
Security

First line of defense: control access to the API server itself.

Who can access the cluster, and what can they do?

Who -> Authentication
What -> Authorization

Certificates

Kubernetes requires PKI for the following operations:

Client certificates for:

  • kubelet: to authenticate to the API server
  • Admins of the cluster to auth to the API server
  • API-Server to authenticate to the kubelets
  • API-Server to talk to etcd (can be issued under the etcd CA)
  • Controller Manager to talk to the API Server
  • Scheduler to talk to the API Server
  • Proxy to talk to the API Server

Server certificates for:

  • Kubelet: to serve an HTTPS endpoint for the API server
  • API-Server to serve an HTTPS endpoint
  • Front Proxy to serve an HTTPS endpoint (optional)

Mutual TLS Certificate for:

  • ETCD to authenticate clients & peers

You must have at least one CA. You can run one CA for etcd and a separate CA for the Kubernetes components.

Certificates can be generated with tools such as easyrsa, openssl, or cfssl.

The CN for the admin user doesn’t need to be kube-admin, but it will show up in the logs.

Add group details to the certificate, for instance "system:masters". Groups are carried in the Organization (O) field, so add them with "/O=system:masters" in the CSR subject. System components must have a CN prefixed with "system:".

When creating the kube-apiserver certificate you need an openssl.cnf file that lists the DNS names and IP addresses the API server might be known by (kubernetes.default.svc.cluster.local, kubernetes.default.svc, etc.). Pass it to the openssl command with the -config option.

Node (kubelet) certs must use the CN pattern "system:node:{nodename}" and be added to the group "system:nodes" (O=system:nodes).

Certificate API (within the Controller Manager)

  • CSR-Approving and CSR-Signing controllers

Kubernetes has a CertificateSigningRequest (CSR) resource. An end user can create a key locally, generate a CSR, submit it, and have it signed by an admin. The end user can retrieve the signed certificate from the CSR object later.

  apiVersion: certificates.k8s.io/v1beta1
  kind: CertificateSigningRequest
  metadata:
    name: User
  spec:
    groups:
    - system:authenticated
    usages:
    - digital signature
    - key encipherment
    - server auth
    request: <base64 encoding of the CSR, i.e. the output of: cat <user>.csr | base64 | tr -d "\n">

Once created, approve it with: kubectl certificate approve User

Fetch the result with: kubectl get csr jane -o yaml (the signed certificate is in .status.certificate, base64 encoded)
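As an added example that is not part of these notes, the two halves of the CSR flow above in Go using only the standard library: building a kubelet-style CSR whose subject follows the system:node:<name> / system:nodes convention, and the check an admin should run on spec.request before approving it (parse, verify the requester's own signature, verify CN and O). The function names NewNodeCSR and CheckNodeCSR are assumptions, not Kubernetes APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)

// NewNodeCSR (hypothetical helper): key + CSR with CN=system:node:<name>, O=system:nodes, as base64 PEM for spec.request.
func NewNodeCSR(nodeName string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	subj := pkix.Name{CommonName: "system:node:" + nodeName, Organization: []string{"system:nodes"}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, key)
	if err != nil {
		return "", err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return base64.StdEncoding.EncodeToString(pemBytes), nil
}

// CheckNodeCSR (hypothetical helper): pre-approval check on spec.request; returns the node name from the CN.
func CheckNodeCSR(request string) (string, error) {
	pemBytes, err := base64.StdEncoding.DecodeString(request)
	block, _ := pem.Decode(pemBytes) // pem.Decode of empty/garbage input just yields a nil block
	if err != nil || block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", fmt.Errorf("spec.request is not the base64 of a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the requester's private key
		return "", err
	}
	cn, org := csr.Subject.CommonName, csr.Subject.Organization
	name := strings.TrimPrefix(cn, "system:node:")
	if name == "" || name == cn || len(org) != 1 || org[0] != "system:nodes" {
		return "", fmt.Errorf("subject CN=%q O=%v is not system:node:<name> in group system:nodes", cn, org)
	}
	return name, nil
}
```

The same subject check, with the prefix and group swapped, applies to any other system component certificate you are asked to approve.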