348 lines
6.5 KiB
Markdown
348 lines
6.5 KiB
Markdown
# Setting up a Certificate Authority and TLS Cert Generation
|
|
|
|
In this lab you will setup the necessary PKI infrastructure to secure the Kubernetes components. This lab will leverage CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), to bootstrap a Certificate Authority and generate TLS certificates.
|
|
|
|
In this lab you will generate a single set of TLS certificates that can be used to secure the following Kubernetes components:
|
|
|
|
* etcd
|
|
* Kubernetes API Server
|
|
* Kubernetes Kubelet
|
|
|
|
> In production you should strongly consider generating individual TLS certificates for each component.
|
|
|
|
After completing this lab you should have the following TLS keys and certificates:
|
|
|
|
```
|
|
admin.pem
|
|
admin-key.pem
|
|
ca-key.pem
|
|
ca.pem
|
|
kubernetes-key.pem
|
|
kubernetes.pem
|
|
kube-proxy.pem
|
|
kube-proxy-key.pem
|
|
```
|
|
|
|
|
|
## Install CFSSL
|
|
|
|
This lab requires the `cfssl` and `cfssljson` binaries. Download them from the [cfssl repository](https://pkg.cfssl.org).
|
|
|
|
### OS X
|
|
|
|
```
|
|
wget https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64
|
|
chmod +x cfssl_darwin-amd64
|
|
sudo mv cfssl_darwin-amd64 /usr/local/bin/cfssl
|
|
```
|
|
|
|
```
|
|
wget https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64
|
|
chmod +x cfssljson_darwin-amd64
|
|
sudo mv cfssljson_darwin-amd64 /usr/local/bin/cfssljson
|
|
```
|
|
|
|
|
|
### Linux
|
|
|
|
```
|
|
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
|
|
chmod +x cfssl_linux-amd64
|
|
sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl
|
|
```
|
|
|
|
```
|
|
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
|
|
chmod +x cfssljson_linux-amd64
|
|
sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
|
|
```
|
|
|
|
## Setting up a Certificate Authority
|
|
|
|
### Create the CA configuration file
|
|
|
|
```
|
|
echo '{
|
|
"signing": {
|
|
"default": {
|
|
"expiry": "8760h"
|
|
},
|
|
"profiles": {
|
|
"kubernetes": {
|
|
"usages": ["signing", "key encipherment", "server auth", "client auth"],
|
|
"expiry": "8760h"
|
|
}
|
|
}
|
|
}
|
|
}' > ca-config.json
|
|
```
|
|
|
|
### Generate the CA certificate and private key
|
|
|
|
Create the CA CSR:
|
|
|
|
```
|
|
echo '{
|
|
"CN": "Kubernetes",
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "Kubernetes",
|
|
"OU": "CA",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}' > ca-csr.json
|
|
```
|
|
|
|
Generate the CA certificate and private key:
|
|
|
|
```
|
|
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
|
|
```
|
|
|
|
Results:
|
|
|
|
```
|
|
ca-key.pem
|
|
ca.csr
|
|
ca.pem
|
|
```
|
|
|
|
### Verification
|
|
|
|
```
|
|
openssl x509 -in ca.pem -text -noout
|
|
```
|
|
|
|
## Generate the single Kubernetes TLS Cert
|
|
|
|
In this section we will generate a TLS certificate that will be valid for all Kubernetes components. This is being done for ease of use. In production you should strongly consider generating individual TLS certificates for each component. (But all replicas of a given component must share the same certificate.)
