Transport Layer Security (TLS) Basics
In its early days it was called Secure Sockets Layer (SSL); it has since been renamed TLS. In this post we will explore TLS certificate files and their usage in the different Kubernetes cluster components. TLS certificates for the Kubernetes cluster components are a basic requirement for a High Availability (HA) production configuration and for troubleshooting security issues at the user, application, and administration level.
Figure: Public Key Infrastructure used in Kubernetes cluster security
Certificate files
A certificate file is one half of a key pair consisting of a private key and a public key. The public key can be thought of as a lock that is visible to everyone. Certificate files commonly have the extension .crt or .pem, for example server.crt, server.pem, client.crt or client.pem. The private key is owned by the party that generated it and must not be distributed; it is used to unlock (decrypt) data that was locked with the public key and to send data in encrypted form. Private key files usually have the extension .key or .pem, for example server.key or server-key.pem (the -key suffix distinguishes it from the server's public certificate file), client.key or client-key.pem.
There are three types of certificates:
- Server certificates - used on the server side
- Root certificates - reside at the CA
- Client certificates - at the browser, or on the client side of a Kubernetes component
Why do we need TLS certificates?
Let's take an online payment transaction as an example. Customer 'X' wants to transfer money to an e-commerce vendor online and sends details such as username=xxx,password=yyy,trnamount=100. An attacker positioned between the customer and the vendor tries to capture these details and take control of the transaction. This is called a man-in-the-middle attack. To prevent this kind of attack on your e-business, you need end-to-end secure communication, which is what TLS certificates between the web server and web clients provide.
Where can I get the certificates?
We need to submit a certificate request to a Certificate Authority (CA). There are many CAs available internationally:
- VeriSign
- GeoTrust
- Let's Encrypt
- DigiCert
The control plane components are defined in static pod manifests under /etc/kubernetes/manifests:
- etcd - the etcd database definitions are in etcd.yaml
- kube-controller-manager - the definitions for the various controllers are in kube-controller-manager.yaml
- kube-apiserver - all entry and exit traffic for the cluster goes through the API server; its definitions are in kube-apiserver.yaml
- kube-scheduler - Pods and their placement on nodes are controlled by the scheduler; its definitions are in kube-scheduler.yaml
How do you identify the certificate files used by the kube-apiserver?
To identify the certificate files used by the kube-apiserver, view its manifest:
view /etc/kubernetes/manifests/kube-apiserver.yaml
In this file, under the containers section, the - command list contains several flags that point at certificate paths; the --tls-cert-file and --tls-private-key-file values are the serving certificate and key of the apiserver itself.
Figure: kube-apiserver certificate details from the manifest file
The key used to authenticate the kube-apiserver to the kubelet server is /etc/kubernetes/pki/apiserver-kubelet-client.key
The certificate file used to authenticate the kube-apiserver to the kubelet server is /etc/kubernetes/pki/apiserver-kubelet-client.crt
The etcd server is served using the etcd CA root certificate. It is a best practice to use a different CA (Certificate Authority) for the etcd server than for the kube-apiserver. The trusted CA certificate file is available at /etc/kubernetes/pki/etcd/ca.crt
How do you find the Common Name (CN) configured on the kube-apiserver certificate?
To view the data configured in the Kubernetes apiserver certificate, use the openssl command:
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
Figure: Viewing the kube-apiserver certificate file using the openssl command
In the output, the Subject field gives the CN, and the Subject Alternative Name section lists the DNS names the certificate is valid for:
- controlplane
- kubernetes
- kubernetes.default
- kubernetes.default.svc
- kubernetes.default.svc.cluster.local
The same command shows the etcd server certificate:
openssl x509 -in /etc/kubernetes/pki/etcd/server.crt -text -noout
Figure: Viewing the etcd server certificate content
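As an added example (not part of the original post), the following POSIX shell script pulls every certificate and key path out of the command flags in a kube-apiserver manifest and, for the .crt files, prints subject, issuer, validity and SANs with openssl, combining the two steps above; the embedded manifest excerpt is constructed and the function names are my own.

```shell
#!/bin/sh
# Constructed excerpt of a kube-apiserver static pod manifest (sample data, not a real cluster).
SAMPLE_MANIFEST='apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key'

# Print "flag path" for every command flag whose value is a .crt/.key/.pem file.
# Usage: cert_flags < /etc/kubernetes/manifests/kube-apiserver.yaml
cert_flags() {
  grep -E '^[[:space:]]*-[[:space:]]+--[a-z-]+=.*\.(crt|key|pem)$' |
    sed -E 's/^[[:space:]]*-[[:space:]]+--([a-z-]+)=(.*)$/\1 \2/'
}

# Print the path configured for one flag, e.g. tls_path tls-cert-file < manifest
tls_path() {
  cert_flags | awk -v f="$1" '$1 == f { print $2 }'
}

# For each certificate file, show who it identifies, who signed it, when it
# expires and which DNS names/IPs it covers (needs the files and openssl 1.1.1+).
show_certs() {
  cert_flags | while read -r flag path; do
    case "$path" in
      *.crt) echo "== $flag: $path"
             openssl x509 -in "$path" -noout -subject -issuer -dates -ext subjectAltName ;;
    esac
  done
}

# Stand-alone run: list the flag/path pairs found in the sample manifest.
printf '%s\n' "$SAMPLE_MANIFEST" | cert_flags
```

On a control plane node, run `show_certs < /etc/kubernetes/manifests/kube-apiserver.yaml` to see the CN, SANs and expiry of every certificate the apiserver references in one pass.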