Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

kubeadm cert documentation #11093

Merged
merged 3 commits into from
Nov 29, 2018
+124 −0
Merged

kubeadm cert documentation #11093

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a4ec6df
kubeadm certificate API and CSR documentation
liztio Nov 19, 2018
4aaed61
copyedits
Nov 28, 2018
590d6e0
fix typo
Nov 28, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
copyedits
JENNIFER RONDEAU committed Nov 28, 2018

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
commit 4aaed616aae43837bdf9ab60a497cb4883649f95
71 changes: 39 additions & 32 deletions content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
View file
Original file line number Diff line number Diff line change
@@ -7,39 +7,45 @@ content_template: templates/task

{{% capture overview %}}

This page explains various kubeadm-specific topics related to certificate management
This page explains how to manage certificates manually with kubeadm.

{{% /capture %}}

{{% capture prerequisites %}}

These are advanced topics for particular scenarios. Most kubeadm users with generic configuration will not need to use them. Read on if you are looking to integrate a kubeadm-built cluster into a larger organisation's certificate infrastructure.
These are advanced topics for users who need to integrate their organization's certificate infrastructure into a kubeadm-built cluster. If kubeadm with the default configuration satisfies your needs, you should let kubeadm manage certificates instead.

You should be familiar with [PKI certificates and requirements in Kubernetes](/docs/setup/certificates/).

{{% /capture %}}

{{% capture steps %}}

# Renewing certificates using the certificates API
## Renew certificates with the certificates API

Kubeadm can renew certificates with the `kubeadm alpha certs renew` commands.

Kubeadm can renew certificates using the `kubeadm alpha certs renew` commands.
Typically this is done by loading on-disk CA certificates and keys and using them to issue new certificates.
This works fine when using an entirely self-contained certificate tree, but may not make sense when certificates are managed externally.
This approach works well if your certificate tree is self-contained. However, if your certificates are externally
managed, you might need a different approach.

As an alternative, Kubernetes provides its own [API for managing certificates][manage-tls].
You can direct `kubeadm` to use this API with `kubeadm alpha certs renew --use-api`.
With kubeadm, you can use this API by running `kubeadm alpha certs renew --use-api`.

## Setting up a signer
## Set up a signer

The Kubernetes certificate authority does not work out of the box.
The Kubernetes Certificate Authority does not work out of the box.
You can configure an external signer such as [cert-manager][cert-manager-issuer], or you can use the build-in signer.
The built-in signer is part of [`kube-controller-manager`][kcm].
Activating it requires that you pass in the `--cluster-signing-cert-file` and `--cluster-signing-key-file` arguments.
To activate the build-in signer, you pass the `--cluster-signing-cert-file` and `--cluster-signing-key-file` arguments.

There are several ways of doing this:
You pass these arguments in any of the following ways:

* Edit `/etc/kubernetes/manifests/kube-controller-manager.yaml` to add the arguments to the command.
Keep in mind that this may be overwritten during the next upgrade.
Remember that your changes could be overwritten when you upgrade.

* If you're creating a new cluster, you can use a kubeadm [configuration file][config]:

```yaml
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
@@ -48,16 +54,19 @@ There are several ways of doing this:
cluster-signing-cert-file: /etc/kubernetes/pki/ca.crt
cluster-signing-key-file: /etc/kubernetes/pki/ca.key
```

* You can also upload a config file using [`kubeadm config upload from-files`][config-upload]

[cert-manager-issuer]: https://cert-manager.readthedocs.io/en/latest/tutorials/ca/creating-ca-issuer.html
[kcm]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
[config]: https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta1
[config-upload]: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-config/#cmd-config-from-file

## Approving requests
### Approve requests

Unless you've set up an external signer such as [cert-manager][cert-manager], you will need to manually approve certificates. This is done using the [`kubectl certificates`][certs] command.
The `kubeadm` command will output the name of the certificate you need to approve, then block and wait for approval to occur:
If you set up an external signer such as [cert-manager][cert-manager], certificate signing requests (CRSs) are automatically approved.
Otherwise, you must manually approve certificates with the [`kubectl certificates`][certs] command.
The following kubeadm command outputs the name of the certificate to approve, then blocks and waits for approval to occur:

```shell
$ sudo kubeadm alpha certs renew apiserver --use-api &
@@ -74,38 +83,36 @@ You can view a list of pending certificates with `kubectl get csr`.
[cert-manager]: https://github.com/jetstack/cert-manager
[certs]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#certificate

# Using Certificate Requests with Kubeadm
## Certificate requests with kubeadm

To better integrate with external CAs, kubeadm can also produce certificate signing requests (CSRs).
A CSR represents a request for a CA to produce a signed certificate for a client.
In kubeadm terms, any certificate that would normally be signed by an on-disk CA can be produced as a CSR instead, but CAs themselves cannot.

## Requesting CSRs
A CSR represents a request to a CA for a signed certificate for a client.
In kubeadm terms, any certificate that would normally be signed by an on-disk CA can be produced as a CSR instead. A CA, however, cannot be produced as a CSR.

### kubeadm init
You can request an individual CSR with `kubeadm init phase certs apiserver --use-csr`.
The `--use-csr` flag can only be applied to individual phases; once [all certificates are in place][certs] you can run `kubeadm init --external-ca`.
You can create an individual CSR with `kubeadm init phase certs apiserver --use-csr`.
The `--use-csr` flag can be applied only to individual phases. After [all certificates are in place][certs], you can run `kubeadm init --external-ca`.

You can pass in a directory to output the CSRs with `--csr-dir`.
If it is not specified, the default certificate directory (`/etc/kubernetes/pki`) is used.
Both the CSR and the accompanying private key are given in the output. Once a certificate is signed, the certificate and the private key must be copied to the PKI directory (by default `/etc/kubernetes/pki`).
You can pass in a directory with `--csr-dir` to output the CSRs to the specified location.
If `--csr-dire` is not specified, the default certificate directory (`/etc/kubernetes/pki`) is used.
Both the CSR and the accompanying private key are given in the output. After a certificate is signed, the certificate and the private key must be copied to the PKI directory (by default `/etc/kubernetes/pki`).

### certs renew
### Renew certificates

Certificates can also be renewed using `kubeadm alpha certs renew --use-csr`.
Like with `kubeadm init`, an output directory can be specified with `--csr-dir`.
Certificates can be renewed with `kubeadm alpha certs renew --use-csr`.
As with `kubeadm init`, an output directory can be specified with the `--csr-dir` flag.
To use the new certificates, copy the signed certificate and private key into the PKI directory (by default `/etc/kubernetes/pki`)

## Cert usage

CSRs contain a certificate's name, domains, and IPs, but it does _not_ specify usages.
It is the responsibility of the CA to specify [the correct cert usages][cert-table] when issuing a certificate.
* In `openssl` this is done using the [`openssl ca` command][openssl-ca].
A CSR contains a certificate's name, domains, and IPs, but it does not specify usages.
It is the responsibility of the CA to specify [the correct cert usages][cert-table] when issuing a certificate.

* In `openssl` this is done with the [`openssl ca` command][openssl-ca].
* In `cfssl` you specify [usages in the config file][cfssl-usages]

## CA selection

Kubeadm sets up [three CAs][cert-cas] by default. Be sure you sign the CSRs with a corresponding CA.
Kubeadm sets up [three CAs][cert-cas] by default. Make sure to sign the CSRs with a corresponding CA.

[openssl-ca]: https://superuser.com/questions/738612/openssl-ca-keyusage-extension
[cfssl-usages]: https://github.com/cloudflare/cfssl/blob/master/doc/cmd/cfssl.txt#L170