|
|
|
|
### Set the Kubernetes Public Address
|
|
|
|
#### GCE
|
|
|
|
```
|
|
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes \
|
|
--format 'value(address)')
|
|
```
|
|
|
|
#### AWS
|
|
|
|
```
|
|
KUBERNETES_PUBLIC_ADDRESS=$(aws elb describe-load-balancers \
|
|
--load-balancer-name kubernetes | \
|
|
jq -r '.LoadBalancerDescriptions[].DNSName')
|
|
```
|
|
|
|
---
|
|
|
|
Create the `admin-csr.json` file:
|
|
|
|
```
|
|
cat > admin-csr.json <<EOF
|
|
{
|
|
"CN": "admin",
|
|
"hosts": [],
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "system:masters",
|
|
"OU": "Cluster",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
```
|
|
|
|
Generate the admin certificate and private key:
|
|
|
|
```
|
|
cfssl gencert \
|
|
-ca=ca.pem \
|
|
-ca-key=ca-key.pem \
|
|
-config=ca-config.json \
|
|
-profile=kubernetes \
|
|
admin-csr.json | cfssljson -bare admin
|
|
```
|
|
|
|
Results:
|
|
|
|
```
|
|
admin-key.pem
|
|
admin.csr
|
|
admin.pem
|
|
```
|
|
|
|
Create the `kube-proxy-csr.json` file:
|
|
|
|
```
|
|
cat > kube-proxy-csr.json <<EOF
|
|
{
|
|
"CN": "system:kube-proxy",
|
|
"hosts": [],
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "system:node-proxier",
|
|
"OU": "Cluster",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
```
|
|
|
|
Generate the node-proxier certificate and private key:
|
|
|
|
```
|
|
cfssl gencert \
|
|
-ca=ca.pem \
|
|
-ca-key=ca-key.pem \
|
|
-config=ca-config.json \
|
|
-profile=kubernetes \
|
|
kube-proxy-csr.json | cfssljson -bare kube-proxy
|
|
```
|
|
|
|
Results:
|
|
|
|
```
|
|
kube-proxy-key.pem
|
|
kube-proxy.csr
|
|
kube-proxy.pem
|
|
```
|
|
|
|
|
|
Create the `kubernetes-csr.json` file:
|
|
|
|
```
|
|
cat > kubernetes-csr.json <<EOF
|
|
{
|
|
"CN": "kubernetes",
|
|
"hosts": [
|
|
"10.32.0.1",
|
|
"10.240.0.10",
|
|
"10.240.0.11",
|
|
"10.240.0.12",
|
|
"ip-10-240-0-20",
|
|
"ip-10-240-0-21",
|
|
"ip-10-240-0-22",
|
|
"${KUBERNETES_PUBLIC_ADDRESS}",
|
|
"127.0.0.1",
|
|
"kubernetes.default"
|
|
],
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "Kubernetes",
|
|
"OU": "Cluster",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
```
|
|
|
|
Generate the Kubernetes certificate and private key:
|
|
|
|
```
|
|
cfssl gencert \
|
|
-ca=ca.pem \
|
|
-ca-key=ca-key.pem \
|
|
-config=ca-config.json \
|
|
-profile=kubernetes \
|
|
kubernetes-csr.json | cfssljson -bare kubernetes
|
|
```
|
|
|
|
Results:
|
|
|
|
```
|
|
kubernetes-key.pem
|
|
kubernetes.csr
|
|
kubernetes.pem
|
|
```
|
|
|
|
### Verification
|
|
|
|
```
|
|
openssl x509 -in kubernetes.pem -text -noout
|
|
```
|
|
|
|
## Copy TLS Certs
|
|
|
|
Set the list of Kubernetes hosts where the certs should be copied to:
|
|
|
|
```
|
|
KUBERNETES_HOSTS=(controller0 controller1 controller2 worker0 worker1 worker2)
|
|
```
|
|
|
|
```
|
|
KUBERNETES_CONTROLLERS=(controller0 controller1 controller2)
|
|
```
|
|
|
|
### GCE
|
|
|
|
The following command will:
|
|
|
|
* Copy the TLS certificates and keys to each Kubernetes host using the `gcloud compute copy-files` command.
|
|
|
|
```
|
|
for host in ${KUBERNETES_HOSTS[*]}; do
|
|
gcloud compute copy-files ca.pem ${host}:~/
|
|
done
|
|
```
|
|
|
|
```
|
|
for host in ${KUBERNETES_CONTROLLERS[*]}; do
|
|
gcloud compute copy-files ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${host}:~/
|
|
done
|
|
```
|
|
|
|
### AWS
|
|
|
|
The following command will:
|
|
* Extract the public IP address for each Kubernetes host
|
|
* Copy the TLS certificates and keys to each Kubernetes host using `scp`
|
|
|
|
```
|
|
for host in ${KUBERNETES_HOSTS[*]}; do
|
|
PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \
|
|
--filters "Name=tag:Name,Values=${host}" | \
|
|
jq -r '.Reservations[].Instances[].PublicIpAddress')
|
|
scp -o "StrictHostKeyChecking no" ca.pem \
|
|
ubuntu@${PUBLIC_IP_ADDRESS}:~/
|
|
done
|
|
```
|
|
|
|
```
|
|
for host in ${KUBERNETES_HOSTS[*]}; do
|
|
PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \
|
|
--filters "Name=tag:Name,Values=${host}" | \
|
|
jq -r '.Reservations[].Instances[].PublicIpAddress')
|
|
scp -o "StrictHostKeyChecking no" ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
|
|
ubuntu@${PUBLIC_IP_ADDRESS}:~/
|
|
done
|
|
```
|