cat /etc/kubernetes/manifest/kube-apiserver.yaml
# Excerpt of the kube-apiserver static-pod manifest as pasted: the indentation
# was lost, so `containers` should be read as nested under `spec`, and the flag
# list as nested under `command`. kubeadm normally writes static-pod manifests
# to /etc/kubernetes/manifests/ (plural) — confirm the path on the node.
spec:
containers:
- command:
- kube-apiserver
# Address the API server advertises to other cluster members.
- --advertise-address=172.17.0.31
# Lets pods request privileged mode; which admission controls limit that is not
# visible in this excerpt.
- --allow-privileged=true
# Node authorizer scopes kubelets to their own node's objects; everything else
# goes through RBAC. AlwaysAllow should never appear in this list.
- --authorization-mode=Node,RBAC
# CA that client certificates presented to the API server must chain to.
- --client-ca-file=/etc/kubernetes/pki/ca.crt
# NodeRestriction enforces the per-node scoping the Node authorizer relies on.
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
# Mutual TLS from the API server to etcd: the CA used to verify etcd's serving
# certificate, plus the API server's own client cert/key (the *-etcd-client pair).
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379
# 0 disables the unauthenticated plaintext listener entirely (the flag itself is
# deprecated and removed in later releases).
- --insecure-port=0
# Client cert/key the API server presents when it connects to kubelets.
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
# Client cert/key used when the API server calls aggregated API servers.
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
# Request-header (front-proxy) authentication: the X-Remote-* identity headers
# are honoured only from a client whose certificate chains to front-proxy-ca.crt
# and whose CN is listed in --requestheader-allowed-names; otherwise ignored.
- --requestheader-allowed-names=front-proxy-client
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --secure-port=6443
# Public key used to verify service-account tokens.
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --service-cluster-ip-range=10.96.0.0/12
# Serving certificate/key for the API server's TLS endpoint (port 6443 above).
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
ㅁ Identify the certificate file used for the kube-api-server
[/etc/kubernetes/pki/apiserver.crt]
[/tmp/kube-apiserver.crt]
[/etc/apiserver.crt]
[/etc/kubernetes/pki/kube-apiserver.crt]
[/etc/apiserver.key]
ㅁ Identify the Certificate file used to authenticate kube-apiserver as a client to ETCD Server
[/etc/kubernetes/pki/apiserver-etcd-client.key]
[/etc/kubernetes/pki/apiserver-kubelet-client.crt]
[/etc/kubernetes/pki/apiserver-etcd.crt]
[/etc/kubernetes/pki/apiserver-etcd-client.crt]
[/etc/kubernetes/pki/apiserver.crt]
ㅁ Identify the key used to authenticate kubeapi-server to the kubelet server
[/etc/kubernetes/pki/apiserver-kubelet-client.key]
[/etc/kubernetes/pki/front-proxy-client.key]
[/etc/kubernetes/pki/apiserver-etcd-client.key]
[/etc/kubernetes/pki/apiserver-kubelet-client.crt]
[/etc/kubernetes/pki/apiserver.key]
cat /etc/kubernetes/manifest/etcd.yaml
# Excerpt of the etcd static-pod manifest as pasted: the indentation was lost,
# so `containers` should be read as nested under `spec`, and the flag list as
# nested under `command`.
spec:
containers:
- command:
- etcd
# Client URL advertised to the rest of the cluster.
- --advertise-client-urls=https://172.17.0.31:2379
# Serving cert/key for the client-facing endpoint (2379), issued by etcd's own
# CA (etcd-ca) rather than the cluster CA.
- --cert-file=/etc/kubernetes/pki/etcd/server.crt
# Require a client certificate chaining to --trusted-ca-file on 2379. Without
# this, anyone able to reach the port could read and write all cluster state.
- --client-cert-auth=true
- --data-dir=/var/lib/etcd
- --initial-advertise-peer-urls=https://172.17.0.31:2380
- --initial-cluster=controlplane=https://172.17.0.31:2380
- --key-file=/etc/kubernetes/pki/etcd/server.key
# Client listener on loopback and the node IP, TLS only.
- --listen-client-urls=https://127.0.0.1:2379,https://172.17.0.31:2379
# Metrics endpoint is plain HTTP but bound to loopback only.
- --listen-metrics-urls=http://127.0.0.1:2381
- --listen-peer-urls=https://172.17.0.31:2380
- --name=controlplane
# Peer (2380) TLS: serving cert/key plus mandatory peer client-cert auth against
# the etcd CA, so only a member holding an etcd-CA-issued certificate can join.
- --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
- --peer-client-cert-auth=true
- --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
- --snapshot-count=10000
# CA used to validate client certificates on 2379; the kube-apiserver's
# apiserver-etcd-client.crt must chain to this.
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
ㅁ Identify the ETCD Server Certificate used to host ETCD server
[/etc/kubernetes/pki/apiserver-etcd-client.crt]
[/etc/kubernetes/pki/etcd/ca.crt]
[/etc/kubernetes/pki/apiserver.crt]
[/etc/kubernetes/pki/etcd/server.crt]
ㅁ Identify the ETCD Server CA Root Certificate used to serve ETCD Server
ETCD can have its own CA, so this may be a different CA certificate from the one used by the kube-apiserver.
