Skip to content

Commit 7402d17

Browse files
k8s-ci-robotk8s-ci-robot
authored
Merge pull request #38524 from tengqm/improve-certificates
Improve certificates
2 parents e6442db + 227cb35 commit 7402d17

File tree

1 file changed

+69
-53
lines changed

1 file changed

+69
-53
lines changed

content/en/docs/setup/best-practices/certificates.md

Lines changed: 69 additions & 53 deletions
Original file line numberDiff line numberDiff line change
@@ -9,12 +9,12 @@ weight: 50
99
<!-- overview -->
1010

1111
Kubernetes requires PKI certificates for authentication over TLS.
12-
If you install Kubernetes with [kubeadm](/docs/reference/setup-tools/kubeadm/), the certificates that your cluster requires are automatically generated.
13-
You can also generate your own certificates -- for example, to keep your private keys more secure by not storing them on the API server.
12+
If you install Kubernetes with [kubeadm](/docs/reference/setup-tools/kubeadm/), the certificates
13+
that your cluster requires are automatically generated.
14+
You can also generate your own certificates -- for example, to keep your private keys more secure
15+
by not storing them on the API server.
1416
This page explains the certificates that your cluster requires.
1517

16-
17-
1818
<!-- body -->
1919

2020
## How certificates are used by your cluster
@@ -33,24 +33,30 @@ Kubernetes requires PKI for the following operations:
3333
* Client and server certificates for the [front-proxy](/docs/tasks/extend-kubernetes/configure-aggregation-layer/)
3434

3535
{{< note >}}
36-
`front-proxy` certificates are required only if you run kube-proxy to support [an extension API server](/docs/tasks/extend-kubernetes/setup-extension-api-server/).
36+
`front-proxy` certificates are required only if you run kube-proxy to support
37+
[an extension API server](/docs/tasks/extend-kubernetes/setup-extension-api-server/).
3738
{{< /note >}}
3839

3940
etcd also implements mutual TLS to authenticate clients and peers.
4041

4142
## Where certificates are stored
4243

43-
If you install Kubernetes with kubeadm, most certificates are stored in `/etc/kubernetes/pki`. All paths in this documentation are relative to that directory, with the exception of user account certificates which kubeadm places in `/etc/kubernetes`.
44+
If you install Kubernetes with kubeadm, most certificates are stored in `/etc/kubernetes/pki`.
45+
All paths in this documentation are relative to that directory, with the exception of user account
46+
certificates which kubeadm places in `/etc/kubernetes`.
4447

4548
## Configure certificates manually
4649

47-
If you don't want kubeadm to generate the required certificates, you can create them using a single root CA or by providing all certificates. See [Certificates](/docs/tasks/administer-cluster/certificates/) for details on creating your own certificate authority.
48-
See [Certificate Management with kubeadm](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/) for more on managing certificates.
49-
50+
If you don't want kubeadm to generate the required certificates, you can create them using a
51+
single root CA or by providing all certificates. See [Certificates](/docs/tasks/administer-cluster/certificates/)
52+
for details on creating your own certificate authority. See
53+
[Certificate Management with kubeadm](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)
54+
for more on managing certificates.
5055

5156
### Single root CA
5257

53-
You can create a single root CA, controlled by an administrator. This root CA can then create multiple intermediate CAs, and delegate all further creation to Kubernetes itself.
58+
You can create a single root CA, controlled by an administrator. This root CA can then create
59+
multiple intermediate CAs, and delegate all further creation to Kubernetes itself.
5460

5561
Required CAs:
5662

@@ -60,7 +66,8 @@ Required CAs:
6066
| etcd/ca.crt,key | etcd-ca | For all etcd-related functions |
6167
| front-proxy-ca.crt,key | kubernetes-front-proxy-ca | For the [front-end proxy](/docs/tasks/extend-kubernetes/configure-aggregation-layer/) |
6268

63-
On top of the above CAs, it is also necessary to get a public/private key pair for service account management, `sa.key` and `sa.pub`.
69+
On top of the above CAs, it is also necessary to get a public/private key pair for service account
70+
management, `sa.key` and `sa.pub`.
6471
The following example illustrates the CA key and certificate files shown in the previous table:
6572

