I have certain questions regarding importing the existing certificates.
How are certificates used internally in Kubernetes (e.g. between api server and workers, master controller, etc.)? Is there a CA in Kubernetes? (how) does it generate certificates for internal use?
What certificates are required at each layer?
Certificates in Kubernetes are primarily used to secure communication from and to the API server. Taken from the official Kubernetes documentation:
Every Kubernetes cluster has a cluster root Certificate Authority (CA). The CA is generally used by cluster components to validate the API server’s certificate, by the API server to validate kubelet client certificates, etc. To support this, the CA certificate bundle is distributed to every node in the cluster and is distributed as a secret attached to default service accounts. Optionally, your workloads can use this CA to establish trust. Your application can request a certificate signing using the certificates.k8s.io API using a protocol that is similar to the ACME draft.
When creating a cluster with kubeadm, the tool at first creates a CA in /etc/kubernetes/pki
and signs all following certificates with its private key. The ca is later distributed on all nodes for verification and also found base64 encoded in /etc/kubernetes/admin.conf
for verification of the api server via kubectl
.
It is possible to use your own CA for cluster creation by placing it and your private key as ca.crt
and ca.key
in /etc/kubernetes/pki
before invoking kubeadm init
or any folder later specified with --cert-dir
.
There are many other ways to install Kubernetes but they all essentially create a CA before any actual Kubernetes code runs or require one to exist beforehand.