bookmark_borderTLS Generate Certificates in Kubernetes

To generate certificates, there are different tools available such as easyrsa, openssl, or cfssl.

OPENSSL

Certificate authority

Kubernetes Server

  • Kube-apiserver [apiserver.crt, apiserver.key]
  • ETCD Server [etcdserver.crt, apiserver.key]
  • Kubelet Server [kubelet.crt, kubelet.key]

Client Server

  • Admin Server [admin.crt, admin.key]
  • Kube-scheduler [kube-scheduler.crt, kube-scheduler.key]
  • Kube-controller-manager [kube-controller-mananger.crt, kube-controller-manager.key]
  • Kube-proxy [kube-proxy.crt, kube-proxy.key]

Certificate authority

ca.key

$ openSSL genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................................................................................................+++
....................................................................................................+++
e is 65537 (0x10001)

ca.csr

$ openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr

First, we create a private key using OpenSSL command, OpenSSL genrsa -out ca.key then we use the OpenSSL requests command along with the key we just created to generate a certificate signing request the certificate signing request is like a certificate with all of your details but with no signature in the certificate signing request with specified the name of the component this certificate is for in the common name or CN field.

ca.crt

$ openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/CN=KUBERNETES-CA
Getting Private key

This is self-signed by the CA using its own private key that it generated.

The CA now has its private key and root certificate file.

Client Server

  • Admin Server [admin.crt, admin.key]
$ openssl genrsa -out admin.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................................+++
............................................+++
e is 65537 (0x10001)
$ openssl req -new -key admin.key -subj "/CN=kube-admin" -out admin.csr

// with Group details
$ openssl req -new -key admin.key -subj "/CN=kube-admin/O=system:masters" -out admin.csr
$ openssl x509 -req -in admin.csr -CA ca.crt -CA key ca.key -out admin.crt
  • Kube-scheduler [kube-scheduler.crt, kube-scheduler.key]
  • Kube-controller-manager [kube-controller-mananger.crt, kube-controller-manager.key]
  • Kube-proxy [kube-proxy.crt, kube-proxy.key]

Kubernetes Server

  • Kube-apiserver [apiserver.crt, apiserver.key]
  • ETCD Server [etcdserver.crt, apiserver.key]
  • Kubelet Server [kubelet.crt, kubelet.key]

etc

What do you do with these certificates?

Take the admin certificate for instance to manage the cluster. You can use the certificate instead of a user and password in a REST API call you make to the kube-apiserver. You specify the key the certificate and the ca certificate as options

curl https://kube-apiserver:6443/api/v1/pods \
   --key admin.key --cert admin.crt
   --cacert ca.crt

Whenever you configure a server or a client with certificates you will need to specify the CA root certificate as well.

ANOTE.DEV