CKA

Certificates API

백셀건전지 2021. 9. 25. 12:26
  • Anyone who gains access to the CA key pair can access every certificate in the k8s environment, so the key pair must be kept in a safe place.
  • In K8S the CA server is the master node.
  • The Certificates API exists so that user certificates do not have to be created manually on every CSR request.

How to use

  1. openssl genrsa -out jane.key 2048
  2. openssl req -new -key jane.key -subj "/CN=jane" -out jane.csr
  3. Create jane-csr.yaml with kind: CertificateSigningRequest.
  4. Put the base64 string produced by cat jane.csr | base64 into spec.request of the yaml file.
  5. Check the list of requests with kubectl get csr.
  6. An operator can approve the request with kubectl certificate approve jane.
  7. After kubectl get csr jane -o yaml, the certificate can be found under status.certificate. Note that it is base64-encoded.
  8. Extract the plaintext with echo "base64 certificate" | base64 --decode.

  • All certificate-related work is handled by the controller-manager.

https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  request: <base64-encoded CSR, see below>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
  • The value that goes into request:
    cat akshay.csr | base64 | tr -d "\n"
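As an added example that is not part of the original post, the eight steps above and the CertificateSigningRequest YAML combined into one POSIX shell script. It assumes openssl, kubectl and base64 are on PATH and that kubectl is configured against a cluster where the current user may create and approve CSRs; the user name "jane", the file names and the RUN_CSR_FLOW variable are illustrative choices of mine. The expirationSeconds field is optional, needs Kubernetes 1.22 or later, and keeps the issued client certificate short-lived.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl, kubectl and
# base64 are installed and kubectl targets a cluster where the caller may
# create and approve CSRs. "jane" and the file names are illustrative.
set -eu

# Build the CertificateSigningRequest manifest for a user from a PEM CSR file.
# spec.request must be the base64 of the CSR with newlines stripped (step 4);
# signerName selects the kube-apiserver client signer for client auth.
csr_manifest() {
  name="$1"; csr_file="$2"
  b64="$(base64 < "$csr_file" | tr -d '\n')"
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  request: ${b64}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
EOF
}

# Decode the base64 certificate that kubectl returns in status.certificate (steps 7-8).
decode_cert() {
  printf '%s' "$1" | base64 --decode
}

# Full flow: key + CSR (steps 1-2), submit (3-4), list (5), approve (6),
# fetch and decode the issued certificate (7-8), then inspect it with openssl.
request_client_cert() {
  name="$1"
  openssl genrsa -out "${name}.key" 2048
  openssl req -new -key "${name}.key" -subj "/CN=${name}" -out "${name}.csr"
  csr_manifest "$name" "${name}.csr" | kubectl apply -f -
  kubectl get csr "$name"
  kubectl certificate approve "$name"
  # The controller-manager signs asynchronously; poll briefly until
  # status.certificate is populated.
  cert_b64=""
  i=0
  while [ -z "$cert_b64" ] && [ "$i" -lt 30 ]; do
    cert_b64="$(kubectl get csr "$name" -o jsonpath='{.status.certificate}')"
    [ -n "$cert_b64" ] || sleep 1
    i=$((i + 1))
  done
  [ -n "$cert_b64" ] || { echo "certificate not issued yet" >&2; return 1; }
  decode_cert "$cert_b64" > "${name}.crt"
  # Confirm the issued certificate carries CN=<name> and see its validity window.
  openssl x509 -in "${name}.crt" -noout -subject -dates
}

# Run the whole flow only when explicitly requested: RUN_CSR_FLOW=1 sh csr.sh
if [ "${RUN_CSR_FLOW:-0}" = 1 ]; then
  request_client_cert jane
fi
```

csr_manifest and decode_cert work without a cluster, so the manifest can be reviewed (and the request field checked for stray newlines) before anything is submitted; only request_client_cert needs kubectl.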
