Differences between generated x509 certificates in kubernetes v1.10.11 and v1.11.5

4/15/2019

I have been creating an amazon AMI with kubernetes installed on it to use as a worker node in EKS, I install the kubelet binary from the amazon-eks s3 bucket.

After upgrading from k8s version 1.10.11 to 1.11.5 I noticed a difference in the x509 certificate that is generated when installing kubelet.

If I jump onto one of the worker nodes with 1.10.11 installed and run this command:

openssl s_client -connect localhost:10250 2>/dev/null | openssl x509 -noout -text

I get the following output for X509v3 Subject Alternative Name:

DNS:ip-<my-ip>.eu-central-1.compute.internal, DNS:ip-<my-ip>, IP Address:<my-ip>

whereas, if I run the same command on a worker node with 1.11.5 installed I get the following output for X509v3 Subject Alternative Name:

DNS:ip-<my-ip>

The only change between the two nodes is the version of kubernetes installed.

Am I missing anything that is now required as of version 1.11.x to set the additional Subject Alternative Names that seemed to be set automatically in v1.10.x? I require the IP address to be set in the certificate in the format IP Address:<my-ip>, which I was getting for free in version 1.10.

FYI I am running kubelet with the following args:

ExecStart=/usr/bin/kubelet \
  --address=0.0.0.0 \
  --authentication-token-webhook \
  --authorization-mode=Webhook \
  --allow-privileged=true \
  --cloud-provider=aws \
  --cluster-dns=DNS_CLUSTER_IP \
  --cluster-domain=cluster.local \
  --cni-bin-dir=/opt/cni/bin \
  --cni-conf-dir=/etc/cni/net.d \
  --container-runtime=docker \
  --max-pods=MAX_PODS \
  --node-ip=INTERNAL_IP \
  --network-plugin=cni \
  --pod-infra-container-image=602401143452.dkr.ecr.REGION.amazonaws.com/eks/pause-amd64:3.1 \
  --cgroup-driver=cgroupfs \
  --register-node=true \
  --kubeconfig=/var/lib/kubelet/kubeconfig \
  --feature-gates=RotateKubeletServerCertificate=true \
  --anonymous-auth=false \
  --client-ca-file=CLIENT_CA_FILE \
  --node-labels=env=NODE_LABEL
-- mark f
kubernetes

1 Answer

4/16/2019

As far as handling the certificates goes, there are no Kubernetes-specific differences between 1.10.11 and 1.11.5. It might be related to the specific EKS AMI for the nodes that you are using (make sure they match).

If not, you can manually create the certificates for the kubelet using the same CA as the one on your Kubernetes master. For example:

easyrsa

# Every name a client may use to reach the kubelet goes into the SAN list.
# The last entry has no trailing comma, and the space before the backslash keeps
# --days from being glued onto the SAN string when the shell joins the lines.
./easyrsa --subject-alt-name="IP:${MASTER_IP},"\
"IP:<my-ip>,"\
"DNS:ip-<my-ip>.eu-central-1.compute.internal,"\
"DNS:ip-<my-ip>" \
--days=10000 \
build-server-full server nopass

openssl

Config (csr.conf):

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = <country>
ST = <state>
L = <city>
O = <organization>
OU = <organization unit>
# Clients match the address they dialed against the SANs below, not against CN.
CN = <my-ip>

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = ip-<my-ip>.eu-central-1.compute.internal
DNS.2 = ip-<my-ip>
IP.1 = <my-ip>

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
# digitalSignature is required for ECDHE cipher suites; keyEncipherment only covers RSA key transport.
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names

Create key and CSR:

$ openssl genrsa -out server.key 2048
$ openssl req -new -key server.key -out server.csr -config csr.conf

Create certificate:

$ openssl x509 -req -in server.csr -CA cluster-ca.crt -CAkey cluster-ca.key \
-CAcreateserial -out server.crt -days 10000 \
-extensions v3_ext -extfile csr.conf

cfssl

In a similar fashion you can use cfssl, described here.

-- Rico
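The procedure in the answer, as an added Go example that is not code from the post or from Kubernetes: it issues a kubelet-style serving certificate from a stand-in CA with the three SANs the 1.10.11 node had, issues a second one with only the short hostname as seen on the 1.11.5 node, and then uses Go's own crypto/x509 verifier (the library the kubelet and API server use for TLS) to show which hostnames or IP literals a verifying client would accept for each. The CA, the node names ip-10-0-1-23 and ip-10-0-1-23.eu-central-1.compute.internal and the address 10.0.1.23 are constructed sample values; on a real cluster you sign with the master's CA key pair and take the names from the EC2 metadata service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCA builds a throwaway self-signed CA standing in for the cluster CA
// (assumption: on a real cluster you sign with the master's CA key pair).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-cluster-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueServingCert signs a kubelet-style serving certificate whose SANs are exactly
// the given DNS names and IPs, i.e. the [alt_names] section of csr.conf above.
func issueServingCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: dnsNames, IPAddresses: ips,
		// digitalSignature is what ECDHE handshakes need; keyEncipherment only covers RSA key transport.
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sanNames lists the DNS and IP SANs as strings: the programmatic form of the
// "X509v3 Subject Alternative Name" line that openssl x509 -text prints.
func sanNames(cert *x509.Certificate) []string {
	names := append([]string(nil), cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		names = append(names, ip.String())
	}
	return names
}

// acceptedFor reports whether a verifying TLS client that dials the node as host
// (DNS name or IP literal) accepts the certificate: it must chain to ca and host
// must match a SAN, so a cert without the IP SAN fails for every client dialing by IP.
func acceptedFor(cert, ca *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	// Constructed sample identity; a real node takes these from the EC2 metadata service.
	fqdn, host, ip := "ip-10-0-1-23.eu-central-1.compute.internal", "ip-10-0-1-23", "10.0.1.23"
	full, err := issueServingCert(ca, caKey, host, []string{fqdn, host}, []net.IP{net.ParseIP(ip)}) // the 1.10.11 shape
	if err != nil {
		panic(err)
	}
	hostOnly, err := issueServingCert(ca, caKey, host, []string{host}, nil) // the 1.11.5 shape
	if err != nil {
		panic(err)
	}
	for _, h := range []string{host, fqdn, ip} {
		fmt.Printf("%-45s full=%v hostOnly=%v\n", h, acceptedFor(full, ca, h), acceptedFor(hostOnly, ca, h))
	}
}
```

Run it with go run: the table shows the host-only certificate is accepted only when the client dials the short hostname and is rejected for the FQDN and for the IP literal, which is the practical reason the IP Address SAN matters for anything that reaches port 10250 by node IP while verifying against the cluster CA. To produce the file for the kubelet's --tls-cert-file, PEM-encode cert.Raw with encoding/pem (type "CERTIFICATE"), exactly as the openssl x509 -req step above writes server.crt.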
Source: StackOverflow