KodeCloud CKA TLS Kubernetes

Kubernetes TLS

  • CA certificates: root certificates.
  • We need server certificates for the servers and client certificates for the clients.

  • Servers: kube-apiserver, kubelet, etcd
  • Clients: admin/users, kube-proxy, kube-scheduler, kube-controller-manager.
  • Among all the servers, kube-apiserver is the only one that talks to the etcd server.
    • So kube-apiserver is a client to the etcd server. It can reuse the key and certificate it uses as a server as its client credentials.
    • Or we can generate a new key/certificate pair specifically for kube-apiserver to authenticate to the etcd server.
    • kube-apiserver also talks to the kubelet, and for this too it can use its original certificate or generate a new one specifically for this purpose.

  • kube-apiserver may need 2 client certificates (one for talking to the kubelet, one for etcd); the kubelet (talking to kube-apiserver) needs 1 client certificate.
  • We need a CA for signing all these certificates.

  • k8s requires us to have at least 1 CA for our cluster.
    • We can have more than one, e.g. one for all the other components and a separate one for the etcd server certificate and the etcd client certificate used by kube-apiserver.

Generating Certificates for the cluster

CA certificates

  • We will use openssl to generate the certificates.
  • We first create a private key for the CA: openssl genrsa -out ca.key 2048
  • We then use the openssl req command with the private key we just created to generate a CSR (Certificate Signing Request).
    • A CSR is like a certificate with a PUBLIC key and all the other details, but no signature.
  • We then sign the CSR.
    • Since it is for the CA, it is self-signed by the CA using its own private key.
  • Going forward we will use the CA private key to sign the CSRs generated by the other components.

Client Certificates

  • Admin user:
    • CN is the name of the admin user.
      • The name doesn't have to be kube-admin.
      • But this is the name that the kubectl client authenticates with when we run kubectl commands. We will see this name in the audit logs too.
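The CA steps above and the admin client certificate, carried through with plain openssl as an added example (not from the KodeKloud notes): the file names, the CA name KUBERNETES-CA and the group system:masters in the O field are assumptions, and the verify step shows which CN the API server would authenticate the certificate as.

```shell
#!/bin/sh
# Added example, not course material. Assumes openssl is on PATH.
# File names (ca.key, ca.crt, <name>.key/.csr/.crt) and the group
# "system:masters" are constructed conventions, not from the notes.
set -eu

# Create the cluster CA: private key, CSR, then a self-signed certificate.
make_ca() {
    dir="$1"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=KUBERNETES-CA" \
        -out "$dir/ca.csr" 2>/dev/null
    # The CA signs its own CSR with its own private key (self-signed).
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
        -out "$dir/ca.crt" 2>/dev/null
}

# Issue a client certificate signed by the CA. CN becomes the user name the
# API server sees; O becomes the group the user is placed in.
make_client_cert() {
    dir="$1"; name="$2"; org="$3"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name/O=$org" \
        -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/$name.crt" 2>/dev/null
}

# Check that a certificate chains to our CA and print the CN it carries,
# i.e. the identity kube-apiserver would authenticate this client as.
verify_and_cn() {
    dir="$1"; name="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null
    openssl x509 -in "$dir/$name.crt" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# End-to-end: CA, then an admin user certificate, then verification.
demo() {
    dir=$(mktemp -d)
    make_ca "$dir"
    make_client_cert "$dir" kube-admin system:masters
    verify_and_cn "$dir" kube-admin
}
```

Running demo prints kube-admin, the CN that would appear as the user in the audit logs; a certificate signed by a different CA fails the openssl verify step and demo exits non-zero.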

Last updated: 2022-10-31