Reputation: 32104
:)
I have Kubernetes 1.9.3 installed on my local Gentoo Linux cluster.
I'm trying to configure kubectl as documented at https://kubernetes.io/docs/getting-started-guides/scratch/
The Kubernetes docs state to configure kubectl with $CLI_CERT and $CLI_KEY. So far in the documentation I set $CA_CERT and $MASTER_KEY. I don't know which other certificates I need to create that are required. The docs state to use $CLI_CERT and $CLI_KEY, but I can't find how to create them.
I used easyrsa to create the certificates.
These are the files that I have:
./reqs/server.req
./issued/server.crt
./certs_by_serial/577957B555C21B8DC4B1641E97378EFF.pem
./index.txt.attr
./serial
./private
./private/ca.key
./private/server.key
./.rnd
./ca.crt
These are the environment variables that I set:
export MASTER_IP="192.168.1.3"
export MASTER_CLUSTER_IP="10.0.0.1"
export KUB_DIR="/opt/kubernetes"
export KEYS_DIR="${KUB_DIR}/keys"
export CA_CERT="${KEYS_DIR}/ca.crt"
export MASTER_CERT="${KEYS_DIR}/server.crt"
export MASTER_KEY="${KEYS_DIR}/server.key"
export USER=ufk
export USER_UID=1
export API_SERVER_DIR=${KUB_DIR}/kube-apiserver
export KNOWN_TOKENS_CSV=${API_SERVER_DIR}/known_tokens.csv
export CURRENT_USER=$(who am i | awk '{print $1}')
export CLUSTER_NAME="tux-in-cluster"
export CONTEXT_NAME="tux-in-context"
export CLI_CERT=
export CLI_KEY=
export RSA_BIN=/usr/share/easy-rsa/easyrsa
And this is how I created the certificates:
echo init pki...
$RSA_BIN init-pki
echo generate CA...
$RSA_BIN --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass
echo Generate server certificate and key...
$RSA_BIN --subject-alt-name="IP:${MASTER_IP},"\
"IP:${MASTER_CLUSTER_IP},"\
"DNS:kubernetes,"\
"DNS:kubernetes.default,"\
"DNS:kubernetes.default.svc,"\
"DNS:kubernetes.default.svc.cluster,"\
"DNS:kubernetes.default.svc.cluster.local" \
--days=10000 \
build-server-full server nopass
What am I missing?
Upvotes: 0
Views: 1912
Reputation: 22244
the docs stated to use $CLI_CERT and $CLI_KEY but I can't find how to create them.
You will have a "user" who runs the kubectl command to create e.g. a pod. This "user" needs to prove that it is a legitimate user who has access to the API server and has the proper authorization to create a pod.
You need to create this user (especially for an administrator) and a client certificate/key to prove itself as a legitimate user whose certificate is signed by the ca.crt.
To configure additional users, such as operators who start/stop/monitor the cluster, etc., please have a look at Configure RBAC In Your Kubernetes Cluster to set up appropriate roles, users, and role bindings for the users.
Upvotes: 1
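As an added example (not part of the question or the answer above), the script below shows the missing step end to end: issue a client certificate for the kubectl user, signed by the same CA the API server trusts, check that it chains to that CA, and point a kubeconfig at the resulting files. It uses openssl rather than easyrsa so it runs offline against a constructed throwaway CA; with the question's PKI the equivalent easyrsa step is `$RSA_BIN build-client-full ufk nopass`, which writes issued/ufk.crt and private/ufk.key, and those two paths are what $CLI_CERT and $CLI_KEY should hold. The user name ufk, cluster and context names and the master IP come from the question; the API port 6443, the group system:masters and the scratch directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: mint a CA-signed
# client certificate for the kubectl user and reference it from a kubeconfig.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (constructed for the example)

# Constructed CA standing in for the page's ca.crt / private/ca.key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=example-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a client cert for USER in GROUP. The API server takes the Kubernetes
# username from CN and the group from O (group name is an assumption here).
# easyrsa equivalent against the page's PKI: $RSA_BIN build-client-full ufk nopass
issue_client_cert() {
  user="$1"; group="$2"
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=${user}/O=${group}" \
    -keyout "$WORK/${user}.key" -out "$WORK/${user}.csr" 2>/dev/null
  # clientAuth marks this as a client certificate, not a server one.
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/${user}.ext"
  openssl x509 -req -days 365 -in "$WORK/${user}.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/${user}.ext" -out "$WORK/${user}.crt" 2>/dev/null
}

# The check worth doing before touching kubectl: the client cert must chain
# to the CA the API server was started with, or authentication fails.
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Subject as the API server will see it (CN = user, O = group).
client_subject() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject
}

# Write a kubeconfig that references the files; this is what the sequence
# kubectl config set-cluster / set-credentials / set-context / use-context
# produces, written directly so the example needs no kubectl binary.
write_kubeconfig() {
  cluster="$1"; context="$2"; user="$3"; server="$4"; out="$5"
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority: ${WORK}/ca.crt
users:
- name: ${user}
  user:
    client-certificate: ${WORK}/${user}.crt
    client-key: ${WORK}/${user}.key
contexts:
- name: ${context}
  context:
    cluster: ${cluster}
    user: ${user}
current-context: ${context}
EOF
}

main() {
  make_ca
  issue_client_cert ufk system:masters
  verify_client_cert ufk && echo "ufk.crt chains to ca.crt"
  client_subject ufk
  # Port 6443 is an assumption; the question only gives MASTER_IP.
  write_kubeconfig tux-in-cluster tux-in-context ufk \
    "https://192.168.1.3:6443" "$WORK/kubeconfig"
  echo "kubeconfig written to $WORK/kubeconfig"
}

# Run end to end only when openssl is available.
command -v openssl >/dev/null 2>&1 && main
```

Run it with `KUBECONFIG=$WORK/kubeconfig kubectl get nodes` afterwards to confirm the API server accepts the certificate; if it answers with a 401 the cert does not chain to the CA given to the API server's --client-ca-file, and if it answers with a 403 the user or group named in the subject has no RBAC binding yet.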