►
From YouTube: Identity with Certificates in Kubernetes
Description
Certificates are an integral part of a secure Kubernetes cluster deployment. They are mainly used to secure the Kubernetes API server using TLS, but certificates (and keys) are also used for other cluster functions such as client authentication, and encryption of secrets. It provides security and identity to all components of Kubernetes. What I am going to talk about:
1. What is a PKI and what are certificates?
2. Why does the world need them?
3. How do I create a CA, certificates and sign them?
4. What's the significance in Kubernetes?
5. How do I handle certificates in Kubernetes?
6. What are the tools to generate certificates?
7. How does Kubeadm automatically generate the certificates for K8s Cluster?
A
Hello,
everyone.
I
again
welcome
you
all
to
this
wonderful
event:
kubernetes
community
days
bengaluru-
I
am
super
excited
to
be
here
today.
My
name
is
akshat
khanna.
I
am
working
as
an
mts
intern
at
vmware
in
the
tkg
team.
I
am
a
final
year
student
pursuing
my
pteg
in
computer
science
from
srm
university
chennai
today
I'll
be
talking
about
identity
with
certificates
in
kubernetes.
A
A
Then
we
will
be
covering
how
these
certificates
are
actually
generated.
Then,
after
that
we'll
be
covering
certificate
generation.
Apis
in
kubernetes
then
comes
the
most
important
part
part.
That's
the
hands-on
demo
that
I'll
be
giving
after
that
I'll
be
covering
the
bootstrap
certificate,
bootstrapping
technique
and
the
rotation
steps.
So
without
further
ado,
let's
get
started.
A
Okay:
let's
talk
about
certificates
in
general,
what
are
certificates
and
pki
the
certificates?
Allow
parties
in
a
conversation
to
authenticate
themselves
and
talk
to
each
other
think
of
a
client
in
a
server
communication.
The
client
can
authenticate
the
server
and
the
server
can
authenticate
the
client.
It
confirms
that
the
communication
is
happening
between
the
correct
parties.
A
A
A
A
A
All
the
certificates
are
signed
validated
and
rotated
when
they
come
near
expiration
by
this
cluster
certificate
authority,
it
is
used
by
all
the
components
to
validate
and
authenticate
the
request,
the
ca
issues,
a
certificate
to
client
and
server
so
that
they
can
use
it.
You
can
view
in
this
diagram
the
certificate
authority
issues
the
certificate
to
a
server
and
the
client,
so
the
certificate
authority
is
the
root
trusted
service
and
after
it
issues
a
certificate
to
both
server
and
client,
they
can
talk
to
each
other
in
a
secure
manner.
A
A
A
A
Okay
in
kubernetes,
you
can
generate
the
certificates
in
using
two
methods.
First
is
using
it
automatically
generating
the
certificates
and
signing
them
using
the
cube
adm.
If
you
are
using
qradium,
otherwise,
you
can
manually
generate
the
certificates
using
the
certificate
generation
apis,
so
communities
offer
api
to
generate
your
certificates
and
use
them,
so
that
is
certificates,
dot,
kx,
dot,
io,
slash
v1,
so
it
creates
a
certificate
signing
request
and
that
certificate
signing
request.
Object
is
sent
to
the
api
server
or
the
kubernetes
api.
A
A
Then
a
cluster
administrator
csr
and
the
configuration
is
generated
after
this.
The
ca
is
generated.
So
ca
is
that,
as
I
explained
earlier,
also
csa
is
the
certificate
authority
or
the
root
root
service
which
all
the
other
components
does
and
all
the
certificates
are
signed
and
issued
by
ca.
So
this
sends
the
signed
certificate
and
key
to
the
trusted
services.
These
trusted
services
contact
to
each
other
or
communicate
to
each
other
in
a
secure
manner.
A
A
A
A
Yeah,
so
to
generate
your
certificate
signing
request,
we
have
to
run
the
command
cfssl
generate
key
and
cf
ssl
json
br
server.
So
in
this
we
need
to
specify
the
host.
Now.
This
is
my
dns
of
my
service
that
is
running
in
my
cluster,
and
this
is
the
dns
of
my
pod,
followed
by
the
internal
ip
of
my
service
and
the
ip
of
my
pod,
and
we
also
need
to
define
the
algorithm
that
should
be
used
to
generate
the
key.
So
when
I
execute
this
command,
it
gives
me
the
output.
A
A
A
Yeah,
so
here
we
have
to
run
the
command.
Qctl,
apply,
f
and
followed
by
the
configuration,
so
in
configuration
we
have
to
define
api
as
certificates,
dot,
kx,
dot,
io,
slash
v1
and
the
kind
would
be
the
certificate
signing
request
and
the
name
would
in
metadata.
The
name
would
be
the
identifier
name
of
our
csr
that
we
are
sending
so
I'll
name.
It
kcd
and
guru.
A
Okay,
so
this
is
the
csr
that
is
generated,
and
you
can
see
here
in
the
status
it
is
showing
in
the
pending
state.
So
whenever
a
csr
is
generated
and
sent
to
the
api
server,
it
is
in
the
pending
state,
because
the
cluster
administrator
or
the
kubernetes
cluster
administrator
has
to
approve
the
csr
before
processing
it.
