Practice Test - View Certificates
cat /etc/kubernetes/manifests/kube-apiserver.yaml
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=172.17.0.31
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379
- --insecure-port=0
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
- --requestheader-allowed-names=front-proxy-client
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --secure-port=6443
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --service-cluster-ip-range=10.96.0.0/12
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
ㅁ Identify the certificate file used for the kube-api-server
[/etc/kubernetes/pki/apiserver.crt]
[/tmp/kube-apiserver.crt]
[/etc/apiserver.crt]
[/etc/kubernetes/pki/kube-apiserver.crt]
[/etc/apiserver.key]
ㅁ Identify the Certificate file used to authenticate kube-apiserver as a client to ETCD Server
[/etc/kubernetes/pki/apiserver-etcd-client.key]
[/etc/kubernetes/pki/apiserver-kubelet-client.crt]
[/etc/kubernetes/pki/apiserver-etcd.crt]
[/etc/kubernetes/pki/apiserver-etcd-client.crt]
[/etc/kubernetes/pki/apiserver.crt]
ㅁ Identify the key used to authenticate kube-apiserver as a client to the kubelet server
[/etc/kubernetes/pki/apiserver-kubelet-client.key]
[/etc/kubernetes/pki/front-proxy-client.key]
[/etc/kubernetes/pki/apiserver-etcd-client.key]
[/etc/kubernetes/pki/apiserver-kubelet-client.crt]
[/etc/kubernetes/pki/apiserver.key]
cat /etc/kubernetes/manifests/etcd.yaml
spec:
containers:
- command:
- etcd
- --advertise-client-urls=https://172.17.0.31:2379
- --cert-file=/etc/kubernetes/pki/etcd/server.crt
- --client-cert-auth=true
- --data-dir=/var/lib/etcd
- --initial-advertise-peer-urls=https://172.17.0.31:2380
- --initial-cluster=controlplane=https://172.17.0.31:2380
- --key-file=/etc/kubernetes/pki/etcd/server.key
- --listen-client-urls=https://127.0.0.1:2379,https://172.17.0.31:2379
- --listen-metrics-urls=http://127.0.0.1:2381
- --listen-peer-urls=https://172.17.0.31:2380
- --name=controlplane
- --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
- --peer-client-cert-auth=true
- --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
- --snapshot-count=10000
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
ㅁ Identify the ETCD Server Certificate used to host ETCD server
[/etc/kubernetes/pki/apiserver-etcd-client.crt]
[/etc/kubernetes/pki/etcd/ca.crt]
[/etc/kubernetes/pki/apiserver.crt]
[/etc/kubernetes/pki/etcd/server.crt]
ㅁ Identify the ETCD Server CA Root Certificate used to serve ETCD Server
ETCD can have its own CA, so this may be a different CA certificate from the one used by kube-apiserver. On a kubeadm cluster it lives under /etc/kubernetes/pki/etcd/ rather than /etc/kubernetes/pki/; the etcd server certificate dump further down confirms it (Issuer: CN = etcd-ca, whereas apiserver.crt is issued by CN = kubernetes).
[/etc/kubernetes/pki/ca.crt]
[/etc/kubernetes/pki/etcd/server.crt]
[/etc/kubernetes/pki/apiserver-kubelet-client.crt]
[/etc/kubernetes/pki/etcd/ca.crt]
$ openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7180269681194863858 (0x63a5713b7b208cf2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: Mar 29 00:01:49 2021 GMT
Not After : Mar 29 00:01:49 2022 GMT
Subject: CN = kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d9:19:9f:81:9e:42:dd:0e:1f:56:83:02:d3:6c:
f1:43:71:10:03:ea:8d:8d:9b:7d:8e:1f:a1:11:fb:
31:6b:38:8e:f3:27:0a:de:7e:a2:2b:88:b1:70:aa:
f5:c0:66:ac:23:27:20:28:3b:6e:ed:e9:40:83:31:
f5:73:3a:bf:c2:8f:6a:a6:8e:67:6a:b0:2f:b8:89:
42:40:52:28:7b:3b:54:74:7f:1a:9c:d0:79:ec:ef:
2f:52:c7:0d:98:60:5d:73:47:0b:1f:40:71:fa:0e:
de:6c:83:8a:87:22:0c:ca:b6:f1:5f:0d:6b:46:b6:
1a:a0:43:cd:0b:3e:28:0f:f6:db:5b:b0:46:ef:5a:
a6:2c:c1:e6:9c:f1:3d:7d:64:d7:ce:f4:ef:0c:59:
31:8f:4f:14:83:4b:cd:30:6f:c3:a6:d8:ba:57:e7:
35:f1:0d:28:bf:32:d2:f8:52:33:5b:ec:93:31:2f:
87:70:43:b5:c5:44:54:24:e5:b4:e3:18:2c:f8:25:
ef:73:05:28:5c:62:42:ae:c8:66:3d:e1:17:6c:9b:
5a:b3:67:ff:60:2d:34:06:5a:23:ec:3e:b5:68:f8:
9d:df:76:cd:f0:96:80:46:a7:fe:08:35:e8:20:79:
f8:83:03:5d:8a:8e:5d:09:58:d1:8f:d2:d0:92:b3:
d6:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:controlplane, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:172.17.0.31
Signature Algorithm: sha256WithRSAEncryption
5e:7a:69:83:5c:b0:8a:b7:b3:5c:ff:21:f2:56:00:bb:81:c2:
7c:ee:6e:83:21:02:22:3e:37:1f:36:af:cc:b9:4e:97:6b:d3:
eb:c2:b8:4d:c8:f5:87:31:f4:12:8f:e5:31:79:0e:73:97:1e:
7a:85:f6:cd:1e:3c:71:25:83:b9:9c:10:98:ed:fd:ac:c1:80:
30:96:70:1c:55:31:ee:75:98:c7:60:76:a2:5c:e5:92:ce:27:
a5:ac:2a:23:71:b5:09:83:09:86:7e:31:9e:42:30:fd:32:87:
f0:22:9d:67:65:75:90:33:39:6a:39:4c:bf:eb:20:9c:8a:47:
e6:bd:e7:74:3c:bc:8c:67:ce:50:e1:fb:bc:3c:7b:63:c5:ff:
a4:5e:b1:28:4d:75:f6:74:5c:ba:fa:c6:49:a4:14:51:fa:12:
6c:94:25:f5:1f:6f:07:62:3e:ba:b3:e1:45:fc:a6:48:1a:26:
53:26:8c:31:79:55:2d:0c:7d:93:b9:98:22:5a:14:1c:a4:63:
fc:35:c0:70:73:a3:fe:ab:1e:8d:90:2c:27:61:85:28:1b:8a:
ff:77:e5:c9:e4:b6:ff:38:b6:76:71:45:a8:c8:43:03:be:7a:
cf:7b:1e:d5:a8:5f:7e:40:cc:1b:4f:f3:5f:ae:b7:44:1a:a1:
96:6a:11:d6
ㅁ What is the Common Name (CN) configured on the Kube API Server Certificate?
OpenSSL Syntax: openssl x509 -in file-path.crt -text -noout
[kubeapi-server]
[kubernetes]
[kube-apiserver]
[kube-api-server]
[api-server]
ㅁ What is the name of the CA that issued the kube API Server Certificate?
[kubernetes]
[kube-apiserver]
[kubernetes-ca]
[ca]
ㅁ Which of the below alternate names is not configured on the Kube API Certificate?
[kube-master]
[controlplane]
[kubernetes.default.svc]
[kubernetes]
openssl x509 -in /etc/kubernetes/pki/etcd/server.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6805234504088490968 (0x5e710cb9cd6d13d8)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = etcd-ca
Validity
Not Before: Mar 29 00:01:50 2021 GMT
Not After : Mar 29 00:01:50 2022 GMT
Subject: CN = controlplane
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:af:9e:60:cd:28:51:8d:e7:50:82:31:82:15:06:
b9:b9:a1:1c:6d:70:aa:f3:92:17:98:78:e0:6e:9d:
7b:0f:a3:40:6a:05:f0:63:4b:62:0d:26:7c:c1:bc:
01:ce:60:ef:a4:88:54:12:06:d8:6e:14:9f:b9:2f:
f6:db:7e:20:af:4b:22:ef:44:96:cf:eb:e9:4e:8e:
0c:b0:37:6f:8c:d1:ad:44:c8:80:2d:a8:af:6d:6b:
9e:4e:33:b2:4b:14:d9:d5:82:47:9a:10:ad:cd:3b:
5d:26:72:8a:1f:e3:85:61:37:fe:d5:b6:c8:9f:d6:
c3:52:d6:7f:4b:ee:7a:52:0f:3b:c3:d1:b0:ec:cb:
6b:18:9c:31:0b:21:6d:b1:9b:bf:c6:e5:70:a8:bc:
6b:3b:43:a5:26:5c:d1:63:35:d4:b9:02:cb:2d:bd:
9a:30:ff:7d:39:fd:63:ee:68:86:b2:e2:69:9f:a3:
b1:d3:c7:ba:e4:1c:a6:3c:42:c8:44:f9:07:bf:2e:
75:6a:0f:08:3c:6c:4c:44:d5:57:bb:d8:61:61:b3:
c9:81:16:20:79:b5:9b:b9:e0:65:27:04:6e:0d:8c:
8a:cf:8b:e7:7e:39:b0:ef:ff:28:9a:06:d0:7b:b9:
84:f0:df:3f:84:e7:82:82:d9:00:b3:98:8d:f9:2f:
e8:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:controlplane, DNS:localhost, IP Address:172.17.0.31, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
Signature Algorithm: sha256WithRSAEncryption
4e:da:d3:47:8d:1e:aa:26:71:10:a9:11:bd:b1:2a:6d:ee:89:
4b:4b:e1:eb:bd:8b:a8:5a:a1:77:e9:7c:63:67:26:34:be:b0:
4b:08:16:13:82:13:59:6e:1d:50:41:65:ba:3d:2f:d7:af:f5:
bc:cd:6c:40:91:92:f2:f0:ed:85:f1:f2:89:4c:00:a7:5c:23:
03:74:db:45:09:7d:6c:52:97:ed:e1:ce:2b:62:12:ef:3a:6e:
02:27:8e:e4:0a:3f:ef:54:d3:11:bb:17:f7:ee:40:5b:88:06:
96:ef:20:e2:2b:62:cd:8f:eb:a2:f3:33:5c:71:29:c9:ab:cd:
a0:99:1e:a4:fe:33:7d:7a:d4:4a:9a:7d:19:bd:85:e3:a2:fd:
aa:25:85:ec:56:38:ca:1f:fa:36:af:6e:84:82:99:f7:4b:19:
6c:ad:2a:70:a1:47:e7:36:e5:c7:fa:63:99:a7:d0:a1:e6:23:
43:56:3e:8c:3f:bc:6b:12:8e:06:a9:4b:5a:d2:eb:05:6d:4a:
bd:9d:d9:99:01:44:fb:28:53:b5:ea:4c:0c:de:e8:d4:03:5e:
9b:d7:bf:75:11:c3:e2:fd:62:7a:27:91:6b:a5:e9:30:34:e7:
73:92:67:b2:5e:ed:2a:28:55:d7:f7:9d:75:04:ca:7c:4a:31:
16:34:c7:e5
ㅁ What is the Common Name (CN) configured on the ETCD Server certificate?
[etcd-server]
[kubernetes]
[controlplane]
[etcd]
ㅁ How long, from the issued date, is the Kube-API Server Certificate valid for?
file: /etc/kubernetes/pki/apiserver.crt
[6 months]
[1 Year]
[10 Year]
[2 Year]
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
Validity
Not Before: Mar 29 00:01:49 2021 GMT
Not After : Mar 29 00:01:49 2022 GMT
ㅁ How long, from the issued date, is the Root CA Certificate valid for?
file: /etc/kubernetes/pki/ca.crt
[6 months]
[1 Year]
[10 Year]
[2 Year]
openssl x509 -in /etc/kubernetes/pki/ca.crt -text -noout
Validity
Not Before: Mar 29 00:01:49 2021 GMT
Not After : Mar 27 00:01:49 2031 GMT
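The questions above (CN, issuer, which SAN is missing, validity period) are all answered by reading `openssl x509 -text -noout` output by eye. The script below is an added example, not part of the original practice test: it parses that text with POSIX sed/awk so the same checks can be run over every file under /etc/kubernetes/pki. The two certificate texts are constructed from the dumps on this page and trimmed to the lines the functions inspect; the CA text assumes a Subject of CN = kubernetes, which the page only shows indirectly as the issuer of apiserver.crt. The day count uses a Julian-day calculation so it does not depend on GNU `date -d`.

```sh
#!/bin/sh
# Added example (not from the original notes): parse `openssl x509 -text -noout`
# output with POSIX tools to script the CN / issuer / SAN / validity checks.

# Constructed from the apiserver.crt dump on this page, trimmed to the
# lines we parse.
APISERVER_TEXT='Certificate:
    Data:
        Issuer: CN = kubernetes
        Validity
            Not Before: Mar 29 00:01:49 2021 GMT
            Not After : Mar 29 00:01:49 2022 GMT
        Subject: CN = kube-apiserver
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:controlplane, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:172.17.0.31'

# Constructed CA text: only the validity dates come from the page; the
# Subject CN is assumed from the apiserver.crt issuer.
CA_TEXT='Certificate:
    Data:
        Issuer: CN = kubernetes
        Validity
            Not Before: Mar 29 00:01:49 2021 GMT
            Not After : Mar 27 00:01:49 2031 GMT
        Subject: CN = kubernetes'

# CN from a "Subject:" or "Issuer:" line. Accepts both "CN = x" (openssl 1.1+)
# and "CN=x" (older releases) and takes the last CN on the line.
cert_field_cn() {   # $1 = cert text, $2 = Subject|Issuer
    printf '%s\n' "$1" | sed -n "s/^ *$2:.*CN *= *\([^,]*\).*/\1/p" | head -n 1
}
cert_subject_cn() { cert_field_cn "$1" Subject; }
cert_issuer_cn()  { cert_field_cn "$1" Issuer; }

# SAN entries, one per line, e.g. "DNS:kubernetes" or "IP Address:10.96.0.1".
cert_sans() {
    printf '%s\n' "$1" \
      | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
      | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Exit 0 if the exact SAN entry ($2) is present, 1 otherwise.
cert_has_san() {
    cert_sans "$1" | grep -qxF "$2"
}

# Julian day number for an openssl date such as "Mar 29 00:01:49 2021 GMT".
_jdn() {
    set -- $1
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    esac
    d=${2#0}; y=$4
    a=$(( (14 - m) / 12 )); yy=$(( y + 4800 - a )); mm=$(( m + 12*a - 3 ))
    echo $(( d + (153*mm + 2)/5 + 365*yy + yy/4 - yy/100 + yy/400 - 32045 ))
}

# Whole days between Not Before and Not After.
cert_validity_days() {
    nb=$(printf '%s\n' "$1" | sed -n 's/^ *Not Before *: *//p')
    na=$(printf '%s\n' "$1" | sed -n 's/^ *Not After *: *//p')
    echo $(( $(_jdn "$na") - $(_jdn "$nb") ))
}

# Stand-alone demo on the constructed inputs.
echo "apiserver: CN=$(cert_subject_cn "$APISERVER_TEXT") issuer=$(cert_issuer_cn "$APISERVER_TEXT") valid=$(cert_validity_days "$APISERVER_TEXT") days"
echo "ca:        CN=$(cert_subject_cn "$CA_TEXT") issuer=$(cert_issuer_cn "$CA_TEXT") valid=$(cert_validity_days "$CA_TEXT") days"
cert_has_san "$APISERVER_TEXT" "DNS:kube-master" || echo "DNS:kube-master is not a SAN on apiserver.crt"

# On a real control plane, feed actual files through the same functions:
#   for f in /etc/kubernetes/pki/*.crt /etc/kubernetes/pki/etcd/*.crt; do
#       t=$(openssl x509 -in "$f" -text -noout)
#       printf '%-50s CN=%-16s issuer=%-10s %5s days\n' "$f" \
#           "$(cert_subject_cn "$t")" "$(cert_issuer_cn "$t")" "$(cert_validity_days "$t")"
#   done
```

For a simple expiry alarm openssl already has what you need: `openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -checkend 2592000` exits non-zero if the certificate expires within the next 30 days, which is the check to schedule on kubeadm clusters where the leaf certificates are issued for one year and the CA for ten.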
ㅁ kubectl suddenly stops responding to your commands. Check it out! Someone recently modified the /etc/kubernetes/manifests/etcd.yaml file.
You are asked to investigate and fix the issue. Once you fix it, wait a short while for kubectl to respond again. Check the logs of the etcd container. Because kube-apiserver cannot serve requests while etcd is down, kubectl is no help for the diagnosis: read the static pod's logs through the container runtime instead (for example `crictl ps -a` to find the restarting etcd container and `crictl logs <container-id>`), and compare every certificate and key path referenced in the manifest against what actually exists under /etc/kubernetes/pki/etcd, since a mistyped path there is a common reason for etcd to fail on start.
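The "identify the certificate file for flag X" questions earlier and this troubleshooting task both come down to reading file paths out of a kubeadm static pod manifest. The script below is an added example, not part of the original practice test: it extracts the value of a given flag, lists every absolute file path the manifest references, and reports the ones that do not exist on disk, which is the first check to run when kube-apiserver or etcd stops after someone edits /etc/kubernetes/manifests/*.yaml. The manifest is constructed from the etcd.yaml shown on this page with one path deliberately broken (`server-certificate.crt` instead of `server.crt`); the fake PKI tree under a temp dir is there only so the check runs offline.

```sh
#!/bin/sh
# Added example (not from the original notes): find file paths in a static
# pod manifest and report any that are missing on disk.

WORK=$(mktemp -d)
MANIFEST="$WORK/etcd.yaml"

# Constructed manifest; the --cert-file line is the deliberately wrong one.
cat > "$MANIFEST" <<'EOF'
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://172.17.0.31:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server-certificate.crt
    - --client-cert-auth=true
    - --data-dir=/var/lib/etcd
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --listen-client-urls=https://127.0.0.1:2379,https://172.17.0.31:2379
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
EOF

# Value of one flag in the command list, e.g. manifest_flag etcd.yaml --cert-file
manifest_flag() {   # $1 = manifest, $2 = flag name without '='
    sed -n "s/^ *- *$2=\(.*\)$/\1/p" "$1" | head -n 1
}

# Every flag value that is an absolute path (URLs, CIDRs, booleans and
# comma lists are skipped). One path per line, de-duplicated.
manifest_file_paths() {   # $1 = manifest
    sed -n 's/^ *- *--[a-z-]*=\(\/[^,]*\)$/\1/p' "$1" | sort -u
}

# Print each referenced path that does not exist under root prefix $2
# ("" for the live host); exit 1 if anything is missing.
missing_manifest_files() {   # $1 = manifest, $2 = root prefix
    rc=0
    for p in $(manifest_file_paths "$1"); do
        if [ ! -e "$2$p" ]; then
            echo "MISSING: $p"
            rc=1
        fi
    done
    return $rc
}

# Fake PKI tree so the check runs offline; on a real node call
#   missing_manifest_files /etc/kubernetes/manifests/etcd.yaml ""
FAKE_ROOT="$WORK/root"
mkdir -p "$FAKE_ROOT/etc/kubernetes/pki/etcd" "$FAKE_ROOT/var/lib/etcd"
for f in server.crt server.key peer.crt peer.key ca.crt; do
    : > "$FAKE_ROOT/etc/kubernetes/pki/etcd/$f"
done

echo "cert-file flag: $(manifest_flag "$MANIFEST" --cert-file)"
missing_manifest_files "$MANIFEST" "$FAKE_ROOT" \
    || echo "etcd.yaml references files that do not exist; fix the path and wait for the kubelet to restart the pod"

# Companion checks on the live node (not run here):
#   crictl ps -a | grep etcd          # is the etcd container exiting repeatedly?
#   crictl logs <etcd-container-id>   # look for "open ...: no such file or directory"
#   kubectl get pods -n kube-system   # etcd-controlplane back to Running once fixed
```

The kubelet re-reads a static pod manifest whenever it changes, so after correcting the path there is nothing to restart by hand; give it a minute and check `crictl ps` before expecting kubectl to answer again.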