Kubernetes - Manage TLS Certificates, CA, Certificate Signing Request CSR, Signers, Usage

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

kubernetes manage tls certificates it's a certificate authorities and certificate signing request which is called csr so before going to the tls let's try to understand https and where the tls comes into the picture etc so let's say you have one browser and there is a web server so you are trying to hit some website so your browser typically a chrome browser or any browser which is a loaded with all the public ca certificate ca certificate authority here so and as well as wherever the website you are trying to hit say youtube.com kubernetes.i or any website you are trying to hit this website is exposed as a https how this will have one web server certificate which is signed by this guy the certificate authority right so certificate authority will have a store here in the browser side and server side which is a signed certificate whenever you go and hit from your browser url this this is a client this is a server now this client sends a request to this server hey i wanted to hit your server then this server will send back the response saying this is the my certificate and this is the my public key and this will server will send back to the client now what the client will do client means to your chrome browser which will verify against the ca which is a certificate authority whether this particular guy whatever sent which is a legitimate or not then once it is verifies then this will send back client will generate one encrypted session key and send back then then after that server will send yes whatever the encrypted key you sent which is specific to this guy among the crores billions of users then server will yes acknowledge and then both guys are acknowledged then both the communications are encrypted so this is the communication is basically a typical https communication how it will work right then so here this is in the http layer which is application layer level if you look at the osi 7 layers the which is a middle layer is a transportation layer so application layer to the request will be forwarded to the transportation layer which is in the transportation level layer level tcp connection will be established so how it will be is this is your web browser and this is your web server first tcp connection so this web server will send some request which is called a sync and acknowledgement is no acknowledgement this guy's browser will send some number and then web server will return back with some other number and increases the this browser's number and says yes acknowledge then after that this guy browser will send back servers number incrementing by one and client number and send back to the server so this is called a tcp connection establish just a connection only a physical connection you mean all right so once this in this once this step is complete the both the parties will assume that yes there is a connection is established now second is a tls this is also called a tls handshake process as a second step what happens is you have a browser and you have web server right then first browser will send a hello message to the web server right out then server will send back yes hello means hello then this web server will send a certificate to the browser and that certificate and also requests a browser's client certificate then this browser will send the certificate back to web server right to why they are asking each other to identify each other mutual tls so and client basically what this client will send is there is some cryptographic hash value this browser will generate and send it to the server now client will say yes i'm done i'm finished then after the server also will say yes it's finished then after that both the parties will use this cryptographic cache value and all the communications are encrypted by using its own keys right and this is called a request response and both are encrypted this is how the a typical tls handshake process this is a very high level now next is a certificate authority right in the first step we have seen so basically certificate authority point of view there will be a root ca right see if you go to the browser say this is my youtube and say i open my certificate right so this is a root c root ca is given by whom if you look at the details right issued by google trust llc google trust llc and there is an intermediate ceo so let's go back here right this is a say if you go to the kubernetes dot io which is the same case right i'll close this this kubernetes dot io right this given its certificate right so these are root certificate right this is a root certificate and right then this root certificate basically usually it's a self-signed by the its own organization and root certificate science intermediate ca which is the middle one which is this is the one if you select r3 it looks like that and the issuer name will be there here so if you go here and if i select intermediate ca internet ca issuer is who the top level going right and this certificate is valid up to 20 35 this certificate is valid up to 20 25 so these are 20 years this is a 10 years right and this is just typically one year like that so root ca will science internet ca and intermediate ca signs the actual server certificate so that uh this is how the the ca will work and that's how the trust will be established uh based on the issuer and to whom he it's issued etc so if you drill down the more details here right scroll down this particular kubernetes dot io certificate issued to the it's uh basically it's a domain name right if you scroll down here right uh its algorithm and all will be there dns name kubernetes dot io www.kubernet so whatever all the kubernetes dot io and as well as its website ww so this is uh how the typical ca looks like right then certificate signing so as in the first step we have seen that the signing process right so how the signing will happen