2.0 KiB
2.0 KiB
Certificate Authority
In this lab you will setup the necessary PKI infrastructure to secure the Kuberentes components. This lab will leverage CloudFlare's PKI toolkit, cfssl, to bootstrap a Certificate Authority and generate TLS certificates.
Install CFSSL
Follow the CFSSL installation guide and install cfssl and cfssljson binaries.
Initialize a CA
Create the CA configuration file
echo '{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}' > ca-config.json
Generate the CA certificate and private key
Create the CA CSR:
echo '{
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "CA",
"ST": "Oregon"
}
]
}' > ca-csr.json
Generate the CA certificate and private key:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
Results:
ca-key.pem
ca.csr
ca.pem
openssl x509 -in ca.pem -text -noout
Generate Server and Client Certs
Generate the kube-apiserver server cert
echo '{
"CN": "kubernetes",
"hosts": [
"10.240.0.10",
"10.240.0.11",
"10.240.0.12",
"10.240.0.20",
"10.240.0.21",
"10.240.0.22",
"10.240.0.30",
"10.240.0.31",
"10.240.0.32",
"146.148.34.151",
"127.0.0.1"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "Cluster",
"ST": "Oregon"
}
]
}' > kubernetes-csr.json
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kubernetes-csr.json | cfssljson -bare kubernetes
openssl x509 -in kubernetes.pem -text -noout