From 4c9d0cd225c3955008b3eea587de2e758261b289 Mon Sep 17 00:00:00 2001 From: Tom English Date: Thu, 21 Dec 2023 16:07:38 -0500 Subject: [PATCH] Generate and update cert authority --- docs/04-certificate-authority.md | 103 ++++++++++++++++++++++--------- 1 file changed, 73 insertions(+), 30 deletions(-) diff --git a/docs/04-certificate-authority.md b/docs/04-certificate-authority.md index 1510993..85ffc7e 100644 --- a/docs/04-certificate-authority.md +++ b/docs/04-certificate-authority.md 
@@ -9,8 +9,6 @@ In this section you will provision a Certificate Authority that can be used to g Generate the CA configuration file, certificate, and private key: ``` -{ - cat > ca-config.json < ca-csr.json < admin-csr.json <`. In this section you will create a certificate for each Kubernetes worker node that meets the Node Authorizer requirements. +Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/reference/access-authn-authz/node/) called Node Authorizer, that specifically authorizes API requests made by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet). In order to be authorized by the Node Authorizer, Kubelets must use a credential that identifies them as being in the `system:nodes` group, with a username of `system:node:`. In this section you will create a certificate for each Kubernetes worker node that meets the Node Authorizer requirements. Generate a certificate and private key for each Kubernetes worker node: +```gcloud``` ``` for instance in worker-0 worker-1 worker-2; do cat > ${instance}-csr.json < ${instance}-csr.json < kube-controller-manager-csr.json < kube-proxy-csr.json < kube-scheduler-csr.json < kubernetes-csr.json < The Kubernetes API server is automatically assigned the `kubernetes` internal dns name, which will be linked to the first IP address (`10.32.0.1`) from the address range (`10.32.0.0/24`) reserved for internal cluster services during the [control plane bootstrapping](08-bootstrapping-kubernetes-controllers.md#configure-the-kubernetes-api-server) lab. 
@@ -346,13 +368,11 @@ kubernetes.pem ## The Service Account Key Pair -The Kubernetes Controller Manager leverages a key pair to generate and sign service account tokens as described in the [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/) documentation. +The Kubernetes Controller Manager leverages a key pair to generate and sign service account tokens as described in the [managing service accounts](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/) documentation. Generate the `service-account` certificate and private key: ``` -{ - cat > service-account-csr.json < The `kube-proxy`, `kube-controller-manager`, `kube-scheduler`, and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab. Next: [Generating Kubernetes Configuration Files for Authentication](05-kubernetes-configuration-files.md)
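Review bot: in the first hunk, the added line consisting of three backticks, the word gcloud, and three more backticks (placed right before the `for instance in worker-0 worker-1 worker-2; do` loop) is not a valid fenced-block opener, since a backtick fence's info string may not itself contain backticks; it will render as a stray inline code span reading "gcloud" above the block instead of tagging it. If the aim is to label the block's language, put the tag on the block's existing opening fence (three backticks followed by bash, for example) and drop the extra line. The same hunk removes the `{` that grouped `cat > ca-config.json` and `cat > admin-csr.json` with the commands that follow them; that is fine for copy-paste, but the rest of the file should be changed the same way so readers do not meet a mix of grouped and ungrouped blocks, and the update of the Node Authorizer link to `reference/access-authn-authz/node/` deserves a mention in the commit message, which currently only says "Generate and update cert authority".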
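Review bot: in the second hunk (`@@ -346,13 +368,11 @@`), removing the opening `{` before `cat > service-account-csr.json` leaves the heredoc and the commands after it running as plain top-level commands, which works, but the header shows a net two-line removal, so confirm that the matching closing `}` of that block is the other removed line and that no closing brace is left behind elsewhere in the section, since a stray `}` would break the copy-pasted sequence. The link change to `reference/access-authn-authz/service-accounts-admin/` is the right target for the current kubernetes.io layout; like the Node Authorizer link change above it, it is a documentation link refresh and should be called out in the commit message.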