use dedicated key pair for service accounts

2018-05-13 04:52:53 +00:00 · 2018-05-13 04:52:53 +00:00 · 63c6d32fc7
parent f5cd671efb
commit 63c6d32fc7
3 changed files with 59 additions and 7 deletions
--- a/.gitignore
+++ b/.gitignore
@ -42,3 +42,7 @@ worker-2-key.pem
 worker-2.csr
 worker-2.kubeconfig
 worker-2.pem
+service-account-key.pem
+service-account.csr
+service-account.pem
+service-account-csr.json
--- a/docs/04-certificate-authority.md
+++ b/docs/04-certificate-authority.md
@ -163,7 +163,7 @@ worker-2-key.pem
 worker-2.pem
 ```

-### The kube-controller-manager Client Certificate
+### The Controller Manager Client Certificate

 Create the `kube-controller-manager` client certificate signing request:

@ -207,7 +207,7 @@ kube-controller-manager.pem
 ```


-### The kube-proxy Client Certificate
+### The Kube Proxy Client Certificate

 Create the `kube-proxy` client certificate signing request:

@ -250,7 +250,7 @@ kube-proxy-key.pem
 kube-proxy.pem
 ```

-### The kube-scheduler Client Certificate
+### The Scheduler Client Certificate

 Create the `kube-scheduler` client certificate signing request:

@ -348,6 +348,51 @@ kubernetes-key.pem
 kubernetes.pem
 ```

+## The Service Account Key Pair
+
+Create the `service-account` certificate signing request:
+
+```
+cat > service-account-csr.json <<EOF
+{
+  "CN": "service-accounts",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "Kubernetes",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+```
+
+Generate the `service-account` certificate and private key:
+
+```
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  service-account-csr.json | cfssljson -bare service-account
+```
+
+Results:
+
+```
+service-account-key.pem
+service-account.pem
+```
+
+
+
 ## Distribute the Client and Server Certificates

 Copy the appropriate certificates and private keys to each worker instance:
@ -362,7 +407,8 @@ Copy the appropriate certificates and private keys to each controller instance:

 ```
 for instance in controller-0 controller-1 controller-2; do
-  gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${instance}:~/
+  gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
+    service-account-key.pem service-account.pem ${instance}:~/
 done
 ```

--- a/docs/08-bootstrapping-kubernetes-controllers.md
+++ b/docs/08-bootstrapping-kubernetes-controllers.md
@ -47,7 +47,9 @@ sudo mkdir -p /var/lib/kubernetes/
 ```

 ```
-sudo mv ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem encryption-config.yaml /var/lib/kubernetes/
+sudo mv ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
+  service-account-key.pem service-account.pem \
+  encryption-config.yaml /var/lib/kubernetes/
 ```

 The instance internal IP address will be used to advertise the API Server to members of the cluster. Retrieve the internal IP address for the current compute instance:
@ -90,7 +92,7 @@ ExecStart=/usr/local/bin/kube-apiserver \\
  --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\
  --kubelet-https=true \\
  --runtime-config=api/all \\
-  --service-account-key-file=/var/lib/kubernetes/ca-key.pem \\
+  --service-account-key-file=/var/lib/kubernetes/service-account.pem \\
  --service-cluster-ip-range=10.32.0.0/24 \\
  --service-node-port-range=30000-32767 \\
  --tls-cert-file=/var/lib/kubernetes/kubernetes.pem \\
@ -130,7 +132,7 @@ ExecStart=/usr/local/bin/kube-controller-manager \\
  --kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\
  --leader-elect=true \\
  --root-ca-file=/var/lib/kubernetes/ca.pem \\
-  --service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \\
+  --service-account-private-key-file=/var/lib/kubernetes/service-account-key.pem \\
  --service-cluster-ip-range=10.32.0.0/24 \\
  --use-service-account-credentials=true \\
  --v=2