Provisioning a CA and Generating TLS Certificates
In this lab you will provision a PKI using CloudFlare's PKI toolkit, cfssl: you will bootstrap a Certificate Authority and then use it to generate TLS certificates for the following components: etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy.
Certificate Authority
In this section you will provision a Certificate Authority that can be used to generate additional TLS certificates. The ca-config.json below defines a single signing profile, kubernetes, which gives every certificate it signs a one-year expiry (8760h) and both the server auth and client auth extended key usages; every component certificate in this lab is issued with that profile, so each one is technically usable as a server certificate for any name in its SAN list as well as a client certificate.
Generate the CA configuration file, certificate, and private key:
{
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "CA",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
}
2019/01/05 16:02:00 [INFO] generating a new CA key and certificate from CSR
2019/01/05 16:02:00 [INFO] generate received request
2019/01/05 16:02:00 [INFO] received CSR
2019/01/05 16:02:00 [INFO] generating key: rsa-2048
2019/01/05 16:02:01 [INFO] encoded CSR
2019/01/05 16:02:01 [INFO] signed certificate with serial number 323025748688708318570253284733879669822799068156
Results:
ca-key.pem
ca.pem
Client and Server Certificates
In this section you will generate client and server certificates for each Kubernetes component and a client certificate for the Kubernetes admin user. When a client authenticates to the API server with an X.509 certificate, Kubernetes takes the username from the certificate's Common Name (CN) and the group memberships from its Organization (O) fields, so the subject declared in each CSR below is what binds the certificate to a Kubernetes identity.
The Admin Client Certificate
Generate the admin client certificate and private key. The O value system:masters places this user in the system:masters group, which the default RBAC bindings map to cluster-admin, so admin-key.pem is the most powerful credential this lab produces:
{
cat > admin-csr.json <<EOF
{
"CN": "admin",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:masters",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
admin-csr.json | cfssljson -bare admin
}
2019/01/05 16:03:28 [INFO] generate received request
2019/01/05 16:03:28 [INFO] received CSR
2019/01/05 16:03:28 [INFO] generating key: rsa-2048
2019/01/05 16:03:28 [INFO] encoded CSR
2019/01/05 16:03:28 [INFO] signed certificate with serial number 397241996261079825564698472796581367873151234788
2019/01/05 16:03:28 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Results:
admin-key.pem
admin.pem
The Kubelet Client Certificates
Kubernetes uses a special-purpose authorization mode called Node Authorizer that specifically authorizes API requests made by kubelets. To be authorized by the Node Authorizer, a kubelet must present a credential that identifies it as a member of the system:nodes group with a username of system:node:<nodeName>; for an X.509 client certificate that means O=system:nodes and CN=system:node:<nodeName>, which is exactly what the CSRs below declare. In this section you will create a certificate for each Kubernetes worker node that meets the Node Authorizer requirements.
Generate a certificate and private key for each Kubernetes worker node. These certificates also serve as each kubelet's TLS serving certificate, so the instance hostname and its external and internal IP addresses are added as subject alternative names:
for instance in worker-0 worker-1 worker-2; do
cat > ${instance}-csr.json <<EOF
{
"CN": "system:node:${instance}",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:nodes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
EXTERNAL_IP=$(gcloud compute instances describe ${instance} \
--format 'value(networkInterfaces[0].accessConfigs[0].natIP)')
INTERNAL_IP=$(gcloud compute instances describe ${instance} \
--format 'value(networkInterfaces[0].networkIP)')
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-hostname=${instance},${EXTERNAL_IP},${INTERNAL_IP} \
-profile=kubernetes \
${instance}-csr.json | cfssljson -bare ${instance}
done
2019/01/05 16:04:45 [INFO] generate received request
2019/01/05 16:04:45 [INFO] received CSR
2019/01/05 16:04:45 [INFO] generating key: rsa-2048
2019/01/05 16:04:45 [INFO] encoded CSR
2019/01/05 16:04:45 [INFO] signed certificate with serial number 588665804219981469420318125766354150157956272708
2019/01/05 16:04:48 [INFO] generate received request
2019/01/05 16:04:48 [INFO] received CSR
2019/01/05 16:04:48 [INFO] generating key: rsa-2048
2019/01/05 16:04:48 [INFO] encoded CSR
2019/01/05 16:04:48 [INFO] signed certificate with serial number 463915570111830477007189178627591793676833745176
2019/01/05 16:04:51 [INFO] generate received request
2019/01/05 16:04:51 [INFO] received CSR
2019/01/05 16:04:51 [INFO] generating key: rsa-2048
2019/01/05 16:04:51 [INFO] encoded CSR
2019/01/05 16:04:51 [INFO] signed certificate with serial number 681525012966934687184975916762231207760280929672
Results:
worker-0-key.pem
worker-0.pem
worker-1-key.pem
worker-1.pem
worker-2-key.pem
worker-2.pem
The Controller Manager Client Certificate
Generate the kube-controller-manager client certificate and private key:
{
cat > kube-controller-manager-csr.json <<EOF
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:kube-controller-manager",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
}
2019/01/05 16:05:35 [INFO] generate received request
2019/01/05 16:05:35 [INFO] received CSR
2019/01/05 16:05:35 [INFO] generating key: rsa-2048
2019/01/05 16:05:35 [INFO] encoded CSR
2019/01/05 16:05:35 [INFO] signed certificate with serial number 375078798301890290443404113543616719636084017716
2019/01/05 16:05:35 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Results:
kube-controller-manager-key.pem
kube-controller-manager.pem
The Kube Proxy Client Certificate
Generate the kube-proxy client certificate and private key:
{
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:node-proxier",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-proxy-csr.json | cfssljson -bare kube-proxy
}
2019/01/05 16:06:12 [INFO] generate received request
2019/01/05 16:06:12 [INFO] received CSR
2019/01/05 16:06:12 [INFO] generating key: rsa-2048
2019/01/05 16:06:13 [INFO] encoded CSR
2019/01/05 16:06:13 [INFO] signed certificate with serial number 114104864442277038012476668868258835741699585436
2019/01/05 16:06:13 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Results:
kube-proxy-key.pem
kube-proxy.pem
The Scheduler Client Certificate
Generate the kube-scheduler client certificate and private key:
{
cat > kube-scheduler-csr.json <<EOF
{
"CN": "system:kube-scheduler",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:kube-scheduler",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-scheduler-csr.json | cfssljson -bare kube-scheduler
}
2019/01/05 16:06:40 [INFO] generate received request
2019/01/05 16:06:40 [INFO] received CSR
2019/01/05 16:06:40 [INFO] generating key: rsa-2048
2019/01/05 16:06:41 [INFO] encoded CSR
2019/01/05 16:06:41 [INFO] signed certificate with serial number 494999747893915979883482809702633253027624275052
2019/01/05 16:06:41 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Results:
kube-scheduler-key.pem
kube-scheduler.pem
The Kubernetes API Server Certificate
The kubernetes-the-hard-way static IP address will be included in the list of subject alternative names (SANs) for the Kubernetes API Server certificate, so that remote clients connecting through that address can validate it. The same -hostname list covers the cluster service IP (10.32.0.1), the internal IP of each controller, the loopback address, and the kubernetes.default service name. A client that reaches the API server by any name or address not in this list will reject the certificate, so extend the list if you ever front the API server with a different DNS name.
Generate the Kubernetes API Server certificate and private key:
{
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
--region $(gcloud config get-value compute/region) \
--format 'value(address)')
cat > kubernetes-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,kubernetes.default \
-profile=kubernetes \
kubernetes-csr.json | cfssljson -bare kubernetes
}
2019/01/05 16:07:24 [INFO] generate received request
2019/01/05 16:07:24 [INFO] received CSR
2019/01/05 16:07:24 [INFO] generating key: rsa-2048
2019/01/05 16:07:24 [INFO] encoded CSR
2019/01/05 16:07:24 [INFO] signed certificate with serial number 698258564979472011923711709133126949790606032929
Results:
kubernetes-key.pem
kubernetes.pem
The Service Account Key Pair
The Kubernetes Controller Manager leverages a key pair to generate and sign service account tokens as described in the managing service accounts documentation: the controller manager signs tokens with the private key, and the API server verifies them with the public key from the certificate, which is why both files are copied to the controllers later in this lab.
Generate the service-account certificate and private key:
{
cat > service-account-csr.json <<EOF
{
"CN": "service-accounts",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
service-account-csr.json | cfssljson -bare service-account
}
2019/01/05 16:08:08 [INFO] generate received request
2019/01/05 16:08:08 [INFO] received CSR
2019/01/05 16:08:08 [INFO] generating key: rsa-2048
2019/01/05 16:08:08 [INFO] encoded CSR
2019/01/05 16:08:08 [INFO] signed certificate with serial number 344947898601466655991277606099879950294446503038
2019/01/05 16:08:08 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Results:
service-account-key.pem
service-account.pem
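Before any private key leaves this machine it is worth confirming that every certificate chains to ca.pem and carries exactly the identity its CSR declared, since a typo in a CN or O field becomes a wrong Kubernetes user or group rather than an error. The script below is an added example and is not part of the original lab or of cfssl; it uses openssl to read the issued files, encodes the users, groups and SANs taken from the CSR files and -hostname lists above, and assumes the PEM files sit in the current directory.

```shell
#!/bin/sh
# Added example (not part of the lab): inspect the certificates cfssl produced and
# confirm they carry the identities the CSRs declared, before distributing them.
# Requires openssl. Run as "sh check-certs.sh --check-lab" in the directory
# holding the PEM files; the file name check-certs.sh is an assumption.
set -e

# Subject attributes, one per line, e.g. "CN=system:node:worker-0".
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline
}

# Kubernetes derives the username from the CN ...
cert_user() {
  cert_subject "$1" | sed -n 's/^ *CN *= *//p'
}

# ... and the group memberships from every O attribute (comma-joined here).
cert_groups() {
  cert_subject "$1" | sed -n 's/^ *O *= *//p' | paste -sd, -
}

# Subject alternative names, one per line, without the DNS:/IP Address: prefixes.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr -d ' ' | tr ',' '\n' | sed 's/^DNS://; s/^IPAddress://'
}

# Extended key usage, e.g. "TLS Web Server Authentication, TLS Web Client Authentication".
cert_eku() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Extended Key Usage/ { getline; print; exit }' | sed 's/^ *//'
}

# check_cert CA CERT USER GROUP [SAN ...]
# Succeeds only if CERT chains to CA, names USER, belongs to GROUP, carries both
# usages the lab's "kubernetes" profile grants, and lists every SAN given.
check_cert() {
  ca=$1; cert=$2; want_user=$3; want_group=$4; shift 4
  rc=0
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: does not chain to $ca"; rc=1; }
  user=$(cert_user "$cert")
  [ "$user" = "$want_user" ] \
    || { echo "$cert: user is '$user', want '$want_user'"; rc=1; }
  grp_list=$(cert_groups "$cert")
  case ",$grp_list," in
    *",$want_group,"*) ;;
    *) echo "$cert: not in group '$want_group' (groups: $grp_list)"; rc=1 ;;
  esac
  eku=$(cert_eku "$cert")
  case "$eku" in
    *"Server Authentication"*"Client Authentication"*|*"Client Authentication"*"Server Authentication"*) ;;
    *) echo "$cert: extended key usage is '$eku', want server and client auth"; rc=1 ;;
  esac
  for san in "$@"; do
    cert_sans "$cert" | grep -qx -- "$san" \
      || { echo "$cert: SAN '$san' missing"; rc=1; }
  done
  return $rc
}

# The users, groups and SANs below are the ones the lab's CSR files and
# -hostname flags declare. Per-instance worker IPs are not checked, only the
# hostname SAN that must be present on every worker certificate.
check_lab_certs() {
  fail=0
  check_cert ca.pem admin.pem admin system:masters || fail=1
  check_cert ca.pem kube-controller-manager.pem \
    system:kube-controller-manager system:kube-controller-manager || fail=1
  check_cert ca.pem kube-proxy.pem system:kube-proxy system:node-proxier || fail=1
  check_cert ca.pem kube-scheduler.pem system:kube-scheduler system:kube-scheduler || fail=1
  check_cert ca.pem service-account.pem service-accounts Kubernetes || fail=1
  for w in worker-0 worker-1 worker-2; do
    check_cert ca.pem "$w.pem" "system:node:$w" system:nodes "$w" || fail=1
  done
  # Every name or address a client may use to reach the API server must be a SAN.
  check_cert ca.pem kubernetes.pem kubernetes Kubernetes \
    10.32.0.1 10.240.0.10 10.240.0.11 10.240.0.12 127.0.0.1 kubernetes.default || fail=1
  return $fail
}

if [ "${1:-}" = "--check-lab" ]; then
  check_lab_certs || exit 1
  echo "all certificates chain to ca.pem and carry the expected identities"
fi
```

A failing line names the file and the mismatch, so a certificate issued with the wrong O (say, system:master instead of system:masters) is caught here rather than at the first kubectl call in a later lab. The check is deliberately strict about group membership because the O field is the only thing standing between, for example, a kube-proxy credential and a cluster-admin one.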
Distribute the Client and Server Certificates
Copy the CA certificate and each worker's own certificate and private key to that worker instance. A worker receives only its own key pair and ca.pem; it never needs ca-key.pem or another node's key:
for instance in worker-0 worker-1 worker-2; do
gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/
done
Warning: Permanently added 'compute.3042180953477927523' (ECDSA) to the list of known hosts.
ca.pem 100% 1318 1.3KB/s 00:01
worker-0-key.pem 100% 1679 2.0KB/s 00:00
worker-0.pem 100% 1493 4.8KB/s 00:00
Warning: Permanently added 'compute.6505812313784898144' (ECDSA) to the list of known hosts.
ca.pem 100% 1318 5.9KB/s 00:00
worker-1-key.pem 100% 1675 7.5KB/s 00:00
worker-1.pem 100% 1493 3.3KB/s 00:00
Warning: Permanently added 'compute.8475780105833206397' (ECDSA) to the list of known hosts.
ca.pem 100% 1318 2.3KB/s 00:00
worker-2-key.pem 100% 1675 7.8KB/s 00:00
worker-2.pem 100% 1493 7.0KB/s 00:00
Copy the appropriate certificates and private keys to each controller instance. The controllers receive ca-key.pem because the controller manager will use it to sign certificates for the cluster, so from this point on the controller instances hold the CA's signing key and must be protected accordingly:
for instance in controller-0 controller-1 controller-2; do
gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
service-account-key.pem service-account.pem ${instance}:~/
done
ca.pem 100% 1318 6.1KB/s 00:00
ca-key.pem 100% 1679 3.8KB/s 00:00
kubernetes-key.pem 100% 1679 7.7KB/s 00:00
kubernetes.pem 100% 1521 6.1KB/s 00:00
service-account-key.pem 100% 1679 7.7KB/s 00:00
service-account.pem 100% 1440 6.3KB/s 00:00
Warning: Permanently added 'compute.6984916929265980097' (ECDSA) to the list of known hosts.
ca.pem 100% 1318 2.5KB/s 00:00
ca-key.pem 100% 1679 5.4KB/s 00:00
kubernetes-key.pem 100% 1679 7.4KB/s 00:00
kubernetes.pem 100% 1521 3.4KB/s 00:00
service-account-key.pem 100% 1679 7.5KB/s 00:00
service-account.pem 100% 1440 6.5KB/s 00:00
Warning: Permanently added 'compute.5780765196486365917' (ECDSA) to the list of known hosts.
ca.pem 100% 1318 6.1KB/s 00:00
ca-key.pem 100% 1679 7.7KB/s 00:00
kubernetes-key.pem 100% 1679 7.8KB/s 00:00
kubernetes.pem 100% 1521 7.0KB/s 00:00
service-account-key.pem 100% 1679 7.8KB/s 00:00
service-account.pem 100% 1440 6.7KB/s 00:00
The kube-proxy, kube-controller-manager, kube-scheduler, and kubelet client certificates will be used to generate client authentication configuration files in the next lab.