Kubernetes cluster certificate authority on DigitalOcean

12/23/2019

I'm trying to configure RBAC to add new user with limited access. I'm following this tutorial: https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access

It asks me to approve user sign request using Kubernetes CA:

Locate your Kubernetes cluster certificate authority (CA). This will be responsible for approving the request and generating the necessary certificate to access the cluster API. Its location is normally /etc/kubernetes/pki/. In the case of Minikube, it would be ~/.minikube/. Check that the files ca.crt and ca.key exist in the location.

So I need to run the command:

openssl x509 -req -in employee.csr -CA CA_LOCATION/ca.crt -CAkey CA_LOCATION/ca.key -CAcreateserial -out employee.crt -days 500

But in DigitalOcean I can't access Kubernetes internals (can't touch node droplets).

Is it possible to approve certificate sign request with DigitalOcean?

-- Kirill
certificate
digital-ocean
kubernetes
openssl
rbac

1 Answer

12/24/2019

You can use the built-in CA in your cluster to create client certificates.

Background information on how to use the CA: cluster-administration-certificates.

Steps to reproduce:

  1. Make sure that you have created a JSON user configuration file

Example JSON file:

{
    "CN": "example-user",
    "key": {
        "algo": "rsa",
        "size": 4096
    },
    "names": [{
        "O": "example-user",
        "email": "some@email"
    }]
}
  2. Generate a CSR for it
  3. Use the kubectl command to submit a CSR
  4. The request field is the base64-encoded version of your CSR file
  5. View your CSR, execute command: kubectl get csr
  6. Approve the CSR, execute command: kubectl certificate approve example-user
  7. Decode the certificate, execute command: kubectl get csr example-user -o jsonpath='{.status.certificate}' | base64 -d > client.pem
  8. You can now use the client-key.pem and client.pem to build a kubeconfig
  9. You can then create RBAC rolebindings on your cluster assigning to either --user=example-user or --group=example-user (assuming you used "O": "example-user" as defined in this example)

Here you can find more information: certificates.

-- MaggieO
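As an added example (not part of MaggieO's answer or the Bitnami tutorial), here is the same CSR-based flow scripted with openssl instead of cfssl, which is what makes it usable on a managed cluster such as DigitalOcean's where the CA key is never exposed: the private key and CSR are generated locally, the CertificateSigningRequest manifest is built with the single-line base64 request field the answer describes, and the kubectl commands from the answer are printed for the cluster-side steps. Assumptions of this example: the signerName field comes from the current certificates.k8s.io/v1 API and is not mentioned in the answer; the file names client-key.pem, client.csr and csr.yaml under a temporary work directory are this example's own; the CN becomes the Kubernetes user name and O becomes a group, which is what the RBAC bindings in step 9 match on.

```shell
#!/bin/sh
# Added example, not from the original answer: request a client certificate from
# the cluster's own CA without having access to ca.key.
# Offline part (openssl): key + CSR + CertificateSigningRequest manifest.
# Cluster part (kubectl): printed, since it needs cluster access.
set -eu

USER_NAME="${USER_NAME:-example-user}"   # certificate CN = Kubernetes user name
GROUP_NAME="${GROUP_NAME:-example-user}" # certificate O  = Kubernetes group
KEY_BITS="${KEY_BITS:-4096}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"       # assumed layout, this example's own

# Steps 1-2 of the answer: private key and CSR. The key stays on this machine;
# only the CSR (public key + subject) is sent to the cluster.
generate_csr() {
    openssl req -new -newkey "rsa:$KEY_BITS" -nodes \
        -keyout "$WORKDIR/client-key.pem" \
        -out "$WORKDIR/client.csr" \
        -subj "/CN=$USER_NAME/O=$GROUP_NAME" 2>/dev/null
    echo "$WORKDIR/client.csr"
}

# Steps 3-4: wrap the PEM CSR in a CertificateSigningRequest manifest.
# The request field is the base64 of the whole PEM file on ONE line;
# tr -d '\n' removes the 76-column wrapping that GNU base64 adds.
# signerName is required by certificates.k8s.io/v1 (assumed; not in the answer).
build_csr_manifest() {
    csr_file="$1"
    request_b64=$(base64 < "$csr_file" | tr -d '\n')
    cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $USER_NAME
spec:
  request: $request_b64
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
}

# Check before submitting: the subject inside the CSR is exactly what the
# RBAC RoleBindings will see as --user (CN) and --group (O).
csr_subject() {
    openssl req -in "$1" -noout -subject 2>/dev/null
}

# Steps 5-8 as listed in the answer; these need kubectl and cluster access.
print_cluster_steps() {
    cat <<EOF
kubectl create -f $WORKDIR/csr.yaml
kubectl get csr
kubectl certificate approve $USER_NAME
kubectl get csr $USER_NAME -o jsonpath='{.status.certificate}' | base64 -d > $WORKDIR/client.pem
EOF
}

main() {
    csr=$(generate_csr)
    build_csr_manifest "$csr" > "$WORKDIR/csr.yaml"
    echo "CSR subject: $(csr_subject "$csr")"
    echo "Manifest written to $WORKDIR/csr.yaml. Next, with cluster access:"
    print_cluster_steps
}

# Usage: USER_NAME=alice GROUP_NAME=developers sh csr-flow.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

After approval, client-key.pem and the decoded client.pem are the pair step 8 refers to; the approving party should read the subject printed by csr_subject (or `kubectl get csr -o yaml`) before approving, because whatever CN and O are inside the request become the identity the RoleBindings grant.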
Source: StackOverflow