The important directory here is /etc/kubernetes/pki/.
The files ca.key and ca.crt in it are the cluster Certificate Authority's private key and certificate respectively; the API server accepts any client certificate that this CA has signed, which is what the steps below rely on.
STEP 1: Generating the key and .csr (Certificate Signing Request)
Let's now generate the .key and the .csr with openssl. Kubernetes reads the username from the CN of the subject and the user's groups from its O values, so the subject is what decides who this certificate authenticates as (the CN and other subject values were redacted on the original page and are left empty here). A validity period is not part of a CSR; the one-year lifetime is applied when the CA signs it in STEP 2. Note also that a subjectAltName cannot be set through -subj: openssl simply stores it as one more subject component, as the CSR dump below shows.
[root@node01 ssl]# openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout builduser01.key -out builduser01.csr -subj "/C=IN/ST=TG/L=/O=/OU=/CN=/subjectAltName=DNS.1="
Verify the CSR:
[root@node01 ssl]# openssl req -in builduser01.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=IN, ST=TG/subjectAltName=DNS.1= -- INFORMATION RETRACTED --
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e4:b4:24:d7:22:ec:5d:c1:37:8c:d1:a0:62:17:
                    96:24:77:8d:75:4e:d5:74:15:4d:61:e0:8b:66:d6:
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         87:ef:83:b2:a6:f5:3a:f3:6f:1c:e4:02:ec:bf:5d:75:64:1d:
STEP 2: Digitally signing the .csr and generating the .crt using the root CA files
Now we will use the root ca.key and ca.crt to digitally sign this CSR and generate a .crt that is valid for one year:
[root@node01 ssl]# openssl x509 -req -in builduser01.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out builduser01.crt -days 365 -sha256
Signature ok
subject=/C=IN/ST=TG/subjectAltName=DNS.1=
Getting CA Private Key
We have now generated the .crt file from the .csr. Together with the .key file from STEP 1, these are the two files the user needs:
builduser01.crt
builduser01.key
Keep builduser01.key private: whoever holds it together with the certificate can authenticate to the cluster as this user, and since the API server does not check certificate revocation, a leaked key stays usable until the certificate expires.
How to create user accounts on Kubernetes
We will now create a file named builduser-config as the kubeconfig for the new user.
Injecting the cluster and API server information into the kubeconfig file:
[root@node01 ssl]# kubectl config --kubeconfig=builduser-config set-cluster kubernetes --server=https://10.100.0.10:6443 --insecure-skip-tls-verify
This first form disables verification of the API server's TLS certificate (--insecure-skip-tls-verify), which would let the client be pointed at an impostor API server. We now inject the CA certificate into the config file instead; setting --certificate-authority clears the insecure-skip-tls-verify flag from the previous command, so the client will verify the API server against the cluster CA:
[root@node01 ssl]# kubectl config --kubeconfig=builduser-config set-cluster kubernetes --server=https://10.100.0.10:6443 --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Injecting the user's key and certificate data into the config file:
[root@node01 ssl]# kubectl config --kubeconfig=builduser-config set-credentials builduser01 --client-certificate=builduser01.crt --client-key=builduser01.key --embed-certs=true
With --embed-certs=true, the certificate and key contents are copied (base64-encoded) into the config file instead of recording their path names. The config file is then self-contained, and because it carries the private key it must be protected like one.
[root@node01 ssl]# kubectl config --kubeconfig=builduser-config set-credentials builduser01 --username=builduser01 --password=password123
The username and password are not required when the client key and certificate are used: the certificate alone authenticates the user, so this step can be skipped, which also avoids storing a password in clear text in the config file.
Now copy builduser-config to $HOME/.kube/config on the user's machine and connect to the Kubernetes cluster.
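As an added worked example (not code from the original page), the following Go program reproduces STEP 1, STEP 2 and the kubeconfig steps above using only Go's standard library: it builds a stand-in for ca.crt and ca.key, creates a key and CSR whose CN and O carry the username and group, signs the CSR with the CA, performs the same chain check and CN/O extraction that the API server does when it authenticates a client certificate, and renders the kubeconfig that the two --embed-certs=true commands produce. The group name developers, the CA common name kubernetes and the ECDSA P-256 keys (used in place of RSA-2048 for speed) are assumptions of this example; the server address https://10.100.0.10:6443 is the one from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCSR is STEP 1: a fresh private key and a CSR. Kubernetes takes the username from CN
// and the user's groups from O. P-256 stands in for the page's RSA-2048 purely for speed.
func newCSR(user string, groups []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	subj := pkix.Name{Country: []string{"IN"}, Province: []string{"TG"}, CommonName: user, Organization: groups}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, key)
	return der, key, err
}

// issue is STEP 2: check the CSR's own signature, then sign a certificate valid for n days that
// copies only the subject (as `openssl x509 -req` does). With isCA the result is a self-signed CA.
func issue(csrDER []byte, parent *x509.Certificate, signer *ecdsa.PrivateKey, n int, isCA bool) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random serial, as -CAcreateserial does
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, n),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage, parent = x509.KeyUsageCertSign, nil, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, csr.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// identityFromCert mirrors the API server's client-certificate authenticator: verify the chain
// against the cluster CA, then take username=CN and groups=O. Any other CA's certificate fails here.
func identityFromCert(cert, ca *x509.Certificate) (string, []string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}

// kubeconfig renders what the two --embed-certs=true kubectl commands write: base64 PEM under the
// *-data keys plus a context tying the user to the cluster, and no username/password entry at all.
func kubeconfig(server string, ca, client *x509.Certificate, key *ecdsa.PrivateKey) string {
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key made by ecdsa.GenerateKey
	b64 := func(typ string, der []byte) string {
		return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}))
	}
	u := client.Subject.CommonName
	return fmt.Sprintf("apiVersion: v1\nkind: Config\nclusters:\n- name: kubernetes\n  cluster:\n    server: %s\n"+
		"    certificate-authority-data: %s\nusers:\n- name: %s\n  user:\n    client-certificate-data: %s\n"+
		"    client-key-data: %s\ncontexts:\n- name: %s@kubernetes\n  context: {cluster: kubernetes, user: %s}\n"+
		"current-context: %s@kubernetes\n", server, b64("CERTIFICATE", ca.Raw), u, b64("CERTIFICATE", client.Raw),
		b64("EC PRIVATE KEY", keyDER), u, u, u)
}

func main() {
	check := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	caCSR, caKey, err := newCSR("kubernetes", nil) // stands in for /etc/kubernetes/pki/ca.key ...
	check(err)
	ca, err := issue(caCSR, nil, caKey, 3650, true) // ... and ca.crt: a self-signed ten-year CA
	check(err)
	csrDER, userKey, err := newCSR("builduser01", []string{"developers"}) // the group name is constructed
	check(err)
	cert, err := issue(csrDER, ca, caKey, 365, false)
	check(err)
	name, groups, err := identityFromCert(cert, ca)
	check(err)
	fmt.Printf("API server would see user=%q groups=%v\n", name, groups)
	fmt.Print(kubeconfig("https://10.100.0.10:6443", ca, cert, userKey)) // server address from the page
}
```

Run it with go run: it prints the identity the API server would derive and then the generated kubeconfig. identityFromCert fails for a certificate issued by any CA other than the cluster's, however its subject is filled in, which is why only possession of a CA-signed certificate and its private key authenticates, and why builduser01.key and the config file that embeds it must be guarded. The rendered file also carries a contexts entry and current-context, which kubectl needs in order to pair the user with the cluster.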