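# OpenSSL request/CA configuration for a Kubernetes control plane.
#
# `[req]` produces the self-signed CA. Every other component (`[admin]`,
# `[service-accounts]`, `[node01]`, ...) has its own request section that
# points at a `*_distinguished_name` section and a `*_req_extensions`
# section; the caller selects the component section when running
# `openssl req`. All certificate extensions live in this file, so this is
# the single place to review what each identity is allowed to do.
#
# Comments are full-line `#` comments only; OpenSSL does not strip
# trailing comments from values.

[req]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = ca_x509_extensions

# Extensions for the CA certificate itself.
#
# basicConstraints is marked critical, as RFC 5280 (4.2.1.9) requires for
# CA certificates, and keyUsage is marked critical as well so that a
# verifier cannot silently ignore the cRLSign/keyCertSign restriction.
# subjectKeyIdentifier is added so certificates issued by this CA can be
# chained to it by key id rather than by subject name alone.
[ca_x509_extensions]
basicConstraints = critical, CA:TRUE
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash

[req_distinguished_name]
C = US
ST = Michigan
L = Redford
CN = CA

# Admin
#
# O = system:masters is the built-in superuser group: any client presenting
# a certificate in this group bypasses RBAC entirely. The resulting private
# key therefore needs the same handling as the CA key, and day-to-day
# administration should use a less privileged identity where possible.
[admin]
distinguished_name = admin_distinguished_name
prompt = no
req_extensions = default_req_extensions

[admin_distinguished_name]
CN = admin
O = system:masters

# Service Accounts
#
# The Kubernetes Controller Manager leverages a key pair to generate
# and sign service account tokens as described in the
# [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/)
# documentation.
#
# The key pair is used for token signing, not for TLS; the certificate is
# issued with the shared client-only `default_req_extensions`.
[service-accounts]
distinguished_name = service-accounts_distinguished_name
prompt = no
req_extensions = default_req_extensions

[service-accounts_distinguished_name]
CN = service-accounts

# Worker Nodes
#
# Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/)
# called Node Authorizer, that specifically authorizes API requests made
# by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet).
# In order to be authorized by the Node Authorizer, Kubelets must use a credential
# that identifies them as being in the `system:nodes` group, with a username
# of `system:node:<node name>` (see the CN in each node's distinguished name
# section below).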
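# Each node gets a per-node request section so that the SAN and the
# `system:node:<node name>` CN are specific to that kubelet. The
# certificate is dual-purpose (clientAuth for talking to the API server,
# serverAuth for the kubelet's own HTTPS endpoint), so nsCertType is set to
# `client, server` to match the extendedKeyUsage, the same way the API
# server section does; with only `client`, an OpenSSL `sslserver` purpose
# check would reject the kubelet's serving certificate.
#
# subjectAltName lists the node's short name and loopback only. If the API
# server reaches this kubelet by any other hostname or address, that name
# or address must be added here or server verification will fail.
[node01]
distinguished_name = node01_distinguished_name
prompt = no
req_extensions = node01_req_extensions

[node01_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client, server
nsComment = "node01 Certificate"
subjectAltName = DNS:node01, IP:127.0.0.1
subjectKeyIdentifier = hash

[node01_distinguished_name]
CN = system:node:node01
O = system:nodes
C = US
ST = Michigan
L = Redford

# Same layout as node01; only the node name differs.
[node02]
distinguished_name = node02_distinguished_name
prompt = no
req_extensions = node02_req_extensions

[node02_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client, server
nsComment = "node02 Certificate"
subjectAltName = DNS:node02, IP:127.0.0.1
subjectKeyIdentifier = hash

[node02_distinguished_name]
CN = system:node:node02
O = system:nodes
C = US
ST = Michigan
L = Redford

# Kube Proxy Section
#
# kube-proxy only needs to authenticate to the API server. serverAuth is
# kept as shipped, but it is only required if this component terminates
# TLS with this certificate; drop it otherwise to keep the credential
# client-only.
[kube-proxy]
distinguished_name = kube-proxy_distinguished_name
prompt = no
req_extensions = kube-proxy_req_extensions

[kube-proxy_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Kube Proxy Certificate"
subjectAltName = DNS:kube-proxy, IP:127.0.0.1
subjectKeyIdentifier = hash

[kube-proxy_distinguished_name]
CN = system:kube-proxy
O = system:node-proxier
C = US
ST = Michigan
L = Redford

# Controller Manager
#
# As with kube-proxy, serverAuth is only needed if the controller manager
# serves TLS with this certificate rather than a separately configured
# serving certificate. The distinguished-name section for this component
# follows in the next part of the file.
[kube-controller-manager]
distinguished_name = kube-controller-manager_distinguished_name
prompt = no
req_extensions = kube-controller-manager_req_extensions

[kube-controller-manager_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Kube Controller Manager Certificate"
subjectAltName = DNS:kube-controller-manager, IP:127.0.0.1
subjectKeyIdentifier = hash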
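# Distinguished name for the controller manager request section above.
[kube-controller-manager_distinguished_name]
CN = system:kube-controller-manager
O = system:kube-controller-manager
C = US
ST = Michigan
L = Redford

# Scheduler
#
# The group (O) previously read `system:system:kube-scheduler`, a doubled
# prefix; it is corrected to `system:kube-scheduler` so it matches the CN
# and the pattern used by the controller-manager section. As with the other
# control-plane clients, serverAuth is only needed if the scheduler serves
# TLS with this certificate.
[kube-scheduler]
distinguished_name = kube-scheduler_distinguished_name
prompt = no
req_extensions = kube-scheduler_req_extensions

[kube-scheduler_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Kube Scheduler Certificate"
subjectAltName = DNS:kube-scheduler, IP:127.0.0.1
subjectKeyIdentifier = hash

[kube-scheduler_distinguished_name]
CN = system:kube-scheduler
O = system:kube-scheduler
C = US
ST = Michigan
L = Redford

# API Server
#
# The Kubernetes API server is automatically assigned the `kubernetes`
# internal dns name, which will be linked to the first IP address (`10.32.0.1`)
# from the address range (`10.32.0.0/24`) reserved for internal cluster
# services.
#
# The certificate is both a server certificate (clients verify the names in
# the alt_names section) and a client certificate (the API server
# authenticates to kubelets), hence both extendedKeyUsage values and
# nsCertType = client, server.
[kube-apiserver]
distinguished_name = kube-apiserver_distinguished_name
prompt = no
req_extensions = kube-apiserver_req_extensions

# subjectAltName must reference the section that is actually defined below
# (`kube-apiserver_alt_names`); the previous `@kube-api-server_alt_names`
# pointed at a section that does not exist in this file, which makes
# OpenSSL reject the extension when generating the request.
[kube-apiserver_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client, server
nsComment = "Kube API Server Certificate"
subjectAltName = @kube-apiserver_alt_names
subjectKeyIdentifier = hash

# Every name or address a client may use to reach the API server must be
# listed here; TLS verification of the server fails for any other name.
# DNS.7 adds the canonical in-cluster FQDN (`<service>.<namespace>.svc.<cluster domain>`
# with the default `cluster.local` domain), which in-cluster clients
# commonly use and which was missing from the original list.
[kube-apiserver_alt_names]
IP.0 = 127.0.0.1
IP.1 = 10.32.0.1
DNS.0 = kubernetes
DNS.1 = kubernetes.default
DNS.2 = kubernetes.default.svc
DNS.3 = kubernetes.default.svc.cluster
DNS.4 = kubernetes.svc.cluster.local
DNS.5 = controlplane.kubernetes.local
DNS.6 = api-server.kubernetes.local
DNS.7 = kubernetes.default.svc.cluster.local

[kube-apiserver_distinguished_name]
CN = kubernetes
C = US
ST = Michigan
L = Redford

# Shared client-only extensions, used by the `[admin]` and
# `[service-accounts]` request sections. extendedKeyUsage is deliberately
# limited to clientAuth so these certificates cannot be presented as server
# certificates. nsComment is a fixed label and is not specific to the
# admin identity despite its wording; it carries no security meaning.
[default_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Admin Client Certificate"
subjectKeyIdentifier = hash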