KodeCloud CKA TLS Kubernetes
Links: 111 KodeCloud Index
Kubernetes TLS
- CA certificates: root certificates, used to sign every other certificate in the cluster.
We need server certificates for the servers and client certificates for the clients.
- Servers: kube-apiserver, kubelet, etcd
- Clients: admin/users, kube-proxy, kube-scheduler, kube-controller-manager
Among all the servers, kube-apiserver is the only one that talks to the etcd server.
- So kube-apiserver is also a client of etcd. It can reuse the key pair it uses as a server as its client credentials.
- Or we can generate a separate pair of certificates specifically for kube-apiserver to authenticate to etcd.
- kube-apiserver also talks to the kubelet (as a client), and again it can reuse its server certificate or use a dedicated one for this purpose.
So kube-apiserver may need up to 2 client certificates (one for etcd, one for the kubelets), and the kubelet needs 1 client certificate (for talking to kube-apiserver).
We need a CA to sign all these certificates.
k8s requires at least 1 CA for the cluster.
- We can have more than one, e.g. one for all the components and a separate one for etcd (its server certificate and the kube-apiserver's client certificate for etcd).
Generating Certificates for the cluster
CA certificates
- We will use `openssl` to generate the certificates.
- We first create a private key for the CA:
  `openssl genrsa -out ca.key 2048`
- We then use the `openssl req` command with the private key we just created to generate a CSR (Certificate Signing Request).
- A CSR is like a certificate: it carries the PUBLIC key and all the other details (subject name etc.), but no signature from a CA yet.
- We then sign the CSR to get the certificate.
- Since this one is for the CA itself, it is self-signed: the CA signs it with its own private key.
Going forward we will use the CA private key to sign the CSRs generated by the other components. That key is the root of trust for the whole cluster, so it must stay private; only the CA certificate is handed out to the components that need to verify others.
Client Certificates
- Admin user: `CN` is the name of the admin user.
  - The name doesn't have to be `kube-admin`.
  - But it is the username the kubectl client authenticates as when we run kubectl commands, and it is the name we will see in the audit logs.
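The whole procedure above (CA key, self-signed CA certificate, admin CSR, CA signing the CSR, server verifying the result and reading `CN` as the username) is what the openssl commands do file by file. Since Kubernetes itself is written in Go, the same flow is shown here against Go's standard `crypto/x509` as an added example; it is not code from the course or from these notes. The CA name `KUBERNETES-CA`, the serial numbers, the validity periods and the choice to put the group `system:masters` into `O` (kube-apiserver reads `CN` as user and `O` as groups) are assumptions made for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCA: "openssl genrsa" plus a self-signed "openssl req -x509". The CA signs
// its own public key, so no separate CSR is needed. cn is an assumed name.
func newCA(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// newClientCSR: the client's "openssl req". A fresh key and a CSR carrying the
// public key and subject (CN = user, O = groups); signed by the client's key.
func newClientCSR(cn string, groups []string) (*rsa.PrivateKey, *x509.CertificateRequest, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: cn, Organization: groups},
	}, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return key, csr, err
}

// signClientCSR: the CA's "openssl x509 -req -CA ca.crt -CAkey ca.key". The CA
// checks the CSR's self-signature, copies subject and public key, and signs.
func signClientCSR(csr *x509.CertificateRequest, caCert *x509.Certificate, caKey *rsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyClient: what a server does with a presented client cert. Chain it to
// the trusted CA, require client-auth, then read CN as user and O as groups.
func verifyClient(cert, caCert *x509.Certificate) (string, []string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}

// buildAdminPKI runs the whole procedure: CA first, then the kube-admin client
// cert. It returns ca.crt and admin.crt; the private keys stay with their owners.
func buildAdminPKI() (*x509.Certificate, *x509.Certificate, error) {
	caKey, caCert, err := newCA("KUBERNETES-CA") // assumed CA name
	if err != nil {
		return nil, nil, err
	}
	_, csr, err := newClientCSR("kube-admin", []string{"system:masters"})
	if err != nil {
		return nil, nil, err
	}
	adminCert, err := signClientCSR(csr, caCert, caKey, 2)
	return caCert, adminCert, err
}
```

Calling `buildAdminPKI` and then `verifyClient(adminCert, caCert)` yields the user `kube-admin` with group `system:masters`. Verifying the same `adminCert` against a certificate from a second, unrelated `newCA` fails with "certificate signed by unknown authority", which is the point of having exactly one trusted CA per purpose: a server only accepts clients whose certificates chain to the CA certificate it was given.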
Last updated: 2022-10-31