Managing TLS Certificates in Kubernetes

Managing TLS Certificates in Kubernetes

·

3 min read

🗼Introduction

Securing a Kubernetes cluster involves ensuring that all communication between its components is encrypted. This is achieved through the use of TLS certificates. In this blog, we will delve into the types of certificates used in Kubernetes, the process of generating them, viewing certificate details, and leveraging Kubernetes' built-in Certificate API for automated management and rotation.

🗼Types of TLS Certificates in Kubernetes

Server Certificates

Server certificates are essential for the secure communication between various Kubernetes components. Below are the key server certificates used:

  • Kube-apiserver: Uses apiserver.crt and apiserver.key.

  • ETCD server: Uses etcdserver.crt and etcdserver.key.

  • Kubelet server: Uses kubelet.crt and kubelet.key.

Client Certificates

Client certificates are used for authenticating clients interacting with the Kubernetes API. Each client, such as kubectl or any other component, can have its own set of certificates.

🗼Generating TLS Certificates

Follow these steps to generate TLS certificates using OpenSSL:

Step 1: Create a Private Key

Generate a private key using the OpenSSL command:

openssl genrsa –out ca.key 2048

Step 2: Create a Certificate Signing Request (CSR)

Generate a CSR with the following command:

openssl req –new –key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr

Step 3: Sign the Certificate

Sign the certificate using the private key:

openssl x509 –req –in ca.csr -signkey ca.key -out ca.crt

🗼Viewing Certificate Details

To view the details of a certificate, follow these steps:

Step 1: Identify the Certificate File

Locate the certificate file by inspecting the relevant Kubernetes manifest. For example, to find the kube-apiserver certificate path:

cat /etc/kubernetes/manifests/kube-apiserver.yaml

Note down the absolute path of the certificate.

Step 2: Decode and View Certificate Details

Use the OpenSSL command to decode and view the certificate:

openssl x509 –in /etc/kubernetes/pki/apiserver.crt -text –noout

🗼Certificate API

Kubernetes offers an automated way to manage and rotate certificates through the Certificate API. This allows for streamlined certificate signing requests (CSRs) and approvals without manual intervention.

🗼Steps to Sign a Certificate

  1. User Creates a Key:

     openssl genrsa -out jane.key 2048
    
  2. Generate a CSR:

     openssl req –new –key jane.key -subj "/CN=jane" -out jane.csr
    
  3. Admin Submits the CSR: The admin encodes the CSR in base64 and creates a CertificateSigningRequest (CSR) object in Kubernetes.

     cat jane.csr | base64
    
  4. Admin Approves the CSR: The admin approves the CSR using kubectl:

     kubectl get csr
     kubectl certificate approve jane
    
  5. Extract the Certificate:

     kubectl get csr jane -o yaml
    
  6. Decode the Certificate: Decode the base64 encoded certificate:

     echo "certificate text" | base64 –decode
    

🗼Automated Certificate Management

The Kubernetes Controller Manager handles all certificate operations, ensuring that certificates are rotated and managed efficiently without manual intervention.

By following the above steps and leveraging Kubernetes' built-in tools, you can ensure that your cluster's communication remains secure and up-to-date with the necessary TLS certificates.

Did you find this article valuable?

Support Ashutosh Mahajan's blog by becoming a sponsor. Any amount is appreciated!

Â