K8S基本操作-37-K8S原生憑證簽署方式

February 6, 2024

K8S 中各部件通訊時如何保障安全

kube-apiserver, kube-controller-manager, kube-scheduler, etcd, kubelet, kube-proxy 都存在著自己的鑰匙與憑證。

具體來說，每個部件都有著對應的憑證與Key:

# 預設管理員
admin.crt 
admin.key

# KUBE-SCHEDULER
scheduler.crt
scheduler.key

# KUBE-CONTROLLER-MANAGER
controllermanager.crt
controllermanager.key

# KUBE-PROXY
kube-proxy.crt
kube-proxy.key

# KUBE-API SERVER
apiserver-kubeletclient.crt
apiserver-kubeletclient.key

# KUBE-API SERVER
apiserver-etcdclient.crt
apiserver-etcdclient.key

# ETCD SERVER
etcdserver.crt 
etcdserver.key

# KUBELET SERVER
kubelet.crt
kubelet.key

用於部件之間互相傳遞的加密與驗證。

沒意外的話，如果 Key 不外洩，在 K8S Cluster 網路中，是相對安全的環境。

K8S 中哪個 Pod 負責簽署憑證

Controller manager Pod 負責簽署憑證，當 Admin 用戶將需要簽署的憑證傳輸給 K8S 時，由該部件進行簽署。

組成如下:

Controller manager
- CSR-APPROVING
- CSR-SIGNING

如何進行 K8S 內部憑證申請

Akshay 想建立自己的Key，然後生成 K8S 憑證，需要進行以下步驟:

1.生成鑰匙

生個鑰匙 akshay.key:

openssl genrsa -out akshay.key 2048

2.生成憑證請求

用鑰匙生成憑證請求:

openssl req -new -key akshay.key -subj "/CN=akshay" -out akshay.csr

這個憑證請求用以下指令轉成 Base64 字串:

cat akshay.csr | base64 -w 0

輸出:

LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZV3R6YUdGNU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQXR0MVBjL3NPYnczaUVNTUhRaWYzOG1xTjhwZTRJSTEyaUlCRWxQZXM5SzFrCkdjZGtOd3A3Vit5TnhSRklTRHhhY2JNbGdnQXVrSUNsbmxEQTVvNzNKMWJENlZXTTg0WDJ0bmlXaHp3dVNmNGoKQlFWYVRFRlNPSy81WnIxemlHMElKY3dwKzZ1OHpCS3NsVkpqNHl0NW1mb0dQcXBGaFEyN2UrT1JFV2FGM0J0UwpOSEZRL0hsNU1YOENkeWVRVnU3WWVMWGQ4cTVQRnFPajRRY0lIZ0RRd2crbHpkYTk3NStjS2dtTWpUeVVrSDFjCnp5elBNUVgyNzFqUVE1RlhxNXpqZERpeDA0RGplRnpVMjR0ZDNjWEFXOWNWTDhkalBTOTFJMVQyaWl0V3RWNlgKUXVoZUtybFVnRnRUbUtOTmd5NWhmTmE4MU8vVzVLeEFleFdjTlBndEdRSURBUUFCb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBRDgvQ29UY0MrU1FhOG1TSmJ1ZlZsYXl3akRmNkMvVTZ4RkxiM0V6bDBnNzZBUEpWaytlCnpCb29ONys1ZCtNYmZ6SGk5YS8ycktuL2lGRGpGN0Q4Z0R0NFRWNlF5Z0NhbjcrTWN5MVNML1VxWFpZOFRHQUwKeVNZbVdqUzhFTmU3WHU5Skk0NU5RdkZiSXVLZ3RXZmJuaGF2c0c5bXZEQTlXUzh6SjR2dlpvY0lsNWh1YkJscApmTm5VZWJySERDS2pZNDZLOCtWOTVlT2dvSGxyOXE0V09yNW9IRFhhWWg1S1JXS0txbDBBeTdMZFp5bFYxQit5Cjl1RjdvRkU4aDV0cXV3L0JNSk05Z1ZRbk5TSkQ1TDB4Z3M1blVtQU1QSUlKQmE3dytpRTVPbnpiZ3FiZFlPMzUKTzRrQUs3MmVUYlQxYkRWNi9TTDduemVqdkcvTEQwYU50a289Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=

然後將字串貼入申請用的 YAML 中:

akshay-csr.yaml

---
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDR>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

3.傳送給有 Admin 帳戶的人員然後啟用簽署請求

Admin 用戶收到後，用以下指令進行簽署請求:

kubectl apply -f akshay-csr.yaml

檢查簽署請求:

kubectl get csr

輸出:

