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), to bootstrap a Certificate Authority and generate TLS certificates to secure the following Kubernetes components:
2016-07-07 17:52:54 +03:00
* etcd
2017-03-25 19:44:23 +03:00
* kube-apiserver
* kubelet
* kube-proxy
2016-07-07 17:57:18 +03:00
2016-07-07 17:59:38 +03:00
After completing this lab you should have the following TLS keys and certificates:
2016-07-07 17:59:02 +03:00
```
2017-03-24 09:08:54 +03:00
admin.pem
admin-key.pem
2016-07-07 17:59:02 +03:00
ca-key.pem
ca.pem
kubernetes-key.pem
kubernetes.pem
2017-03-24 09:08:54 +03:00
kube-proxy.pem
kube-proxy-key.pem
2016-07-07 17:59:02 +03:00
```
2016-07-07 17:49:56 +03:00
## Install CFSSL
2016-07-09 07:09:05 +03:00
This lab requires the `cfssl` and `cfssljson` binaries. Download them from the [cfssl repository](https://pkg.cfssl.org).
2016-07-07 17:15:59 +03:00
2016-07-09 06:59:01 +03:00
### OS X
```
wget https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64
chmod +x cfssl_darwin-amd64
sudo mv cfssl_darwin-amd64 /usr/local/bin/cfssl
```
```
wget https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64
chmod +x cfssljson_darwin-amd64
sudo mv cfssljson_darwin-amd64 /usr/local/bin/cfssljson
```
### Linux
```
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl
2016-07-09 06:59:01 +03:00
```
```
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
```
2017-03-25 19:44:23 +03:00
## Set up a Certificate Authority
2016-07-07 17:15:59 +03:00
2017-03-25 19:44:23 +03:00
Create a CA configuration file:
2016-07-07 17:15:59 +03:00
```
2017-03-25 19:44:23 +03:00
cat > ca-config.json <<EOF
{
2016-07-07 17:15:59 +03:00
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
2017-03-25 19:44:23 +03:00
}
EOF
2016-07-07 17:15:59 +03:00
```
2017-03-25 19:44:23 +03:00
Create a CA certificate signing request:
2016-07-07 17:15:59 +03:00
```
2017-03-25 19:44:23 +03:00
cat > ca-csr.json <<EOF
{
2016-07-07 17:15:59 +03:00
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "CA",
"ST": "Oregon"
}
]
2017-03-25 19:44:23 +03:00
}
EOF
2016-07-07 17:15:59 +03:00
```
Generate a CA certificate and private key:
2016-07-07 17:15:59 +03:00
```
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
```
Results:
```
ca-key.pem
ca.pem
```
2017-03-25 19:44:23 +03:00
## Generate client and server TLS certificates
2016-07-07 17:15:59 +03:00
In this section we will generate TLS certificates for each Kubernetes component and a client certificate for the admin user.
2016-07-08 20:26:32 +03:00
2017-03-25 19:44:23 +03:00
### Create the Admin client certificate
2016-07-08 00:10:49 +03:00
2017-03-25 19:44:23 +03:00
Create the admin client certificate signing request:
2017-03-24 05:48:14 +03:00
```
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:masters",
"OU": "Cluster",
"ST": "Oregon"
}
]
}
EOF
```
2017-03-25 19:44:23 +03:00
Generate the admin client certificate and private key:
2017-03-24 05:48:14 +03:00
```
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
admin-csr.json | cfssljson -bare admin
```
Results:
```
admin-key.pem
admin.pem
```
2017-03-25 19:44:23 +03:00
### Create the kube-proxy client certificate
Create the kube-proxy client certificate signing request:
2017-03-24 09:08:54 +03:00
```
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:node-proxier",
"OU": "Cluster",
"ST": "Oregon"
}
]
}
EOF
```
2017-03-25 19:44:23 +03:00
Generate the kube-proxy client certificate and private key:
2017-03-24 09:08:54 +03:00
```
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-proxy-csr.json | cfssljson -bare kube-proxy
```
Results:
```
kube-proxy-key.pem
kube-proxy.pem
```
2017-03-25 19:44:23 +03:00
### Create the kubernetes server certificate
2017-03-24 09:08:54 +03:00
2017-03-25 19:44:23 +03:00
The Kubernetes public IP address will be included in the list of subject alternative names for the Kubernetes server certificate. This will ensure the TLS certificate is valid for remote client access.
```
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
--region us-central1 \
--format 'value(address)')
```
Create the Kubernetes server certificate signing request:
2016-09-11 04:49:06 +03:00
2016-07-07 17:15:59 +03:00
```
2016-07-08 20:26:32 +03:00
cat > kubernetes-csr.json <<EOF
{
2016-07-07 17:15:59 +03:00
"CN": "kubernetes",
"hosts": [
2016-07-09 10:15:26 +03:00
"10.32.0.1",
2016-07-07 17:15:59 +03:00
"10.240.0.10",
"10.240.0.11",
"10.240.0.12",
2016-09-11 13:02:27 +03:00
"${KUBERNETES_PUBLIC_ADDRESS}",
"127.0.0.1",
"kubernetes.default"
2016-07-07 17:15:59 +03:00
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "Cluster",
"ST": "Oregon"
}
]
2016-07-08 20:26:32 +03:00
}
EOF
```
Generate the Kubernetes certificate and private key:
2016-07-07 17:15:59 +03:00
```
cfssl gencert \
2016-07-09 03:10:40 +03:00
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kubernetes-csr.json | cfssljson -bare kubernetes
2016-07-07 17:15:59 +03:00
```
2016-07-07 17:57:18 +03:00
Results:
```
kubernetes-key.pem
kubernetes.pem
```
2017-03-25 19:44:23 +03:00
## Distribute the TLS certificates
2016-07-08 00:15:06 +03:00
2016-09-11 05:13:17 +03:00
Set the list of Kubernetes hosts where the certs should be copied to:
The following commands will copy the TLS certificates and keys to each Kubernetes host using the `gcloud compute scp` command.
2016-09-11 05:17:55 +03:00
2016-09-11 05:13:17 +03:00
```
for host in worker0 worker1 worker2; do
gcloud compute scp ca.pem kube-proxy.pem kube-proxy-key.pem ${host}:~/
2017-03-24 05:48:14 +03:00
done
```
```
for host in controller0 controller1 controller2; do
gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${host}:~/
2016-09-11 05:13:17 +03:00
done
```