493 lines
9.8 KiB
Markdown
493 lines
9.8 KiB
Markdown
# Provisioning a CA and Generating TLS Certificates
|
|
|
|
In this lab you will provision a [PKI Infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure) using CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), then use it to bootstrap a Certificate Authority, and generate TLS certificates for the following components: etcd, kube-apiserver, kubelet, and kube-proxy.
|
|
|
|
## Certificate Authority
|
|
|
|
In this section you will provision a Certificate Authority that can be used to generate additional TLS certificates.
|
|
|
|
Create the CA configuration file:
|
|
|
|
#### Linux & OS X
|
|
```
|
|
cat > ca-config.json <<EOF
|
|
{
|
|
"signing": {
|
|
"default": {
|
|
"expiry": "8760h"
|
|
},
|
|
"profiles": {
|
|
"kubernetes": {
|
|
"usages": ["signing", "key encipherment", "server auth", "client auth"],
|
|
"expiry": "8760h"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
EOF
|
|
```
|
|
|
|
#### Windows
|
|
```
|
|
New-Item ca-config.json -Value @"
|
|
{
|
|
"signing": {
|
|
"default": {
|
|
"expiry": "8760h"
|
|
},
|
|
"profiles": {
|
|
"kubernetes": {
|
|
"usages": ["signing", "key encipherment", "server auth", "client auth"],
|
|
"expiry": "8760h"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
"@
|
|
```
|
|
|
|
Create the CA certificate signing request:
|
|
|
|
#### Linux & OS X
|
|
```
|
|
cat > ca-csr.json <<EOF
|
|
{
|
|
"CN": "Kubernetes",
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "Kubernetes",
|
|
"OU": "CA",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
```
|
|
|
|
#### Windows
|
|
```
|
|
New-Item ca-csr.json -Value @"
|
|
{
|
|
"CN": "Kubernetes",
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "Kubernetes",
|
|
"OU": "CA",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}
|
|
"@
|
|
```
|
|
|
|
Generate the CA certificate and private key:
|
|
|
|
```
|
|
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
|
|
```
|
|
|
|
Results:
|
|
|
|
```
|
|
ca-key.pem
|
|
ca.pem
|
|
```
|
|
|
|
## Client and Server Certificates
|
|
|
|
In this section you will generate client and server certificates for each Kubernetes component and a client certificate for the Kubernetes `admin` user.
|
|
|
|
### The Admin Client Certificate
|
|
|
|
Create the `admin` client certificate signing request:
|
|
|
|
#### Linux & OS X
|
|
```
|
|
cat > admin-csr.json <<EOF
|
|
{
|
|
"CN": "admin",
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "system:masters",
|
|
"OU": "Kubernetes The Hard Way",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
```
|
|
|
|
#### Windows
|
|
```
|
|
New-Item admin-csr.json -Value @"
|
|
{
|
|
"CN": "admin",
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "system:masters",
|
|
"OU": "Kubernetes The Hard Way",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}
|
|
"@
|
|
```
|
|
|
|
Generate the `admin` client certificate and private key:
|
|
|
|
#### Linux & OS X
|
|
```
|
|
cfssl gencert \
|
|
-ca=ca.pem \
|
|
-ca-key=ca-key.pem \
|
|
-config=ca-config.json \
|
|
-profile=kubernetes \
|
|
admin-csr.json | cfssljson -bare admin
|
|
```
|
|
|
|
#### Windows
|
|
```
|
|
cfssl gencert `
|
|
-ca=ca.pem `
|
|
-ca-key=ca-key.pem `
|
|
-config=ca-config.json `
|
|
-profile=kubernetes `
|
|
admin-csr.json | cfssljson -bare admin
|
|
```
|
|
|
|
Results:
|
|
|
|
```
|
|
admin-key.pem
|
|
admin.pem
|
|
```
|
|
|
|
### The Kubelet Client Certificates
|
|
|
|
Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/) called Node Authorizer, that specifically authorizes API requests made by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet). In order to be authorized by the Node Authorizer, Kubelets must use a credential that identifies them as being in the `system:nodes` group, with a username of `system:node:<nodeName>`. In this section you will create a certificate for each Kubernetes worker node that meets the Node Authorizer requirements.