So
it
is
the
status
still
pending
and
you
can
see
all
the
data
here
like
the
signer,
the
dns
of
the
pod
service
and
the
ip
and
all
the
info
that
is
listed
here.
A
A
Now
we
can
see,
we
got
the
response
that
the
csr
that
was
generated
is
now
approved
and
now,
let's
check
again
the
status
qctl
getcsr
and
now
we
can
see
it
is
approved.
Next
we
have
to
sign
the
certificate
signing
request
that
we
have
generated
so
to
sign
the
certificate
generator
certificate
signing
request.
There
should
be
a
certified
authority,
so
certificate
authority
is
the
main
route
authority
which
is
responsible
for
certificate,
signing
and
issuing
the
certificate
to
a
component
in
a
cluster.
A
So
we
have
to
create
the
certificate
authority
to
create
a
certificate
authority.
We
have
to
run
the
command
cfsl
generate
cert
and
cfssl
json
brca.
So
ca
here
stands
for
the
certificate
authority.
We
have
to
give
the
name
of
a
signer,
so
I'll
give
the
name
of
the
signer
as
kcd,
and
also
we
have
to
give
the
algorithm
to
generate
the
key,
and
when
we
execute
this
command,
we
can
see
the
ca
key
and
the
certificate
from
the
csr
is
generated.
A
Now,
let's
check
that
yeah.
So
I
can
see
that
the
key-
and
this
is
the
csr-
and
this
is
the
certificate,
so
everything
is
generated
now
after
this
once
we
have
generated
now
it's
time
for
issuing
the
certificate
to
so
to
issue
the
certificate.
We
require
some
kind
of
configuration
where
we
will
define
all
the
things.
So
this
is
the
configuration
file
that
I
have
generated
already
so
I'll
show
the
contents
of
this
okay.
A
So,
in
this
server
signing
config.json,
I
have
defined
expiry
for
the
csr
and
the
certificate
along
with
some
different
parameters,
so
you
can
also
go
ahead
and
create
this
config
file
to
issue
the
certificate.
Now,
let's
go
ahead
and
issue
the
csr,
okay,
so
after
to
issue
the
csr,
what
we
have
to
do
is
we
have
to
run
the
few
of
the
commands.
A
A
And
also
this-
and
this
should
be
passed
in
the
base64
decoded
format,
so
that
it
is
visible
in
the
unencrypted
form
and
then
we
can
sign
this.
So
let's
execute
this
command
and
I
got
the
output
as
a
signed
certificate
with
serial
number
this.
So
now
our
certificate
is
signed
now.
The
next
thing
that
we
have
to
do
is
upload
the
signed
certificate
to
the
api
server,
and
to
do
that,
we
have
to
run
the
command.
A
Qctl
get
csr
followed
by
the
name
of
the
csr
that
we
have
given
in
the
previous
steps,
so
it
is
kcd
and
we
have.
We
want
to
get
the
output
in
the
form
of
json
so
that
we
have
defined
here
and
followed
by
the
name
of
the
certificate
and
the
key
that
we
generated
in
the
previous
step
that
we
are
passing
along
with
the
certificate
here
and
also
we
have
to
in
this
third
line.
A
A
Now
we
can
see
that
this
is
our
csr,
along
with
the
condition
approved
and
issued.
So
now
our
certificate
is
successfully
approved
by
the
administrator
and
issued
to
the
component
after
it
is
issued.
We
can
also
see
that
cr
certificate
so
to
see
the
certificate
we
have
to
run
the
command
cube,
ctl
get
csr
followed
by
the
csr
name,
so
we
will
give
our
name
that
we
created
in
the
previous
steps
that
is
kcd
bangalore.
A
I
hope
you
learned
something
new
today
and
after
this,
the
next
thing
that
we
are
covering
is
certified,
bootstrap
and
rotation.
So
when
I,
when
you
saw
that
I
issued
the
certificate
and
all
those
things,
so
these
are
few
of
the
steps
that
were
taking
place
behind
the
scenes.
That
was
like
that
there
is
a
approving
controller
that
approves
the
csr
automatically
and
there
is
also
a
signer
controller
that
signs
the
certificate
for
you
when
we
wrote
the
command
okay.
Now
what
is
certificate
rotation?
A
This
is
the
last
topic
that
we
are
covering
today,
so
by
default
that
these
certificates
are
generated
for
one
year
so
that
they
are
not
to
be
renewed
too
frequently,
but
there
might
be
a
case
in
which
your
certificate
is
near
expiration.
So
in
that
case
there
is
automatically
a
key
and
a
request
for
a
new
certificate
is
generated
to
the
api
server
and
it
can
give
you
a
new
certificate
and
that
can
be
used
for
authentication
of
the
connections.
A
Okay
now
coming
up.
Next,
we
have
is
the
any
how
you
can
enable
client
certificate
rotation
so
for
doing
that
there
is
a
queue
when
you
run
a
cubelet
process
in
that
you
can
give
the
command
rotate
certificate,
that
that
will
automatically
request
a
new
certificate
when
your
certificate
approaches
approaches,
expiration
and
also
you
can
give
the
duration
of
the
certificate
and
csr
how
for
how
long
it
should
be
available.
That
is
in
the
second
point,
the
argument
is
cluster
signing
duration.