is you will be creating one public key and private key this is called a key pair key pair means one public and one private public is always public private is always is a private you will be keeping secretly storing you are not sharing with anybody so public key what it tells is who you are say i am gvr guys this private key is some encrypted keyword so why the private key will be used private key used to prove who i am and as well as a decrypt right then what happens is this public key will have some identity information then you will be raising a csr which is called generating a certificate signing request to whom a certificate authority say i wanted to create my certificate for my website so this is how i will do then with my identity information the csr will be sent to certificate authority certificate authority again in this they will have one private key and certificate authority what it will do is it will sign and give me a assigned certificate so in this process i just generated with my information but this guy is given a signature and this is a signed certificate so this side certificate i can use in my web server we have seen in the first step right so this is how the certificate signing process happens now signed certificate signed certificate how they will give just now we have seen that so in the kubernetes uh say let's go to the uh youtube right uh this is youtube and certificate and second action secure here and i'll just expand details right this google common name is this but when you scroll down here alternate domain names right same certificate will be used for star dot google api engine bdn.devo right there are many google google ca cloud.encode.jpg.uk right so for this all domain there is only one certificate is a sign certificate right so that's how the uh the the signed certificate will be given to the its alternate domain names so that this website can use now let's come to the kubernetes ca so that's what the topic here so kubernetes so basically ca point of view there are two different types of cs one is a public ca which is used for the websites and there is a private ce so public see right say for example uh kubernetes dot io is a some website let us consider and this kubernetes dot io is a public website all the developers are using red day today so this is issued by if you go scroll expand the details this organization is let's encrypt this is one of the bigger organization they guys signed and given this is the public ca and where the private ca used within the organization say i am working in one company one company has said ten thousand employees and say out of 10 000 there are 5000 kubernetes clusters all the clusters should use the 1ca which is issued by the one organization so you can create your own ca same like this and use it between the your organization within the organization that's how the whenever you create a kubernetes cluster with say one master node and one worker node it will use internally a private ca for its components what are the component means component means its kubernetes api server at cd right controller manager scheduler these are the kubernetes component if you look at the kubernetes architecture right and kubernetes have a ca which is a private ca its own ca which is typically a second level ca so that means this is a root ca intermediate ca and the server set so within the organization level you will be using your one intermediate ca that's enough there is no uh root ca right that's how the uh the kubernetes will use and will see and will prove as well so this kubernetes ca creates a certificate for all the components right and what are the certificates it will create ca one is a server certificate when i say server certificate means one certificate and one key file so key file is always there html and one client certificate means [Music] api server api server is a server and as well as it works like a client as well right see i have a i own a one shop i am a boss for the shop but when i go and buy somebody other shop i will become a customer right i'm a client so same likewise kubernetes exposes these two different kinds of certificates if it is a client certificate signed by the ca server certificate also signed by the ca as simple as that and every certificate will have a key as well that's for the this red color key now next kubernetes cs yeah so if you go to the kubernetes master node right uh say i'm in kubernetes uh two node kubernetes cluster right now i will go inside the master node right so i will message inside the master node just bear with me a second yes i am back here right so now so where the kubernetes certificates are stored in this particular location right say cd at c kubernetes right and pki right say ll right when i do the long list these are the certificates are stored and this is a centralized location where the all the certificate will be used see let's say tree right here now first ca dot certificate what is the ca dot certificate this is a root ca for whole kubernetes cluster this is a number one and this is the ca.cert this is a ca.cert which is located in this location right that's a number one number two there is a folder called xcd right which is this this is the one under its cd there is a csr and ca key so what exactly it is this is a second ca which is at cdca we will call so ap ca is a completely root ca and hcd is only for the hcdc now this kubernetes root ca what it will do it will create a server certificate and a client certificate it will sign basically right this is root ca means it's a boss so it will sign right now if you look at the carefully here there is a front proxy ca right so you see here front proxy ca ca ca dot crt and client so kubernetes is also maintaining a front proxy ca as well so front proxy ca is basically to communicate with external [Music] users whenever external users connect to the kubernetes then the ca will be used right but overall idea is here kubernetes maintain a 3cs123 at cds