From 63c6d32fc730176a265acf1a57e66c3eb9382718 Mon Sep 17 00:00:00 2001
From: Kelsey Hightower <kelsey.hightower@gmail.com>
Date: Sun, 13 May 2018 04:52:53 +0000
Subject: [PATCH] use dedicated key pair for service accounts

---
 .gitignore                                    |  4 ++
 docs/04-certificate-authority.md              | 54 +++++++++++++++++--
 ...08-bootstrapping-kubernetes-controllers.md |  8 +--
 3 files changed, 59 insertions(+), 7 deletions(-)

diff --git a/.gitignore b/.gitignore
index 729a64c..624c834 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,3 +42,7 @@ worker-2-key.pem
 worker-2.csr
 worker-2.kubeconfig
 worker-2.pem
+service-account-key.pem
+service-account.csr
+service-account.pem
+service-account-csr.json
diff --git a/docs/04-certificate-authority.md b/docs/04-certificate-authority.md
index 45c1ef3..70d2201 100644
--- a/docs/04-certificate-authority.md
+++ b/docs/04-certificate-authority.md
@@ -163,7 +163,7 @@ worker-2-key.pem
 worker-2.pem
 ```
 
-### The kube-controller-manager Client Certificate
+### The Controller Manager Client Certificate
 
 Create the `kube-controller-manager` client certificate signing request:
 
@@ -207,7 +207,7 @@ kube-controller-manager.pem
 ```
 
 
-### The kube-proxy Client Certificate
+### The Kube Proxy Client Certificate
 
 Create the `kube-proxy` client certificate signing request:
 
@@ -250,7 +250,7 @@ kube-proxy-key.pem
 kube-proxy.pem
 ```
 
-### The kube-scheduler Client Certificate
+### The Scheduler Client Certificate
 
 Create the `kube-scheduler` client certificate signing request:
 
@@ -348,6 +348,51 @@ kubernetes-key.pem
 kubernetes.pem
 ```
 
+## The Service Account Key Pair
+
+Create the `service-account` certificate signing request:
+
+```
+cat > service-account-csr.json <<EOF
+{
+  "CN": "service-accounts",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "Kubernetes",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+```
+
+Generate the `service-account` certificate and private key:
+
+```
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  service-account-csr.json | cfssljson -bare service-account
+```
+
+Results:
+
+```
+service-account-key.pem
+service-account.pem
+```
+
+
+
 ## Distribute the Client and Server Certificates
 
 Copy the appropriate certificates and private keys to each worker instance:
@@ -362,7 +407,8 @@ Copy the appropriate certificates and private keys to each controller instance:
 
 ```
 for instance in controller-0 controller-1 controller-2; do
-  gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${instance}:~/
+  gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
+    service-account-key.pem service-account.pem ${instance}:~/
 done
 ```
 
diff --git a/docs/08-bootstrapping-kubernetes-controllers.md b/docs/08-bootstrapping-kubernetes-controllers.md
index b4c2f29..cbd93e3 100644
--- a/docs/08-bootstrapping-kubernetes-controllers.md
+++ b/docs/08-bootstrapping-kubernetes-controllers.md
@@ -47,7 +47,9 @@ sudo mkdir -p /var/lib/kubernetes/
 ```
 
 ```
-sudo mv ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem encryption-config.yaml /var/lib/kubernetes/
+sudo mv ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
+  service-account-key.pem service-account.pem \
+  encryption-config.yaml /var/lib/kubernetes/
 ```
 
 The instance internal IP address will be used to advertise the API Server to members of the cluster. Retrieve the internal IP address for the current compute instance:
@@ -90,7 +92,7 @@ ExecStart=/usr/local/bin/kube-apiserver \\
   --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\
   --kubelet-https=true \\
   --runtime-config=api/all \\
-  --service-account-key-file=/var/lib/kubernetes/ca-key.pem \\
+  --service-account-key-file=/var/lib/kubernetes/service-account.pem \\
   --service-cluster-ip-range=10.32.0.0/24 \\
   --service-node-port-range=30000-32767 \\
   --tls-cert-file=/var/lib/kubernetes/kubernetes.pem \\
@@ -130,7 +132,7 @@ ExecStart=/usr/local/bin/kube-controller-manager \\
   --kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\
   --leader-elect=true \\
   --root-ca-file=/var/lib/kubernetes/ca.pem \\
-  --service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \\
+  --service-account-private-key-file=/var/lib/kubernetes/service-account-key.pem \\
   --service-cluster-ip-range=10.32.0.0/24 \\
   --use-service-account-credentials=true \\
   --v=2