kubernetes-the-hard-way/docs/04-certificate-authority.md

# Provisioning a CA and Generating TLS Certificates

In this lab you will provision a [PKI Infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure) using CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), then use it to bootstrap a Certificate Authority, and generate TLS certificates for the following components: etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy.

## Certificate Authority

In this section you will provision a Certificate Authority that can be used to generate additional TLS certificates.

Generate the CA configuration file, certificate, and private key:

```
{

cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "CA",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

}
```

Results:

```
ca-key.pem
ca.pem
```

## Client and Server Certificates

In this section you will generate client and server certificates for each Kubernetes component and a client certificate for the Kubernetes `admin` user.

### The Admin Client Certificate

Generate the `admin` client certificate and private key:

```
{

cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "system:masters",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin

}
```

Results:

```
admin-key.pem
admin.pem
```

### The Kubelet Client Certificates

Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/) called Node Authorizer, that specifically authorizes API requests made by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet). In order to be authorized by the Node Authorizer, Kubelets must use a credential that identifies them as being in the `system:nodes` group, with a username of `system:node:<nodeName>`. In this section you will create a certificate for each Kubernetes worker node that meets the Node Authorizer requirements.

Generate a certificate and private key for each Kubernetes worker node:

```
for instance in worker-0 worker-1 worker-2; do
cat > ${instance}-csr.json <<EOF
{
  "CN": "system:node:${instance}",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "system:nodes",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

EXTERNAL_IP=$(gcloud compute instances describe ${instance} \
  --format 'value(networkInterfaces[0].accessConfigs[0].natIP)')

INTERNAL_IP=$(gcloud compute instances describe ${instance} \
  --format 'value(networkInterfaces[0].networkIP)')

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=${instance},${EXTERNAL_IP},${INTERNAL_IP} \
  -profile=kubernetes \
  ${instance}-csr.json | cfssljson -bare ${instance}
done
```

Results:

```
worker-0-key.pem
worker-0.pem
worker-1-key.pem
worker-1.pem
worker-2-key.pem
worker-2.pem
```

### The Controller Manager Client Certificate

Generate the `kube-controller-manager` client certificate and private key:

```
{

cat > kube-controller-manager-csr.json <<EOF
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "system:kube-controller-manager",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager

}
```

Results:

```
kube-controller-manager-key.pem
kube-controller-manager.pem
```


### The Kube Proxy Client Certificate

Generate the `kube-proxy` client certificate and private key:

```
{

cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "system:node-proxier",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy

}
```

Results:

```
kube-proxy-key.pem
kube-proxy.pem
```

### The Scheduler Client Certificate

Generate the `kube-scheduler` client certificate and private key:

```
{

cat > kube-scheduler-csr.json <<EOF
{
  "CN": "system:kube-scheduler",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "system:kube-scheduler",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-scheduler-csr.json | cfssljson -bare kube-scheduler

}
```

Results:

```
kube-scheduler-key.pem
kube-scheduler.pem
```


### The Kubernetes API Server Certificate

The `kubernetes-the-hard-way` static IP address will be included in the list of subject alternative names for the Kubernetes API Server certificate. This will ensure the certificate can be validated by remote clients.

Generate the Kubernetes API Server certificate and private key:

```
{

KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
  --region $(gcloud config get-value compute/region) \
  --format 'value(address)')

cat > kubernetes-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,kubernetes.default \
  -profile=kubernetes \
  kubernetes-csr.json | cfssljson -bare kubernetes

}
```

Results:

```
kubernetes-key.pem
kubernetes.pem
```

## The Service Account Key Pair

The Kubernetes Controller Manager leverages a key pair to generate and sign service account tokens as describe in the [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/) documentation.

Generate the `service-account` certificate and private key:

```
{

cat > service-account-csr.json <<EOF
{
  "CN": "service-accounts",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  service-account-csr.json | cfssljson -bare service-account

}
```

Results:

```
service-account-key.pem
service-account.pem
```


## Distribute the Client and Server Certificates

Copy the appropriate certificates and private keys to each worker instance:

```
for instance in worker-0 worker-1 worker-2; do
  gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/
done
```

Copy the appropriate certificates and private keys to each controller instance:

```
for instance in controller-0 controller-1 controller-2; do
  gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
    service-account-key.pem service-account.pem ${instance}:~/
done
```

> The `kube-proxy`, `kube-controller-manager`, `kube-scheduler`, and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.