|
|
|
|
Generate a certificate and private key for each Kubernetes worker node:
|
|
|
|
#### Linux & OS X
|
|
```
|
|
for instance in worker-0 worker-1 worker-2; do
|
|
cat > ${instance}-csr.json <<EOF
|
|
{
|
|
"CN": "system:node:${instance}",
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "system:nodes",
|
|
"OU": "Kubernetes The Hard Way",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
|
|
EXTERNAL_IP=$(gcloud compute instances describe ${instance} \
|
|
--format 'value(networkInterfaces[0].accessConfigs[0].natIP)')
|
|
|
|
INTERNAL_IP=$(gcloud compute instances describe ${instance} \
|
|
--format 'value(networkInterfaces[0].networkIP)')
|
|
|
|
cfssl gencert \
|
|
-ca=ca.pem \
|
|
-ca-key=ca-key.pem \
|
|
-config=ca-config.json \
|
|
-hostname=${instance},${EXTERNAL_IP},${INTERNAL_IP} \
|
|
-profile=kubernetes \
|
|
${instance}-csr.json | cfssljson -bare ${instance}
|
|
done
|
|
```
|
|
|
|
#### Windows
|
|
|
|
```
|
|
@('worker-0', 'worker-1', 'worker-2') | ForEach-Object {
|
|
New-Item $_-csr.json -Value @"
|
|
{
|
|
"CN": "system:node:$_",
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "system:nodes",
|
|
"OU": "Kubernetes The Hard Way",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}
|
|
"@
|
|
|
|
$EXTERNAL_IP=$(gcloud compute instances describe $_ `
|
|
--format 'value(networkInterfaces[0].accessConfigs[0].natIP)')
|
|
|
|
$INTERNAL_IP=$(gcloud compute instances describe $_ `
|
|
--format 'value(networkInterfaces[0].networkIP)')
|
|
|
|
cfssl gencert `
|
|
-ca ca.pem `
|
|
-ca-key ca-key.pem `
|
|
-config ca-config.json `
|
|
-hostname $_,$EXTERNAL_IP,$INTERNAL_IP `
|
|
-profile kubernetes `
|
|
$_-csr.json | cfssljson -bare $_
|
|
}
|
|
```
|
|
|
|
Results:
|
|
|
|
```
|
|
worker-0-key.pem
|
|
worker-0.pem
|
|
worker-1-key.pem
|
|
worker-1.pem
|
|
worker-2-key.pem
|
|
worker-2.pem
|
|
```
|
|
|
|
### The kube-proxy Client Certificate
|
|
|
|
Create the `kube-proxy` client certificate signing request:
|
|
|
|
#### Linux & OS X
|
|
```
|
|
cat > kube-proxy-csr.json <<EOF
|
|
{
|
|
"CN": "system:kube-proxy",
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "system:node-proxier",
|
|
"OU": "Kubernetes The Hard Way",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
```
|
|
|
|
#### Windows
|
|
```
|
|
New-Item kube-proxy-csr.json -Value @"
|
|
{
|
|
"CN": "system:kube-proxy",
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "system:node-proxier",
|
|
"OU": "Kubernetes The Hard Way",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}
|
|
"@
|
|
```
|
|
|
|
Generate the `kube-proxy` client certificate and private key:
|
|
|
|
#### Linux & OS X
|
|
```
|
|
cfssl gencert \
|
|
-ca=ca.pem \
|
|
-ca-key=ca-key.pem \
|
|
-config=ca-config.json \
|
|
-profile=kubernetes \
|
|
kube-proxy-csr.json | cfssljson -bare kube-proxy
|
|
```
|
|
|
|
#### Windows
|
|
```
|
|
cfssl gencert `
|
|
-ca ca.pem `
|
|
-ca-key ca-key.pem `
|
|
-config ca-config.json `
|
|
-profile kubernetes `
|
|
kube-proxy-csr.json | cfssljson -bare kube-proxy
|
|
```
|
|
|
|
Results:
|
|
|
|
```
|
|
kube-proxy-key.pem
|
|
kube-proxy.pem
|
|
```
|
|
|
|
### The Kubernetes API Server Certificate
|
|
|
|
The `kubernetes-the-hard-way` static IP address will be included in the list of subject alternative names for the Kubernetes API Server certificate. This will ensure the certificate can be validated by remote clients.
