Generating certificate pairs with OpenSSL
ㅁ Certificate Authority (CA)
ㅇ Generate Keys (ca.key)
$ openssl genrsa -out ca.key 2048
ca.key
ㅇ Certificate Signing Request
$ openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr
ca.csr
ㅇ Sign Certificates
$ openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
ca.crt
ㅁ ADMIN USER
ㅇ Generate Keys
$ openssl genrsa -out admin.key 2048
admin.key
ㅇ Certificate Signing Request
$ openssl req -new -key admin.key -subj "/CN=kube-admin" -out admin.csr
admin.csr
ㅇ Sign Certificates
$ openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out admin.crt
(-CAcreateserial creates the serial file ca.srl on first use; OpenSSL 1.x fails without it when ca.srl does not exist yet)
admin.crt
Presenting the client certificate and the CA certificate to the server
curl https://kube-apiserver:6443/api/v1/pods \
  --key admin.key --cert admin.crt \
  --cacert ca.crt
{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/api/v1/pods"
  },
  "items": []
}
kube-config.yaml
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    certificate-authority: ca.crt
    server: https://kube-apiserver:6443
users:
- name: kubernetes-admin
  user:
    client-certificate: admin.crt
    client-key: admin.key
# context added so the file is usable as-is: it ties the user to the cluster
contexts:
- name: kubernetes-admin@kubernetes
  context:
    cluster: kubernetes
    user: kubernetes-admin
current-context: kubernetes-admin@kubernetes
[ETCD SERVERS]
cat etcd.yaml
- etcd
- --advertise-client-urls=https://127.0.0.1:2379
- --key-file=/path-to-certs/etcdserver.key
- --cert-file=/path-to-certs/etcdserver.crt
- --client-cert-auth=true
- --data-dir=/var/lib/etcd
- --initial-advertise-peer-urls=https://127.0.0.1:2380
- --initial-cluster=master=https://127.0.0.1:2380
- --listen-client-urls=https://127.0.0.1:2379
- --listen-peer-urls=https://127.0.0.1:2380
- --name=master
- --peer-cert-file=/path-to-certs/etcdpeer1.crt
- --peer-client-cert-auth=true
- --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
- --snapshot-count=10000
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
[KUBE API SERVER]
$ openssl genrsa -out apiserver.key 2048
apiserver.key
$ openssl req -new -key apiserver.key -subj "/CN=kube-apiserver" \
    -config openssl.cnf -out apiserver.csr
apiserver.csr
(-config openssl.cnf pulls the SAN list below into the request; without it the CSR only carries the CN)
openssl.cnf
[req]
req_extensions = v3_req
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
IP.1 = 10.96.0.1
IP.2 = 172.17.0.87
$ openssl x509 -req -in apiserver.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile openssl.cnf -extensions v3_req -out apiserver.crt
apiserver.crt
(x509 -req does not copy the extensions requested in the CSR, so the SANs have to be passed again at signing time with -extfile/-extensions; otherwise apiserver.crt is issued without any SAN and clients reject it for every name except none)
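The whole flow from the CA section down to the API server certificate, as one added script (not from the original post and not KodeKloud's or Kubernetes' own tooling). It assumes only that openssl 1.1.1 or 3.x is on PATH. File names, subjects and the SAN list are the ones used above; the /O=system:masters group on the admin certificate, the 365-day validity, the clientAuth/serverAuth extended key usages and the embedded-data kubeconfig are my choices. After issuing the certificates it runs the checks an operator should run: chain verification against ca.crt, subject/group inspection, and confirmation that the SANs actually made it into apiserver.crt.

```shell
#!/bin/sh
# Added example: CA -> admin client cert -> apiserver server cert, then verification.
# Assumes openssl (1.1.1 or 3.x) on PATH. Paths/subjects/SANs follow the post above;
# group, validity, EKUs and the embedded kubeconfig are assumptions of this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal openssl config. [req] must name a distinguished_name section even when
# -subj supplies the subject. v3_ca marks the root as a CA; v3_client / v3_req are
# the leaf profiles. subjectAltName uses '=' (a ':' here is a silent config error).
cat > openssl.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
IP.1 = 10.96.0.1
IP.2 = 172.17.0.87
EOF

make_ca() {
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -config openssl.cnf -out ca.csr
  openssl x509 -req -in ca.csr -signkey ca.key -days 365 -sha256 \
    -extfile openssl.cnf -extensions v3_ca -out ca.crt 2>/dev/null
}

# Client cert: CN becomes the Kubernetes user name, O the group (system:masters is cluster-admin).
make_client() {  # $1 = file base name, $2 = subject
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -config openssl.cnf -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -sha256 \
    -extfile openssl.cnf -extensions v3_client -out "$1.crt" 2>/dev/null
}

# Server cert: x509 -req does not copy extensions from the CSR, so the SAN section
# is passed again at signing time or the certificate is issued without SANs.
make_server() {
  openssl genrsa -out apiserver.key 2048 2>/dev/null
  openssl req -new -key apiserver.key -subj "/CN=kube-apiserver" -config openssl.cnf -out apiserver.csr
  openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -sha256 \
    -extfile openssl.cnf -extensions v3_req -out apiserver.crt 2>/dev/null
}

# Post-issuance checks.
verify_chain() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }   # exit 0 if $1 chains to ca.crt
cert_subject() { openssl x509 -in "$1" -noout -subject; }
has_san() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }         # exit 0 if SAN text $2 present

# Kubeconfig with the three files embedded as base64 (*-data keys), so it is portable.
b64() { base64 < "$1" | tr -d '\n'; }
write_kubeconfig() {
  cat > kube-config.yaml <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: https://kube-apiserver:6443
    certificate-authority-data: $(b64 ca.crt)
users:
- name: kubernetes-admin
  user:
    client-certificate-data: $(b64 admin.crt)
    client-key-data: $(b64 admin.key)
contexts:
- name: kubernetes-admin@kubernetes
  context:
    cluster: kubernetes
    user: kubernetes-admin
current-context: kubernetes-admin@kubernetes
EOF
}

make_ca
make_client admin "/CN=kube-admin/O=system:masters"
make_server
write_kubeconfig
echo "work dir: $WORK"
cert_subject admin.crt
openssl x509 -in apiserver.crt -noout -ext subjectAltName 2>/dev/null || true
```

Run it as `sh make-certs.sh`; everything lands in a fresh temporary directory (or in `$WORK` if set). The two things the post's bare commands leave out and this script makes explicit are the `-extfile/-extensions` pair at signing time, without which `apiserver.crt` has no SANs, and the `/O=` group on the admin subject, which is what RBAC maps to when the certificate is presented.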
ExecStart=/usr/local/bin/kube-apiserver \
  --advertise-address=${INTERNAL_IP} \
  --allow-privileged=true \
  --apiserver-count=3 \
  --authorization-mode=Node,RBAC \
  --bind-address=0.0.0.0 \
  --enable-swagger-ui=true \
  --etcd-cafile=/var/lib/kubernetes/ca.pem \
  --etcd-certfile=/var/lib/kubernetes/apiserver-etcd-client.crt \
  --etcd-keyfile=/var/lib/kubernetes/apiserver-etcd-client.key \
  --etcd-servers=https://127.0.0.1:2379 \
  --event-ttl=1h \
  --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \
  --kubelet-client-certificate=/var/lib/kubernetes/apiserver-etcd-client.crt \
  --kubelet-client-key=/var/lib/kubernetes/apiserver-etcd-client.key \
  --kubelet-https=true \
  --runtime-config=api/all \
  --service-account-key-file=/var/lib/kubernetes/service-account.pem \
  --service-cluster-ip-range=10.32.0.0/24 \
  --service-node-port-range=30000-32767 \
  --client-ca-file=/var/lib/kubernetes/ca.pem \
  --tls-cert-file=/var/lib/kubernetes/apiserver.crt \
  --tls-private-key-file=/var/lib/kubernetes/apiserver.key \
  --v=2