docs/doc/source/security/kubernetes/kubernetes-certificates-f4196d7cae9c.rst
Elisamara Aoki Goncalves 10fd3a0bb8 Front-proxy-client and front-proxy-ca certificates are not documented (r8,dsR8)
Add front-proxy-client and front-proxy-ca certificates to the list.

Closes-bug: 2019959

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: Ie940da7352e80322c9d462c7cc219ceec879597d
2023-05-17 17:29:33 -03:00


Kubernetes Certificates

For Kubernetes, HTTPS is always enabled for both internal and external endpoints.

Kubernetes automatically creates all of its client and server certificates and signs them with a Kubernetes Root CA. This includes the server certificate for the external kube-apiserver API endpoint. By default, the Kubernetes Root CA is automatically generated at install time.

If desired, you can externally generate a Root CA certificate and key and configure it as the Kubernetes Root CA during installation. Currently, StarlingX supports only Internal mode with Kubernetes, which only supports a Root CA as the Kubernetes Root CA, not an Intermediate CA.

The public certificate of the Kubernetes Root CA, whether auto-generated or specified, needs to be configured as a trusted CA by external servers connecting to StarlingX's Kubernetes API endpoint (for example, via a remotely installed kubectl client).

Note

Some platform services (for example sysinv, cert-mon and VIM) also use X.509 certificates to access Kubernetes over HTTPS.

Optionally, you can replace the Kubernetes Root CA with a custom Root CA certificate and key that you generate yourself and that is trusted by your external servers connecting to StarlingX's Kubernetes API endpoint. StarlingX's Kubernetes Root CA certificate and key are configured as part of the bootstrap during installation.

Note

You must use a Root CA certificate; Intermediate CA certificates are not supported by upstream Kubernetes.

Kubernetes certificates include:

  • Kubernetes Root CA certificate
  • Cluster admin client certificate used by kubectl
  • kube-controller-manager client certificate
  • kube-scheduler client certificate
  • kube-apiserver server certificate
  • kube-apiserver's kubelet client certificate
  • kubelet client certificate
  • front-proxy-client certificate
  • front-proxy-ca certificate

Kubernetes Root CA Certificate

The Kubernetes Root CA certificate signs all the other Kubernetes certificates. It is also the certificate that the various components use to verify server and client certificates signed by the Kubernetes Root CA. For example, applications running in pods use the Kubernetes Root CA certificate embedded in the service account token to verify the kube-apiserver's server certificate when they make calls to the kube-apiserver.

The Kubernetes Root CA certificate and its corresponding private key are stored in the file system:

  • /etc/kubernetes/pki/ca.crt
  • /etc/kubernetes/pki/ca.key

Note

The Kubernetes Root CA certificate is also embedded in various configuration files and in the service account token.

Cluster admin client certificate used by kubectl

This is the client certificate signed by the Kubernetes Root CA and embedded in /etc/kubernetes/admin.conf. It is used by the kubectl command to identify itself to the kube-apiserver.

kube-controller-manager client certificate

This is the client certificate signed by the Kubernetes Root CA and embedded in /etc/kubernetes/controller-manager.conf. It is used by the kube-controller-manager pod to identify itself to the kube-apiserver.

kube-scheduler client certificate

This is the client certificate signed by the Kubernetes Root CA and embedded in /etc/kubernetes/scheduler.conf. It is used by the kube-scheduler pod to identify itself to the kube-apiserver.

kube-apiserver server certificate

This is the kube-apiserver's serving certificate. Clients connecting to the kube-apiserver verify this certificate using the Kubernetes Root CA certificate. The certificate and its corresponding private key are stored in the file system:

  • /etc/kubernetes/pki/apiserver.crt
  • /etc/kubernetes/pki/apiserver.key

kube-apiserver's kubelet client certificate

This is the kube-apiserver's client certificate for communicating with kubelet. The kube-apiserver identifies itself with this certificate when it connects to kubelet. The certificate and its corresponding private key are stored in the file system:

  • /etc/kubernetes/pki/apiserver-kubelet-client.crt
  • /etc/kubernetes/pki/apiserver-kubelet-client.key

kubelet client certificate

This is the kubelet's client certificate (with the private key in the same file). kubelet identifies itself with this certificate when it connects to the kube-apiserver. kubelet has the Kubernetes Root CA certificate in /etc/kubernetes/kubelet.conf to verify peer certificates.

The certificate and its corresponding private key are stored in the file system as one file:

  • /var/lib/kubelet/pki/kubelet-client-current.pem

This certificate is configured to auto-renew.

front-proxy-client certificate

This is the client certificate signed by the front-proxy Root CA certificate. It is used by the kube-apiserver's aggregator to connect to an aggregated API server (extension API server).

front-proxy-ca certificate

This is the front-proxy Root CA certificate. front-proxy certificates are required only if you run kube-proxy to support an extension API server.
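As an added example that is not part of this StarlingX page, a Go program (standard library crypto/x509 only) performing the checks the sections above imply for any certificate in this list: that the CA is a self-signed Root CA rather than an Intermediate CA, that the certificate chains to it, whether it is a client or a server certificate, and how many days remain before it expires. The certificate pair is constructed in memory as a stand-in for /etc/kubernetes/pki/ca.crt and the admin.conf client certificate; the function and type names are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// CertReport: does the cert chain to the Root CA, is it a client or a server cert, days until expiry.
type CertReport struct {
	ChainOK, IsClient, IsServer bool
	DaysLeft                    int
}
// checkCert verifies leafPEM against caPEM at time now; caPEM must be a self-signed Root CA, not an intermediate.
func checkCert(caPEM, leafPEM []byte, now time.Time) (rep CertReport, err error) {
	var certs [2]*x509.Certificate
	for i, b := range [][]byte{caPEM, leafPEM} {
		block, _ := pem.Decode(b)
		if block == nil { return rep, fmt.Errorf("input %d is not PEM", i) }
		if certs[i], err = x509.ParseCertificate(block.Bytes); err != nil { return rep, err }
	}
	ca, leaf := certs[0], certs[1]
	if !ca.IsCA || ca.CheckSignatureFrom(ca) != nil { return rep, fmt.Errorf("%q is not a self-signed Root CA", ca.Subject.CommonName) }
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, verr := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	rep = CertReport{ChainOK: verr == nil, DaysLeft: int(leaf.NotAfter.Sub(now).Hours() / 24)}
	for _, u := range leaf.ExtKeyUsage { // kubeadm-style certs carry clientAuth and/or serverAuth
		rep.IsClient = rep.IsClient || u == x509.ExtKeyUsageClientAuth
		rep.IsServer = rep.IsServer || u == x509.ExtKeyUsageServerAuth
	}
	return rep, nil
}
// makeTestPKI: constructed stand-in for /etc/kubernetes/pki, a self-signed Root CA "kubernetes" and the admin client cert it signs (365 days).
func makeTestPKI(now time.Time) (caPEM, adminPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"}, NotBefore: now,
		NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	adminPub, _, _ := ed25519.GenerateKey(rand.Reader)
	adminTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "kubernetes-admin"},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	adminDER, _ := x509.CreateCertificate(rand.Reader, adminTmpl, caTmpl, adminPub, caKey)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(adminDER)
}
```

On a real node, feed checkCert the contents of /etc/kubernetes/pki/ca.crt together with any of the .crt files listed above, or the base64-decoded client-certificate-data from admin.conf, controller-manager.conf or scheduler.conf.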

Related topics:

  • update-renew-kubernetes-certificates-52b00bd0bdae
  • manual-kubernetes-root-ca-certificate-update-8e9df2cd7fb9
  • kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d