Next: [Generating Kubernetes Configuration Files for Authentication](05-kubernetes-configuration-files.md)
update docs 2017-08-29 00:19:25 +03:00			`# Provisioning a CA and Generating TLS Certificates`

Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`In this lab you will provision a [PKI Infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure) using CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), then use it to bootstrap a Certificate Authority, and generate TLS certificates for the following components: etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy.`
update docs 2017-08-29 00:19:25 +03:00
			`## Certificate Authority`

			`In this section you will provision a Certificate Authority that can be used to generate additional TLS certificates.`

Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`Generate the CA configuration file, certificate, and private key:`
update docs 2017-08-29 00:19:25 +03:00
			```
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`{`

update docs 2017-08-29 00:19:25 +03:00			`cat > ca-config.json <<EOF`
			`{`
			`"signing": {`
			`"default": {`
			`"expiry": "8760h"`
			`},`
			`"profiles": {`
			`"kubernetes": {`
			`"usages": ["signing", "key encipherment", "server auth", "client auth"],`
			`"expiry": "8760h"`
			`}`
			`}`
			`}`
			`}`
			`EOF`

			`cat > ca-csr.json <<EOF`
			`{`
			`"CN": "Kubernetes",`
			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
			`"O": "Kubernetes",`
			`"OU": "CA",`
			`"ST": "Oregon"`
			`}`
			`]`
			`}`
			`EOF`

			`cfssl gencert -initca ca-csr.json \| cfssljson -bare ca`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00
			`}`
update docs 2017-08-29 00:19:25 +03:00			```

			`Results:`

			```
			`ca-key.pem`
			`ca.pem`
			```

			`## Client and Server Certificates`

			In this section you will generate client and server certificates for each Kubernetes component and a client certificate for the Kubernetes `admin` user.

			`### The Admin Client Certificate`

Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			Generate the `admin` client certificate and private key:
update docs 2017-08-29 00:19:25 +03:00
			```
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`{`

update docs 2017-08-29 00:19:25 +03:00			`cat > admin-csr.json <<EOF`
			`{`
			`"CN": "admin",`
			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
			`"O": "system:masters",`
			`"OU": "Kubernetes The Hard Way",`
			`"ST": "Oregon"`
			`}`
			`]`
			`}`
			`EOF`

			`cfssl gencert \`
			`-ca=ca.pem \`
			`-ca-key=ca-key.pem \`
			`-config=ca-config.json \`
			`-profile=kubernetes \`
			`admin-csr.json \| cfssljson -bare admin`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00
			`}`
update docs 2017-08-29 00:19:25 +03:00			```

			`Results:`

			```
			`admin-key.pem`
			`admin.pem`
			```

			`### The Kubelet Client Certificates`

			Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/) called Node Authorizer, that specifically authorizes API requests made by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet). In order to be authorized by the Node Authorizer, Kubelets must use a credential that identifies them as being in the `system:nodes` group, with a username of `system:node:<nodeName>`. In this section you will create a certificate for each Kubernetes worker node that meets the Node Authorizer requirements.

			`Generate a certificate and private key for each Kubernetes worker node:`

			```
			`for instance in worker-0 worker-1 worker-2; do`
			`cat > ${instance}-csr.json <<EOF`
			`{`
			`"CN": "system:node:${instance}",`
			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
			`"O": "system:nodes",`
			`"OU": "Kubernetes The Hard Way",`
			`"ST": "Oregon"`
			`}`
			`]`
			`}`
			`EOF`

			`EXTERNAL_IP=$(gcloud compute instances describe ${instance} \`
			`--format 'value(networkInterfaces[0].accessConfigs[0].natIP)')`

			`INTERNAL_IP=$(gcloud compute instances describe ${instance} \`
			`--format 'value(networkInterfaces[0].networkIP)')`

			`cfssl gencert \`
			`-ca=ca.pem \`
			`-ca-key=ca-key.pem \`
			`-config=ca-config.json \`
			`-hostname=${instance},${EXTERNAL_IP},${INTERNAL_IP} \`
			`-profile=kubernetes \`
			`${instance}-csr.json \| cfssljson -bare ${instance}`
			`done`
			```

			`Results:`

			```
			`worker-0-key.pem`
			`worker-0.pem`
			`worker-1-key.pem`
			`worker-1.pem`
			`worker-2-key.pem`
			`worker-2.pem`
			```

Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`### The Controller Manager Client Certificate`
update docs 2017-08-29 00:19:25 +03:00
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			Generate the `kube-controller-manager` client certificate and private key:
update docs 2017-08-29 00:19:25 +03:00
			```
			`{`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00
			`cat > kube-controller-manager-csr.json <<EOF`
			`{`
			`"CN": "system:kube-controller-manager",`
update docs 2017-08-29 00:19:25 +03:00			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`"O": "system:kube-controller-manager",`
update docs 2017-08-29 00:19:25 +03:00			`"OU": "Kubernetes The Hard Way",`
			`"ST": "Oregon"`
			`}`
			`]`
			`}`
			`EOF`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00
			`cfssl gencert \`
			`-ca=ca.pem \`
			`-ca-key=ca-key.pem \`
			`-config=ca-config.json \`
			`-profile=kubernetes \`
			`kube-controller-manager-csr.json \| cfssljson -bare kube-controller-manager`

			`}`
			```

