CKA & CKAD / Security

Practice Test - Certificates API

 

$ openssl genrsa -out jane.key 2048      # creates the private key jane.key

$ openssl req -new -key jane.key -subj "/CN=jane" -out jane.csr
$ cat jane.csr | base64

 

jane-csr.yaml

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: jane
spec:
  groups:
  - system:authenticated
  usages:
  - digital signature
  - key encipherment
  - server auth
  request: [paste the output of cat jane.csr | base64 here, as a single line]

 

 

kubectl get csr

 

kubectl certificate approve jane

 

kubectl get csr jane -o yaml
echo "LSo..Qp" | base64 --decode

 

 

cat /etc/kubernetes/manifests/kube-controller-manager.yaml
# the controller manager signs CSRs with the CA given by --cluster-signing-cert-file and --cluster-signing-key-file

 

[Practice Test]

 

ㅁ A new member akshay joined our team. He requires access to our cluster. The Certificate Signing Request is at the /root location.

 

ㅁ Create a CertificateSigningRequest object with the name akshay with the contents of the akshay.csr file

cat akshay.csr | base64 | tr -d "\n"

 

akshay-csr.yaml

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  groups:
  - system:authenticated
  request: <paste the single-line output of cat akshay.csr | base64 | tr -d "\n" here>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - server auth

kubectl apply -f akshay-csr.yaml
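The manifest-building step above is the same for jane and for akshay: base64-encode the whole PEM CSR file as one line and place it in spec.request. The Python below is an added example and is not code from the original post. The CSR body it embeds is a constructed placeholder, not a real request, and the default usage is client auth, the usage the kubernetes.io/kube-apiserver-client signer issues certificates for.

```python
"""Build a Kubernetes CertificateSigningRequest manifest from a PEM CSR.

Added example, not from the original post. It does in code what
`cat akshay.csr | base64 | tr -d "\n"` does in the shell and puts the
result in spec.request, so the output can go to `kubectl apply -f -`.
"""
import base64
import json

# Constructed placeholder CSR: a PEM envelope with a fake body, only so the
# encoding step can be shown offline. A real file comes from `openssl req`.
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIIBFAKE0CSRBODY000000000000000000000000000000000000000000000000\n"
    "-----END CERTIFICATE REQUEST-----\n"
)

KUBE_APISERVER_CLIENT = "kubernetes.io/kube-apiserver-client"


def encode_request(csr_pem):
    """Return the CSR PEM as a single-line base64 string.

    spec.request must hold the base64 of the whole PEM file (header and
    footer included) with no embedded newlines; that is why the shell
    version pipes through tr -d "\n". base64.b64encode never wraps lines,
    unlike base64.encodebytes, which would break the YAML field.
    """
    encoded = base64.b64encode(csr_pem.encode("ascii")).decode("ascii")
    assert "\n" not in encoded
    return encoded


def build_csr_manifest(name, csr_pem, usages=("client auth",),
                       groups=("system:authenticated",),
                       signer_name=KUBE_APISERVER_CLIENT):
    """Return the CSR object as a dict (certificates.k8s.io/v1 shape)."""
    return {
        "apiVersion": "certificates.k8s.io/v1",
        "kind": "CertificateSigningRequest",
        "metadata": {"name": name},
        "spec": {
            "groups": list(groups),
            "request": encode_request(csr_pem),
            "signerName": signer_name,
            "usages": list(usages),
        },
    }


def manifest_to_json(manifest):
    """kubectl accepts JSON as well as YAML, so no YAML library is needed."""
    return json.dumps(manifest, indent=2)


def decode_issued_certificate(csr_object):
    """Return the PEM certificate from status.certificate, or None while the
    request is still pending (the field is absent until it is issued).
    This is the `echo ... | base64 --decode` step from above."""
    cert_b64 = csr_object.get("status", {}).get("certificate")
    if not cert_b64:
        return None
    return base64.b64decode(cert_b64).decode("ascii")


if __name__ == "__main__":
    # Pipe this into: kubectl apply -f -
    print(manifest_to_json(build_csr_manifest("akshay", SAMPLE_CSR_PEM)))
```

The usages list is deliberately narrower than the one in the exercise manifest: a certificate for a person authenticating to the API server only needs client auth.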

List all CSRs

kubectl get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                  CONDITION
akshay      10s   kubernetes.io/kube-apiserver-client           kubernetes-admin           Pending
csr-drpth   40m   kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   Approved,Issued
csr-hwx8z   39m   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:96771a    Approved,Issued

Approve the akshay CSR, which is still Pending

kubectl certificate approve akshay

Check the CSR status again

kubectl get csr

 

ㅁ During a routine check you realized that there is a new CSR request in place. What is the name of this request?

kubectl get csr

 

ㅁ You are not aware of a request coming in. What groups is this CSR requesting access to? Check the details about the request, preferably in YAML.

kubectl get csr/agent-smith -o yaml

 

ㅁ That doesn't look very right. Reject that request.

kubectl certificate deny agent-smith 

 

ㅁ Let's get rid of it. Delete the new CSR object.

kubectl delete csr agent-smith
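The review in the last three exercises (look at the signer, groups and usages in the YAML, then approve or deny) can be done in code over the JSON that `kubectl get csr -o json` returns. The block below is an added example and not code from the original post; its allow-lists are this example's own policy, not a Kubernetes default, and the sample CSR list is constructed: the names mirror the `kubectl get csr` output above, but the groups, usernames and request bodies are invented, so agent-smith's groups here are not taken from the real exercise.

```python
"""Triage CertificateSigningRequests before approving or denying them.

Added example, not from the original post. Works on CSR objects in the
shape `kubectl get csr -o json` returns and applies, in code, the checks
the exercise does by eye on `-o yaml`: which signer is named, which
groups are requested, which key usages are requested.
"""

# Example policy (an assumption for this example): human API clients only.
ALLOWED_SIGNERS = {"kubernetes.io/kube-apiserver-client"}
ALLOWED_GROUPS = {"system:authenticated"}
ALLOWED_USAGES = {"client auth", "digital signature", "key encipherment"}
PRIVILEGED_GROUPS = {"system:masters"}

# Constructed sample list. Names follow the `kubectl get csr` output in the
# post; every field value (groups, usernames, truncated requests) is invented.
SAMPLE_CSR_LIST = {
    "items": [
        {
            "metadata": {"name": "akshay"},
            "spec": {
                "signerName": "kubernetes.io/kube-apiserver-client",
                "groups": ["system:authenticated"],
                "usages": ["client auth"],
                "username": "kubernetes-admin",
                "request": "LS0tLS1CRUdJTi...",
            },
            "status": {},
        },
        {
            "metadata": {"name": "agent-smith"},
            "spec": {
                "signerName": "kubernetes.io/kube-apiserver-client",
                "groups": ["system:authenticated", "system:masters"],
                "usages": ["client auth", "server auth"],
                "username": "agent-x",
                "request": "LS0tLS1CRUdJTi...",
            },
            "status": {},
        },
        {
            "metadata": {"name": "csr-drpth"},
            "spec": {
                "signerName": "kubernetes.io/kube-apiserver-client-kubelet",
                "groups": ["system:nodes"],
                "usages": ["client auth"],
                "username": "system:node:controlplane",
                "request": "LS0tLS1CRUdJTi...",
            },
            "status": {
                "conditions": [{"type": "Approved", "status": "True"}],
                "certificate": "LS0tLS1CRUdJTi...",
            },
        },
    ]
}


def condition_summary(csr_object):
    """Mirror kubectl's CONDITION column: condition types that are True,
    plus Issued once status.certificate is present, else Pending."""
    status = csr_object.get("status", {})
    types = [c["type"] for c in status.get("conditions", [])
             if c.get("status", "True") == "True"]
    if status.get("certificate"):
        types.append("Issued")
    return ",".join(types) if types else "Pending"


def pending_csrs(csr_list):
    """Names of requests nobody has approved or denied yet."""
    return [item["metadata"]["name"] for item in csr_list["items"]
            if condition_summary(item) == "Pending"]


def review_csr(csr_object):
    """Return ("approve", []) or ("deny", [reason, ...]) for a pending
    client CSR. Any finding is a reason to deny; an empty list approves."""
    spec = csr_object.get("spec", {})
    reasons = []
    signer = spec.get("signerName")
    if signer not in ALLOWED_SIGNERS:
        reasons.append(f"unexpected signerName {signer!r}")
    groups = set(spec.get("groups", []))
    privileged = sorted(groups & PRIVILEGED_GROUPS)
    if privileged:
        reasons.append(f"requests privileged group(s) {privileged}")
    extra = sorted(groups - ALLOWED_GROUPS - PRIVILEGED_GROUPS)
    if extra:
        reasons.append(f"requests group(s) outside the allow-list {extra}")
    bad_usages = sorted(set(spec.get("usages", [])) - ALLOWED_USAGES)
    if bad_usages:
        reasons.append(f"requests usage(s) {bad_usages} not permitted "
                       "for an API client certificate")
    if not spec.get("request"):
        reasons.append("spec.request is empty")
    return ("deny" if reasons else "approve", reasons)


def decision_command(csr_object):
    """The kubectl command that carries out the review decision."""
    decision, _ = review_csr(csr_object)
    verb = "approve" if decision == "approve" else "deny"
    return f"kubectl certificate {verb} {csr_object['metadata']['name']}"


if __name__ == "__main__":
    for item in SAMPLE_CSR_LIST["items"]:
        if condition_summary(item) == "Pending":
            print(decision_command(item), review_csr(item)[1])
```

Only Pending requests are reviewed; csr-drpth is a kubelet CSR that is already Approved,Issued, and the signer check would flag it anyway because this policy covers human client certificates only.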

 

See the site below for details

kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers

 

Certificate Signing Requests

FEATURE STATE: Kubernetes v1.19 [stable] The Certificates API enables automation of X.509 credential provisioning by providing a programmatic interface for clients of the Kubernetes API to request and obtain X.509 certificates from a Certificate Authority


 
