[WIP] Add document explaining certificates and PKI for Kubernetes #8232
Conversation
k8s-ci-robot
added
size/L
|
/cc @Bradamant3 |
|
Deploy preview for kubernetes-io-master-staging failed. Built with commit b1f3cd3 https://app.netlify.com/sites/kubernetes-io-master-staging/deploys/5b6d97b6fdd72a5ddc772fc8 |
|
/assign |
|
Needs inroads from existing documentation as well. |
|
Travis CI build is failing bc TOC entry is missing -- this is by design at this point. I told Liz I'd work with her to figure out the best place to put it -- not immediately obvious. Incoming links per previous comment also important, yes. Modifying PR title and putting hold accordingly /hold |
k8s-ci-robot
added
the
do-not-merge/hold
Bradamant3
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
The content of this page is mostly about kubeadm although the text sometimes is trying to make kubeadm just an example. I'd suggest this to be moved over to the kubeadm subtopic. The certificates topic is more than what kubeadm has implemented/supported, and there are many cases where people deploy their clusters using other tools. If we believe the generic concepts in the page can be extracted out as a top level reference topic, please do it. |
|
@tengqm if you've got suggestions about how this could be made more generally applicable I'd love to hear them! |
docs/reference/certificates.md
Outdated
|
|
||
| # Introduction | ||
|
|
||
| A tool like [kubeadm][kubeadm] can be used to generate your configuration for you. |
There was a problem hiding this comment.
Did you mean to use certificates here instead of configuration?
docs/reference/certificates.md
Outdated
| 1. Client certificates for the kubelet to authenticate to the master | ||
| 2. Server certificate for the api server endpoint | ||
| 3. Client certificates for administrators of the cluster authenticating to the API server | ||
| 4. Client certificates for service accounts authenticating to the API server. |
There was a problem hiding this comment.
This is being a bit pedantic, but technically the service accounts are using a generated public/private keypair only.
There was a problem hiding this comment.
Certificates are also used for the following:
- client certificate for the api server to talk to the kubelets
- client certificate for the api server to talk to etcd
- client certificate/kubeconfig for controller manager to talk to api server
- client certificate/kubeconfig for scheduler to talk to api server
There was a problem hiding this comment.
It may be good to mention the use of the front-proxy certs here as well, which are used to enable extension api servers as described here: https://kubernetes.io/docs/concepts/api-extension/apiserver-aggregation/
docs/reference/certificates.md
Outdated
|
|
||
| ## Where they're used | ||
|
|
||
| Kubernetes uses kubeadm for four primary things: |
docs/reference/certificates.md
Outdated
| ## Where they're used | ||
|
|
||
| Kubernetes uses kubeadm for four primary things: | ||
| 1. Client certificates for the kubelet to authenticate to the master |
docs/reference/certificates.md
Outdated
| 3. Client certificates for administrators of the cluster authenticating to the API server | ||
| 4. Client certificates for service accounts authenticating to the API server. | ||
|
|
||
| In addition, etcd uses mutual TLS for authenticating peers (in an HA cluster).$ |
docs/reference/certificates.md
Outdated
|
|
||
| The CAs needed for this to work are: | ||
|
|
||
| | path | CN | description | |
There was a problem hiding this comment.
should this be "path relative to /etc/kubernetes/pki" instead?
There was a problem hiding this comment.
s/CN/default CN/
The actual CN used should not matter for the CAs
docs/reference/certificates.md
Outdated
| | CN | Parent CA | O (in Subject) | kind | hosts (SAN) | | ||
| |-------------------------------|---------------------------|----------------|--------|---------------------------------------------| | ||
| | kube-etcd | etcd-ca | | server | localhost, 127.0.0.1 | | ||
| | kube-etcd-peel | etcd-ca | | peer | <hostname>, <Host IP>, localhost, 127.0.0.1 | |
docs/reference/certificates.md
Outdated
|
|
||
| [usage]: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 | ||
| [kubeadm]: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm/ | ||
| [proxy]: https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#discovering-builtin-services |
There was a problem hiding this comment.
The front-proxy CA/certs are used for https://kubernetes.io/docs/concepts/api-extension/apiserver-aggregation/
|
@liztio My suggestion is as follows:
|
|
@liztio 👋 We've migrated the site's framework to Hugo. Please re-open this PR with changes to files in their post-migration location ( |
|
Reopening to remind me to help with this one as promised a while ago. PLEASE DO NOT CLOSE AGAIN. |
|
possible places to link from: |
timothysc
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
docs/reference/certificates.md
Outdated
| 8. Client and server certificates for the [front-proxy][proxy] | ||
|
|
||
|
|
||
| In addition, etcd uses mutual TLS for authenticating clients and peers (in an HA cluster). |
There was a problem hiding this comment.
Since we are generated certificates for the peer regardless of HA/non-HA, we can probably just remove the '(in a HA cluster)' qualifier here. Currently this reads a bit off to me because it's not clear to me that '(in a HA cluster)' only applies to the peer usage.
docs/reference/certificates.md
Outdated
|
|
||
| | Default CN | Parent CA | O (in Subject) | kind | hosts (SAN) | | ||
| |-------------------------------|---------------------------|----------------|--------|---------------------------------------------| | ||
| | kube-etcd | etcd-ca | | server | localhost, 127.0.0.1 | |
There was a problem hiding this comment.
