07-TLS-in-Kubernetes-Certificate-Creation.md
TLS in Kubernetes - Certificate Creation

In this section, we will take a look at how the TLS certificates a Kubernetes cluster needs are created with openssl: first a cluster CA, then client certificates for the components that talk to the kube-apiserver, then server certificates for etcd, the kube-apiserver and the kubelets.

Generate Certificates

  • Several tools can generate the certificates, for example easyrsa, openssl or cfssl. The commands below use openssl.

Certificate Authority (CA)

  • Generate Keys
    $ openssl genrsa -out ca.key 2048
    
  • Generate CSR
    $ openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr
    
  • Sign certificates (self-signed with the CA's own key; -days sets the validity, which otherwise defaults to 30 days)
    $ openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -out ca.crt
    
  • ca.key is the root of trust for the whole cluster: whoever holds it can mint a client certificate in any name and group, including system:masters, and the kube-apiserver does not check certificate revocation, so keep the key offline or under strict access control. Note also that the bare command above adds no extensions; a proper CA certificate carries basicConstraints=CA:TRUE and a keyUsage that permits keyCertSign, which you supply through an extensions file (-extfile).


Generating Client Certificates

Admin User Certificates

  • Generate Keys

    $ openssl genrsa -out admin.key 2048
    
  • Generate CSR

    $ openssl req -new -key admin.key -subj "/CN=kube-admin" -out admin.csr
    
  • Sign certificates (the CA signs the CSR; -CAcreateserial creates the ca.srl serial file on first use, without which older openssl versions abort, and -days avoids the 30-day default)

    $ openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out admin.crt
    
  • Certificate with admin privileges

    The kube-apiserver takes the user name from the certificate's CN and the user's groups from its O fields. To make this user a cluster administrator, put the group system:masters into the subject when the CSR is generated, then sign the CSR as above; a group cannot be added to a certificate after it has been signed.

    $ openssl req -new -key admin.key -subj "/CN=kube-admin/O=system:masters" -out admin.csr
    
    The kube-apiserver treats the system:masters group as a superuser that bypasses RBAC, so issue such a certificate only for break-glass access and keep its validity short.

We follow the same procedure to generate a client certificate for every other component that accesses the kube-apiserver: kube-scheduler, kube-controller-manager and kube-proxy. Their CNs must match the user names the default RBAC bindings expect (system:kube-scheduler, system:kube-controller-manager and system:kube-proxy), otherwise the component authenticates but is denied by authorization.

Generating Server Certificates

Server certificates are signed by the same CA, but in addition the subject alternative names (SANs) must list every hostname and IP address a client may use to reach the server, because a client verifies the name it dialled against the certificate.

ETCD Server certificate

The etcd server certificate covers the address the kube-apiserver uses to reach etcd. In a multi-member etcd cluster each member also needs a peer certificate for member-to-member traffic.

Kube-apiserver certificate

The kube-apiserver is reached under several names (kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, the cluster service IP and the host IP), and every one of them must appear as a SAN.

Kubelet Nodes (Server Cert)

Each node's kubelet serves its own certificate, named after the node (for example node01), which the kube-apiserver verifies when it connects to the kubelet for logs, exec and port-forward.

Kubelet Nodes (Client Cert)

The kubelet also needs a client certificate to talk to the kube-apiserver. Its CN must be system:node:<node-name> and its O must be system:nodes, so that the Node authorizer can restrict the kubelet to the objects belonging to its own node.
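The complete procedure from this page, client and server halves together, as an added example (this script is not the page's or the course's own code): it builds the CA with the extensions the bare commands omit, signs the client certificates (admin with O=system:masters, kube-scheduler, a kubelet with CN system:node:node01) and the server certificates with SANs (etcd, kube-apiserver, the node01 kubelet), and then verifies the chain and inspects the subjects and SANs. The output directory, the 365-day validity, the node name node01 and the IP addresses are assumptions; the kubernetes service names and 10.96.0.1 are the conventional defaults of a cluster, not values taken from this page.

```shell
#!/bin/sh
# Added example, not from the page: builds the whole chain the page describes
# (CA -> client certs -> server certs with SANs) with openssl and checks the
# result. Assumptions: output directory $PKI_DIR (a temp dir by default),
# 365-day validity, and the node name / addresses used in the demo below.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
DAYS="${DAYS:-365}"

# Key + CSR.  $1 = file base name, $2 = subject, e.g. "/CN=kube-admin/O=system:masters"
make_key_and_csr() {
  openssl genrsa -out "$PKI_DIR/$1.key" 2048 2>/dev/null
  openssl req -new -key "$PKI_DIR/$1.key" -subj "$2" -out "$PKI_DIR/$1.csr"
}

# Self-signed CA.  Unlike the bare "x509 -req -signkey" on the page this marks the
# certificate as a CA (basicConstraints, keyCertSign) and sets an explicit validity.
make_ca() {
  make_key_and_csr ca "/CN=KUBERNETES-CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$PKI_DIR/ca.ext"
  openssl x509 -req -in "$PKI_DIR/ca.csr" -signkey "$PKI_DIR/ca.key" \
    -days "$DAYS" -extfile "$PKI_DIR/ca.ext" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# Sign a CSR with the CA.  $1 = base name, $2 = clientAuth or serverAuth,
# $3 = optional SAN list such as "DNS:kubernetes,IP:10.96.0.1".
sign_with_ca() {
  {
    printf 'basicConstraints=CA:FALSE\n'
    printf 'keyUsage=critical,digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=%s\n' "$2"
    if [ -n "${3:-}" ]; then printf 'subjectAltName=%s\n' "$3"; fi
  } > "$PKI_DIR/$1.ext"
  # -CAcreateserial: create ca.srl on first use (older openssl aborts without it)
  openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" \
    -CAcreateserial -days "$DAYS" -extfile "$PKI_DIR/$1.ext" \
    -out "$PKI_DIR/$1.crt" 2>/dev/null
}

make_client_cert() { make_key_and_csr "$1" "$2"; sign_with_ca "$1" clientAuth; }      # $1 name, $2 subject
make_server_cert() { make_key_and_csr "$1" "$2"; sign_with_ca "$1" serverAuth "$3"; } # $1 name, $2 subject, $3 SANs

# Checks a practitioner runs on the output (each prints or returns a status).
verify_chain() { openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/$1.crt" >/dev/null 2>&1; }
cert_subject() { openssl x509 -in "$PKI_DIR/$1.crt" -noout -subject; }
cert_sans()    { openssl x509 -in "$PKI_DIR/$1.crt" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'; }
is_ca()        { openssl x509 -in "$PKI_DIR/$1.crt" -noout -text | grep -q 'CA:TRUE'; }

# --- demo: the certificates named on this page ---------------------------------
make_ca
# client certs: user name = CN, groups = O
make_client_cert admin          "/CN=kube-admin/O=system:masters"
make_client_cert scheduler      "/CN=system:kube-scheduler"
make_client_cert node01-client  "/CN=system:node:node01/O=system:nodes"
# server certs: every name a client may dial must be a SAN (addresses are assumptions)
make_server_cert etcd           "/CN=etcd-server"    "DNS:etcd-server,DNS:localhost,IP:127.0.0.1"
make_server_cert apiserver      "/CN=kube-apiserver" \
  "DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local,IP:10.96.0.1,IP:127.0.0.1"
make_server_cert node01-server  "/CN=node01"         "DNS:node01,IP:192.168.1.10"

for c in admin scheduler node01-client etcd apiserver node01-server; do
  verify_chain "$c"                     # set -e aborts the script if the chain is broken
  printf '%-14s %s\n' "$c" "$(cert_subject "$c")"
done
echo "apiserver SANs:$(cert_sans apiserver)"
echo "PKI written to $PKI_DIR"
```

Run it with sh; set PKI_DIR to choose where the files land. The subject lines it prints are exactly what the kube-apiserver maps to user names and groups, and the SAN line is what a client compares against the name it connected to, so a missing SAN shows up here before it shows up as an x509 "certificate is valid for ..." error in a component log. To use the admin pair, point kubectl at it with --client-certificate, --client-key and --certificate-authority.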