[/etc/kubernetes/pki/ca.crt]
[/etc/kubernetes/pki/etcd/server.crt]
[/etc/kubernetes/pki/apiserver-kubelet-client.crt]
[/etc/kubernetes/pki/etcd/ca.crt]
$ openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7180269681194863858 (0x63a5713b7b208cf2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: Mar 29 00:01:49 2021 GMT
Not After : Mar 29 00:01:49 2022 GMT
Subject: CN = kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d9:19:9f:81:9e:42:dd:0e:1f:56:83:02:d3:6c:
f1:43:71:10:03:ea:8d:8d:9b:7d:8e:1f:a1:11:fb:
31:6b:38:8e:f3:27:0a:de:7e:a2:2b:88:b1:70:aa:
f5:c0:66:ac:23:27:20:28:3b:6e:ed:e9:40:83:31:
f5:73:3a:bf:c2:8f:6a:a6:8e:67:6a:b0:2f:b8:89:
42:40:52:28:7b:3b:54:74:7f:1a:9c:d0:79:ec:ef:
2f:52:c7:0d:98:60:5d:73:47:0b:1f:40:71:fa:0e:
de:6c:83:8a:87:22:0c:ca:b6:f1:5f:0d:6b:46:b6:
1a:a0:43:cd:0b:3e:28:0f:f6:db:5b:b0:46:ef:5a:
a6:2c:c1:e6:9c:f1:3d:7d:64:d7:ce:f4:ef:0c:59:
31:8f:4f:14:83:4b:cd:30:6f:c3:a6:d8:ba:57:e7:
35:f1:0d:28:bf:32:d2:f8:52:33:5b:ec:93:31:2f:
87:70:43:b5:c5:44:54:24:e5:b4:e3:18:2c:f8:25:
ef:73:05:28:5c:62:42:ae:c8:66:3d:e1:17:6c:9b:
5a:b3:67:ff:60:2d:34:06:5a:23:ec:3e:b5:68:f8:
9d:df:76:cd:f0:96:80:46:a7:fe:08:35:e8:20:79:
f8:83:03:5d:8a:8e:5d:09:58:d1:8f:d2:d0:92:b3:
d6:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:controlplane, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:172.17.0.31
Signature Algorithm: sha256WithRSAEncryption
5e:7a:69:83:5c:b0:8a:b7:b3:5c:ff:21:f2:56:00:bb:81:c2:
7c:ee:6e:83:21:02:22:3e:37:1f:36:af:cc:b9:4e:97:6b:d3:
eb:c2:b8:4d:c8:f5:87:31:f4:12:8f:e5:31:79:0e:73:97:1e:
7a:85:f6:cd:1e:3c:71:25:83:b9:9c:10:98:ed:fd:ac:c1:80:
30:96:70:1c:55:31:ee:75:98:c7:60:76:a2:5c:e5:92:ce:27:
a5:ac:2a:23:71:b5:09:83:09:86:7e:31:9e:42:30:fd:32:87:
f0:22:9d:67:65:75:90:33:39:6a:39:4c:bf:eb:20:9c:8a:47:
e6:bd:e7:74:3c:bc:8c:67:ce:50:e1:fb:bc:3c:7b:63:c5:ff:
a4:5e:b1:28:4d:75:f6:74:5c:ba:fa:c6:49:a4:14:51:fa:12:
6c:94:25:f5:1f:6f:07:62:3e:ba:b3:e1:45:fc:a6:48:1a:26:
53:26:8c:31:79:55:2d:0c:7d:93:b9:98:22:5a:14:1c:a4:63:
fc:35:c0:70:73:a3:fe:ab:1e:8d:90:2c:27:61:85:28:1b:8a:
ff:77:e5:c9:e4:b6:ff:38:b6:76:71:45:a8:c8:43:03:be:7a:
cf:7b:1e:d5:a8:5f:7e:40:cc:1b:4f:f3:5f:ae:b7:44:1a:a1:
96:6a:11:d6
ㅁ What is the Common Name (CN) configured on the Kube API Server Certificate?
OpenSSL Syntax: openssl x509 -in file-path.crt -text -noout
[kubeapi-server]
[kubernetes]
[kube-apiserver]
[kube-api-server]
[api-server]
ㅁ What is the name of the CA who issued the kube API Server Certificate
[kubernetes]
[kube-apiserver]
[kubernetes-ca]
[ca]
ㅁ Which of the below alternate names is not configured on the Kube API Certificate?