6673
```
@@ -71,43 +78,49 @@ The following example illustrates the CA key and certificate files shown in the
7178
/etc/kubernetes/pki/front-proxy-ca.crt
7279
/etc/kubernetes/pki/front-proxy-ca.key
7380
```
81+
7482
### All certificates
7583

7684
If you don't wish to copy the CA private keys to your cluster, you can generate all certificates yourself.
7785

7886
Required certificates:
7987

80-
| Default CN | Parent CA | O (in Subject) | kind | hosts (SAN) |
81-
|-------------------------------|---------------------------|----------------|----------------------------------------|---------------------------------------------|
82-
| kube-etcd | etcd-ca | | server, client | `<hostname>`, `<Host_IP>`, `localhost`, `127.0.0.1` |
83-
| kube-etcd-peer | etcd-ca | | server, client | `<hostname>`, `<Host_IP>`, `localhost`, `127.0.0.1` |
84-
| kube-etcd-healthcheck-client | etcd-ca | | client | |
85-
| kube-apiserver-etcd-client | etcd-ca | system:masters | client | |
86-
| kube-apiserver | kubernetes-ca | | server | `<hostname>`, `<Host_IP>`, `<advertise_IP>`, `[1]` |
87-
| kube-apiserver-kubelet-client | kubernetes-ca | system:masters | client | |
88-
| front-proxy-client | kubernetes-front-proxy-ca | | client | |
88+
| Default CN | Parent CA | O (in Subject) | kind | hosts (SAN) |
89+
|-------------------------------|---------------------------|----------------|------------------|-----------------------------------------------------|
90+
| kube-etcd | etcd-ca | | server, client | `<hostname>`, `<Host_IP>`, `localhost`, `127.0.0.1` |
91+
| kube-etcd-peer | etcd-ca | | server, client | `<hostname>`, `<Host_IP>`, `localhost`, `127.0.0.1` |
92+
| kube-etcd-healthcheck-client | etcd-ca | | client | |
93+
| kube-apiserver-etcd-client | etcd-ca | system:masters | client | |
94+
| kube-apiserver | kubernetes-ca | | server | `<hostname>`, `<Host_IP>`, `<advertise_IP>`, `[1]` |
95+
| kube-apiserver-kubelet-client | kubernetes-ca | system:masters | client | |
96+
| front-proxy-client | kubernetes-front-proxy-ca | | client | |
8997

9098
[1]: any other IP or DNS name you contact your cluster on (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/)
9199
the load balancer stable IP and/or DNS name, `kubernetes`, `kubernetes.default`, `kubernetes.default.svc`,
92100
`kubernetes.default.svc.cluster`, `kubernetes.default.svc.cluster.local`)
93101

94-
where `kind` maps to one or more of the [x509 key usage](https://pkg.go.dev/k8s.io/api/certificates/v1beta1#KeyUsage) types:
102+
where `kind` maps to one or more of the x509 key usage, which is also documented in the
103+
`.spec.usages` of a [CertificateSigningRequest](/docs/reference/kubernetes-api/authentication-resources/certificate-signing-request-v1#CertificateSigningRequest)
104+
type:
95105

96106
| kind | Key usage |
97107
|--------|---------------------------------------------------------------------------------|
98108
| server | digital signature, key encipherment, server auth |
99109
| client | digital signature, key encipherment, client auth |
100110

101111
{{< note >}}
102-
Hosts/SAN listed above are the recommended ones for getting a working cluster; if required by a specific setup, it is possible to add additional SANs on all the server certificates.
112+
Hosts/SAN listed above are the recommended ones for getting a working cluster; if required by a
113+
specific setup, it is possible to add additional SANs on all the server certificates.
103114
{{< /note >}}
104115

105116
{{< note >}}
106117
For kubeadm users only:
107118

108-
* The scenario where you are copying to your cluster CA certificates without private keys is referred as external CA in the kubeadm documentation.
109-
* If you are comparing the above list with a kubeadm generated PKI, please be aware that `kube-etcd`, `kube-etcd-peer` and `kube-etcd-healthcheck-client` certificates
110-
are not generated in case of external etcd.
119+
* The scenario where you are copying to your cluster CA certificates without private keys is
120+
referred as external CA in the kubeadm documentation.
121+
* If you are comparing the above list with a kubeadm generated PKI, please be aware that
122+
`kube-etcd`, `kube-etcd-peer` and `kube-etcd-healthcheck-client` certificates are not generated
123+
in case of external etcd.
111124

