CloudYuga presented at the Kubernetes meetup in Bangalore on 22nd Dec'18. In this session we covered how to set up a Kubernetes cluster from scratch on DigitalOcean. The full tutorial can be accessed at https://pilot.cloudyuga.guru/ .
2. Neependra Khare
● Founder and Principal Consultant at CloudYuga
● Certified Kubernetes Administrator
● Author of Docker Cookbook - 2015
● Author of the “Introduction to Kubernetes” course on edX
● Running the Docker Meetup Group in Bangalore, India for more than 5 years now
4. Tutorial Content and Tool Details
● Tutorial Content
○ https://github.com/cloudyuga/k8s-hard-way
● CloudYuga’s tool to access the above content in an easier way
○ Sign up : https://pilot.cloudyuga.guru/
5. Security Certificates
A security certificate is a data file through which the identity, authenticity and reliability of communicating parties are established.
https://blog.cloudflare.com/content/images/2015/06/anatomy-of-a-certificate.png
8. Server and Client Certificate
Server Certificate
➢ Server certificates are used to authenticate the server identity to the client(s).
➢ Server certificates are based on Public Key Infrastructure.
➢ Example: API Server Certificate.
Client Certificates
➢ Client certificates are used to authenticate the client (user) identity to the server.
➢ Client certificates are based on Public Key Infrastructure.
➢ Example: Admin User Certificate.
https://cheapsslsecurity.com/blog/client-certificate-vs-server-certificate-simplifying-the-difference/
10. PKI In K8s
➢ Kubernetes requires PKI certificates for authentication over TLS.
➢ The CA is used by cluster components to validate the API server’s certificate and by the API server to validate kubelet client certificates.
➢ The CA is used to generate the different certificates that you’ll distribute to the components of the Kubernetes infrastructure.
11. Kubernetes Server and Client Certificate list
Client Certificates. [Private key and certificates signed by CA]
➢ The Admin Client Certificate
➢ The Kubelet Client Certificates (For each worker node)
➢ The Controller Manager Client Certificate
➢ The Kube Proxy Client Certificate
➢ The Scheduler Client Certificate
Server Certificates. [Private key and certificates signed by CA]
➢ The Kubernetes API Server Certificate
For this certificate, the static IP address is included in the list of subject alternative names (SANs) of the Kubernetes API Server certificate, together with the masters’ private and public IPs, 127.0.0.1 and kubernetes.default. This certificate is used to authenticate the server identity to the client. The signing options used for it, where the -hostname list becomes the SAN list:
-hostname=10.32.0.1,${MASTER_1_PRIVATE_IP},${MASTER_2_PRIVATE_IP},${MASTER_1_PUBLIC_IP},${MASTER_2_PUBLIC_IP},${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,kubernetes.default
-profile=kubernetes
12. $ openssl x509 -in kube-controller-manager.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            52:f3:73:9b:fd:13:14:50:f8:36:9e:1f:36:4c:17:fa:b7:3a:fe:18
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IN, ST=Karnataka, L=Bangalore, O=Kubernetes, OU=CA, CN=Kubernetes
        Validity: ………
        Subject: C=IN, ST=Karnataka, L=Bangalore, O=system:kube-controller-manager, OU=Kubernetes The Hard Way, CN=system:kube-controller-manager
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                96:78:B4:5A:8C:AD:F6:9D:95:D5:86:35:F2:19:9E:79:62:C7:BD:63
            X509v3 Authority Key Identifier:
                keyid:1E:40:B9:6B:A7:49:E1:CD:B7:3C:AC:52:62:84:2B:95:8F:1B:CE:4D
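Slides 10 to 12 describe the cluster CA, the API server certificate with its SAN list and the way a client certificate carries an identity (CN as user, O as group). The following is an added example of mine, not code from the slides or the k8s-hard-way repository: it builds the same structure with openssl rather than cfssl and adds the checks a practitioner runs before copying the files to the nodes. The master IPs 10.0.0.11 and 10.0.0.12, the file names and the work directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not code from the slides or the k8s-hard-way repository):
# a miniature version of the cluster PKI from slides 10-12 built with openssl
# instead of cfssl, followed by the checks worth running before the files are
# distributed. Assumptions: openssl is on PATH; the master IPs 10.0.0.11 and
# 10.0.0.12 and the work directory are constructed for this example.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Cluster root CA with the subject seen in the Issuer line on slide 12.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=IN/ST=Karnataka/L=Bangalore/O=Kubernetes/OU=CA/CN=Kubernetes" \
    -keyout ca-key.pem -out ca.pem >/dev/null 2>&1
}

# Leaf certificate signed by that CA.
#   $1 = file base name   $2 = subject   $3 = extendedKeyUsage
#   $4 = optional subjectAltName list (server certificates only)
issue_cert() {
  name=$1; subject=$2; eku=$3; san=${4:-}
  openssl req -newkey rsa:2048 -nodes -subj "$subject" \
    -keyout "$name-key.pem" -out "$name.csr" >/dev/null 2>&1
  {
    echo "basicConstraints=critical,CA:FALSE"
    echo "keyUsage=critical,digitalSignature,keyEncipherment"
    echo "extendedKeyUsage=$eku"
    if [ -n "$san" ]; then echo "subjectAltName=$san"; fi
  } > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -days 365 -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
}

# Checks: does the CA vouch for the certificate, which identity does the API
# server read from it, and does a server certificate carry the expected SAN?
verify_chain() {                 # prints OK or FAIL
  openssl verify -CAfile ca.pem "$1.pem" >/dev/null 2>&1 && echo OK || echo FAIL
}
cert_subject_cn() {              # CN = user name as seen by the API server
  openssl x509 -in "$1.pem" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *CN=\([^,]*\).*/\1/'
}
cert_has_san() {                 # prints yes if $2 is in the SAN list of $1.pem
  openssl x509 -in "$1.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "$2" && echo yes || echo no
}
show_cert() {                    # the inspection command from slide 12
  openssl x509 -in "$1.pem" -text -noout
}

make_ca
# API server: server certificate; the SAN list carries the service IP, the
# (constructed) master IPs, loopback and the in-cluster DNS name, as on slide 11.
issue_cert kubernetes \
  "/C=IN/ST=Karnataka/L=Bangalore/O=Kubernetes/OU=Kubernetes The Hard Way/CN=kubernetes" \
  "serverAuth,clientAuth" \
  "IP:10.32.0.1,IP:127.0.0.1,IP:10.0.0.11,IP:10.0.0.12,DNS:kubernetes.default"
# Controller manager: client certificate; CN is the user, O the group.
issue_cert kube-controller-manager \
  "/C=IN/ST=Karnataka/L=Bangalore/O=system:kube-controller-manager/OU=Kubernetes The Hard Way/CN=system:kube-controller-manager" \
  "clientAuth"

show_cert kube-controller-manager
echo "chain: $(verify_chain kubernetes) / $(verify_chain kube-controller-manager)"
echo "controller-manager identity: $(cert_subject_cn kube-controller-manager)"
```

Running it prints the controller-manager certificate in the same form as slide 12. The three check functions answer what the cluster will effectively rely on: the CA must vouch for each certificate, the CN (and O) of a client certificate is the user (and group) the API server authorizes, and a client only accepts a server certificate for names that appear in its SAN list, which is why the API server's SAN list on slide 11 has to contain every address it is reached by.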
15. Kubernetes One or Many CA’s
➢ Every Kubernetes cluster has a cluster root Certificate Authority (CA).
➢ This CA is used by cluster components to validate each other.
➢ This root CA can then create multiple intermediate CAs and delegate all further certificate creation to Kubernetes itself.
16. The kubelet Kubernetes Configuration File
When generating kubeconfig files for Kubelets, the client certificate matching the Kubelet node name must be used. This ensures Kubelets are properly authorized by the Kubernetes Node Authorizer.
[Diagram: Kubelet on Worker Node-1 and Kubelet on Worker Node-2, each talking to the API Server]
17. The kube-proxy Kubernetes Configuration File
➢ The kube-proxy Kubernetes configuration file enables kube-proxy to locate and authenticate to the Kubernetes API Servers.
➢ This configuration file is referenced by the kube-proxy service so it can talk to the API servers.
[Diagram: Kube-Proxy on Worker Node-1 and Worker Node-2, each talking to the API Server]
18. The kube-controller-manager Kubeconfig File
➢ This Kubernetes configuration file enables kube-controller-manager to locate and authenticate to the Kubernetes API Servers.
➢ The kube-controller-manager kubeconfig file must be added to the kube-controller-manager service.
[Diagram: Kube-Controllers talking to the API Servers]
19. The kube-scheduler Kubeconfig File
➢ The kube-scheduler kubeconfig file allows kube-scheduler to locate and authenticate to the Kubernetes API Servers.
➢ It must be added to the manifest in kube-scheduler.yaml.
[Diagram: Kube-Scheduler talking to the API Servers]
20. The Service Account Key Pair
The Kubernetes Controller Manager leverages a key pair to generate and sign service account tokens, as described in the managing service accounts documentation.
21. The admin user Kubernetes Configuration File
➢ This kubeconfig file allows the admin user to locate and authenticate to the Kubernetes API Servers.
➢ It configures the administrator user for the cluster.
[Diagram: Admin user running kubectl, reaching the API Servers on the Master Nodes through a Load Balancer]
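The kubelet slide (16) and this admin-user slide both come down to the same artefact: a kubeconfig that embeds the CA and a client certificate whose subject is the identity the API server will see. The following is an added example of mine, not code from the slides or the tutorial, serving both slides: it writes the same kind of file that `kubectl config set-cluster` / `set-credentials` / `set-context --embed-certs=true` produce, in plain shell so it runs without kubectl, and checks the naming rule behind the Node Authorizer remark on slide 16: a kubelet's client certificate must have CN=system:node:<nodeName> and O=system:nodes. The certificates are self-signed stand-ins generated here only so that their subjects can be read (the tutorial signs them with the cluster CA); the cluster address 10.0.0.10, the node name worker-1 and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides or the k8s-hard-way repository.
# Writes a kubeconfig equivalent to `kubectl config set-cluster/set-credentials/
# set-context --embed-certs=true` with plain shell, and checks the identity rule
# the Node Authorizer enforces: CN=system:node:<nodeName>, O=system:nodes.
# Assumptions: openssl and base64 on PATH; the self-signed stand-in certificates,
# the cluster address and the node name are constructed for this example.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Constructed stand-in certificates: only their subjects matter below.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Kubernetes/CN=Kubernetes" \
  -keyout ca-key.pem -out ca.pem >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=system:nodes/CN=system:node:worker-1" \
  -keyout worker-1-key.pem -out worker-1.pem >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=system:masters/CN=admin" \
  -keyout admin-key.pem -out admin.pem >/dev/null 2>&1

# One attribute of a certificate's subject: $1 = PEM file, $2 = CN or O.
subject_field() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | tr ',' '\n' | sed -n "s/^\(subject= *\)\{0,1\}$2=//p" | head -n1
}

# Node Authorizer rule: the kubelet must present user system:node:<name>
# in group system:nodes, with <name> equal to its own node name.
kubelet_identity_ok() {          # $1 = cert file, $2 = node name; prints yes/no
  [ "$(subject_field "$1" CN)" = "system:node:$2" ] && \
  [ "$(subject_field "$1" O)" = "system:nodes" ] && echo yes || echo no
}

# Minimal kubeconfig with the CA, client certificate and key embedded as base64.
#   $1 = user name   $2 = client cert   $3 = client key   $4 = output file
write_kubeconfig() {
  cat > "$4" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes-the-hard-way
  cluster:
    server: https://10.0.0.10:6443
    certificate-authority-data: $(base64 < ca.pem | tr -d '\n')
users:
- name: $1
  user:
    client-certificate-data: $(base64 < "$2" | tr -d '\n')
    client-key-data: $(base64 < "$3" | tr -d '\n')
contexts:
- name: default
  context:
    cluster: kubernetes-the-hard-way
    user: $1
current-context: default
EOF
}

# Read fields back out of a generated kubeconfig.
kubeconfig_user() {              # user named in the context
  sed -n 's/^    user: //p' "$1"
}
kubeconfig_client_cn() {         # CN of the embedded client certificate
  sed -n 's/^    client-certificate-data: //p' "$1" | base64 -d \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *CN=\([^,]*\).*/\1/'
}

write_kubeconfig system:node:worker-1 worker-1.pem worker-1-key.pem worker-1.kubeconfig
write_kubeconfig admin admin.pem admin-key.pem admin.kubeconfig
echo "worker-1 cert usable by kubelet worker-1: $(kubelet_identity_ok worker-1.pem worker-1)"
echo "worker-1 cert usable by kubelet worker-2: $(kubelet_identity_ok worker-1.pem worker-2)"
echo "admin kubeconfig identity: $(kubeconfig_client_cn admin.kubeconfig)"
```

The second check is the one that matters operationally: a certificate issued for worker-1 gives a kubelet on worker-2 nothing, because the Node Authorizer compares the node name in the CN with the node the request concerns, which is why each worker needs its own client certificate and kubeconfig rather than a shared one.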