for eight series it is a key value store database right and hcd has a health check client means this hcd connecting to the some health check server by using this certificate you got it and there is a pier this cd exposes there is a peer server and it's its own server so hcd has a different functionality and it has a it own certificate but point is it has a one c now next so kubernetes will have a three different cs now if you wanted to see that how to see that qb search check expiration command will tell you the so let's do that sudo seo so i need to be the uh so cube adm that uh sorts check expiration search check hyphen expiration right so when i do the qbm check certificate expiration right here that's what of course the same diagram which i have kept here right certificate authority how many certificate authorities are there in my equivalence cluster one is a ca which is called a root ca which is residual time nine years validity at cdca is nine years and front proxy also nine years this is specific to the my kubernetes cluster only if you create in your local machine scenes i created this cluster in my local machine this local is mac so if you create then it will be the different and it's certificate everything different now there is admin api server this api server is signed by whom root ca which is this at cd signed by whom at cdc yeah of course there are three cs yes just now i've seen scheduler scheduler signed by whom ca what else api server will connect in kubernetes right those will be used its cs so i hope this will give you the some idea right and its expiration so usually this will be typically one year and then after the one year it will be automatically renew right and there is a renewal command as well cuba dm certificate renew some at the document so this is the kubernetes component right so if you look at the api server apa server will have a server certificate client certificate hcd just now we have seen server certificate and client certificate and cubelet where the cubelet will reside cubelet will be residing in the individual worker nodes so every cubelet also have a server certificate and client certificate right so this is the diagram which i have taken from official documentation just go to the kubernetes and search for qnet component then this diagram will show just i added this right so and controller manager is basically it doesn't have anything because this eps server is talking to the this component which is internal component right so whatever is so here cubelet how it's talking to api server by using its client certificate whenever apa server wanted to talk to this guy in this direction then it will use as a client certificate to connect to cubelet cubelet also have a one server certificate right because there is sometimes aps server also need to talk back to cubelet right so both the directions the communication will happen and in this this communication will happen via this epa server will have a ad cd client certificate and connecting because api server will inject the entries into the hcd database right that's why cd exposes these two certificate of course otherwise if it is nobody's using then one server certificate is enough right so why the client if anybody want the customers of this guy will use as the client certificate as simple as that now here worker notes how the worker node will get a certificate let's say i have a kubernetes cluster one master and one worker node right i have added a new worker node due to the sum my workload i wanted to handle how this worker node will join and uh this qbps server will recognize that this guy is also part of our group so what the cubelet will do is cubelet create a csr same the first step what we have listen same cubelet will create a certificate signing request [Music] by using it there is a api exposed by the kubernetes which is let me show that right so this is a certificate signing request csr and if you go here and this documentation is there and there is a tl authentication so it's there in this particular documentation so this is the first it will create one csr by using this api means kubernetes api server exposes one api endpoint to create csrs to this guy because here our intention is to this worker node to joining into the this group right like a new joiner in the organization so so cubelet will send here to by using this api second send it to ap server with what information system dot node and dollar of instance so this instance whatever because this in sums name could be anything how this master guide should know that's this name so right system.node.instance and it will send to master node this is an identity of the and system.node is a group it will tell in their uh cubelet that hey aps server one worker node is joined in our group this is the please add it into the system dot node group with the its id then cube api server it will sign and approves the request with built-in signer so of course he is the signing capabilities if you go to the bank only if you guys only have a signing capabilities not everybody right like a bank manager where you apply for the loan the finally when bank manager will signs then your loan is granted something like that so this guy will sign and approves with the built-in signer whenever cubelet communicates its automated uh auto approves right and once this is signed then that whatever the signed certificate will be used by the worker node and then all the communication will happen here once it is signed you can download it and use it now given its communication right so here in the kubernetes there is a api server and of course it's hcd as we have seen in the previous api server will have a root ca yes we have seen in the uh right here root ca then second is a server certificate and client certificate yes we know and at cd also will have hcdc server certificate and client certificate yes we know that we have seen in the previous slide now this is a node uh say worker number one and