🗼Introduction
Securing a Kubernetes cluster involves ensuring that all communication between its components is encrypted. This is achieved through the use of TLS certificates. In this blog, we will delve into the types of certificates used in Kubernetes, the process of generating them, viewing certificate details, and leveraging Kubernetes' built-in Certificate API for automated management and rotation.
🗼Types of TLS Certificates in Kubernetes
Server Certificates
Server certificates are essential for the secure communication between various Kubernetes components. Below are the key server certificates used:
Kube-apiserver: Uses apiserver.crt and apiserver.key.
ETCD server: Uses etcdserver.crt and etcdserver.key.
Kubelet server: Uses kubelet.crt and kubelet.key.
Client Certificates
Client certificates are used for authenticating clients interacting with the Kubernetes API. Each client, such as kubectl or any other component, can have its own set of certificates.
🗼Generating TLS Certificates
Follow these steps to generate TLS certificates using OpenSSL:
Step 1: Create a Private Key
Generate a private key using the OpenSSL command:
openssl genrsa -out ca.key 2048
Step 2: Create a Certificate Signing Request (CSR)
Generate a CSR with the following command:
openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr
Step 3: Sign the Certificate
Self-sign the CA certificate using the CA's own private key:
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
🗼Viewing Certificate Details
To view the details of a certificate, follow these steps:
Step 1: Identify the Certificate File
Locate the certificate file by inspecting the relevant Kubernetes manifest. For example, to find the kube-apiserver certificate path:
cat /etc/kubernetes/manifests/kube-apiserver.yaml
Note down the absolute path of the certificate.
Step 2: Decode and View Certificate Details
Use the OpenSSL command to decode and view the certificate:
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
🗼Certificate API
Kubernetes offers an automated way to manage and rotate certificates through the Certificate API. This allows for streamlined certificate signing requests (CSRs) and approvals without manual intervention.
🗼Steps to Sign a Certificate
User Creates a Key:
openssl genrsa -out jane.key 2048
Generate a CSR:
openssl req -new -key jane.key -subj "/CN=jane" -out jane.csr
Admin Submits the CSR: The admin encodes the CSR in base64 and creates a CertificateSigningRequest (CSR) object in Kubernetes.
cat jane.csr | base64 | tr -d "\n"
Admin Approves the CSR: The admin approves the CSR using kubectl:
kubectl get csr
kubectl certificate approve jane
Extract the Certificate:
kubectl get csr jane -o yaml
Decode the Certificate: Decode the base64 encoded certificate:
echo "certificate text" | base64 --decode
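The "Admin Submits the CSR" step above mentions the CertificateSigningRequest object without showing it. The shell function below is an added example, not part of the original post, that builds that manifest from jane.csr; the function name csr_manifest, the kubernetes.io/kube-apiserver-client signer and the 24-hour expirationSeconds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names and values:
# csr_manifest, the kube-apiserver-client signer, the 24-hour lifetime.

# csr_manifest NAME CSR_FILE
# Prints a CertificateSigningRequest manifest for a PEM CSR on stdout.
csr_manifest() {
    name=$1
    csr_file=$2

    # Only a certificate request may leave the user's machine. Refuse
    # private keys and anything else that is not a PEM CSR.
    if grep -q 'PRIVATE KEY' "$csr_file"; then
        echo "csr_manifest: $csr_file contains a private key" >&2
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE REQUEST' "$csr_file"; then
        echo "csr_manifest: $csr_file is not a PEM CSR" >&2
        return 1
    fi

    # spec.request must be a single unbroken base64 string. GNU base64
    # wraps its output at 76 columns, so the newlines are stripped.
    request=$(base64 < "$csr_file" | tr -d '\n')

    # signerName selects who signs: kube-apiserver-client issues client
    # certificates for authenticating to the API server.
    # expirationSeconds requests a short-lived certificate (24 hours here).
    cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  request: ${request}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
EOF
}

# Typical use with the files from the steps above:
#   csr_manifest jane jane.csr | kubectl apply -f -
#   kubectl certificate approve jane
#   kubectl get csr jane -o jsonpath='{.status.certificate}' | base64 --decode > jane.crt
```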
🗼Automated Certificate Management
The Kubernetes Controller Manager handles all certificate operations, ensuring that certificates are rotated and managed efficiently without manual intervention.
By following the above steps and leveraging Kubernetes' built-in tools, you can ensure that your cluster's communication remains secure and up-to-date with the necessary TLS certificates.