112125
{{< /note >}}
113126

@@ -116,31 +129,32 @@ For kubeadm users only:
116129
Certificates should be placed in a recommended path (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/)).
117130
Paths should be specified using the given argument regardless of location.
118131

119-
| Default CN | recommended key path | recommended cert path | command | key argument | cert argument |
120-
|------------------------------|------------------------------|-----------------------------|----------------|------------------------------|-------------------------------------------|
121-
| etcd-ca | etcd/ca.key | etcd/ca.crt | kube-apiserver | | --etcd-cafile |
122-
| kube-apiserver-etcd-client | apiserver-etcd-client.key | apiserver-etcd-client.crt | kube-apiserver | --etcd-keyfile | --etcd-certfile |
123-
| kubernetes-ca | ca.key | ca.crt | kube-apiserver | | --client-ca-file |
124-
| kubernetes-ca | ca.key | ca.crt | kube-controller-manager | --cluster-signing-key-file | --client-ca-file, --root-ca-file, --cluster-signing-cert-file |
125-
| kube-apiserver | apiserver.key | apiserver.crt | kube-apiserver | --tls-private-key-file | --tls-cert-file |
126-
| kube-apiserver-kubelet-client| apiserver-kubelet-client.key | apiserver-kubelet-client.crt| kube-apiserver | --kubelet-client-key | --kubelet-client-certificate |
127-
| front-proxy-ca | front-proxy-ca.key | front-proxy-ca.crt | kube-apiserver | | --requestheader-client-ca-file |
128-
| front-proxy-ca | front-proxy-ca.key | front-proxy-ca.crt | kube-controller-manager | | --requestheader-client-ca-file |
129-
| front-proxy-client | front-proxy-client.key | front-proxy-client.crt | kube-apiserver | --proxy-client-key-file | --proxy-client-cert-file |
130-
| etcd-ca | etcd/ca.key | etcd/ca.crt | etcd | | --trusted-ca-file, --peer-trusted-ca-file |
131-
| kube-etcd | etcd/server.key | etcd/server.crt | etcd | --key-file | --cert-file |
132-
| kube-etcd-peer | etcd/peer.key | etcd/peer.crt | etcd | --peer-key-file | --peer-cert-file |
133-
| etcd-ca | | etcd/ca.crt | etcdctl | | --cacert |
134-
| kube-etcd-healthcheck-client | etcd/healthcheck-client.key | etcd/healthcheck-client.crt | etcdctl | --key | --cert |
132+
| Default CN | recommended key path | recommended cert path | command | key argument | cert argument |
133+
|------------------------------|------------------------------|-----------------------------|-------------------------|------------------------------|-------------------------------------------|
134+
| etcd-ca | etcd/ca.key | etcd/ca.crt | kube-apiserver | | --etcd-cafile |
135+
| kube-apiserver-etcd-client | apiserver-etcd-client.key | apiserver-etcd-client.crt | kube-apiserver | --etcd-keyfile | --etcd-certfile |
136+
| kubernetes-ca | ca.key | ca.crt | kube-apiserver | | --client-ca-file |
137+
| kubernetes-ca | ca.key | ca.crt | kube-controller-manager | --cluster-signing-key-file | --client-ca-file, --root-ca-file, --cluster-signing-cert-file |
138+
| kube-apiserver | apiserver.key | apiserver.crt | kube-apiserver | --tls-private-key-file | --tls-cert-file |
139+
| kube-apiserver-kubelet-client| apiserver-kubelet-client.key | apiserver-kubelet-client.crt| kube-apiserver | --kubelet-client-key | --kubelet-client-certificate |
140+
| front-proxy-ca | front-proxy-ca.key | front-proxy-ca.crt | kube-apiserver | | --requestheader-client-ca-file |
141+
| front-proxy-ca | front-proxy-ca.key | front-proxy-ca.crt | kube-controller-manager | | --requestheader-client-ca-file |
142+
| front-proxy-client | front-proxy-client.key | front-proxy-client.crt | kube-apiserver | --proxy-client-key-file | --proxy-client-cert-file |
143+
| etcd-ca | etcd/ca.key | etcd/ca.crt | etcd | | --trusted-ca-file, --peer-trusted-ca-file |
144+
| kube-etcd | etcd/server.key | etcd/server.crt | etcd | --key-file | --cert-file |
145+
| kube-etcd-peer | etcd/peer.key | etcd/peer.crt | etcd | --peer-key-file | --peer-cert-file |
146+
| etcd-ca | | etcd/ca.crt | etcdctl | | --cacert |
147+
| kube-etcd-healthcheck-client | etcd/healthcheck-client.key | etcd/healthcheck-client.crt | etcdctl | --key | --cert |
135148

