TLS Certificates

$ cat /etc/kuernetes/manifests/kube-apiserver.yaml

spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --advertise-address=172.17.0.32
    - --allow-privileged=true
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --disable-admission-plugins=PersistentVolumeLabel
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apisever.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

/etc/kubernetes/pki/apiserver.crt

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout

kubeadm CA

Certificate Path (/etc/kubernetes/pki)	CN NAme	ALT Names	Organization	Issuer	Expiration
apiserver.crt	kube-apiserver	DNS:master DNS:kubernetes DNS:kubernetes.default DNS:kubernetes.default.svc IP Address:10.96.0.1 IP Address:172.17.0.27		kubernetes
apiserver.key
ca.crt	kubernetes			kubernetes
apiserver-kubelet-client.crt	kube-apiserver-kubelet-client		system:masters	kubernetes
apiserver-kubelet-client.key
apiserver-etcd-client.crt	kube-apiserver-etcd-client		system:masters	self
apiserver-etcd-client.key
./etcd/ca.crt	kubernetes			kubernetes

jounalctl -u etcd.service -l

View logs

kubectl logs etcd-master

kubernetes certs checker

https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/tools/kubernetes-certs-checker.xlsx

'CKA &. CKAD > Security' 카테고리의 다른 글

Practice Test - Certificates API (0)	2021.03.29
Practice Test - View Certificates (0)	2021.03.29
TLS in Kubernetes (0)	2021.03.29
TLS (0)	2021.03.28
Authentication (0)	2021.03.28

Clark의 IT Container

TLS Certificates

'CKA &. CKAD > Security' 카테고리의 다른 글

티스토리툴바

TLS Certificates

'CKA &. CKAD > Security' 카테고리의 다른 글

'CKA &. CKAD/Security' Related Articles

티스토리툴바