Search code examples
kubernetescakubectl

client certificate needed when configuring kubectl

:)

I have kubenretes 1.9.3 installed on my local Gentoo Linux cluster.

I'm trying to configure kubectl as documented at https://kubernetes.io/docs/getting-started-guides/scratch/

the kubernetes docs state to configure kubectl with $CLI_CERT and $CLI_KEY. so far in the documentation I set $CA_CERT and $MASTER_KEY. don't know which other certificate i need to create that are required.

the docs stated to use $CLI_CERT and $CLI_KEY but I can't find how to create them.

I used easyrsa to create the certificates.

these are the files that I have:

./reqs/server.req
./issued/server.crt
./certs_by_serial/577957B555C21B8DC4B1641E97378EFF.pem
./index.txt.attr
./serial
./private
./private/ca.key
./private/server.key
./.rnd
./ca.crt

this is the environment variables that I set:

export MASTER_IP="192.168.1.3"
export MASTER_CLUSTER_IP="10.0.0.1"

export KUB_DIR="/opt/kubernetes"
export KEYS_DIR="${KUB_DIR}/keys"

export CA_CERT="${KEYS_DIR}/ca.crt"
export MASTER_CERT="${KEYS_DIR}/server.crt"
export MASTER_KEY="${KEYS_DIR}/server.key"

export USER=ufk
export USER_UID=1


export API_SERVER_DIR=${KUB_DIR}/kube-apiserver
export KNOWN_TOKENS_CSV=${API_SERVER_DIR}/known_tokens.csv

export CURRENT_USER=$(who am i | awk '{print $1}')

export CLUSTER_NAME="tux-in-cluster"
export CONTEXT_NAME="tux-in-context"
export CLI_CERT=
export CLI_KEY=

export RSA_BIN=/usr/share/easy-rsa/easyrsa

and this is how I created the certificates:

echo init pki...
$RSA_BIN init-pki

echo generate CA...
$RSA_BIN --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass

echo Generate server certificate and key...
$RSA_BIN --subject-alt-name="IP:${MASTER_IP},"\
"IP:${MASTER_CLUSTER_IP},"\
"DNS:kubernetes,"\
"DNS:kubernetes.default,"\
"DNS:kubernetes.default.svc,"\
"DNS:kubernetes.default.svc.cluster,"\
"DNS:kubernetes.default.svc.cluster.local" \
--days=10000 \
build-server-full server nopass

what am I missing ?

Solution

  • the docs stated to use $CLI_CERT and $CLI_KEY but I can't find how to create them.

    You will have a "user" who runs the kubectl command to create e.g. a pod. This "user" needs to prove that it is a legitimate user who has the access to the API server and have the proper authorization to create a pod.

    You need to create this user (especially for an administrator) and client certificate/key to prove itself as a legitimate user whose certificate is signed by the ca.crt.

    1. Create an admin cert as in The Admin Client Certificate in the Provisioning a CA and Generating TLS Certificates page, for example.
    2. Use the admin cert as in Configuring kubectl for Remote Access to configure the kubeconfig for the admin user.

    To configure additional users, such as operators who start/stop/monitor the cluster, etc, please have a look at Configure RBAC In Your Kubernetes Cluster to setup appropriate roles, users, and role bindings to the users.