136149
Same considerations apply for the service account key pair:
137150

138-
| private key path | public key path | command | argument |
139-
|------------------------------|-----------------------------|-------------------------|--------------------------------------|
140-
| sa.key | | kube-controller-manager | --service-account-private-key-file |
141-
| | sa.pub | kube-apiserver | --service-account-key-file |
151+
| private key path | public key path | command | argument |
152+
|-------------------|------------------|-------------------------|--------------------------------------|
153+
| sa.key | | kube-controller-manager | --service-account-private-key-file |
154+
| | sa.pub | kube-apiserver | --service-account-key-file |
142155

143-
The following example illustrates the file paths [from the previous tables](/docs/setup/best-practices/certificates/#certificate-paths) you need to provide if you are generating all of your own keys and certificates:
156+
The following example illustrates the file paths [from the previous tables](#certificate-paths)
157+
you need to provide if you are generating all of your own keys and certificates:
144158

145159
```
146160
/etc/kubernetes/pki/etcd/ca.key
@@ -170,15 +184,17 @@ The following example illustrates the file paths [from the previous tables](/doc
170184

171185
You must manually configure these administrator account and service accounts:
172186

173-
| filename | credential name | Default CN | O (in Subject) |
174-
|-------------------------|----------------------------|--------------------------------|----------------|
175-
| admin.conf | default-admin | kubernetes-admin | system:masters |
187+
| filename | credential name | Default CN | O (in Subject) |
188+
|-------------------------|----------------------------|-------------------------------------|----------------|
189+
| admin.conf | default-admin | kubernetes-admin | system:masters |
176190
| kubelet.conf | default-auth | system:node:`<nodeName>` (see note) | system:nodes |
177-
| controller-manager.conf | default-controller-manager | system:kube-controller-manager | |
178-
| scheduler.conf | default-scheduler | system:kube-scheduler | |
191+
| controller-manager.conf | default-controller-manager | system:kube-controller-manager | |
192+
| scheduler.conf | default-scheduler | system:kube-scheduler | |
179193

180194
{{< note >}}
181-
The value of `<nodeName>` for `kubelet.conf` **must** match precisely the value of the node name provided by the kubelet as it registers with the apiserver. For further details, read the [Node Authorization](/docs/reference/access-authn-authz/node/).
195+
The value of `<nodeName>` for `kubelet.conf` **must** match precisely the value of the node name
196+
provided by the kubelet as it registers with the apiserver. For further details, read the
197+
[Node Authorization](/docs/reference/access-authn-authz/node/).
182198
{{< /note >}}
183199

184200
1. For each config, generate an x509 cert/key pair with the given CN and O.
@@ -196,7 +212,7 @@ These files are used as follows:
196212

197213
| filename | command | comment |
198214
|-------------------------|-------------------------|-----------------------------------------------------------------------|
199-
| admin.conf | kubectl | Configures administrator user for the cluster |
215+
| admin.conf | kubectl | Configures administrator user for the cluster |
200216
| kubelet.conf | kubelet | One required for each node in the cluster. |
201217
| controller-manager.conf | kube-controller-manager | Must be added to manifest in `manifests/kube-controller-manager.yaml` |
202218
| scheduler.conf | kube-scheduler | Must be added to manifest in `manifests/kube-scheduler.yaml` |

0 commit comments

Comments
 (0)