[kube-master]
[controlplane]
[kubernetes.default.svc]
[kubernetes]
openssl x509 -in /etc/kubernetes/pki/etcd/server.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6805234504088490968 (0x5e710cb9cd6d13d8)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = etcd-ca
Validity
Not Before: Mar 29 00:01:50 2021 GMT
Not After : Mar 29 00:01:50 2022 GMT
Subject: CN = controlplane
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:af:9e:60:cd:28:51:8d:e7:50:82:31:82:15:06:
b9:b9:a1:1c:6d:70:aa:f3:92:17:98:78:e0:6e:9d:
7b:0f:a3:40:6a:05:f0:63:4b:62:0d:26:7c:c1:bc:
01:ce:60:ef:a4:88:54:12:06:d8:6e:14:9f:b9:2f:
f6:db:7e:20:af:4b:22:ef:44:96:cf:eb:e9:4e:8e:
0c:b0:37:6f:8c:d1:ad:44:c8:80:2d:a8:af:6d:6b:
9e:4e:33:b2:4b:14:d9:d5:82:47:9a:10:ad:cd:3b:
5d:26:72:8a:1f:e3:85:61:37:fe:d5:b6:c8:9f:d6:
c3:52:d6:7f:4b:ee:7a:52:0f:3b:c3:d1:b0:ec:cb:
6b:18:9c:31:0b:21:6d:b1:9b:bf:c6:e5:70:a8:bc:
6b:3b:43:a5:26:5c:d1:63:35:d4:b9:02:cb:2d:bd:
9a:30:ff:7d:39:fd:63:ee:68:86:b2:e2:69:9f:a3:
b1:d3:c7:ba:e4:1c:a6:3c:42:c8:44:f9:07:bf:2e:
75:6a:0f:08:3c:6c:4c:44:d5:57:bb:d8:61:61:b3:
c9:81:16:20:79:b5:9b:b9:e0:65:27:04:6e:0d:8c:
8a:cf:8b:e7:7e:39:b0:ef:ff:28:9a:06:d0:7b:b9:
84:f0:df:3f:84:e7:82:82:d9:00:b3:98:8d:f9:2f:
e8:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:controlplane, DNS:localhost, IP Address:172.17.0.31, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
Signature Algorithm: sha256WithRSAEncryption
4e:da:d3:47:8d:1e:aa:26:71:10:a9:11:bd:b1:2a:6d:ee:89:
4b:4b:e1:eb:bd:8b:a8:5a:a1:77:e9:7c:63:67:26:34:be:b0:
4b:08:16:13:82:13:59:6e:1d:50:41:65:ba:3d:2f:d7:af:f5:
bc:cd:6c:40:91:92:f2:f0:ed:85:f1:f2:89:4c:00:a7:5c:23:
03:74:db:45:09:7d:6c:52:97:ed:e1:ce:2b:62:12:ef:3a:6e:
02:27:8e:e4:0a:3f:ef:54:d3:11:bb:17:f7:ee:40:5b:88:06:
96:ef:20:e2:2b:62:cd:8f:eb:a2:f3:33:5c:71:29:c9:ab:cd:
a0:99:1e:a4:fe:33:7d:7a:d4:4a:9a:7d:19:bd:85:e3:a2:fd:
aa:25:85:ec:56:38:ca:1f:fa:36:af:6e:84:82:99:f7:4b:19:
6c:ad:2a:70:a1:47:e7:36:e5:c7:fa:63:99:a7:d0:a1:e6:23:
43:56:3e:8c:3f:bc:6b:12:8e:06:a9:4b:5a:d2:eb:05:6d:4a:
bd:9d:d9:99:01:44:fb:28:53:b5:ea:4c:0c:de:e8:d4:03:5e:
9b:d7:bf:75:11:c3:e2:fd:62:7a:27:91:6b:a5:e9:30:34:e7:
73:92:67:b2:5e:ed:2a:28:55:d7:f7:9d:75:04:ca:7c:4a:31:
16:34:c7:e5
ㅁ What is the Common Name (CN) configured on the ETCD Server certificate?
[etcd-server]
[kubernetes]
[controlplane]
[etcd]
ㅁ How long, from the issued date, is the Kube-API Server Certificate valid for?
file: /etc/kubernetes/pki/apiserver.crt
[6 months]
[1 Year]
[10 Year]
[2 Year]
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
Validity
Not Before: Mar 29 00:01:49 2021 GMT
Not After : Mar 29 00:01:49 2022 GMT
ㅁ How long, from the issued date, is the Root CA Certificate valid for?
file: /etc/kubernetes/pki/ca.crt
[6 months]
[1 Year]
[10 Year]
[2 Year]
openssl x509 -in /etc/kubernetes/pki/ca.crt -text -noout
Validity
Not Before: Mar 29 00:01:49 2021 GMT
Not After : Mar 27 00:01:49 2031 GMT
ㅁ Kubectl suddenly stops responding to your commands. Check it out! Someone recently modified the /etc/kubernetes/manifest/etcd.yaml file.
You are asked to investigate and fix the issue. Once you fix the issue, wait a while for kubectl to respond. Check the logs of the ETCD container.