Kubernetes Certificate API
First we need to understand what a certificate authority (CA) does and how it works in Kubernetes.
The CA is the cluster's root certificate and private key. Requests to have a certificate signed go through the Certificate API served by kube-apiserver; the signing itself is done by the controller manager with that CA key.
Suppose a new Kubernetes administrator joins your DevOps or DevSecOps team. How do you give them access?
Kubernetes automates signing a user's key pair with the cluster CA. It works in the following steps:
1. Create CertificateSigningRequest object
2. Review Request
3. Approve Request
4. Share Certs to Users
Let's see how it works.
A user Maheshwari (Mahi) needs client certificate files.
a. First generate her private key with the RSA algorithm as 'mahi.key'; a key size of 2048 bits is used here:
openssl genrsa -out mahi.key 2048

b. Create the Certificate Signing Request (CSR) from the key and a subject, storing the result in a .csr file. The CN becomes the Kubernetes username, and any O= values become the user's groups:

openssl req -new -key mahi.key -subj "/CN=mahi" -out mahi.csr

c. The CSR manifest is written like any other Kubernetes object, in YAML (mahi-csr.yaml) with kind 'CertificateSigningRequest'. Under the request field we add the CSR content encoded with the 'base64' Linux command (base64 is an encoding, not encryption) and with the newline characters removed:

cat mahi.csr | base64 | tr -d "\n"

Now prepare the CSR manifest using the output above.
Filename: mahi-csr.yaml
---
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: mahi
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZEQ0NBVHdDQVFBd0R6RU5NQXNHQTFVRUF3d0ViV0ZvYVRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRApnZ0VQQURDQ0FRb0NnZ0VCQUs0eDJyd3QzU2F0ZDhxSThEUzJzVDlTcngydHMrQm5Ic202d2lCdkt0Vk5IeXdKCis3Q2VHR09JdlpWN3hOQ08vRkRpT3FXY05HMzhseFR6R2pwWkdqUDNoR2RZdHU1WFNnRjlBbkFGTVZENHBnOVIKOVQzVFBjbU1Rem9ZVllMUE44c2Y5Z3pWdGIrRHV5YTRPd0dVYUNuOUdvaW0yYUV0MTYxOWpmUzRSeEJPVXpjagpFaS9DWlAvY1VUd2dLZWNpTHRKWHhvSGYxRDVuVUhVUFFPQ1JWbGtJSDNkRmZYVWZHSjg3bmpNMzJyRXBqY3gxCkNVZWgzRktLNVA3ZC8rdFB2TUFuNEQ5MzgvLzlvZjBuLzZDa0pSMnZNUStIbkgyK000azArcGVpaWNwSUxQRS8KZVZuNk41UXpUSk5sWldHdmVTMU9ZYzdBczhGa2Q2OXZKanJHcHZjQ0F3RUFBYUFBTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQXV0ZlpQTTlVODlqaFR5ZzhXSkdsRThlOStuWXZ2MjBJQ08wTVV3bVB6dWNvWU1NMlNiK0x5CmhiS0lod3pUVW9QTk91RGk5aEEwaElVS0tmdmxiNENTOHI1UmJneWdheDNMUHpENXlZS1ZZTGR5NmNYRW9EWmoKbUx5d1VpTHY4UnNKdjI3TUF4bEZoZnBrZXFodTZPVTJBaGlWR
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

Now let's create the CertificateSigningRequest:

kubectl create -f mahi-csr.yaml

You can see the CSR status using the following command:

kubectl get csr

The CONDITION column shows one of 'Pending', 'Approved', 'Approved,Issued', 'Denied' or 'Failed'. A freshly created request stays 'Pending' until an administrator acts on it; the certificate is only present once it reads 'Approved,Issued'.
Kubernetes Certificates
Using 'kubectl certificate', Kubernetes administrators review the CertificateSigningRequest and then decide whether to 'approve' or 'deny' it. Before acting, recheck the status with the 'kubectl get csr' command above. The review must look at what the request actually asks for, not only at its name: decode the base64 value of spec.request and inspect the subject, because kube-apiserver maps the CN of a client certificate to the username and every O to a group, so a request carrying O=system:masters is a request for cluster-admin rights and must never be approved. To approve the CSR we prepared for the mahi user, once its content looks right:

kubectl certificate approve mahi

If the request doesn't look right, reject it by denying it:

kubectl certificate deny agent-xyz

To get rid of an inappropriate CSR altogether, delete it:

kubectl delete csr agent-xyz
kubectl get csr   # to confirm it is deleted

The approved certificate can be viewed in YAML format:

kubectl get csr mahi -o yaml

Copy the certificate from status.certificate in the output above; it is base64-encoded (not encrypted), so it needs to be decoded:

echo "<paste the status.certificate value from the YAML output>" | base64 --decode

You will see the first and last lines marked BEGIN CERTIFICATE and END CERTIFICATE. The certificate operations are carried out by the kube-controller-manager: inside it run a csrapproving controller and a csrsigning controller, each responsible for its specific task. Note that the csrapproving controller only auto-approves kubelet client requests; a kubernetes.io/kube-apiserver-client request like mahi's always waits for an administrator (or an external approver) to approve it. Whoever signs certificates needs the root certificate and key of the CA; the controller manager is pointed at them with the --cluster-signing-cert-file and --cluster-signing-key-file flags, which you can see in its static pod manifest:
cat /etc/kubernetes/manifests/kube-controller-manager.yaml
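The whole workflow above (building the manifest, reviewing a pending request before approving it, and handing the issued certificate to the user) packaged as shell helpers. This is an added example, not code from the original post: the function names (csr_manifest, review_csr_pem, install_issued_cert), the file names and the deny policy are this example's own assumptions. It needs only openssl and coreutils, so it runs without a cluster; the kubectl commands that feed it in a real cluster are quoted in the comments. The spec.expirationSeconds field it adds exists in Kubernetes 1.22 and later.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: helpers for the CSR workflow
# described above. Function names are this example's own; only openssl and
# coreutils are needed, so it runs without a cluster. The kubectl commands
# that feed it are quoted in comments.
set -eu

# csr_manifest NAME CSR_PEM_FILE [EXPIRATION_SECONDS]
# Prints a certificates.k8s.io/v1 manifest. spec.request is the PEM CSR
# base64-encoded with newlines stripped (an encoding, not encryption).
# spec.expirationSeconds (Kubernetes 1.22+, minimum 600) caps the lifetime
# of the issued certificate; without it the signer's default (1 year) applies.
# Usage in a cluster:  csr_manifest mahi mahi.csr 86400 | kubectl create -f -
csr_manifest() {
  local name="$1" csr_file="$2" expiry="${3:-86400}" req
  req="$(base64 < "$csr_file" | tr -d '\n')"
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  request: ${req}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${expiry}
  usages:
  - client auth
EOF
}

# review_csr_pem CSR_PEM_FILE
# The review step before 'kubectl certificate approve'. kube-apiserver maps
# the CN of a client certificate to the username and every O to a group, so
# a request carrying O=system:masters or a "system:" username is asking for
# cluster-admin rights; this policy (the example's own) denies it (returns 1).
# Fetch a pending request with:
#   kubectl get csr mahi -o jsonpath='{.spec.request}' | base64 -d > pending.csr
review_csr_pem() {
  local subject
  subject="$(openssl req -in "$1" -noout -subject -nameopt RFC2253)"
  printf '%s\n' "$subject"
  case "$subject" in
    *"O=system:masters"*|*"CN=system:"*)
      printf 'DENY: privileged identity requested\n' >&2
      return 1 ;;
  esac
}

# install_issued_cert KEY_FILE OUT_FILE   (base64 certificate on stdin)
# Step 4, sharing the certificate: decode status.certificate into OUT_FILE
# and confirm it was issued for the user's private key before handing it
# over (returns 1 on mismatch), then print its subject and expiry.
# Usage in a cluster:
#   kubectl get csr mahi -o jsonpath='{.status.certificate}' \
#     | install_issued_cert mahi.key mahi.crt
install_issued_cert() {
  local key="$1" out="$2"
  base64 -d > "$out"
  if [ "$(openssl x509 -in "$out" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    printf 'certificate in %s does not match %s\n' "$out" "$key" >&2
    return 1
  fi
  openssl x509 -in "$out" -noout -subject -enddate -nameopt RFC2253
}
```

After install_issued_cert succeeds, the user is wired into kubectl with `kubectl config set-credentials mahi --client-certificate=mahi.crt --client-key=mahi.key --embed-certs=true`. The deny rule in review_csr_pem is deliberately narrow; extend the case patterns with whatever other groups your RBAC treats as privileged.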