Kubernetes: How do I access the CA to sign a new user certificate?

April 30, 2019 3k views
DigitalOcean Kubernetes

I’m going through a RBAC tutorial for Kubernetes and have hit a roadblock. It looks like I need to sign user certs using Kubernetes’s CA. Since I can’t seem to access the master node, is there a way for me to access the CA or at least just sign new user cert requests with it?

1 Answer

Hi

Yes you can use the build in CA in your cluster to create client certificates. Background information on how to use the CA: https://kubernetes.io/docs/concepts/cluster-administration/certificates/

Basically here is what I did:

Assuming I have a user.json like this:

{
    "CN": "haugom",
    "key": {
        "algo": "rsa",
        "size": 4096
    },
    "names": [{
        "O": "haugom",
        "email": "some@email"
    }]
}

You can then generate a CSR for this. In this example I use cfssl to generate the CSR:

cfssl genkey user.json  | cfssljson -bare client

You can now use kubectl to submit a CSR for your cluster:

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: haugom
spec:
  groups:
  - system:authenticated
  - haugom
  request: $(cat client.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

The request field is base64 encoded version of your csr file.

To view your CSR: kubectl get csr

To approve it:

kubectl certificate approve haugom

Decode it:

kubectl get csr haugom -o jsonpath='{.status.certificate}' | base64 -d > client.pem

You can now use the client-key.pem and client.pem to build a kubeconfig.

You can then create RBAC rolebindings on your cluster assigning to either –user=haugom or –group=haugom (assuming you used “O”: “haugom” like I did in this example)

/G

Have another answer? Share your knowledge.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!