K8S基本操作-37-K8S原生憑證簽署方式
K8S 中各部件通訊時如何保障安全
kube-apiserver, kube-controller-manager, kube-scheduler, etcd, kubelet, kube-proxy 都存在著自己的鑰匙與憑證。
具體來說,每個部件都有著對應的憑證與Key:
# 預設管理員
admin.crt
admin.key
# KUBE-SCHEDULER
scheduler.crt
scheduler.key
# KUBE-CONTROLLER-MANAGER
controllermanager.crt
controllermanager.key
# KUBE-PROXY
kube-proxy.crt
kube-proxy.key
# KUBE-API SERVER
apiserver-kubeletclient.crt
apiserver-kubeletclient.key
# KUBE-API SERVER
apiserver-etcdclient.crt
apiserver-etcdclient.key
# ETCD SERVER
etcdserver.crt
etcdserver.key
# KUBELET SERVER
kubelet.crt
kubelet.key
用於部件之間互相傳遞的加密與驗證。
沒意外的話,如果 Key 不外洩,在 K8S Cluster 網路中,是相對安全的環境。
K8S 中哪個 Pod 負責簽署憑證
Controller manager Pod 負責簽署憑證,當 Admin 用戶將需要簽署的憑證傳輸給 K8S 時,由該部件進行簽署。
組成如下:
- Controller manager
- CSR-APPROVING
- CSR-SIGNING
如何進行 K8S 內部憑證申請
Akshay 想建立自己的Key,然後生成 K8S 憑證,需要進行以下步驟:
1.生成鑰匙
生個鑰匙 akshay.key:
openssl genrsa -out akshay.key 2048
2.生成憑證請求
用鑰匙生成憑證請求:
openssl req -new -key akshay.key -subj "/CN=akshay" -out akshay.csr
這個憑證請求用以下指令轉成 Base64 字串:
cat akshay.csr | base64 -w 0
輸出:
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZV3R6YUdGNU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQXR0MVBjL3NPYnczaUVNTUhRaWYzOG1xTjhwZTRJSTEyaUlCRWxQZXM5SzFrCkdjZGtOd3A3Vit5TnhSRklTRHhhY2JNbGdnQXVrSUNsbmxEQTVvNzNKMWJENlZXTTg0WDJ0bmlXaHp3dVNmNGoKQlFWYVRFRlNPSy81WnIxemlHMElKY3dwKzZ1OHpCS3NsVkpqNHl0NW1mb0dQcXBGaFEyN2UrT1JFV2FGM0J0UwpOSEZRL0hsNU1YOENkeWVRVnU3WWVMWGQ4cTVQRnFPajRRY0lIZ0RRd2crbHpkYTk3NStjS2dtTWpUeVVrSDFjCnp5elBNUVgyNzFqUVE1RlhxNXpqZERpeDA0RGplRnpVMjR0ZDNjWEFXOWNWTDhkalBTOTFJMVQyaWl0V3RWNlgKUXVoZUtybFVnRnRUbUtOTmd5NWhmTmE4MU8vVzVLeEFleFdjTlBndEdRSURBUUFCb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBRDgvQ29UY0MrU1FhOG1TSmJ1ZlZsYXl3akRmNkMvVTZ4RkxiM0V6bDBnNzZBUEpWaytlCnpCb29ONys1ZCtNYmZ6SGk5YS8ycktuL2lGRGpGN0Q4Z0R0NFRWNlF5Z0NhbjcrTWN5MVNML1VxWFpZOFRHQUwKeVNZbVdqUzhFTmU3WHU5Skk0NU5RdkZiSXVLZ3RXZmJuaGF2c0c5bXZEQTlXUzh6SjR2dlpvY0lsNWh1YkJscApmTm5VZWJySERDS2pZNDZLOCtWOTVlT2dvSGxyOXE0V09yNW9IRFhhWWg1S1JXS0txbDBBeTdMZFp5bFYxQit5Cjl1RjdvRkU4aDV0cXV3L0JNSk05Z1ZRbk5TSkQ1TDB4Z3M1blVtQU1QSUlKQmE3dytpRTVPbnpiZ3FiZFlPMzUKTzRrQUs3MmVUYlQxYkRWNi9TTDduemVqdkcvTEQwYU50a289Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
然後將字串貼入申請用的 YAML 中:
akshay-csr.yaml
---
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: akshay
spec:
groups:
- system:authenticated
request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDR>
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth
3.傳送給有 Admin 帳戶的人員然後啟用簽署請求
