Today I’m going to cover concepts aligned with CKA in terms of security.
Certificate Signing Requests have to be approved by the kubernetes administrator to be allowed
For this tutorial I’m going to be running AKS in Azure you can run K8s in you’re preferred platform such as GCP, AWS or DigitalOcean.
kubectl get pods -A
I’m running this command to understand my environment of the cluster this grabs the pods in the entire cluster.
So what does all this mean? The namespace is the environment reference you can use these to isolate your workloads as you start up kubernetes the kube-system namespace will house most of you resources that are needed to be actively running. We have the Kube-Proxy / CoreDNS / CSI / Metrics Server (this doesn’t typically come with cluster if you’re bootstrapping) and a few others out of the box.
So let’s explore the existing certificate signing requests
kubectl get csr
What if we need more info from those specifically?
kubectl get csr csr-72s5j -o yaml
The output of this will be in a more readable format for us to understand the CSR
So now we can see the yaml format along with creation and some more information such as system:authenticated, system:bootstrappers.
Let’s start with a few commands to create a private key in our shell
openssl genrsa -out ck-devops.key 2048
openssl req -new -key ck-devops.key -out ck-devops.csr
After you answer the set of questions that are going to be a part of your Certificate Signing Request we will then run the command “ls” and then use the following to get the information to add to our YAML request.
cat csr-devops.csr
This is sensitive (don’t show this or share) you’ll need to place this in a safe place this will be used for our next part.
vim csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: ck-devops
spec:
request: LS0tLS1CRUdJTiBDRVJUSU.......(see reference)
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 86400
usages:
- client auth
Make sure you save this with :wq! then we will apply to our cluster in the following command.
As we can see after the apply we are now in a pending state (as we are on the control plane we will approve this in the next command)
kubectl certificate approve ck-devops
Let’s run the command to get our users and see our update
kubectl get csr
We can see our ck-devops change from pending to Approved, Issued we can get more information once we run the following command.
kubectl get csr ck-devops -o yaml
This output shows us the yaml request along with the annotations of the request we sent in from our YAML configuration.
What’s next? Creating a role and rolebinding…. we will cover this in a separate post, this was just a quick overview of using YAML and getting more comfortable with CLI of Kubectl.
Ensure you delete your resources if they are hosted in the cloud so your not spending your money on the usage bill $$$.