Kubernetes: Generate Certificates for Normal Users Using Certificates API
Certificates API automates generating, signing, and managing certificates for Kubernetes components, making it easier for admins to manage user CSRs. The process of creating client certificates for normal users involves generating a private key, creating a CSR, sending it to the admin, creating a CertificateSigningRequest object in Kubernetes, approving or rejecting the CSR, and providing the signed certificate to the user. Once the user receives the certificate, they can use it to authenticate to the cluster using client certificate authentication via curl or kubectl commands.
Table of Contents
· Certificates API
· Create Client Certificates for Normal Users
∘ 1. User generates a private key
∘ 2. User generates a Certificate Signing Request (CSR)
∘ 3. User sends the CSR to the Admin
∘ 4. Admin creates a CertificateSigningRequest object
∘ 5. Admin approves or rejects the CSR
∘ 6. Admin provides the signed certificate to the User
In Kubernetes, it is not possible to add a normal user via an API call.
However, a user can be authenticated if they present a valid certificate that is signed by the cluster’s certificate authority. The username is determined by Kubernetes based on the common name field in the “subject” of the certificate.
Certificates API
Certificates API is a built-in feature in Kubernetes that enables administrators to automate the process of generating, signing, and managing certificates for various Kubernetes components. It provides an efficient way for administrators to manage user Certificate Signing Requests (CSRs) by allowing them to create, approve, and sign CSRs using Kubernetes API objects. This helps to simplify the process of managing certificates, especially when working with a large number of users or clusters.
Create Client Certificates for Normal Users
1. User generates a private key
A user generates a private key using a tool like OpenSSL. A private key is a cryptographic key that is used to sign and decrypt data.
$ openssl genrsa -out user.key 2048
This command generates a new private key named “user.key” with a length of 2048 bits.
2. User generates a Certificate Signing Request (CSR)
The user generates a Certificate Signing Request (CSR) using the private key generated in the previous step.
$ openssl req -new -key user.key -out user.csr -subj "/CN=username"
The -subj flag specifies the subject of the CSR, which should contain at least the Common Name (CN) of the user.
3. User sends the CSR to the Admin
The user sends the CSR to the administrator who will be responsible for approving the request and signing the certificate.
4. Admin creates a CertificateSigningRequest object
The administrator creates a CertificateSigningRequest object in Kubernetes using a YAML manifest file that includes the details of the user’s CSR.
Generate base64-encoded CSR:
$ cat user.csr | base64 | tr -d "\n"
user-crt.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: user-csr
spec:
  request: <base64-encoded-csr>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
The request field should be set to the base64-encoded CSR generated by the user. The signerName field should be set to the name of the signer that will issue the certificate; for client certificates of normal users this is kubernetes.io/kube-apiserver-client, the built-in signer whose certificates the API server honors as client certificates. The usages field should be set to the list of intended usages for the certificate, which in this case includes digital signature, key encipherment, and client authentication.
Create the CertificateSigningRequest object:
$ kubectl create -f user-crt.yaml
5. Admin approves or rejects the CSR
Get the list of CSRs:
$ kubectl get csr
Approve the CSR:
$ kubectl certificate approve user-csr
This command marks the CSR as approved; the signer named in the request then issues the certificate and stores it in the status of the CertificateSigningRequest object.
Deny the CSR:
$ kubectl certificate deny user-csr
6. Admin provides the signed certificate to the User
Extract the signed certificate:
$ kubectl get csr user-csr -o jsonpath='{.status.certificate}' | base64 -d > user.crt
The administrator provides the signed certificate to the user. With the signed certificate in hand, the user can now use it to authenticate to the Kubernetes cluster using client certificate authentication.
$ curl https://your-api-server.com/api/v1/namespaces/default/pods \
    --cacert ca.crt \
    --cert user.crt \
    --key user.key

$ kubectl get pods \
    --server=https://your-api-server.com \
    --certificate-authority=ca.crt \
    --client-certificate=user.crt \
    --client-key=user.key
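The six steps above, scripted end to end as an added example (this is not code from the original post): openssl produces the key and CSR, the manifest is built with the kubernetes.io/kube-apiserver-client signer, kubectl submits, approves and extracts the certificate, and a check confirms that what came back really carries the requested CN and a client-auth extended key usage before it is handed to the user. Two points the page's steps do not spell out: the /O= component of the subject becomes the user's group membership in Kubernetes, so it deserves the same scrutiny as the CN at approval time, and the optional expirationSeconds field lets the admin request a bounded lifetime. The user name jane, the group developers, the API_SERVER variable and the RUN_K8S_CSR_DEMO switch are assumptions; the kubectl functions need an admin kubeconfig, while everything else runs offline. The mock_sign function is a throwaway local CA that stands in for the cluster signer only so the verification check can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not from the original post. Steps 1-6 of the normal-user
# client certificate workflow with openssl + kubectl. Assumptions: user "jane",
# group "developers", API_SERVER and RUN_K8S_CSR_DEMO environment variables.
set -eu

SIGNER="kubernetes.io/kube-apiserver-client"   # built-in signer for user client certs

# Steps 1 + 2: private key and CSR. CN becomes the username, O the group(s).
gen_key_and_csr() {            # gen_key_and_csr <user> <group> <dir>
  openssl genrsa -out "$3/$1.key" 2048 2>/dev/null
  openssl req -new -key "$3/$1.key" -subj "/CN=$1/O=$2" -out "$3/$1.csr"
}

# Confirm a PEM (CSR or certificate) names the expected user before it is
# approved or handed over. Matches both "CN = x" and "/CN=x" subject formats.
subject_has_cn() {             # subject_has_cn <req|x509> <pemfile> <user>
  openssl "$1" -in "$2" -noout -subject | grep -Eq 'CN ?= ?'"$3"'([,/]|$)'
}

# Step 4: CertificateSigningRequest manifest on stdout. expirationSeconds is
# optional; the signer may shorten the requested lifetime but not extend it.
build_csr_manifest() {         # build_csr_manifest <user> <csrfile> <seconds>
  req=$(base64 < "$2" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1-csr
spec:
  request: $req
  signerName: $SIGNER
  expirationSeconds: $3
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
}

# Steps 4-6 against a real cluster: submit, approve, wait for the signer to
# populate status.certificate, then decode it to <dir>/<user>.crt.
submit_approve_fetch() {       # submit_approve_fetch <user> <csrfile> <seconds> <dir>
  build_csr_manifest "$1" "$2" "$3" | kubectl create -f -
  kubectl certificate approve "$1-csr"
  cert=""
  for _ in 1 2 3 4 5 6 7 8 9 10; do
    cert=$(kubectl get csr "$1-csr" -o jsonpath='{.status.certificate}')
    [ -n "$cert" ] && break
    sleep 1
  done
  [ -n "$cert" ] || { echo "signer did not issue a certificate" >&2; return 1; }
  printf '%s' "$cert" | base64 -d > "$4/$1.crt"
}

# Check before hand-over: right CN, and an extended key usage of clientAuth,
# which the API server requires before it honors the certificate as a login.
verify_client_cert() {         # verify_client_cert <crtfile> <user>
  subject_has_cn x509 "$1" "$2" &&
    openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# Offline stand-in for the cluster signer (assumption, demo only): a throwaway
# CA issues a client-auth certificate from the CSR so the check above can run.
mock_sign() {                  # mock_sign <user> <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$2/ca.key" -out "$2/ca.crt" 2>/dev/null
  printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\n' > "$2/ext.cnf"
  openssl x509 -req -in "$2/$1.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
    -CAcreateserial -days 1 -extfile "$2/ext.cnf" -out "$2/$1.crt" 2>/dev/null
}

# Hand-over: kubeconfig entries so the user can run kubectl with the new identity.
write_kubeconfig() {           # write_kubeconfig <user> <dir> <api-server-url> <ca.crt>
  kubectl config set-cluster demo --server="$3" --certificate-authority="$4" --embed-certs=true
  kubectl config set-credentials "$1" --client-certificate="$2/$1.crt" --client-key="$2/$1.key" --embed-certs=true
  kubectl config set-context "$1@demo" --cluster=demo --user="$1"
}

# End-to-end run against a real cluster:  RUN_K8S_CSR_DEMO=1 API_SERVER=https://... sh this.sh
if [ "${RUN_K8S_CSR_DEMO:-0}" = 1 ]; then
  d=$(mktemp -d)
  gen_key_and_csr jane developers "$d"
  subject_has_cn req "$d/jane.csr" jane
  submit_approve_fetch jane "$d/jane.csr" 86400 "$d"
  verify_client_cert "$d/jane.crt" jane
  write_kubeconfig jane "$d" "${API_SERVER:?set API_SERVER}" ca.crt
fi
```

The functions are meant to be sourced and called one step at a time when the user and the admin are different people: the user runs gen_key_and_csr and sends only the .csr, the admin runs subject_has_cn on it before build_csr_manifest and the approve step, and verify_client_cert is the last thing the admin does before returning the .crt.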
These are my personal notes for CKA exam preparation on Kubernetes. Please feel free to correct me if you notice any errors. 😊