I was trying to automate the process of signing Kubernetes certificates for new users.
The official documentation (here) suggests using kubectl. In particular, they suggest using the command:
kubectl certificate approve csr_name
and obtaining a base64-encoded certificate via:
kubectl get csr/csr_name -o yaml
and looking at the status.certificate
field. Since I have access to the cluster certificates (at /etc/kubernetes/pki) and since I wanted to further automate the process, I was wondering which certificate and key are used by Kubernetes in the signing process. I've tried with apiserver, ca and kubeadmin (.crt and .key) and openssl as follows:
openssl x509 -req -in my.csr -days 365 -CA /etc/kubernetes/*.crt -CAkey /etc/kubernetes/*.key -CAcreateserial -out my.crt
where *.crt and *.key are the various files mentioned above. But the results are always different from those of the kubectl command. Any idea what I am missing?
Thanks in advance!
Very partial answer for the moment
1. CA for etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy
Since I have access to the cluster certificates ( at /etc/kubernetes/pki) and since I wanted to further automate the process I was wondering which certificate and key are used by Kubernetes in the signing process.
There is a great Kubernetes The Hard Way tutorial that gives you a great opportunity to check, test and try on your own how to manually create a Kubernetes cluster, manually creating all the certificates for the core components.
Provisioning a CA and Generating TLS Certificates
you will provision a PKI Infrastructure using CloudFlare's PKI toolkit, cfssl, then use it to bootstrap a Certificate Authority, and generate TLS certificates for the following components: etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy.
Generating Kubernetes Configuration Files for Authentication
you will generate Kubernetes configuration files, also known as kubeconfigs, which enable Kubernetes clients to locate and authenticate to the Kubernetes API Servers.
2. New user creation. You can use Kubernetes: How do I access the CA to sign a new user certificate? as a reference. Copying and pasting it here for history in case the original post is removed:
You can use the built-in CA in your cluster to create client certificates. Background information on how to use the CA: https://kubernetes.io/docs/concepts/cluster-administration/certificates/
Assuming you have a user.json
{
  "CN": "mfrank",
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [{
    "O": "mfrank",
    "email": "some@email"
  }]
}
You can then generate a CSR for this. In this example I use cfssl to generate the CSR:
cfssl genkey user.json | cfssljson -bare client
You can now use kubectl to submit a CSR for your cluster:
cat <<EOF | kubectl create -f -
# certificates.k8s.io/v1beta1 was removed in Kubernetes 1.22. The v1 API
# requires signerName; kubernetes.io/kube-apiserver-client is the signer for
# certificates used to authenticate to the API server as a client.
# spec.groups (and spec.username) are filled in by the API server from the
# identity that creates the CSR, so they are not set here.
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: mfrank
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: $(cat client.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
The request field is the base64-encoded version of your csr file.
To view your CSR: kubectl get csr
To approve it:
kubectl certificate approve mfrank
Decode it:
kubectl get csr mfrank -o jsonpath='{.status.certificate}' | base64 -d > client.pem
You can now use the client-key.pem and client.pem to build a kubeconfig.
You can then create RBAC rolebindings on your cluster assigning to either --user=mfrank or --group=mfrank (assuming you used "O": "mfrank").
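As an added, runnable illustration of the signing step (not code from the original question or answer), the script below does with openssl what the cluster's CSR signer does, against a throwaway CA that stands in for /etc/kubernetes/pki/ca.crt and ca.key. That pair is the one kube-controller-manager is started with (--cluster-signing-cert-file and --cluster-signing-key-file), which kubeadm points at those two files. It also explains the question's "results are always different": every signing gets a fresh serial number and validity window, so two certificates issued for the same CSR never match byte for byte, and the right check is openssl verify against the CA, not a diff. The scratch directory $WORK, the generated openssl.cnf, and the user name mfrank are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Signs a client CSR with openssl the way the cluster's CSR signer does,
# using a throwaway CA that stands in for /etc/kubernetes/pki/ca.crt and
# ca.key (assumption: this scratch CA replaces the real one so the script
# runs offline).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the script does not depend on a system openssl.cnf.
# ca_ext marks the self-signed cert as a CA; without basicConstraints CA:TRUE,
# "openssl verify" refuses to use it as a trust root.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = kubernetes
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Throwaway CA (stands in for ca.crt / ca.key under /etc/kubernetes/pki).
make_ca() {
  write_config
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Client key + CSR. CN becomes the Kubernetes username and O the group,
# matching the user.json in the answer.
make_client_csr() {
  user="$1"
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$user/O=$user" \
    -keyout "$WORK/client-key.pem" -out "$WORK/client.csr" 2>/dev/null
}

# Sign a CSR ($1) into a certificate ($2) with the CA. The extensions match the
# usages in the CSR object: digital signature, key encipherment, client auth.
# Note the -in flag, which the openssl line in the question omitted.
sign_csr() {
  printf '%s\n' \
    'basicConstraints = CA:FALSE' \
    'keyUsage = critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage = clientAuth' > "$WORK/client.ext"
  openssl x509 -req -in "$1" -days 365 -sha256 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$2" 2>/dev/null
}

# Exit 0 if the certificate chains to the CA. This, not a byte comparison,
# is how to confirm that a certificate was issued by the cluster CA.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Exit 0 if the certificate subject carries CN=<name> ($2).
cert_has_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q "CN=$2"
}

# Exit 0 if two certificate files differ: each signing picks a new serial
# number and validity window, so repeated signings of one CSR never match.
certs_differ() {
  ! cmp -s "$1" "$2"
}

main() {
  make_ca
  make_client_csr mfrank
  sign_csr "$WORK/client.csr" "$WORK/client-1.crt"
  sign_csr "$WORK/client.csr" "$WORK/client-2.crt"
  certs_differ "$WORK/client-1.crt" "$WORK/client-2.crt"
  echo "two signings of the same CSR differ byte for byte (expected)"
  verify_cert "$WORK/client-1.crt"
  verify_cert "$WORK/client-2.crt"
  echo "both certificates chain to ca.crt"
  openssl x509 -in "$WORK/client-1.crt" -noout -subject -issuer -nameopt RFC2253
}

main
```

On a real cluster the only part of this you need is the check: run openssl verify -CAfile /etc/kubernetes/pki/ca.crt against the client.pem decoded from the CSR object, and compare subject and issuer rather than bytes. Signing directly with ca.key works, but it bypasses the approval step and audit trail of the CSR API and the validity cap enforced by the signer, so keep it for break-glass use.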