			`Results:`

			```
			`kube-controller-manager-key.pem`
			`kube-controller-manager.pem`
update docs 2017-08-29 00:19:25 +03:00			```

Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00
			`### The Kube Proxy Client Certificate`

update docs 2017-08-29 00:19:25 +03:00			Generate the `kube-proxy` client certificate and private key:

			```
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`{`

			`cat > kube-proxy-csr.json <<EOF`
			`{`
			`"CN": "system:kube-proxy",`
			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
			`"O": "system:node-proxier",`
			`"OU": "Kubernetes The Hard Way",`
			`"ST": "Oregon"`
			`}`
			`]`
			`}`
			`EOF`

update docs 2017-08-29 00:19:25 +03:00			`cfssl gencert \`
			`-ca=ca.pem \`
			`-ca-key=ca-key.pem \`
			`-config=ca-config.json \`
			`-profile=kubernetes \`
			`kube-proxy-csr.json \| cfssljson -bare kube-proxy`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00
			`}`
update docs 2017-08-29 00:19:25 +03:00			```

			`Results:`

			```
			`kube-proxy-key.pem`
			`kube-proxy.pem`
			```

Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`### The Scheduler Client Certificate`

			Generate the `kube-scheduler` client certificate and private key:

			```
			`{`

			`cat > kube-scheduler-csr.json <<EOF`
			`{`
			`"CN": "system:kube-scheduler",`
			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
			`"O": "system:kube-scheduler",`
			`"OU": "Kubernetes The Hard Way",`
			`"ST": "Oregon"`
			`}`
			`]`
			`}`
			`EOF`

			`cfssl gencert \`
			`-ca=ca.pem \`
			`-ca-key=ca-key.pem \`
			`-config=ca-config.json \`
			`-profile=kubernetes \`
			`kube-scheduler-csr.json \| cfssljson -bare kube-scheduler`

			`}`
			```

			`Results:`

			```
			`kube-scheduler-key.pem`
			`kube-scheduler.pem`
			```


update docs 2017-08-29 00:19:25 +03:00			`### The Kubernetes API Server Certificate`

			The `kubernetes-the-hard-way` static IP address will be included in the list of subject alternative names for the Kubernetes API Server certificate. This will ensure the certificate can be validated by remote clients.

Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`Generate the Kubernetes API Server certificate and private key:`
update docs 2017-08-29 00:19:25 +03:00
			```
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`{`

update docs 2017-08-29 00:19:25 +03:00			`KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \`
			`--region $(gcloud config get-value compute/region) \`
			`--format 'value(address)')`

			`cat > kubernetes-csr.json <<EOF`
			`{`
			`"CN": "kubernetes",`
			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
			`"O": "Kubernetes",`
			`"OU": "Kubernetes The Hard Way",`
			`"ST": "Oregon"`
			`}`
			`]`
			`}`
			`EOF`

			`cfssl gencert \`
			`-ca=ca.pem \`
			`-ca-key=ca-key.pem \`
			`-config=ca-config.json \`
			`-hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,kubernetes.default \`
			`-profile=kubernetes \`
			`kubernetes-csr.json \| cfssljson -bare kubernetes`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00
			`}`
update docs 2017-08-29 00:19:25 +03:00			```

			`Results:`

			```
			`kubernetes-key.pem`
			`kubernetes.pem`
			```

Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`## The Service Account Key Pair`

			`The Kubernetes Controller Manager leverages a key pair to generate and sign service account tokens as describe in the [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/) documentation.`

			Generate the `service-account` certificate and private key:

			```
			`{`

			`cat > service-account-csr.json <<EOF`
			`{`
			`"CN": "service-accounts",`
			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
			`"O": "Kubernetes",`
			`"OU": "Kubernetes The Hard Way",`
			`"ST": "Oregon"`
			`}`
			`]`
			`}`
			`EOF`

			`cfssl gencert \`
			`-ca=ca.pem \`
			`-ca-key=ca-key.pem \`
			`-config=ca-config.json \`
			`-profile=kubernetes \`
			`service-account-csr.json \| cfssljson -bare service-account`

			`}`
			```

			`Results:`

			```
			`service-account-key.pem`
			`service-account.pem`
			```


update docs 2017-08-29 00:19:25 +03:00			`## Distribute the Client and Server Certificates`

			`Copy the appropriate certificates and private keys to each worker instance:`

			```
			`for instance in worker-0 worker-1 worker-2; do`
			`gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/`
			`done`
			```

			`Copy the appropriate certificates and private keys to each controller instance:`

			```
			`for instance in controller-0 controller-1 controller-2; do`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \`
			`service-account-key.pem service-account.pem ${instance}:~/`
update docs 2017-08-29 00:19:25 +03:00			`done`
			```

Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			> The `kube-proxy`, `kube-controller-manager`, `kube-scheduler`, and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.
update docs 2017-08-29 00:19:25 +03:00
			`Next: [Generating Kubernetes Configuration Files for Authentication](05-kubernetes-configuration-files.md)`