Adapt certificates generation (step 04)

pull/582/head
Nemo 2020-06-20 13:48:17 +02:00
parent c2a489998d
commit f2e097ad65
1 changed files with 43 additions and 75 deletions


@ -6,11 +6,9 @@ In this lab you will provision a [PKI Infrastructure](https://en.wikipedia.org/w
In this section you will provision a Certificate Authority that can be used to generate additional TLS certificates. In this section you will provision a Certificate Authority that can be used to generate additional TLS certificates.
Generate the CA configuration file, certificate, and private key: On the `gateway-01` VM, generate the CA configuration file, certificate, and private key:
```bash ```bash
{
cat > ca-config.json <<EOF cat > ca-config.json <<EOF
{ {
"signing": { "signing": {
@ -36,19 +34,17 @@ cat > ca-csr.json <<EOF
}, },
"names": [ "names": [
{ {
"C": "US", "C": "FR",
"L": "Portland", "L": "Rennes",
"O": "Kubernetes", "O": "Kubernetes",
"OU": "CA", "OU": "CA",
"ST": "Oregon" "ST": "Bretagne"
} }
] ]
} }
EOF EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca cfssl gencert -initca ca-csr.json | cfssljson -bare ca
}
``` ```
Results: Results:
@ -64,11 +60,9 @@ In this section you will generate client and server certificates for each Kubern
### The Admin Client Certificate ### The Admin Client Certificate
Generate the `admin` client certificate and private key: On the `gateway-01` VM, generate the `admin` client certificate and private key:
```bash ```bash
{
cat > admin-csr.json <<EOF cat > admin-csr.json <<EOF
{ {
"CN": "admin", "CN": "admin",
@ -78,11 +72,11 @@ cat > admin-csr.json <<EOF
}, },
"names": [ "names": [
{ {
"C": "US", "C": "FR",
"L": "Portland", "L": "Rennes",
"O": "system:masters", "O": "system:masters",
"OU": "Kubernetes The Hard Way", "OU": "Kubernetes The Hard Way",
"ST": "Oregon" "ST": "Bretagne"
} }
] ]
} }
@ -94,8 +88,6 @@ cfssl gencert \
-config=ca-config.json \ -config=ca-config.json \
-profile=kubernetes \ -profile=kubernetes \
admin-csr.json | cfssljson -bare admin admin-csr.json | cfssljson -bare admin
}
``` ```
Results: Results:
@ -109,42 +101,40 @@ admin.pem
Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/) called Node Authorizer, that specifically authorizes API requests made by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet). In order to be authorized by the Node Authorizer, Kubelets must use a credential that identifies them as being in the `system:nodes` group, with a username of `system:node:<nodeName>`. In this section you will create a certificate for each Kubernetes worker node that meets the Node Authorizer requirements. Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/) called Node Authorizer, that specifically authorizes API requests made by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet). In order to be authorized by the Node Authorizer, Kubelets must use a credential that identifies them as being in the `system:nodes` group, with a username of `system:node:<nodeName>`. In this section you will create a certificate for each Kubernetes worker node that meets the Node Authorizer requirements.
Generate a certificate and private key for each Kubernetes worker node: On the `gateway-01` VM, generate a certificate and private key for each Kubernetes worker node (you need to replace YOUR_EXTERNAL_IP by your external IP address):
```bash ```bash
for instance in worker-0 worker-1 worker-2; do for id_instance in 0 1 2; do
cat > ${instance}-csr.json <<EOF cat > worker-${id_instance}-csr.json <<EOF
{ {
"CN": "system:node:${instance}", "CN": "system:node:worker-${id_instance}",
"key": { "key": {
"algo": "rsa", "algo": "rsa",
"size": 2048 "size": 2048
}, },
"names": [ "names": [
{ {
"C": "US", "C": "FR",
"L": "Portland", "L": "Rennes",
"O": "system:nodes", "O": "system:nodes",
"OU": "Kubernetes The Hard Way", "OU": "Kubernetes The Hard Way",
"ST": "Oregon" "ST": "Bretagne"
} }
] ]
} }
EOF EOF
EXTERNAL_IP=$(gcloud compute instances describe ${instance} \ EXTERNAL_IP=YOUR_EXTERNAL_IP
--format 'value(networkInterfaces[0].accessConfigs[0].natIP)')
INTERNAL_IP=$(gcloud compute instances describe ${instance} \ INTERNAL_IP=192.168.8.2${id_instance}
--format 'value(networkInterfaces[0].networkIP)')
cfssl gencert \ cfssl gencert \
-ca=ca.pem \ -ca=ca.pem \
-ca-key=ca-key.pem \ -ca-key=ca-key.pem \
-config=ca-config.json \ -config=ca-config.json \
-hostname=${instance},${EXTERNAL_IP},${INTERNAL_IP} \ -hostname=worker-${id_instance},${EXTERNAL_IP},${INTERNAL_IP} \
-profile=kubernetes \ -profile=kubernetes \
${instance}-csr.json | cfssljson -bare ${instance} worker-${id_instance}-csr.json | cfssljson -bare worker-${id_instance}
done done
``` ```
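Review bot: `EXTERNAL_IP=YOUR_EXTERNAL_IP` is assigned inside the loop, so all three kubelet certificates end up with the same public address as a SAN; if that address belongs to `gateway-01` rather than to the workers, drop it from `-hostname` (the API server reaches kubelets on `INTERNAL_IP`), and if it is intentional, hoist the assignment above the loop so the reader edits one line instead of finding it inside the heredoc block. The `INTERNAL_IP=192.168.8.2${id_instance}` scheme (192.168.8.20, .21, .22) should also be stated in the prose or derived from the same source the later labs use, otherwise the SAN will not match the address a worker actually binds to.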
@ -161,11 +151,9 @@ worker-2.pem
### The Controller Manager Client Certificate ### The Controller Manager Client Certificate
Generate the `kube-controller-manager` client certificate and private key: On the `gateway-01` VM, generate the `kube-controller-manager` client certificate and private key:
```bash ```bash
{
cat > kube-controller-manager-csr.json <<EOF cat > kube-controller-manager-csr.json <<EOF
{ {
"CN": "system:kube-controller-manager", "CN": "system:kube-controller-manager",
@ -175,11 +163,11 @@ cat > kube-controller-manager-csr.json <<EOF
}, },
"names": [ "names": [
{ {
"C": "US", "C": "FR",
"L": "Portland", "L": "Rennes",
"O": "system:kube-controller-manager", "O": "system:kube-controller-manager",
"OU": "Kubernetes The Hard Way", "OU": "Kubernetes The Hard Way",
"ST": "Oregon" "ST": "Bretagne"
} }
] ]
} }
@ -191,8 +179,6 @@ cfssl gencert \
-config=ca-config.json \ -config=ca-config.json \
-profile=kubernetes \ -profile=kubernetes \
kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
}
``` ```
Results: Results:
@ -204,11 +190,9 @@ kube-controller-manager.pem
### The Kube Proxy Client Certificate ### The Kube Proxy Client Certificate
Generate the `kube-proxy` client certificate and private key: On the `gateway-01` VM, generate the `kube-proxy` client certificate and private key:
```bash ```bash
{
cat > kube-proxy-csr.json <<EOF cat > kube-proxy-csr.json <<EOF
{ {
"CN": "system:kube-proxy", "CN": "system:kube-proxy",
@ -218,11 +202,11 @@ cat > kube-proxy-csr.json <<EOF
}, },
"names": [ "names": [
{ {
"C": "US", "C": "FR",
"L": "Portland", "L": "Rennes",
"O": "system:node-proxier", "O": "system:node-proxier",
"OU": "Kubernetes The Hard Way", "OU": "Kubernetes The Hard Way",
"ST": "Oregon" "ST": "Bretagne"
} }
] ]
} }
@ -234,8 +218,6 @@ cfssl gencert \
-config=ca-config.json \ -config=ca-config.json \
-profile=kubernetes \ -profile=kubernetes \
kube-proxy-csr.json | cfssljson -bare kube-proxy kube-proxy-csr.json | cfssljson -bare kube-proxy
}
``` ```
Results: Results:
@ -247,11 +229,9 @@ kube-proxy.pem
### The Scheduler Client Certificate ### The Scheduler Client Certificate
Generate the `kube-scheduler` client certificate and private key: On the `gateway-01` VM, generate the `kube-scheduler` client certificate and private key:
```bash ```bash
{
cat > kube-scheduler-csr.json <<EOF cat > kube-scheduler-csr.json <<EOF
{ {
"CN": "system:kube-scheduler", "CN": "system:kube-scheduler",
@ -261,11 +241,11 @@ cat > kube-scheduler-csr.json <<EOF
}, },
"names": [ "names": [
{ {
"C": "US", "C": "FR",
"L": "Portland", "L": "Rennes",
"O": "system:kube-scheduler", "O": "system:kube-scheduler",
"OU": "Kubernetes The Hard Way", "OU": "Kubernetes The Hard Way",
"ST": "Oregon" "ST": "Bretagne"
} }
] ]
} }
@ -277,8 +257,6 @@ cfssl gencert \
-config=ca-config.json \ -config=ca-config.json \
-profile=kubernetes \ -profile=kubernetes \
kube-scheduler-csr.json | cfssljson -bare kube-scheduler kube-scheduler-csr.json | cfssljson -bare kube-scheduler
}
``` ```
Results: Results:
@ -292,14 +270,10 @@ kube-scheduler.pem
The `kubernetes-the-hard-way` static IP address will be included in the list of subject alternative names for the Kubernetes API Server certificate. This will ensure the certificate can be validated by remote clients. The `kubernetes-the-hard-way` static IP address will be included in the list of subject alternative names for the Kubernetes API Server certificate. This will ensure the certificate can be validated by remote clients.
Generate the Kubernetes API Server certificate and private key: On the `gateway-01` VM, generate the Kubernetes API Server certificate and private key (you need to replace YOUR_EXTERNAL_IP by your external IP address):
```bash ```bash
{ KUBERNETES_PUBLIC_ADDRESS=YOUR_EXTERNAL_IP
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
--region $(gcloud config get-value compute/region) \
--format 'value(address)')
KUBERNETES_HOSTNAMES=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local KUBERNETES_HOSTNAMES=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local
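Review bot: the unchanged first line of this hunk still promises that the `kubernetes-the-hard-way` static IP address will be a SAN, but that GCP reserved address no longer exists in this adaptation; reword it to refer to the address the reader substitutes for `YOUR_EXTERNAL_IP`, and say whether that is the `gateway-01` address, since remote clients must connect with exactly the address placed in the SAN list for validation to succeed.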
@ -312,11 +286,11 @@ cat > kubernetes-csr.json <<EOF
}, },
"names": [ "names": [
{ {
"C": "US", "C": "FR",
"L": "Portland", "L": "Rennes",
"O": "Kubernetes", "O": "Kubernetes",
"OU": "Kubernetes The Hard Way", "OU": "Kubernetes The Hard Way",
"ST": "Oregon" "ST": "Bretagne"
} }
] ]
} }
@ -329,8 +303,6 @@ cfssl gencert \
-hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,${KUBERNETES_HOSTNAMES} \ -hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,${KUBERNETES_HOSTNAMES} \
-profile=kubernetes \ -profile=kubernetes \
kubernetes-csr.json | cfssljson -bare kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
}
``` ```
> The Kubernetes API server is automatically assigned the `kubernetes` internal dns name, which will be linked to the first IP address (`10.32.0.1`) from the address range (`10.32.0.0/24`) reserved for internal cluster services during the [control plane bootstrapping](08-bootstrapping-kubernetes-controllers.md#configure-the-kubernetes-api-server) lab. > The Kubernetes API server is automatically assigned the `kubernetes` internal dns name, which will be linked to the first IP address (`10.32.0.1`) from the address range (`10.32.0.0/24`) reserved for internal cluster services during the [control plane bootstrapping](08-bootstrapping-kubernetes-controllers.md#configure-the-kubernetes-api-server) lab.
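Review bot: the `-hostname` list keeps the GCP controller addresses `10.240.0.10,10.240.0.11,10.240.0.12` while the worker certificates in this same file were moved to `192.168.8.2x`; if the controllers were re-addressed as well, any client connecting to a controller by its new internal IP will fail TLS hostname verification. Replace those three entries with the controllers' actual addresses (or a variable set the same way as `INTERNAL_IP` above) and keep `10.32.0.1` only if the service CIDR is still `10.32.0.0/24`, as the note below this hunk still states.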
@ -346,11 +318,9 @@ kubernetes.pem
The Kubernetes Controller Manager leverages a key pair to generate and sign service account tokens as described in the [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/) documentation. The Kubernetes Controller Manager leverages a key pair to generate and sign service account tokens as described in the [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/) documentation.
Generate the `service-account` certificate and private key: On the `gateway-01` VM, generate the `service-account` certificate and private key:
```bash ```bash
{
cat > service-account-csr.json <<EOF cat > service-account-csr.json <<EOF
{ {
"CN": "service-accounts", "CN": "service-accounts",
@ -360,11 +330,11 @@ cat > service-account-csr.json <<EOF
}, },
"names": [ "names": [
{ {
"C": "US", "C": "FR",
"L": "Portland", "L": "Rennes",
"O": "Kubernetes", "O": "Kubernetes",
"OU": "Kubernetes The Hard Way", "OU": "Kubernetes The Hard Way",
"ST": "Oregon" "ST": "Bretagne"
} }
] ]
} }
@ -376,8 +346,6 @@ cfssl gencert \
-config=ca-config.json \ -config=ca-config.json \
-profile=kubernetes \ -profile=kubernetes \
service-account-csr.json | cfssljson -bare service-account service-account-csr.json | cfssljson -bare service-account
}
``` ```
Results: Results:
@ -393,7 +361,7 @@ Copy the appropriate certificates and private keys to each worker instance:
```bash ```bash
for instance in worker-0 worker-1 worker-2; do for instance in worker-0 worker-1 worker-2; do
gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/ scp ca.pem ${instance}-key.pem ${instance}.pem $root@{instance}:~/
done done
``` ```
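Review bot: `$root@{instance}:~/` is a shell bug: `$root` expands to an empty string and `{instance}` is never expanded, so `scp` is handed the literal target `@{instance}:~/` and the copy fails. It should read `root@${instance}:~/`, matching the controller loop that follows. The prose should also state the prerequisites this replaces `gcloud compute scp` with: that `worker-0`, `worker-1` and `worker-2` resolve from `gateway-01` and that root SSH login is permitted on the workers (or point the reader at a sudo-capable user instead).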
@ -401,8 +369,8 @@ Copy the appropriate certificates and private keys to each controller instance:
```bash ```bash
for instance in controller-0 controller-1 controller-2; do for instance in controller-0 controller-1 controller-2; do
gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \ scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
service-account-key.pem service-account.pem ${instance}:~/ service-account-key.pem service-account.pem root@${instance}:~/
done done
``` ```
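Review bot: this loop pushes `ca-key.pem` to all three controllers as `root` over plain `scp`, which the upstream lab also does, but now that the CA private key is generated and kept on `gateway-01` the page should say so explicitly and note that `controller-0..2` must resolve from `gateway-01` and accept root logins before this step; otherwise the reader only discovers the missing `/etc/hosts` entries or `PermitRootLogin` setting when the copy fails.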