K
Q

Kubernetes create 5 year certificate for kubeapi

4/8/2018

While creating the kubernetes cluster using kubeadm in Centos 7, its creating one year kubeapi certificate. For me this is short time for the cluster. How can I create 5 year certificate during cluster setup?

* SSL connection using TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* Server certificate:
*       subject: CN=kube-apiserver
*       start date: Dec 20 14:32:00 2017 GMT
*       expire date: Dec 20 14:32:00 2018 GMT
*       common name: kube-apiserver
*       issuer: CN=kubernetes

I tried this didn't work:

openssl genrsa -out ca.key 2048
export MASTER_IP=192.168.16.171
openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
kubeadm reset
rm -rf /etc/kubernetes
mkdir -p /etc/kubernetes/ca/pki
cp ca.key ca.crt /etc/kubernetes/ca/pki/
kubeadm init
curl -k -v https://localhost:6443

Server certificate:
*       subject: CN=kube-apiserver
*       start date: Apr 15 21:07:24 2018 GMT
*       expire date: Apr 15 21:07:25 2019 GMT
*       common name: kube-apiserver
*       issuer: CN=kubernetes

Thanks SR

-- sfgroups
kubernetes

Similar Questions

How to install specific version of Kubernetes?
Can one use a standard package-installed etcd rather than install-etcd.sh?
kubernetes PodSecurityPolicy set to runAsNonRoot, container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root
Setting up kubeadm cluster with ubuntu and pi

2 Answers

4/8/2018

Follow the Kubernetes documentation on certificates to the CA certificate.

If you choose openssl or easyrsa use --days=1825, if you are going with cfssl then in ca-config.json specify 5y for .signing.default.expiry.

Put the resulting ca.crt and ca.key in /etc/kubernetes/ca/pki. When you run kubeadm init it will detect those files and will not overwrite them; it will use that CA key & certificate to sign the other certificates needed.

-- Janos Lenart
Source: StackOverflow
4/16/2018

After looking at the code, there is no option to change the API certificate expire date. It set to 1 year in the code.

https://github.com/kubernetes/client-go/blob/master/util/cert/cert.go

// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key *rsa.PrivateKey) (*x509.Certificate, error) {
    now := time.Now()
    tmpl := x509.Certificate{
        SerialNumber: new(big.Int).SetInt64(0),
        Subject: pkix.Name{
            CommonName:   cfg.CommonName,
            Organization: cfg.Organization,
        },
        NotBefore:             now.UTC(),
        NotAfter:              now.Add(duration365d * 10).UTC(),
        KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
        BasicConstraintsValid: true,
        IsCA: true,
    }

    certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
    if err != nil {
        return nil, err
    }
    return x509.ParseCertificate(certDERBytes)
}
-- sfgroups
Source: StackOverflow