k8s 09: PKI infrastructure and Certificate

For the API server to accept requests over HTTPS, a PKI needs to be set up.

In this demo cluster, I use the controller-1 node to create the CA and the other certificates.

Set up CA

1. Install tools

The official documentation is here. Because of a bug in cfssl 1.2.0, a workaround is needed, though.

[ controller-1 ]

2. Initialize CA

Once the tools are installed, it's time to initialize the CA. It is quite straightforward.

[ controller-1 ]

Generate certificate and key for respective services

In the next few steps, we generate the certificates and keys each service needs in order to work correctly. Because we're going to use RBAC authorisation, the CN of each client certificate needs to be set to the built-in values (default roles) that the default role bindings expect. You can find those roles and the details of RBAC here.

1. API server

This step generates the server certificate for the API server.

2. Kubectl

This step generates the client certificate and key for kubectl.

3. Kubelet

Kubelet requires the special authorization mode "Node authorizer", and its certificate needs to specify the group as well as the user (in this case the node name). Hence, the certificate differs from node to node and needs to be generated separately for each node. For details of node authorization, refer here.

4. kube-proxy

This step generates the client certificate and key for kube-proxy.

5. coredns

This step generates the client certificate and key for coredns.
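The whole procedure above (CA, then one certificate per service) as an added, self-contained example. It is not the post's own cfssl commands: it builds the same layout with openssl so it runs on any machine, and then reads the identities back so you can see which RBAC user (CN) and group (O) each certificate will carry. The directory, the node name worker-1, the addresses, and the coredns subject are assumptions; the admin, kubelet and kube-proxy subjects are the ones the default cluster-admin, Node authorizer and system:node-proxier bindings look for.

```shell
#!/bin/sh
# Added example, not the post's cfssl commands: the same PKI layout built with
# openssl. One CA, one server cert (API server) and one client cert per
# component, carrying the CN/O that RBAC and the Node authorizer expect.
# Directory, node name, addresses and the coredns subject are assumptions.
set -e

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
NODE_NAME="worker-1"        # assumed node name; a real cluster uses the node's hostname
API_SERVER_IP="10.240.0.10" # assumed: address clients dial to reach the API server
SERVICE_IP="10.32.0.1"      # assumed: first IP of the service CIDR (kubernetes.default)

# Extensions shared by every client certificate (clientAuth only, never a CA).
CLIENT_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth'

# Step "Initialize CA": key, CSR, self-signed root with an explicit CA:TRUE.
make_ca() {
  openssl genrsa -out "$PKI_DIR/ca-key.pem" 2048 2>/dev/null
  openssl req -new -key "$PKI_DIR/ca-key.pem" -subj "/CN=kubernetes-ca/O=kubernetes" \
    -out "$PKI_DIR/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$PKI_DIR/ca.ext"
  openssl x509 -req -in "$PKI_DIR/ca.csr" -signkey "$PKI_DIR/ca-key.pem" -days 3650 \
    -extfile "$PKI_DIR/ca.ext" -out "$PKI_DIR/ca.pem" 2>/dev/null
}

# issue NAME SUBJECT EXTENSIONS: key + CSR + CA-signed cert as NAME-key.pem / NAME.pem
issue() {
  printf '%s\n' "$3" > "$PKI_DIR/$1.ext"
  openssl genrsa -out "$PKI_DIR/$1-key.pem" 2048 2>/dev/null
  openssl req -new -key "$PKI_DIR/$1-key.pem" -subj "$2" -out "$PKI_DIR/$1.csr" 2>/dev/null
  openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/ca.pem" -CAkey "$PKI_DIR/ca-key.pem" \
    -CAcreateserial -days 365 -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.pem" 2>/dev/null
}

build_cluster_pki() {
  make_ca
  # 1. API server: a server cert; every name or IP a client may dial must be a SAN.
  issue apiserver "/CN=kube-apiserver/O=kubernetes" "basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local,IP:127.0.0.1,IP:$API_SERVER_IP,IP:$SERVICE_IP"
  # 2. kubectl: group system:masters is bound to cluster-admin by the default bindings.
  issue admin "/CN=admin/O=system:masters" "$CLIENT_EXT"
  # 3. kubelet: Node authorizer requires user system:node:<name> in group system:nodes, one per node.
  issue "kubelet-$NODE_NAME" "/CN=system:node:$NODE_NAME/O=system:nodes" "$CLIENT_EXT"
  # 4. kube-proxy: user system:kube-proxy is the subject of the built-in system:node-proxier binding.
  issue kube-proxy "/CN=system:kube-proxy/O=system:node-proxier" "$CLIENT_EXT"
  # 5. coredns: assumed subject; its permissions come from whatever RoleBinding you create for it.
  issue coredns "/CN=system:coredns/O=kubernetes" "$CLIENT_EXT"
}

# The API server maps Common Name -> user and Organization -> group for client certs.
cert_cn()  { openssl x509 -in "$PKI_DIR/$1.pem" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }
cert_org() { openssl x509 -in "$PKI_DIR/$1.pem" -noout -subject -nameopt RFC2253 | sed -n 's/.*O=\([^,]*\).*/\1/p'; }
# Chain check: does our CA vouch for this certificate?
verify_cert() { openssl verify -CAfile "$PKI_DIR/ca.pem" "$PKI_DIR/$1.pem" >/dev/null 2>&1; }
# Extension check against the text dump (portable across openssl versions).
cert_has() { openssl x509 -in "$PKI_DIR/$1.pem" -noout -text | grep -q -- "$2"; }

build_cluster_pki
for c in apiserver admin "kubelet-$NODE_NAME" kube-proxy coredns; do
  printf '%-18s user=%-26s group=%s\n' "$c" "$(cert_cn "$c")" "$(cert_org "$c")"
done
echo "certificates written to $PKI_DIR"
```

If a kubelet later gets "Forbidden" from the API server, `cert_cn kubelet-<node>` is the first thing to check: the Node authorizer only honours a certificate whose CN is exactly system:node:&lt;hostname&gt; with O=system:nodes, so a typo in the node name silently downgrades it to an unknown user. Likewise, an API server name that is missing from the SAN list shows up as a TLS hostname mismatch in every client, not as an authorization error.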