Samuel's Blog | K8s certs

PKI certificates

Kubernetes requires PKI for the following operations:

Client certificates for the kubelet to authenticate to the API server
Server certificate for the API server endpoint
Client certificates for administrators of the cluster to authenticate to the API server
Client certificates for the API server to talk to the kubelets
Client certificate for the API server to talk to etcd
Client certificate/kubeconfig for the controller manager to talk to the API server
Client certificate/kubeconfig for the scheduler to talk to the API server.
Client and server certificates for the front-proxy

etcd also implements mutual TLS to authenticate clients and peers.

On top of the above CAs, it is also necessary to get a public/private key pair for service account management, sa.key and sa.pub.

Certificate paths
refer

Configure certificates for user accounts

filename	                credential name	             Default CN	                        O (in Subject)	
admin.conf	              default-admin	               kubernetes-admin	                  system:masters	
kubelet.conf	            default-auth	               system:node:<nodeName> (see note)	system:nodes	
controller-manager.conf	  default-controller-manager	 system:kube-controller-manager		
scheduler.conf	          default-scheduler	           system:kube-scheduler

renew certs
refer

all certs
refer

root@k8s-master:/etc/kubernetes/pki# tree
.
|-- apiserver.crt
|-- apiserver-etcd-client.crt
|-- apiserver-etcd-client.key
|-- apiserver.key
|-- apiserver-kubelet-client.crt
|-- apiserver-kubelet-client.key
|-- ca.crt
|-- ca.key
|-- etcd
|   |-- ca.crt
|   |-- ca.key
|   |-- healthcheck-client.crt
|   |-- healthcheck-client.key
|   |-- peer.crt
|   |-- peer.key
|   |-- server.crt
|   `-- server.key
|-- front-proxy-ca.crt
|-- front-proxy-ca.key
|-- front-proxy-client.crt
|-- front-proxy-client.key
|-- sa.key
`-- sa.pub

1 directory, 22 files

K8s certs

Recent Posts

Tags