where the cubelet is reset right so this cubelet will use client certificate and the call the communications to the epa server are encrypted by using a tls communication because same the initially whatever the procedure we have seen here tls three-way handshake and communications so this is between the transport layers here right because already there is communication and say let's say there is one part right this is a cubelet let's say in you have one part is running and this part has a default service account and config map as well right and this part wanted to talk to api server how it will use this will use ca certificate and sa token what exactly it is so let's prove that so i'm getting out of uh my server say let's say cubesat get pod so when i say get parts right there the hello world part is running just simple hollow world part right so cube ctl okay describe pod and uh hello world right simple enough if i open a hello world part right just scroll down a little bit carefully yeah better what i will do is uh ctl get mod cube ctl get getport and hello world right and then hyphen oh yaml i wanted to see in the yaml format now see this hello world pod has a there is a volume amount of service account what exactly this is a one just please note down this is a one second is if you scroll down right uh [Music] volumes right and there is a config map also mounted as a volume which is this is a config map right cube root ca.crt right there is this is a config map is mounted right two things one is a service account and second is so let's copy these and what i will do is keep i will go inside the part cube ctl execute in interactive way and hello world and bash auto completion is enabled right and now i'll go inside the port now i'm inside the board now first service account what is exactly the service account let's copy this cd i'll change it to this directory now ls one two three files are there one is cat ca.crt what is the ca.crt this ca.crt is mounted from cube root ca.crt how to prove that i will open a duplicate tab right now cubectl getconfig maps in cubesystem namespace [Music] so what is this it's a cube root ca dot crt this is which means whatever the root ca certificate is exposed as a configuration map since it's a public to the within the cluster same so if you wanted to if you are interested to know the uh how to how it looks and all right describe configmap cube root certificate start with miic and ends with the yr9 let's go back here start with miic and with the yr9 perfect right now and the second is what a token right cat token this is a one token so this token is from the secret right uh say let's say cube ctl get secret in default namespace this is a default token what is this token service account to token to communicate with the kubernetes api server as simple as that so that means let's go back to the slide this part using ca certificate and service account token these two to communicate with the ap server as simple as that right so whenever i'm creating a hello world mod i did not specify anything i just keep ctl run then this is a container i given that's it it's exposed now next this is a cubelet took qap server communication now there is a cube config right say let's go here and then say clear say cube ctl config view right this is a my keep config file where i am connected as a cube admin right cube ctl config uh current context i'm just connected either only one guy qnets admin right this one right here whenever i connect from the cube config file i will be using a client certificate and client key this is and also i can use a token as well these two ways either now then after that this cube config to here the communication is happened via again the tls so if you look at the my cube config file cube ctl config current context hyphen iphone cube ctl config view right and hyphen iphone raw if i do that it will show me the actual values hyphen iphone so if you scroll down here kubernetes admin user user user mean this guy this guy is using a two certificates client certificate data client certificate key right so which is these two client certificate client key then i am communicating with the api server so right my servers are located in a different place i am connected from the my local macbook right maybe if i share my cube config file you can also connect from the my local area network so this is how the communication will happen from the node to qbps server and cube config means from admin to qbp server right and you can do cube cdl apply do something means it will just do and internal communication happen between a qap and hcd is a internal communication which is c right now now so we have seen in the previous slide csr right csr how it looks right uh so if you go to the kubernetes documentation certificate signing request and manage dls certificates in a [Music] cluster so if this certificate signing request scroll down there is a csr which is created right um maybe i will show here uh yeah there is a certificate signing request this is all right so let's try to understand so means if you wanted to achieve this guy this guy or here to here anything you wanted to communicate with the qbp server you need to create csr how you will create by using this is the ml so here kind is a certificate signing request and you will give a sum name group so here what i am trying to do i am trying to create a user as a venkat so you see here cube ctl config current context so here in the current context admin is here so i wanted to create a user as a ven cut and he i want to be part of a system dot authenticated group which is a csr yaml definition has second is a request who is requesting venkat dot csr so first i will create a my own csr right then i will be a 64 encode and just send it here then signer i am asking who signature cube api server client so in the kubernetes csr there are signers so here my use case is what my target i wanted to create a one user which is as a when cut right as a