Admin 用戶收到後,用以下指令進行簽署請求:
kubectl apply -f akshay-csr.yaml
檢查簽署請求:
kubectl get csr
輸出:
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
akshay 3m12s kubernetes.io/kube-apiserver-client kubernetes-admin <none> Pending
簽署:
kubectl certificate approve akshay
如果要拒絕則使用以下指令:
kubectl certificate deny <CSR名稱>
kubectl delete csr <CSR名稱>
4.導出簽署好的 Certification
kubectl get csr akshay -o yaml > akshay-crt.yaml
檔案如下:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"akshay"},"spec":{"groups":["system:authenticated"],"request":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZV3R6YUdGNU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQXR0MVBjL3NPYnczaUVNTUhRaWYzOG1xTjhwZTRJSTEyaUlCRWxQZXM5SzFrCkdjZGtOd3A3Vit5TnhSRklTRHhhY2JNbGdnQXVrSUNsbmxEQTVvNzNKMWJENlZXTTg0WDJ0bmlXaHp3dVNmNGoKQlFWYVRFRlNPSy81WnIxemlHMElKY3dwKzZ1OHpCS3NsVkpqNHl0NW1mb0dQcXBGaFEyN2UrT1JFV2FGM0J0UwpOSEZRL0hsNU1YOENkeWVRVnU3WWVMWGQ4cTVQRnFPajRRY0lIZ0RRd2crbHpkYTk3NStjS2dtTWpUeVVrSDFjCnp5elBNUVgyNzFqUVE1RlhxNXpqZERpeDA0RGplRnpVMjR0ZDNjWEFXOWNWTDhkalBTOTFJMVQyaWl0V3RWNlgKUXVoZUtybFVnRnRUbUtOTmd5NWhmTmE4MU8vVzVLeEFleFdjTlBndEdRSURBUUFCb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBRDgvQ29UY0MrU1FhOG1TSmJ1ZlZsYXl3akRmNkMvVTZ4RkxiM0V6bDBnNzZBUEpWaytlCnpCb29ONys1ZCtNYmZ6SGk5YS8ycktuL2lGRGpGN0Q4Z0R0NFRWNlF5Z0NhbjcrTWN5MVNML1VxWFpZOFRHQUwKeVNZbVdqUzhFTmU3WHU5Skk0NU5RdkZiSXVLZ3RXZmJuaGF2c0c5bXZEQTlXUzh6SjR2dlpvY0lsNWh1YkJscApmTm5VZWJySERDS2pZNDZLOCtWOTVlT2dvSGxyOXE0V09yNW9IRFhhWWg1S1JXS0txbDBBeTdMZFp5bFYxQit5Cjl1RjdvRkU4aDV0cXV3L0JNSk05Z1ZRbk5TSkQ1TDB4Z3M1blVtQU1QSUlKQmE3dytpRTVPbnpiZ3FiZFlPMzUKTzRrQUs3MmVUYlQxYkRWNi9TTDduemVqdkcvTEQwYU50a289Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}}
creationTimestamp: "2024-02-06T08:00:33Z"
name: akshay
resourceVersion: "1660"
uid: c26911df-e6da-43b8-a4b4-ef63bdf80289
spec:
groups:
- system:masters
- system:authenticated
request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZV3R6YUdGNU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQXR0MVBjL3NPYnczaUVNTUhRaWYzOG1xTjhwZTRJSTEyaUlCRWxQZXM5SzFrCkdjZGtOd3A3Vit5TnhSRklTRHhhY2JNbGdnQXVrSUNsbmxEQTVvNzNKMWJENlZXTTg0WDJ0bmlXaHp3dVNmNGoKQlFWYVRFRlNPSy81WnIxemlHMElKY3dwKzZ1OHpCS3NsVkpqNHl0NW1mb0dQcXBGaFEyN2UrT1JFV2FGM0J0UwpOSEZRL0hsNU1YOENkeWVRVnU3WWVMWGQ4cTVQRnFPajRRY0lIZ0RRd2crbHpkYTk3NStjS2dtTWpUeVVrSDFjCnp5elBNUVgyNzFqUVE1RlhxNXpqZERpeDA0RGplRnpVMjR0ZDNjWEFXOWNWTDhkalBTOTFJMVQyaWl0V3RWNlgKUXVoZUtybFVnRnRUbUtOTmd5NWhmTmE4MU8vVzVLeEFleFdjTlBndEdRSURBUUFCb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBRDgvQ29UY0MrU1FhOG1TSmJ1ZlZsYXl3akRmNkMvVTZ4RkxiM0V6bDBnNzZBUEpWaytlCnpCb29ONys1ZCtNYmZ6SGk5YS8ycktuL2lGRGpGN0Q4Z0R0NFRWNlF5Z0NhbjcrTWN5MVNML1VxWFpZOFRHQUwKeVNZbVdqUzhFTmU3WHU5Skk0NU5RdkZiSXVLZ3RXZmJuaGF2c0c5bXZEQTlXUzh6SjR2dlpvY0lsNWh1YkJscApmTm5VZWJySERDS2pZNDZLOCtWOTVlT2dvSGxyOXE0V09yNW9IRFhhWWg1S1JXS0txbDBBeTdMZFp5bFYxQit5Cjl1RjdvRkU4aDV0cXV3L0JNSk05Z1ZRbk5TSkQ1TDB4Z3M1blVtQU1QSUlKQmE3dytpRTVPbnpiZ3FiZFlPMzUKTzRrQUs3MmVUYlQxYkRWNi9TTDduemVqdkcvTEQwYU50a289Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth
username: kubernetes-admin
status:
certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5ekNDQWQrZ0F3SUJBZ0lSQUtHUHF5aCtQL1lqbmtESTEvR1hzZjB3RFFZSktvWklodmNOQVFFTEJRQXcKRlRFVE1CRUdBMVVFQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TkRBeU1EWXdPREF4TWpCYUZ3MHlOVEF5TURVdwpPREF4TWpCYU1CRXhEekFOQmdOVkJBTVRCbUZyYzJoaGVUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQCkFEQ0NBUW9DZ2dFQkFMYmRUM1A3RG04TjRoRERCMEluOS9KcWpmS1h1Q0NOZG9pQVJKVDNyUFN0WkJuSFpEY0sKZTFmc2pjVVJTRWc4V25HekpZSUFMcENBcFo1UXdPYU85eWRXdytsVmpQT0Y5clo0bG9jOExrbitJd1VGV2t4QgpVaml2K1dhOWM0aHRDQ1hNS2Z1cnZNd1NySlZTWStNcmVabjZCajZxUllVTnUzdmprUkZtaGR3YlVqUnhVUHg1CmVURi9BbmNua0ZidTJIaTEzZkt1VHhham8rRUhDQjRBME1JUHBjM1d2ZStmbkNvSmpJMDhsSkI5WE04c3p6RUYKOXU5WTBFT1JWNnVjNDNRNHNkT0E0M2hjMU51TFhkM0Z3RnZYRlMvSFl6MHZkU05VOW9vclZyVmVsMExvWGlxNQpWSUJiVTVpalRZTXVZWHpXdk5UdjF1U3NRSHNWbkRUNExSa0NBd0VBQWFOR01FUXdFd1lEVlIwbEJBd3dDZ1lJCkt3WUJCUVVIQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JRcTUrRUV3ZHFOOEhYd0RZVUMKUmpmWmk0VzZuekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBU1NJNFFacllqU3c2aG0ybVZPSXp6NG1yako2OAplZ01qdjBJSVpPTmU5RzNtZlQwRWlzazVrZGVRcGhSMDl6cmFKamZPSkgrT1RTOWlHaWRnZ1gyTjNLanYycXFhCjhDNnJYWUEyVVVJRk9jZHEydmNWNTJGOEV6Z3RqUFdwU2J0bnNLc05WMzFGVUVPNzY3dThpRmdISGJCVHlHdDYKZ1poaHU0T3psTCt4Z3M4NXE0L0Zra0o2UXVoVExtRnk1S1hTUnNZSW9TeWlpN0R4NnpiMjR4OC9vVTdGdGRXMQpNMTZyYTFiYzI3RjRRaXhSbmtuc256c2EzbVRaNHE3RjRRMDhYN0VRelJLSkxZNlhUSnNvVW95L0RSWnNyakszCnF3c3F1WVlSNUNyaVpaSjZFM2ZaNlJGQ3NnREtVVEpqdlJmRHpHSTlnZE5kR1RNand4azR6bitzVHc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
conditions:
- lastTransitionTime: "2024-02-06T08:06:20Z"
lastUpdateTime: "2024-02-06T08:06:20Z"
message: This CSR was approved by kubectl certificate approve.
reason: KubectlApprove
status: "True"
type: Approved
用以下指令把其中 certificate 這段 Base64 decode 導出成 akshay.crt:
kubectl get csr akshay -o jsonpath='{.status.certificate}'| base64 -d > akshay.crt
把 akshay.crt 寄回去給 Akshay 即可。