Reputation: 1778
I am trying to use my own CAs on k8s for internal https communication.
I read the documentation Certificate Management with kubeadm where I use on my conf file the paths as described:
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
controllerManager:
  extraArgs:
    cluster-signing-cert-file: /etc/kubernetes/pki/ca.crt
    cluster-signing-key-file: /etc/kubernetes/pki/ca.key
When I launch the master prime node I get the following error:
error execution phase certs/apiserver: couldn't load CA certificate ca: ca certificate is not a certificate authority
I tried to find a way to define the authority and I found this Certificates. I do think that this is what I am looking for, as this is referring to how to produce your own self-signed CAs.
The CAs that I want to apply are from an official authority.
Is there something that I am missing here and cannot figure out?
I am running version 1.19.2:
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:41:02Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:32:58Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
Upvotes: 3
Views: 12912
Reputation: 44549
You have got a private key and a server certificate signed by an external CA with its private key. You really do not have the CA's private key itself.
If you were using the self-signed CA option then you would actually have the CA's private key with you, and kubeadm could use that to sign and generate all the server and client certificates for the control plane components.
You need to follow the External CA mode of kubeadm, where you just provide the ca.crt in the /etc/kubernetes/pki/ca.crt location.
This will make use of the server certificate to host the Kubernetes API Server over https, which is what you are trying to achieve.
Please note the following:
In this case you will not be able to use Kubernetes to issue certificates by approving certificate signing requests, because you do not have the private key of the CA to sign a CSR.
Since kubeadm is running in external CA mode, all the certificates for the control plane components must be provided by the user, because kubeadm cannot generate them by itself.
Upvotes: 4
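The error in the question is kubeadm refusing a ca.crt whose basicConstraints extension does not mark it as a CA. As an added example (not code from the question, the answer or kubeadm itself), this Go program applies that check to a PEM certificate and builds a constructed self-signed CA plus a server certificate issued by it, to show that only the first one passes; CheckCA, MakeCert and the subject names are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CheckCA rejects a PEM certificate that is not a CA (IsCA false), the condition
// behind "ca certificate is not a certificate authority"; keyCertSign is checked
// too, since a CA without it cannot sign CSRs in practice (extra check, not kubeadm's).
func CheckCA(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if !cert.IsCA {
		return errors.New("ca certificate is not a certificate authority")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("certificate lacks the keyCertSign key usage")
	}
	return nil
}

// MakeCert is a constructed helper: a self-signed CA when isCA is true, otherwise a
// server (leaf) certificate signed by parent/parentKey, like an externally issued cert.
func MakeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}
```

Running CheckCA over the file you placed at /etc/kubernetes/pki/ca.crt tells you before kubeadm init whether you were handed a CA certificate or only a server certificate.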