Kubernetes Certification Training Course : Lecture 7

In Kubernetes, every request issued through kubectl goes to the Api-Server. The key question is: how does the Api-Server authenticate kubectl? On the Master, the file .kube/config holds all the information needed to talk to the Api-Server: its address, the CA certificate, the user name used for the connection, the user's certificate and key, and so on. This config is what the Api-Server uses to authenticate the user.

There are 4 ways to be authenticated by Api-Server :

  • CSV file with user name and password
  • CSV file with user name and token
  • Certificates
  • Service Accounts

And there are 2 ways of authorization :

  • Roles
  • Cluster Roles

Using CSV files for authenticating to the Api-Server is not a good idea (they are static files that must be distributed and protected by hand), so certificates or service accounts are used instead. Certificates are used for (human) users; service accounts are used for services running in the cluster.

A basic explanation of how an SSL (Secure Socket Layer) connection works is here. During the so-called SSL handshake, the browser turns to the CA (Certification Authority) to check the validity of the certificate sent by the server. The CA is the third-party authority that issues SSL certificates publicly trusted by web browsers. Note that authentication can be one-way (the client authenticates the server) or two-way (the server also authenticates the client, which is the case for kubectl's certificate-based login).

In Kubernetes, every connection goes over SSL. The /etc/kubernetes/pki folder holds the cluster's certificates and keys. Kubernetes has its own built-in CA, which removes the need to turn to a third party in the outside world. By default, only the user named kubernetes-admin is defined in the config, together with its certificate and key.

By convention, certificates (which carry the public key) are saved in files named *.crt, and private keys in files named *.key.

How do you introduce a new user?

  1. Create the public and private keys
  2. Raise a CSR (Certificate Signing Request)
  3. Grant a Role / Cluster Role
  4. Update the config (.kube/config)

The sequence of commands for authentication (steps 1 and 2 above) on a Unix operating system is:

  1. mkdir -p /home/prod-user/certs
  2. cd /home/prod-user/certs
  3. openssl genrsa -out prod-user.key 2048 (generates the private key; 2048 is the key size in bits). Steps 1-3 create the public and private keys.
  4. openssl req -new -key prod-user.key -out prod-user.csr -subj "/CN=prod-user/O=devops" (generates the CSR; the CN becomes the Kubernetes user name and O the group; no worries about the error in the console output)
  5. cat prod-user.csr | base64 | tr -d '\n' (copy the command output to a text editor)
  6. Click this link, copy and paste its contents to the text editor and replace the request parameter value with the output of the previous command. Save the manifest on the Master node.
  7. kubectl create -f <path to manifest file>. Steps 4-7 raise the CSR.
  8. kubectl certificate approve <csr name> (the CSR name can be taken from the output of kubectl get csr; in the outside world the CSR would be approved by a third-party CA, here the cluster admin approves it and the built-in CA signs it)
  9. kubectl get csr prod-user -o jsonpath="{.status.certificate}" | base64 --decode > prod-user.crt (extracts the signed certificate, i.e. the public key file)
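The manifest that step 6 has you fill in, plus the Role, RoleBinding and kubeconfig commands for steps 3 and 4 of the user setup, as an added example that is not the lecture's own script. It assumes the linked manifest is a certificates.k8s.io/v1 CertificateSigningRequest for the kubernetes.io/kube-apiserver-client signer and that the kubeconfig cluster is named kubernetes (the kubeadm default):

```bash
#!/usr/bin/env bash
# Added example (not the lecture's own script). Builds the CSR manifest that
# step 6 has you fill in, and prints the commands for steps 3-4 of the user
# setup. Assumed: the linked manifest is a certificates.k8s.io/v1
# CertificateSigningRequest for the kube-apiserver-client signer, and the
# cluster is named "kubernetes" in kubeconfig (kubeadm default).

# Step 5: single-line base64 of the CSR file, as the request field expects.
csr_to_b64() {
  base64 < "$1" | tr -d '\n'
}

# Step 6: CSR manifest for user NAME. TTL (seconds, default 30 days) caps the
# lifetime of the issued client certificate; the signer may shorten it.
make_csr_manifest() {
  local name="$1" b64="$2" ttl="${3:-2592000}"
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  request: ${b64}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${ttl}
  usages:
  - client auth
EOF
}

# Steps 3-4 of "how to introduce a new user": a namespaced read-only Role,
# a RoleBinding to the user (the Api-Server takes the user name from the
# certificate CN and the group from O), kubeconfig credentials/context, and
# a can-i check. Printed rather than run so this file works without a cluster;
# pipe the output into sh on the Master node.
print_onboarding_cmds() {
  local name="$1" ns="$2" dir="$3"
  cat <<EOF
kubectl create role ${name}-role -n ${ns} --verb=get,list,watch --resource=pods
kubectl create rolebinding ${name}-binding -n ${ns} --role=${name}-role --user=${name}
kubectl config set-credentials ${name} --client-certificate=${dir}/${name}.crt --client-key=${dir}/${name}.key --embed-certs=true
kubectl config set-context ${name}-ctx --cluster=kubernetes --namespace=${ns} --user=${name}
kubectl auth can-i list pods -n ${ns} --as ${name}
EOF
}
```

Typical use on the Master: `make_csr_manifest prod-user "$(csr_to_b64 prod-user.csr)" > prod-user-csr.yaml`, then `kubectl create -f prod-user-csr.yaml` and the approve/extract commands from steps 8-9, and finally `print_onboarding_cmds prod-user prod /home/prod-user/certs | sh`.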