NAME        AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
akshay      3m12s   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Pending

簽署:

kubectl certificate approve akshay

如果要拒絕則使用以下指令:

kubectl certificate deny <CSR名稱>
kubectl delete csr <CSR名稱>

4.導出簽署好的 Certification

kubectl get csr akshay -o yaml > akshay-crt.yaml

檔案如下:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"akshay"},"spec":{"groups":["system:authenticated"],"request":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZV3R6YUdGNU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQXR0MVBjL3NPYnczaUVNTUhRaWYzOG1xTjhwZTRJSTEyaUlCRWxQZXM5SzFrCkdjZGtOd3A3Vit5TnhSRklTRHhhY2JNbGdnQXVrSUNsbmxEQTVvNzNKMWJENlZXTTg0WDJ0bmlXaHp3dVNmNGoKQlFWYVRFRlNPSy81WnIxemlHMElKY3dwKzZ1OHpCS3NsVkpqNHl0NW1mb0dQcXBGaFEyN2UrT1JFV2FGM0J0UwpOSEZRL0hsNU1YOENkeWVRVnU3WWVMWGQ4cTVQRnFPajRRY0lIZ0RRd2crbHpkYTk3NStjS2dtTWpUeVVrSDFjCnp5elBNUVgyNzFqUVE1RlhxNXpqZERpeDA0RGplRnpVMjR0ZDNjWEFXOWNWTDhkalBTOTFJMVQyaWl0V3RWNlgKUXVoZUtybFVnRnRUbUtOTmd5NWhmTmE4MU8vVzVLeEFleFdjTlBndEdRSURBUUFCb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBRDgvQ29UY0MrU1FhOG1TSmJ1ZlZsYXl3akRmNkMvVTZ4RkxiM0V6bDBnNzZBUEpWaytlCnpCb29ONys1ZCtNYmZ6SGk5YS8ycktuL2lGRGpGN0Q4Z0R0NFRWNlF5Z0NhbjcrTWN5MVNML1VxWFpZOFRHQUwKeVNZbVdqUzhFTmU3WHU5Skk0NU5RdkZiSXVLZ3RXZmJuaGF2c0c5bXZEQTlXUzh6SjR2dlpvY0lsNWh1YkJscApmTm5VZWJySERDS2pZNDZLOCtWOTVlT2dvSGxyOXE0V09yNW9IRFhhWWg1S1JXS0txbDBBeTdMZFp5bFYxQit5Cjl1RjdvRkU4aDV0cXV3L0JNSk05Z1ZRbk5TSkQ1TDB4Z3M1blVtQU1QSUlKQmE3dytpRTVPbnpiZ3FiZFlPMzUKTzRrQUs3MmVUYlQxYkRWNi9TTDduemVqdkcvTEQwYU50a289Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}}      
  creationTimestamp: "2024-02-06T08:00:33Z"
  name: akshay
  resourceVersion: "1660"
  uid: c26911df-e6da-43b8-a4b4-ef63bdf80289
spec:
  groups:
  - system:masters
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZV3R6YUdGNU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQXR0MVBjL3NPYnczaUVNTUhRaWYzOG1xTjhwZTRJSTEyaUlCRWxQZXM5SzFrCkdjZGtOd3A3Vit5TnhSRklTRHhhY2JNbGdnQXVrSUNsbmxEQTVvNzNKMWJENlZXTTg0WDJ0bmlXaHp3dVNmNGoKQlFWYVRFRlNPSy81WnIxemlHMElKY3dwKzZ1OHpCS3NsVkpqNHl0NW1mb0dQcXBGaFEyN2UrT1JFV2FGM0J0UwpOSEZRL0hsNU1YOENkeWVRVnU3WWVMWGQ4cTVQRnFPajRRY0lIZ0RRd2crbHpkYTk3NStjS2dtTWpUeVVrSDFjCnp5elBNUVgyNzFqUVE1RlhxNXpqZERpeDA0RGplRnpVMjR0ZDNjWEFXOWNWTDhkalBTOTFJMVQyaWl0V3RWNlgKUXVoZUtybFVnRnRUbUtOTmd5NWhmTmE4MU8vVzVLeEFleFdjTlBndEdRSURBUUFCb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBRDgvQ29UY0MrU1FhOG1TSmJ1ZlZsYXl3akRmNkMvVTZ4RkxiM0V6bDBnNzZBUEpWaytlCnpCb29ONys1ZCtNYmZ6SGk5YS8ycktuL2lGRGpGN0Q4Z0R0NFRWNlF5Z0NhbjcrTWN5MVNML1VxWFpZOFRHQUwKeVNZbVdqUzhFTmU3WHU5Skk0NU5RdkZiSXVLZ3RXZmJuaGF2c0c5bXZEQTlXUzh6SjR2dlpvY0lsNWh1YkJscApmTm5VZWJySERDS2pZNDZLOCtWOTVlT2dvSGxyOXE0V09yNW9IRFhhWWg1S1JXS0txbDBBeTdMZFp5bFYxQit5Cjl1RjdvRkU4aDV0cXV3L0JNSk05Z1ZRbk5TSkQ1TDB4Z3M1blVtQU1QSUlKQmE3dytpRTVPbnpiZ3FiZFlPMzUKTzRrQUs3MmVUYlQxYkRWNi9TTDduemVqdkcvTEQwYU50a289Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
  username: kubernetes-admin
status:
  certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5ekNDQWQrZ0F3SUJBZ0lSQUtHUHF5aCtQL1lqbmtESTEvR1hzZjB3RFFZSktvWklodmNOQVFFTEJRQXcKRlRFVE1CRUdBMVVFQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TkRBeU1EWXdPREF4TWpCYUZ3MHlOVEF5TURVdwpPREF4TWpCYU1CRXhEekFOQmdOVkJBTVRCbUZyYzJoaGVUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQCkFEQ0NBUW9DZ2dFQkFMYmRUM1A3RG04TjRoRERCMEluOS9KcWpmS1h1Q0NOZG9pQVJKVDNyUFN0WkJuSFpEY0sKZTFmc2pjVVJTRWc4V25HekpZSUFMcENBcFo1UXdPYU85eWRXdytsVmpQT0Y5clo0bG9jOExrbitJd1VGV2t4QgpVaml2K1dhOWM0aHRDQ1hNS2Z1cnZNd1NySlZTWStNcmVabjZCajZxUllVTnUzdmprUkZtaGR3YlVqUnhVUHg1CmVURi9BbmNua0ZidTJIaTEzZkt1VHhham8rRUhDQjRBME1JUHBjM1d2ZStmbkNvSmpJMDhsSkI5WE04c3p6RUYKOXU5WTBFT1JWNnVjNDNRNHNkT0E0M2hjMU51TFhkM0Z3RnZYRlMvSFl6MHZkU05VOW9vclZyVmVsMExvWGlxNQpWSUJiVTVpalRZTXVZWHpXdk5UdjF1U3NRSHNWbkRUNExSa0NBd0VBQWFOR01FUXdFd1lEVlIwbEJBd3dDZ1lJCkt3WUJCUVVIQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JRcTUrRUV3ZHFOOEhYd0RZVUMKUmpmWmk0VzZuekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBU1NJNFFacllqU3c2aG0ybVZPSXp6NG1yako2OAplZ01qdjBJSVpPTmU5RzNtZlQwRWlzazVrZGVRcGhSMDl6cmFKamZPSkgrT1RTOWlHaWRnZ1gyTjNLanYycXFhCjhDNnJYWUEyVVVJRk9jZHEydmNWNTJGOEV6Z3RqUFdwU2J0bnNLc05WMzFGVUVPNzY3dThpRmdISGJCVHlHdDYKZ1poaHU0T3psTCt4Z3M4NXE0L0Zra0o2UXVoVExtRnk1S1hTUnNZSW9TeWlpN0R4NnpiMjR4OC9vVTdGdGRXMQpNMTZyYTFiYzI3RjRRaXhSbmtuc256c2EzbVRaNHE3RjRRMDhYN0VRelJLSkxZNlhUSnNvVW95L0RSWnNyakszCnF3c3F1WVlSNUNyaVpaSjZFM2ZaNlJGQ3NnREtVVEpqdlJmRHpHSTlnZE5kR1RNand4azR6bitzVHc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  conditions:
  - lastTransitionTime: "2024-02-06T08:06:20Z"
    lastUpdateTime: "2024-02-06T08:06:20Z"
    message: This CSR was approved by kubectl certificate approve.
    reason: KubectlApprove
    status: "True"
    type: Approved

用以下指令把其中 certificate 這段 Base64 decode 導出成 akshay.crt:

 kubectl get csr akshay -o jsonpath='{.status.certificate}'| base64 -d > akshay.crt

把 akshay.crt 寄回去給 Akshay 即可。