Since v1.11 now uses etcd 3.2.x, we currently have to create the etcd serving certificate with both server and client usages. Upstream etcd issue tracking this is here: etcd-io/etcd#9785
docs/reference/certificates.md
Outdated
| |-------------------------------|---------------------------|----------------|--------|---------------------------------------------| | ||
| | kube-etcd | etcd-ca | | server | localhost, 127.0.0.1 | | ||
| | kube-etcd-peer | etcd-ca | | peer | <hostname>, <Host IP>, localhost, 127.0.0.1 | | ||
| | kube-etcd-healthcheck-client | etcd-ca | system:masters | peer | | |
There was a problem hiding this comment.
kind for the kube-etcd-healthcheck-client cert should be client
There was a problem hiding this comment.
Where will the kube-etcd-healthcheck-client CN be used? And it acts as a system:masters subject.
There was a problem hiding this comment.
It is used by the healthcheck for the etcd static pod deployed by kubeadm.
This is currently how the kube-etcd-healthcheck-client cert is created using kubeadm today.
The system:masters subject here is a bit misleading and isn't necessary. Since this cert is created using the etcd CA it does not grant any additional permissions above and beyond any other cert that is created from that CA since we aren't enabling RBAC for etcd (at least yet).
docs/reference/certificates.md
Outdated
| | kube-etcd-healthcheck-client | etcd-ca | system:masters | peer | | | ||
| | kube-apiserver-etcd-client | etcd-ca | system:masters | client | | | ||
| | kube-apiserver | kubernetes-ca | | server | <hostname>, <Host IP>, <advertise IP> , [1] | | ||
| | kube-apiserver-client | kubernetes-ca | system:master | client | | |
There was a problem hiding this comment.
I think kube-apiserver-client might be a typo here. I'm not sure if it is extraneous or should be named something else, though.
docs/reference/certificates.md
Outdated
| | filename | credential name | Default CN | O (in Subject) | | ||
| |-------------------------|----------------------------|--------------------------------|----------------| | ||
| | admin.conf | default-admin | kubernetes-admin | system:masters | | ||
| | kubelet.conf | default-auth | system:node:<hostname> | system:nodes | |
There was a problem hiding this comment.
The credential name for kubelet.conf should be system:node:<nodename>
docs/reference/certificates.md
Outdated
| KUBECONFIG=<path> kubectl config set-cluster default-cluster --server=https://<host ip>:6443 --certificate-authority <path to kubernetes ca> --embed-certs | ||
| KUBECONFIG=<path> kubectl config set-credentials <credential-name> --client-key <path-to-key>.pem --client-certificate <path-to-cert>.pem --embed-certs | ||
| KUBECONFIG=<path> kubectl config set-context default-system --cluster default-cluster --user <credential-name> | ||
| KUBECONFIG=<path> kubectl config use-context default-system |
There was a problem hiding this comment.
Path is used here, but appears to be referenced below.
docs/reference/certificates.md
Outdated
| | default-admin | admin.conf | kubectl | used by a user to administer the cluster | | ||
| | default-auth | kubelet.conf | kubelet | one will be needed for every node in the cluster. | | ||
| | default-controller-manager | controller-manager.conf | kube-controller-manager | add to manifest in `manifests/kube-controller-manager.yaml` | | ||
| | default-scheduler | scheduler.conf | kube-scheduler | add to manifest in `manifests/kube-scheduler.yaml` | |
There was a problem hiding this comment.
I'd suggest adding path to the above table and removing name from this table.
|
@liztio Please respond to the remaining feedback. Thx |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@chenopis done, sorry it took so long! |
Bradamant3
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
added WIP to make sure we don't accidentally merge. Pushed copyedit commit to this version so that @liztio can take a look. I'll then push up new PR based on hugo from their fork. N.B. this version does not resolve the links markup issue in Hugo. (not needed for content review) |
docs/reference/certificates.md
Outdated
| In that case, you will also need to make all of these: | ||
| | ca.crt,key | kubernetes-ca | Kubernetes general CA | | ||
| | etcd/ca.crt,key | etcd-ca | For all etcd-related functions | | ||
| | front-proxy-ca.crt,key | kubernetes-front-proxy-ca | For the [front-end proxy][proxy] | |
There was a problem hiding this comment.
It looked as though this and the previous line somehow got reversed in the version that I edited. If I've misunderstood something obscure, my apologies (but if I've misunderstood, we should explain a bit more too).
docs/reference/certificates.md
Outdated
| | kube-apiserver-kubelet-client | kubernetes-ca | system:masters | client | | | ||
| | front-proxy-client | kubernetes-front-proxy-ca | | client | | | ||
|
|
||
| [1]: `kubernetes`, `kubernetes.default`, `kubernetes.default.svc`, `kubernetes.default.svc.cluster`, `kubernetes.default.svc.cluster.local` |
There was a problem hiding this comment.
Changed markup for this and other notes because they weren't rendering at all in the original.
|
Finally closing unmerged bc we at long last have the Hugo PR. |
This file is intended to help people understand the PKI around Kubernetes and how it can be configured when not delegating management to automated scripts.
I don't need to be on the approvers list, I just didn't know who else to put there.