cube config user so i just wanted to use as a client authentication so if you wanted to know about this particular details right this is a csr then second csr another example right so you let just look at cubectl explain this is the best way right uh say certificate signing request when i keep see tell explain right uh and it's a definition and all maybe go and read that right and it's a spec i'm most interested in the spec so now dot spec right when i do the dot spec right here right first groups whatever the request group membership okay and if you don't specify automatically this will be populated and the request is basically whatever the certificate request pembroke here is clearly mentioned that pemblock which is a pm certificate then signer right signer so i am creating a csr but whose sign right one is cube api server client second is cube api server client cubelet then means apa servers client second is cubelets client then cubelet serving so these are the three different signers but you can create your own signer as well yes there is a fourth one you can create your own fourth one right so yeah so here there is another csr which is i want to be a part of system.authenticator and i created some hello world uh server i created hello world application that hello world application wanted to to be called by the aps server means apa server will call this hello world application in that case i need to have some authorized right so like admission controller i am creating so admission controller is connecting to hello world so in that case i will use the signer external signer which is learn with gvr.i gbr.ivo.serving which is i just given a domain and these are the usage and another important is the usage is here right usage for what purpose you will use request for tls client certificate request for serving a tls advocate i want the certificate for serving not for the client the previous example is a client previous example is what this venkat is a user he is a client for qbp server but whereas this is serving the certificate which to be to to be called by qb server right he is not calling qbap server will call this particular hello world so in that case usage you will be specify digital signature key and shipment and server authority in the previous one you see client authentication only right so that's what this documentation is said for what is the purpose you can use that and there are various valid purposes as well valid use cases right i think i hope you get the what is csr now csr signers as we have seen in the just now here there one is a cube api server client second is a cube api server client cubelet right and like a kind of a cubelet cumulative being called by the e psr one so the second one third one is a cubelet serving so cubelet serving is also a one of the uh serving basically issues for the tls endpoints yeah so these are the three and there is a custom signer as well so which is the line with gvr type the serving now csr key usage as we have seen right this usage so uh all the valid values are these are the values say if you wanted to do for email protection or mime so there are many it's a very advanced topic where if you wanted to implement some custom plugin for the kubernetes as admission controller then you can specify this certificate and use for that right so yeah and then tls client these three use tls serving then use this so that's what the as per the documentation now csr command keep ctl get csr cube ctrl describe csr right so if you go here right give ctl get csr right so this one so and these are the commands um and if you go to this official documentation right which is this github this is the what the which is uh yeah this is the one given its enhancement and there is a diagram this is the one so basically uh so before going that let's go the steps so basically i have a kubernetes cluster so what i will create i have created a certificate key pair using a cfssl so first step is i have to create a certificate pair by using a cfssl what is cfssl which is a cloud fair ssl uh why we need to use apart from openssl is basically this is developed in the golang and which has a more secure features and you can do the self signed customs here and all and in the kubernetes the hard way uh in here also uh if then they have used and it has a very more capabilities than the regular open ssl you can go and explain so whenever you create a certificate pair it will create one csr and key file or pem file that's the first step second you will create a certificate signing request which is go to the documentation which is something like this and we'll see the demo as well now third is [Music] then once the certificate signing request is done then you will be approving then second here i wanted to use as a custom ca i don't want the existing signers so here signers are three people i don't want that signer i want to use a my own signer so this one or if you wanted to use existing signer then custom ca creation not required because already you are existing right it's a custom c then after that you will be signed with the ca signing with the ca to whom this is certificate which is uproar certificate then next you will upload once the signing is complete you will upload the signed certificate to the api object level so that it will reside then download it and then use it where you will use you will use as a secret in the pod right so overall purpose is what's the purpose i am doing right this is what's the purpose say here when i say use it and so why i should use this csr right so use cases example use cases only there may be many say i wanted to create a cube config user which is a ven cut here venkat is a user he will talk to cube api server right right as uh we have seen right keep config user now second is i wanted to create one hello world xyz service as admission controller web hook in that case qbp server will call this a guy correct it's a reverse direction in that case also i need a certificate