|
|
|
|
Retrieve the `kubernetes-the-hard-way` static IP address:
|
|
|
|
#### Linux & OS X
|
|
```
|
|
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
|
|
--region $(gcloud config get-value compute/region) \
|
|
--format 'value(address)')
|
|
```
|
|
|
|
#### Windows
|
|
```
|
|
$KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way `
|
|
--region $(gcloud config get-value compute/region) `
|
|
--format 'value(address)')
|
|
```
|
|
|
|
Create the Kubernetes API Server certificate signing request:
|
|
|
|
#### Linux & OS X
|
|
```
|
|
cat > kubernetes-csr.json <<EOF
|
|
{
|
|
"CN": "kubernetes",
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "Kubernetes",
|
|
"OU": "Kubernetes The Hard Way",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
```
|
|
|
|
#### Windows
|
|
```
|
|
New-Item kubernetes-csr.json -Value @"
|
|
{
|
|
"CN": "kubernetes",
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "Portland",
|
|
"O": "Kubernetes",
|
|
"OU": "Kubernetes The Hard Way",
|
|
"ST": "Oregon"
|
|
}
|
|
]
|
|
}
|
|
"@
|
|
```
|
|
|
|
Generate the Kubernetes API Server certificate and private key:
|
|
|
|
#### Linux & OS X
|
|
```
|
|
cfssl gencert \
|
|
-ca=ca.pem \
|
|
-ca-key=ca-key.pem \
|
|
-config=ca-config.json \
|
|
-hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,kubernetes.default \
|
|
-profile=kubernetes \
|
|
kubernetes-csr.json | cfssljson -bare kubernetes
|
|
```
|
|
|
|
#### Windows
|
|
```
|
|
cfssl gencert `
|
|
-ca ca.pem `
|
|
-ca-key ca-key.pem `
|
|
-config ca-config.json `
|
|
-hostname 10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,$KUBERNETES_PUBLIC_ADDRESS,127.0.0.1,kubernetes.default `
|
|
-profile kubernetes `
|
|
kubernetes-csr.json | cfssljson -bare kubernetes
|
|
```
|
|
|
|
Results:
|
|
|
|
```
|
|
kubernetes-key.pem
|
|
kubernetes.pem
|
|
```
|
|
|
|
## Distribute the Client and Server Certificates
|
|
|
|
Copy the appropriate certificates and private keys to each worker instance:
|
|
|
|
#### Linux & OS X
|
|
```
|
|
for instance in worker-0 worker-1 worker-2; do
|
|
gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/
|
|
done
|
|
```
|
|
|
|
#### Windows
|
|
```
|
|
@('worker-0','worker-1','worker-2') | ForEach-Object {
|
|
gcloud compute scp ca.pem "$_-key.pem" "$_.pem" ${_}:/home/$env:USERNAME/
|
|
}
|
|
```
|
|
|
|
Copy the appropriate certificates and private keys to each controller instance:
|
|
|
|
#### Linux & OS X
|
|
```
|
|
for instance in controller-0 controller-1 controller-2; do
|
|
gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${instance}:~/
|
|
done
|
|
```
|
|
|
|
#### Windows
|
|
```
|
|
@('controller-0', 'controller-1', 'controller-2') | ForEach-Object {
|
|
gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${_}:/home/$env:USERNAME/
|
|
}
|
|
```
|
|
> The `kube-proxy` and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.
|
|
|
|
Next: [Generating Kubernetes Configuration Files for Authentication](05-kubernetes-configuration-files.md)
|