Build a secure Kubernetes API server
$ nova secgroup-add-rule \
k8sbay-wlun44ixfi2o-secgroup_kubernetes-ahsiqsc4vgqj \
tcp 6443 6443 0.0.0.0/0
$ openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
...............................................................................++
...............................................................................++
e is 65537 (0x10001)
$ openssl req -new -x509 -days 1000 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
$ openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
..................................+++
....................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:k8s-master
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Set the Common Name to the hostname that clients will use to reach the API server, not its IP address.
$ openssl x509 -req -days 1000 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=k8s-master
Getting CA Private Key
$ openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr
Generating a 2048 bit RSA private key
......................+++
......+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:k8s-minion
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ openssl x509 -req -days 1000 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=k8s-minion
Getting CA Private Key
Give the client certificate a serial number different from the server certificate's.
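The certificate steps above, collected into a non-interactive script together with the checks worth running before handing the files to kube-apiserver. This is an added example, not the page's own commands: it passes each DN with -subj instead of answering prompts, adds a subjectAltName to the server certificate (current TLS stacks, Go's included, ignore the CN when matching hostnames), and the CA name k8s-ca, the server.ext file and the DIR argument are assumptions.

```shell
#!/bin/sh
# Non-interactive version of the page's certificate steps, plus the checks to run
# before pointing kube-apiserver at the files. Needs only openssl(1).
set -eu

# make_pki DIR MASTER: CA, server cert (serial 01) and client cert (serial 02).
make_pki() {
  dir=$1; master=$2
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -days 1000 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=k8s-ca" 2>/dev/null                       # CA name is assumed
  # Server cert: CN is the name clients dial (not an IP); the SAN repeats it
  # because current TLS stacks, Go included, ignore CN for hostname checks.
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=$master" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$master" > "$dir/server.ext"
  openssl x509 -req -days 1000 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -set_serial 01 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null
  # Client cert: kube-apiserver uses its CN as the user name; serial differs.
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
    -out "$dir/client.csr" -subj "/CN=k8s-minion" 2>/dev/null
  openssl x509 -req -days 1000 -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -set_serial 02 -out "$dir/client.crt" 2>/dev/null
}

# check_pki DIR MASTER: exit 0 only if every property the setup relies on holds.
check_pki() {
  dir=$1; master=$2
  # Both leaf certs chain to the CA that --client_ca_file / --cacert will trust.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null 2>&1 || return 1
  # The server cert must carry the hostname clients connect to, in CN and SAN.
  openssl x509 -in "$dir/server.crt" -noout -subject | grep -q "CN *= *$master" || return 1
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$master" || return 1
  # Each key must match its cert, or kube-apiserver/curl will refuse the pair.
  for n in server client; do
    c=$(openssl x509 -in "$dir/$n.crt" -noout -modulus)
    k=$(openssl rsa -in "$dir/$n.key" -noout -modulus 2>/dev/null)
    [ "$c" = "$k" ] || return 1
  done
  # Two certs from one CA must not share a serial (X.509 requires uniqueness).
  s=$(openssl x509 -in "$dir/server.crt" -noout -serial)
  [ "$s" != "$(openssl x509 -in "$dir/client.crt" -noout -serial)" ] || return 1
}
```

Run `make_pki ./keys k8s-master && check_pki ./keys k8s-master` and copy the resulting files to the paths given to kube-apiserver below; a non-zero exit from check_pki means one of the commented properties failed.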
$ /usr/bin/kube-apiserver --logtostderr=true --v=0 \
--etcd_servers=http://127.0.0.1:4001 \
--allow_privileged=true \
--portal_net=10.254.0.0/16 \
--admission_control=NamespaceAutoProvision,LimitRanger,ResourceQuota \
--runtime_config=api/v1beta3 \
--tls_cert_file=/home/minion/keys/server.crt \
--tls_private_key_file=/home/minion/keys/server.key \
--client_ca_file=/home/minion/keys/ca.crt \
--bind_address=0.0.0.0
Copy the client key and certificate to the minion node, log in to the minion, and add the master's entry to /etc/hosts.
$ sudo vi /etc/hosts
$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.3 k8s-master
Check client access.
$ curl -v https://k8s-master:6443/version \
--key ./client.key \
--cert ./client.crt \
--cacert ./ca.crt
$ kubectl version -s https://k8s-master:6443 \
--certificate-authority=ca.crt \
--client-certificate=client.crt \
--client-key=client.key