right that certificate how you will create by using a csr now xyz service from abc organization say dual communication i want also you can do that so it's like you are authorizing your own certificates with the equivalent right now the demo time all right so now i'm in a two node kubernetes cluster so i have a service called hello world svc which is running in my cluster and i and it's specific mod hello world it's a very simple part so my objective is to this hello world svc i wanted to create one certificate i wanted to host this hello world svc as a secure server i wanted to expose as a https communication so that apa server will call by using an admission controller right so here this is kubernetes cluster so first generate a certificate key pair using a cfssl utility so and go to the documentation manager tls certificate right so here this is the what the certificate signing request i need to create by using cfssn so i copy the same json here right here well basically what exactly it is my service is hello world svc right and i wanted to expose this hello world svc as alternate domain names maybe people can call this name and this one this one anything and my cname is this one and whatever this algorithm and the size and etcetera and this is the my cluster ip and this is my part ip that's what the cluster ip and the pod so this will basically what i do i am in a csr directory right which is this one so what i will do is mkdir i will create one test directory and cd go inside the test directory perfect now uh first step is to create the this particular certificate signing request which is as per the documentation but i just modified the values right now so i just enter here right now it's created under the test directive so let's go to the test directory so there are two files are created server.csr server.key here server is my hello world server right now once the certificate signing request is basically certificates are created right which is a these two files are created right csr and pim file right csr and file now second is create a certificate signing request so this is the actual process where this is a certificate signing request here mysbc.namespace is given as the name so what i did is i created a similar file by copy paste here hello world svc.default this is my name i given and request what is i'm passing here this server certificate base64 encoded i am passing here signer is the most important who is the signer learn with gvr dot io which is this guy is completely a new kubernete is not aware of so why learn with gvr let's consider this hello world application is developed by learn with gvr company and and this hello world must serve the certificate which is this is the external signer and this external signal has to also recognized by the kubernetes as well that's the whole objective and what is the purpose of usage is this one which is everything is i copied from here right perfect so now i'll creating a csr which is a just copy paste in the interest of time so i can modify as well right now i just did that right perfect and it's created now how to check that keep ctl get csr hello world csr is created and six second back signer is who is the signer learn with gvr.io and still now kubernetes is not aware and the certificate status is pending by the way who is created is a venkat is created i am i am the creator right now cubectl describe csr right so this is the my when i describe the csr signer is it definitely is external sign or not a kubernetes default signer right so some organization and these are the alternate domain names and ip address which is no now that's another step is once i created approve the certificate if you wanted to approve the certificate then it's very simple comment cube ctl certificate approve and the csr name right so here keeps retail certificate approve and what is my csr name this is the csr name right when i when i do that approve and qctl get csr see the status is pending to approve but still the signer is a new guy kubernetes is not aware of this signer right perfect now just clear so now apple then next step is create a custom ca why we need to create a custom ca because here the signer is a designer i'm i have to create this signer so in order to create a new signer there is a syntax is given first you need to create a one file which is called a json file right uh this is this one so just copy that and my example signer is given right but what i did is right i created i just created learn with gbr is a signer some name okay just for the demo now let's look at here [Music] right as soon as i create it created the three different files earlier these two server dot csr now one two three c a c a c a dot so these three files are created specific to the ca which is this guy now next step is go to the slide sign with the ca now my ca is created now i have to sign how to sign that here is a command is given which is i will copy i have copied and just modified the values right so i will copy these values and by the way there is a sign configuration i have to create why the sign configuration is whenever you are signing what is the usage what is the expiry and it concerns its profile name you can create a multiple profile so this is a simple configuration sign config which is given in the documentation as per that i have created this sign configuration right so nothing new here then i need to pass it to the this test directory now i will have a command here right so i will just copy by the way let me explain keep serial get csr this is the so let's copy that yeah so right so this is a signed certificate so cube ctl get csr this is the uh certificate and cfssl sign with the ca.p.m ca.key pam and sign configuration so three values i am passing signing right which is this ca i'm passing and so it's assigned right now cube ctl get csr now let's see right so this is the one and ah right now the next is once you create the uh once you sign you need to upload the sign