Creating a Certificate Authority and TLS Certificates for Kubernetes

1 hour
  • 4 Learning Objectives

About this Hands-on Lab

The various components of Kubernetes require certificates in order to authenticate with one another. Provisioning a certificate authority and using it to generate those certificates is a necessary step in bootstrapping a Kubernetes cluster from scratch. This activity will guide you through the process of provisioning a certificate authority and generating the certificates Kubernetes needs.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Provision the certificate authority (CA).

You can provision the certificate authority like so. Note that the `kubernetes` profile defined in ca-config.json is the one every certificate below is issued under, so each of them is valid for both server authentication and client authentication for one year (8760h):

{

cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF

cat > ca-csr.json << EOF
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "CA",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

}
Generate the necessary Kubernetes client certs, as well as kubelet client certs for two worker nodes.

Use these commands to generate the client certs.

Admin client cert:

{

cat > admin-csr.json << EOF
{
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "system:masters",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin

}

Kubelet client certs:

{
cat > worker0.mylabserver.com-csr.json << EOF
{
  "CN": "system:node:worker0.mylabserver.com",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "system:nodes",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=172.34.1.0,worker0.mylabserver.com \
  -profile=kubernetes \
  worker0.mylabserver.com-csr.json | cfssljson -bare worker0.mylabserver.com

cat > worker1.mylabserver.com-csr.json << EOF
{
  "CN": "system:node:worker1.mylabserver.com",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "system:nodes",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=172.34.1.1,worker1.mylabserver.com \
  -profile=kubernetes \
  worker1.mylabserver.com-csr.json | cfssljson -bare worker1.mylabserver.com

}

Kube Controller Manager client cert:

{

cat > kube-controller-manager-csr.json << EOF
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "system:kube-controller-manager",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager

}

Kube Proxy client cert:

{

cat > kube-proxy-csr.json << EOF
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "system:node-proxier",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy

}

Kube Scheduler client cert:

{

cat > kube-scheduler-csr.json << EOF
{
  "CN": "system:kube-scheduler",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "system:kube-scheduler",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-scheduler-csr.json | cfssljson -bare kube-scheduler

}
Generate the Kubernetes API server certificate.

You can generate the Kubernetes API server certificate like so. The -hostname list becomes the certificate's subject alternative names, so it must contain every hostname and IP address a client may use to reach the API server: both controllers, the load balancer, the cluster service IP (10.32.0.1), and the local/in-cluster names:

{

cat > kubernetes-csr.json << EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=10.32.0.1,172.34.0.0,controller0.mylabserver.com,172.34.0.1,controller1.mylabserver.com,172.34.2.0,kubernetes.mylabserver.com,127.0.0.1,localhost,kubernetes.default \
  -profile=kubernetes \
  kubernetes-csr.json | cfssljson -bare kubernetes

}
Generate a Kubernetes service account key pair.

To generate the service account key pair, do the following. This key pair is not used for TLS: the controller manager signs service account tokens with the private key and the API server verifies them with the public key.

{

cat > service-account-csr.json << EOF
{
  "CN": "service-accounts",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "Kubernetes The Hard Way",
      "ST": "Oregon"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  service-account-csr.json | cfssljson -bare service-account

}
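Before copying these files to the nodes, it is worth confirming that each certificate says what you think it says. Kubernetes derives identity from the client certificate's Subject: the CN becomes the username and each O becomes a group, so a kubelet cert whose O is not system:nodes will be rejected by the Node authorizer, and any cert with O=system:masters is cluster-admin regardless of its CN. The helper below is an added example (it is not part of this lab, and not cfssl's code); it assumes openssl is on PATH and that the lab's output files are in the current directory. check_cert verifies the chain against ca.pem for a given purpose, then checks the CN, the group and the SANs; check_lab_certs encodes the expectations for every file generated above. make_demo_certs and issue_cert are an openssl stand-in for the cfssl steps, included only so the checks can be exercised where cfssl is not installed.

```sh
#!/bin/sh
# Added verification helper for the certs this lab produces (example code, not part
# of the lab or of cfssl). Kubernetes maps Subject CN -> username and Subject O ->
# group, so these checks confirm that each file carries the intended CN, O and SANs
# and chains to ca.pem. Assumes: openssl on PATH, lab file names in the current dir.

# check_cert PURPOSE FILE EXPECTED_CN EXPECTED_O [SAN ...]
#   PURPOSE  sslclient or sslserver (openssl verify -purpose also enforces the EKU)
#   SAN      DNS:<name> or IP:<address>, as given to cfssl -hostname
check_cert() {
  purpose=$1 file=$2 want_cn=$3 want_o=$4
  shift 4
  # 1. chain: signed by ca.pem, within its validity period, and usable for PURPOSE
  openssl verify -CAfile ca.pem -purpose "$purpose" "$file" >/dev/null 2>&1 || {
    echo "FAIL $file: does not verify against ca.pem for $purpose" >&2; return 1; }
  # 2. subject: one RDN per line, e.g. "CN=admin" / "O=system:masters"
  rdns=$(openssl x509 -in "$file" -noout -subject -nameopt RFC2253 \
           | sed 's/^subject= *//' | tr ',' '\n')
  cn=$(printf '%s\n' "$rdns" | sed -n 's/^CN=//p')
  [ "$cn" = "$want_cn" ] || {
    echo "FAIL $file: CN is '$cn', want '$want_cn'" >&2; return 1; }
  printf '%s\n' "$rdns" | grep -qxF "O=$want_o" || {
    echo "FAIL $file: group '$want_o' missing; groups present:" \
         "$(printf '%s\n' "$rdns" | sed -n 's/^O=//p' | tr '\n' ' ')" >&2; return 1; }
  # 3. SANs: every name or address a client will dial must be present
  text=$(openssl x509 -in "$file" -noout -text)
  for san in "$@"; do
    case $san in IP:*) san="IP Address:${san#IP:}" ;; esac
    printf '%s\n' "$text" | grep -qF -- "$san" || {
      echo "FAIL $file: SAN $san missing" >&2; return 1; }
  done
  echo "ok   $file: CN=$cn O=$want_o"
}

# check_lab_certs: the expectations for every file generated in this lab
check_lab_certs() {
  check_cert sslclient admin.pem admin system:masters &&
  check_cert sslclient worker0.mylabserver.com.pem system:node:worker0.mylabserver.com \
      system:nodes DNS:worker0.mylabserver.com IP:172.34.1.0 &&
  check_cert sslclient worker1.mylabserver.com.pem system:node:worker1.mylabserver.com \
      system:nodes DNS:worker1.mylabserver.com IP:172.34.1.1 &&
  check_cert sslclient kube-controller-manager.pem system:kube-controller-manager \
      system:kube-controller-manager &&
  check_cert sslclient kube-proxy.pem system:kube-proxy system:node-proxier &&
  check_cert sslclient kube-scheduler.pem system:kube-scheduler system:kube-scheduler &&
  check_cert sslserver kubernetes.pem kubernetes Kubernetes \
      DNS:kubernetes.mylabserver.com DNS:controller0.mylabserver.com \
      DNS:controller1.mylabserver.com DNS:kubernetes.default DNS:localhost \
      IP:10.32.0.1 IP:172.34.0.0 IP:172.34.0.1 IP:172.34.2.0 IP:127.0.0.1
}

# make_demo_certs: stand-in for the cfssl steps (openssl instead of cfssl) so the
# checks can be exercised where cfssl is not installed. Produces ca.pem and one
# kubelet cert with the lab's identities and the same usages as the "kubernetes" profile.
make_demo_certs() {
  openssl req -new -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.csr \
    -subj "/C=US/ST=Oregon/L=Portland/O=Kubernetes/OU=CA/CN=Kubernetes" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca-ext.cnf
  openssl x509 -req -in ca.csr -signkey ca-key.pem -days 365 -extfile ca-ext.cnf \
    -out ca.pem >/dev/null 2>&1
  issue_cert worker0.mylabserver.com system:node:worker0.mylabserver.com system:nodes \
    DNS:worker0.mylabserver.com,IP:172.34.1.0
}

# issue_cert NAME CN O [SAN_LIST]: openssl equivalent of
#   cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
#     -profile=kubernetes [-hostname=SAN_LIST] NAME-csr.json | cfssljson -bare NAME
issue_cert() {
  name=$1 cn=$2 o=$3 sans=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name-key.pem" -out "$name.csr" \
    -subj "/C=US/ST=Oregon/L=Portland/O=$o/OU=Kubernetes The Hard Way/CN=$cn" >/dev/null 2>&1
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' \
    >"$name-ext.cnf"
  [ -z "$sans" ] || printf 'subjectAltName=%s\n' "$sans" >>"$name-ext.cnf"
  openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial -days 365 \
    -extfile "$name-ext.cnf" -out "$name.pem" >/dev/null 2>&1
}

# Run directly in the directory holding the lab's output:
[ -f admin.pem ] && check_lab_certs
```

Two caveats the checks make visible. First, check_lab_certs only knows the names this lab's -hostname list contains; if clients in your cluster dial a name that is not in it (for example the in-cluster DNS name kubernetes.default.svc.cluster.local), add it to -hostname and regenerate kubernetes.pem, because the SAN check is exactly what those clients will perform. Second, because every certificate here is issued under the same profile, each client cert also passes the sslserver purpose check; that is how the lab is configured, not a bug in the checks, but it means ca-key.pem is the only thing standing between any of these key pairs and an impersonated API server, so keep it off the nodes and out of version control.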

Additional Resources

Your team is working on setting up a Kubernetes cluster with two controllers and two worker nodes. To enable all the components of Kubernetes to securely authenticate with each other, your team needs to provision a certificate authority and generate several certificates using that authority. Your task is to create the certificate authority and the necessary certificates.

You will need to log into the learning activity server using the Workspace Public IP. This server already has cfssl installed, so there is no need to install it.

In order to accomplish this, you need to:

  • Provision the certificate authority (CA)
  • Generate the necessary Kubernetes client certs, as well as kubelet client certs for two worker nodes.
  • Generate the Kubernetes API server certificate.
  • Generate a Kubernetes service account key pair.


Here is the cluster architecture for which you will need to generate certificates. Note that these are not real servers, just values that we will use for the purposes of this activity.

Controllers:

  • Hostname: controller0.mylabserver.com, IP: 172.34.0.0
  • Hostname: controller1.mylabserver.com, IP: 172.34.0.1

Workers:

  • Hostname: worker0.mylabserver.com, IP: 172.34.1.0
  • Hostname: worker1.mylabserver.com, IP: 172.34.1.1

Kubernetes API Load Balancer:

  • Hostname: kubernetes.mylabserver.com, IP: 172.34.2.0
