5.1.2.1. CA Initialization
The authentication center is a Certificate Authority (CA) that issues and manages root certificates. Root certificates serve as a trusted source for establishing secure connections between Kubernetes cluster components. They provide authentication and encryption of communications between nodes, services, and clients, ensuring the integrity and confidentiality of transmitted data.
5.1.2.1.1. ETCD
Purpose: CA for all etcd cluster certificates. Signs server, client, and peer certificates for etcd:
etcd-server (client connections, port 2379), etcd-peer (inter-node replication, port 2380), and etcd-healthcheck-client (health checks). Also used by kube-apiserver to verify the connection to etcd via the apiserver-etcd-client certificate.
Note: this section only describes the process of creating ETCD CA root certificates.
HardWay
Working directory
mkdir -p /etc/kubernetes/openssl
mkdir -p /etc/kubernetes/pki/etcd
Configuration
cat <<EOF > /etc/kubernetes/openssl/etcd-ca.conf
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
CN = "etcd-ca"
[v3_ca]
keyUsage = critical, keyCertSign, keyEncipherment, digitalSignature
basicConstraints = critical,CA:TRUE
EOF
Private key generation
openssl genrsa \
-out /etc/kubernetes/pki/etcd/ca.key 2048
Public key generation
openssl req \
-x509 \
-new \
-nodes \
-key /etc/kubernetes/pki/etcd/ca.key \
-sha256 \
-days 3650 \
-out /etc/kubernetes/pki/etcd/ca.crt \
-config /etc/kubernetes/openssl/etcd-ca.conf
Certificate readiness check
This section depends on the following sections:
/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/etcd/ca.crt
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
etcd-ca                 Oct 20, 2034 22:04 UTC   9y              no
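The HardWay steps above as one script, added here as an example and not the page's own code: it builds the etcd CA with the same OpenSSL config into a scratch directory given as the first argument (an assumption of this example, instead of /etc/kubernetes) and then checks that the result is actually a usable CA (self-signed, CA:TRUE, keyCertSign, named etcd-ca, not expiring within a day, key matching the certificate) before it is trusted to sign etcd server, peer and client certificates.

```shell
#!/bin/sh
# Added example: generate the etcd CA as in the HardWay steps, but under a
# scratch directory ($1, assumed) instead of /etc/kubernetes, then verify it.
set -eu

make_etcd_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat <<EOF > "$dir/etcd-ca.conf"
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
CN = "etcd-ca"
[v3_ca]
keyUsage = critical, keyCertSign, keyEncipherment, digitalSignature
basicConstraints = critical,CA:TRUE
EOF
  openssl genrsa -out "$dir/ca.key" 2048
  chmod 600 "$dir/ca.key"   # the CA private key must never be readable by others
  openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 3650 \
    -out "$dir/ca.crt" -config "$dir/etcd-ca.conf"
}

# Returns 0 only if cert $1 and key $2 form a usable etcd CA: the cert is
# self-signed and valid, carries CA:TRUE and keyCertSign, names etcd-ca,
# has at least one day of validity left, and the key matches the cert.
check_etcd_ca() {
  crt="$1"; key="$2"
  text=$(openssl x509 -in "$crt" -noout -text)
  openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1         || return 1
  printf '%s\n' "$text" | grep -q 'CA:TRUE'                   || return 1
  printf '%s\n' "$text" | grep -q 'Certificate Sign'          || return 1
  openssl x509 -in "$crt" -noout -subject | grep -q 'etcd-ca'  || return 1
  openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null   || return 1
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}
```

Run it as `make_etcd_ca /tmp/etcd-ca && check_etcd_ca /tmp/etcd-ca/ca.crt /tmp/etcd-ca/ca.key`; a non-zero exit means the CA should not be copied into /etc/kubernetes/pki/etcd.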
Kubeadm
Certificate generation
kubeadm init phase certs etcd-ca \
--config=/var/run/kubeadm/kubeadm.yaml
After running the command, we get the following output.
[certs] Generating "etcd/ca" certificate and key