[k8s] Certificate Security
======
###### tags: `kubernetes` `security`

[TOC]

# Authentication

![](https://i.imgur.com/hjl1aOO.jpg)
![](https://i.imgur.com/dphh438.png)

```shell=
kubectl get pods --kubeconfig config
```

> default file path: ***$HOME/.kube/config***

# TLS certificate

![](https://i.imgur.com/204HEHX.jpg)
![](https://i.imgur.com/vGjKPCA.png)

## Certificate Authority (CA)

**1. Generate Keys**

```shell=
openssl genrsa -out ca.key 2048
```

**2. Certificate Signing Request**

> CN as `common name`

```shell=
openssl req -new -key ca.key \
  -subj "/CN=KUBERNETES-CA" \
  -out ca.csr
```

**3. Sign Certificates**

> ca.crt is self-signed by the CA using its own private key

```shell=
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
```

## Client Certificates for Clients

> for clients to validate the certificates sent by the server

![](https://i.imgur.com/YOUdMvF.png)

**Examples: for nick user**

```shell=
openssl genrsa -out nick.key 2048
openssl req -new -key nick.key \
  -subj "/CN=nick/O=system:masters" \
  -out nick.csr
openssl x509 -req -in nick.csr -CAcreateserial -CA ca.crt -CAkey ca.key -days 1000 -out nick.crt
```

**View Certificates**

```shell=
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
```

![](https://i.imgur.com/i3Hpai6.png)

## Certificates API

### 1. Create CertificateSigningRequest Object

```shell=
openssl genrsa -out jane.key 2048
openssl req -new -key jane.key -subj "/CN=jane" -out jane.csr
```

```yaml=
# jane-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: jane
spec:
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400   # one day
  request:   # base64-encoded jane.csr, e.g. cat jane.csr | base64 | tr -d "\n"
  groups:
  - system:authenticated
  usages:
  - client auth
```

### 2. Review Requests

```shell=
kubectl get csr
```

### 3. Approve Requests

```sh=
kubectl certificate approve jane
```

### 4. Share Certs to Users

```sh=
kubectl get csr jane -o yaml
```

![](https://i.imgur.com/OTlAdwv.png)

# KubeConfig

![](https://i.imgur.com/Tq68kR9.png)

## Certificates in KubeConfig

![](https://i.imgur.com/ouNZ0PD.png)
![](https://i.imgur.com/b2xRY9r.png)
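Pulling the CA, client-certificate and Certificates API steps above into one script, as an added example that is not part of the original note: it mints a throwaway CA and a client cert for `nick`, checks that the cert really chains to that CA, reports the user/group identity the API server would read from the subject, and emits the CertificateSigningRequest manifest with `spec.request` filled in. The function names, the temporary directory and the 365-day CA lifetime are my own choices; everything else is the note's openssl flow.

```bash
# Added example (not from the note): a throwaway CA, one client cert ("nick"),
# and the checks an admin runs before handing out a cert or approving a CSR.
set -e

# make_ca DIR: self-signed CA key and cert, the three CA steps above in one go.
make_ca() {
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -new -key "$1/ca.key" -subj "/CN=KUBERNETES-CA" -out "$1/ca.csr" 2>/dev/null
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 365 \
    -out "$1/ca.crt" 2>/dev/null
}

# make_user DIR NAME GROUP: key, CSR and CA-signed cert for one user.
# Kubernetes reads CN as the username and O as the group.
make_user() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "/CN=$2/O=$3" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1000 -out "$1/$2.crt" 2>/dev/null
}

# cert_chains_to_ca CA_CRT CERT: succeeds only if CERT was issued by CA_CRT.
cert_chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# cert_identity CERT: print "user=<CN> groups=<O,...>" as derived from the subject.
cert_identity() {
  local subj user groups
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  user=$(printf '%s\n' "$subj" | tr ',' '\n' | sed -n 's/^CN=//p')
  groups=$(printf '%s\n' "$subj" | tr ',' '\n' | sed -n 's/^O=//p' | paste -sd, -)
  printf 'user=%s groups=%s\n' "$user" "$groups"
}

# csr_manifest NAME CSR_FILE: the CertificateSigningRequest object for the
# Certificates API, with spec.request filled in (base64 of the PEM CSR).
csr_manifest() {
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  request: $(base64 < "$2" | tr -d '\n')
  usages:
  - client auth
EOF
}
```

Typical use: `d=$(mktemp -d); make_ca "$d"; make_user "$d" nick system:masters; cert_identity "$d/nick.crt"` prints `user=nick groups=system:masters`, and `csr_manifest nick "$d/nick.csr" | kubectl apply -f -` is the step the note's `jane-csr.yaml` performs by hand.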