Kubernetes Security - Certificates API

By -


Hello all! Welcome to new learning Kubernetes Certificate API in the series of "Kubernetes Security". a. Private key generation 


Kubernetes Certificate API


We must aware of what does certificate authority CA will do and in Kubernetes how it works.
CA server it is a server which is runs certificate API.

In your DevOps or DevSecOps team a New Kubernetes Admin joins you. Hhow to handle.

Private key, Public key valid pair of CA server sign automated in Kubernetes, it performs following steps:

1. Create CertificateSigningRequest object
2. Review Request
3. Approve Request
4. Share Certs to Users

Let's try how it works

 A user Maheshwari(Mahi) want to create certificate files first private key will be generated with RSA algorithm 'mahi.key' the key size could be 2048 bits. 
openssl genrsa -out mahi.key 2048
b. Certificate Signing request (CSR) object Request can be created by providing key and subject values the result can be stored into a csr file by performing the following command: 
openssl req -new -key mahi.key -subj "/CN=mahi" -out mahi.csr
c. Certificate Manifestation file can be created as any other Kubernetes object using YAML as mahi-csr.yaml where kind can be used as 'CertificateSigningRequest', under the request section we can add the csr content which can be encrypted with 'base64' Linux command along with the removal of newline chars. 
cat mahi.csr | base64 |tr -d "\n"
Now prepare the CSR request manifestation using above outcome.
Filename: mahi-csr.yaml 
  ---
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: mahi 
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZEQ0NBVHdDQVFBd0R6RU5NQXNHQTFVRUF3d0ViV0ZvYVRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRApnZ0VQQURDQ0FRb0NnZ0VCQUs0eDJyd3QzU2F0ZDhxSThEUzJzVDlTcngydHMrQm5Ic202d2lCdkt0Vk5IeXdKCis3Q2VHR09JdlpWN3hOQ08vRkRpT3FXY05HMzhseFR6R2pwWkdqUDNoR2RZdHU1WFNnRjlBbkFGTVZENHBnOVIKOVQzVFBjbU1Rem9ZVllMUE44c2Y5Z3pWdGIrRHV5YTRPd0dVYUNuOUdvaW0yYUV0MTYxOWpmUzRSeEJPVXpjagpFaS9DWlAvY1VUd2dLZWNpTHRKWHhvSGYxRDVuVUhVUFFPQ1JWbGtJSDNkRmZYVWZHSjg3bmpNMzJyRXBqY3gxCkNVZWgzRktLNVA3ZC8rdFB2TUFuNEQ5MzgvLzlvZjBuLzZDa0pSMnZNUStIbkgyK000azArcGVpaWNwSUxQRS8KZVZuNk41UXpUSk5sWldHdmVTMU9ZYzdBczhGa2Q2OXZKanJHcHZjQ0F3RUFBYUFBTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQXV0ZlpQTTlVODlqaFR5ZzhXSkdsRThlOStuWXZ2MjBJQ08wTVV3bVB6dWNvWU1NMlNiK0x5CmhiS0lod3pUVW9QTk91RGk5aEEwaElVS0tmdmxiNENTOHI1UmJneWdheDNMUHpENXlZS1ZZTGR5NmNYRW9EWmoKbUx5d1VpTHY4UnNKdjI3TUF4bEZoZnBrZXFodTZPVTJBaGlWR
signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
Now let's create it with CertificateSigningRequest 
kubectl create -f mahi-csr.yaml
You can see the CSR status using following command 
kubectl get csr
The CSR status can be any one of these values 'Approved', 'Issued', or 'Pending'

Kubernetes Certificates

Using 'kubectl certificate' object we Kubernetes Administrators can review the CertificateSigningREquest and then decide wheather to 'approve' or 'deny' the CSR. Before this we must recheck the status of the CSR from above 'kubectl get csr' command.
To aprove the CSR request which we have prepared in the steps for mahi user. When you do a review of the CSR file content 
kubectl certificate approve mahi
If you thing the request doesn't look good you can reject by denying it. 
kubectl certificate deny agent-xyz
To get rid of the inappropriate user csr request we can delete the csr. 
kubectl delete csr agent-xyz 

kubectl get csr # To confirm it is deleted
This approved certificate can be viewed in YAML format 
kubectl get csr mahi -o yaml
copy the certificate from the above output it is in base64 encrypted format so need to decode it. 
echo "copy paste the certificate value from above yaml output" | base64 --decode
you could see the first and last lines mentioned with BEGIN and END CERTIFICATE All the certificate operations carried out by Controller Manager, If you look inside this ControllerManager it is having CSR-APPROVING, CSR-SIGNING they are responsible for carrying out these specific tasks. If anyone has sign certifciates they need Root Certificate and key of CA that we can see details with: 
cat /etc/kubernetes/manifests/kube-controller-manager.yaml

Official Document reference: 

Comments

Post a Comment

Popular posts from this blog

Ansible 11 The uri module with examples

By -
Image
 Hey DevSecOps Automation specialist, Welcome back to the DevOps Hunter blog. In this post, I made it for learning more about all possible parameters that we can use when an application validation is done with the Ansible 'uri' module.  Why uri module? Web Application returns status HTTPCode 200 for success, 404 for failures, and also for 503 for Server internal issues. When you work on the restart of a web application we need to know the status of the application to proceed with the next move. So this uri module is most important for reboot and restart of web applications using ansible. The uri module parameters Supported parameters include: attributes, backup, body, body_format, client_cert, client_key, content, creates, delimiter, dest, directory_mode, follow, follow_redirects, force, force_basic_auth, group, headers, http_agent, method, mode, owner, regexp, remote_src, removes, return_content, selevel, serole, setype, seuser, src, status_code, timeout,...
Read more

Jenkins Active choices parameter - Dynamic input

By -
Image
Hello DevOps team!! Today I've revisited the experiment with the Jenkins ACTIVE CHOICE Parameter  to get the Dynamic parameters effect on the Build Job parameters. Installation Active Choice parameter - Groovy Script Prerequisite: Jenkins installed Up and running on your target master machine. Jenkins URL accessible   Step 1: Install Active Choice plugin On the Jenkins Dashboard, select the Manage Jenkins, Plugin- Manager, In the Available tab search for word 'Active', where you can see Active Choice plugin and choose installation option, and this will enables three different parameters in the "Add Paramters" list. They are : 1. Active choice parameter 2. Active Choice Reactive parameter 3. Active choice Reactive Reference parameter Here In my example I will use two of them, Firstly Active Choice Parameter for "environment". Create new item Name: active_project select a freestyle project click OK button. In the General tab, select the checkbo...
Read more

DevOps Weapons

By -
Image
To achieve faster application delivery and stable environments, the right tools must be used in DevOps environments. There is no single tool that fits all your needs such as server provisioning, configuration management, automated builds, code deployments, and monitoring. Many factors determine the use of a particular tool in your infrastructure.   In this article, we will look into core tools which can be used in a typical Devops environment. Version Control Tools: Git - An awesome tool to version your source code and collaborate. Terraform  - A tool used in building, changing, and versioning the infrastructure across platforms. Build Orchestration/Continuous Integration Tools: Jenkins - It is an open-source, lightweight CI tool written in Java, with high extensibility and a fast release cycle. Buildbot  - An open-source framework for automating software build, test and release process. CruiseControl  - A CI server written in  # Ruby ...
Read more