kubernetes: CA file when deploying via kops

1/9/2018

I have created a cluster on aws using kops.

However I am unable to find the file used as/by the certificate authority for spawning off client certs.

Does kops create such a thing by default?

If so, what is the recommended process for creating client certs?

The kops documentation is not very clear about this.

-- pkaramol
kops
kubernetes
kubernetes-security

1 Answer

1/9/2018

I've done it like this in the past:

  1. Download the kops-generated CA certificate and signing key from S3:
    • s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/private/ca/*.key
    • s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/issued/ca/*.crt
  2. Generate a client key: openssl genrsa -out client-key.pem 2048
  3. Generate a CSR:

    openssl req -new \
      -key client-key.pem \
      -out client-csr.pem \
      -subj "/CN=<CLIENT_CN>/O=dev"
  4. Generate a client certificate:

    openssl x509 -req \
      -in client-csr.pem \
      -CA <PATH_TO_DOWNLOADED_CA_CERT> \
      -CAkey <PATH_TO_DOWNLOADED_CA_KEY> \
      -CAcreateserial \
      -out client-crt.pem \
      -days 10000
    
  5. Base64-encode the client key, client certificate, and CA certificate, and populate those values in a config.yml, e.g. this

  6. Distribute the populated config.yml to your developers.

Steps 5 and 6 can obviously be distributed by whatever means you want; you don't need to make the config.yml for your developers.

-- Amit Kumar Gupta
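The procedure in the answer above, carried through end to end as an added shell example (editor's code, not part of the original answer or of kops). Because it has to run offline, it generates a throwaway CA that stands in for the kops-generated `ca.crt`/`ca.key` you would download from S3; the cluster name, API endpoint, user name and group are hypothetical. It adds the check a practitioner wants before handing a kubeconfig to anyone: that the certificate verifies against the CA and that its subject carries the `CN` (username) and `O` (group) that Kubernetes RBAC will actually see.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: mint a client certificate from the
# cluster CA, verify it, and emit a kubeconfig with the PEMs embedded as base64.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CLUSTER_NAME="${CLUSTER_NAME:-example.k8s.local}"          # hypothetical
API_SERVER="${API_SERVER:-https://api.example.k8s.local}"  # hypothetical

# Stand-in for the kops CA. In real use you would instead copy the files from
# s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/... to "$WORKDIR/ca.crt" and "$WORKDIR/ca.key".
make_stand_in_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/ca.key" -days 365 \
    -subj "/CN=$CLUSTER_NAME" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Steps 2-4 of the answer: client key, CSR with CN=<user> and O=<group>, then a
# certificate signed by the CA. Validity defaults to 30 days, not 10000 (see note).
mint_client_cert() {
  local user="$1" group="$2" days="${3:-30}"
  openssl genrsa -out "$WORKDIR/$user.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$user.key" -subj "/CN=$user/O=$group" \
    -out "$WORKDIR/$user.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$user.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -days "$days" -out "$WORKDIR/$user.crt" 2>/dev/null
}

# Pre-distribution check: the cert must chain to the CA, and its subject is the
# identity the API server will map to a user (CN) and group (O) for RBAC.
verify_client_cert() {
  local user="$1"
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$user.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORKDIR/$user.crt" -noout -subject
}

# Step 5: a kubeconfig with the CA cert, client cert and client key inlined as
# base64, so a single file is all that has to be shipped. Prints its path.
write_kubeconfig() {
  local user="$1" out="$WORKDIR/$1.kubeconfig"
  local b64="base64 -w0"
  base64 -w0 </dev/null >/dev/null 2>&1 || b64="base64"   # BSD/macOS base64 has no -w
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $CLUSTER_NAME
  cluster:
    server: $API_SERVER
    certificate-authority-data: $($b64 < "$WORKDIR/ca.crt")
users:
- name: $user
  user:
    client-certificate-data: $($b64 < "$WORKDIR/$user.crt")
    client-key-data: $($b64 < "$WORKDIR/$user.key")
contexts:
- name: $user@$CLUSTER_NAME
  context:
    cluster: $CLUSTER_NAME
    user: $user
current-context: $user@$CLUSTER_NAME
EOF
  chmod 600 "$out"   # the file now contains a private key
  printf '%s\n' "$out"
}

# Usage (hypothetical user "alice" in group "dev"):
#   make_stand_in_ca
#   mint_client_cert alice dev
#   verify_client_cert alice        # prints the subject with CN=alice, O=dev
#   write_kubeconfig alice          # prints the path of the generated kubeconfig
```

Two caveats worth keeping in mind when using the answer's recipe for real. The `ca.key` pulled from S3 is the cluster's root of trust, so work on it from a controlled host and delete local copies afterwards rather than leaving them in a laptop's home directory. And the Kubernetes API server does not consult CRLs or OCSP for client certificates, so a cert issued for 10000 days cannot be revoked short of rotating the CA; a short validity with re-issuance is the only practical lifecycle control, which is why the example defaults to 30 days.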
Source: StackOverflow