certificate to the api object why you need to upload use sign but you need to let the kubernetes system know that there is a new signer is created right further the command is given by the uh is uploading is this is a command the given and what i did is i just simply modified the certificate right so this is the one right i will explain what exactly this command will does right so now here right yeah so here i need to just change the something my csr is this one but uh csr name is somehow changed so once again yeah this name it's not hello world csr which is a this is the name right hello world so get the csr and it's a certificate and cubectl replace hyphen raw and what exactly this path is api server path where all the certificate signing requests will be located which is a hello world with this name it's a status so i'm uploading back right so now when i enter here right it's done so how to verify that and by the way cube cdl replace and hyphen iphone ra will tell you about the what to do what exactly does so if you wanted to check that then cube ctl replace and then look for the help and hyphen iphone raw ra you are right to put to the server so you are injecting into the server right whatever the signed certificate that's what the uploading into the api object and where you are uploading here in the previous tab right you are uploading into the this is the api path which is a certificate signing request path right now now cube ctl gets csr what the status is here approved and issued that means first step approve and second issue so go to the slide here right upload it and it's a proven issue now next step is to just simply download the certificate how to download the certificate is simple this is a csrt give ctl get csr and what is my csr name this is the csr right and here is a command is given so iphone or jsonpath status dot certificate right so if you look at here this is the this is the my certificate but the certificate is not a base64 encode so i need to just base 64 hyphen d this is a base64 decoder certificate how i wanted to download my locally as a server.crt right so now i'm downloading right downloading in the sense this is the last step i'm doing that right right here right so sorry so now control c right now after that that server.crt perfect now when i do the server.crt go here server.crt is created this is the certificate which is completely signed and issued which this certificate can be used by my server this is a red is a completely fully authorized certificate right so now this is the one now the next step is create secret and use in a pod right so now in the next step is go to the documentation here so why you need to creating a secret because your parts maybe need this certificate so what i will do is just just to creating a certificate so once i have this certificate i can use it anywhere right so here so keep ctl create certificate not a server which is hello [Music] uh world server crt just give some nice name right now it's secret is created cube ctl get see great right hello world server crt this is the certificate which is created five seconds back right this certificate i can use it in my application so that my application serve as a http tls ready for the tls communication with the api server right and this is a one example and there is a second example as well where i wanted to create basically one user as the venkat cube config user right so this is the second example say keeps on keep config get uh keep ctl config right uh get context only one context is there i wanted to create a wink at user called anchor so then you will be creating again you will be creating one key pair and raising a csr but here raising a csr with what who is assigner api server client right so let's do that quickly these are the commands so so i'm creating right so now i'll just do sorry right so now clear and then do that right it's done vanka dot key file are created right here right winker.css.key now the next step is right now raise a certificate signing request so here certificate signing request what you are doing is just look at the carefully [Music] wcsr you created passing of anchor dot csr which is created just now and who is the signer cube api server client because here the purpose is you wanted to connect right cube ctl gets yes sir now wcsr gets created but who is the signer here is a different signer it's a pending how to approve that keep ctl right uh right so here is uh the command right so basically certificate approve anchor give ctl just keep ctl certificate approve not a banker which is certificate name is wcsr right so who is approving kubernetes admin i am the approving right so if you look at the cube ctl get csr what happened wcsr is approved and issued there is no signing additional step here why because i am using existing signer for this one now i can download the certificate and use it in my cubeconfig file how to do that it's a simple command right uh see see this is again the way we did that right so just go here right cube ctl get csr it's not a ven cut csr name so it's a wcsr right and if you do that this is a certificate where i can download right so here bankert venkat user crt perfect now what i can do is bank user crt and venkat key these two files i can use as a cube config user which is cube ctl config view iphone iphone raw here is a user kubernetes admin right i can create another user called a venkat and use it as a kubernetes user so that it will authorize of course it won't authorize you need to add on top of that or back permissions and etc quickly what i will do is i will create a role and role binding for the the user which i am going to create so i just created right so here there are so cube ctl get roll there is a one roll is create a developer and keep ctl get a roll binding right and what is the role binding role binding when cut so and for this i just created this role binding so the next step is quickly i will just create a keep config so basically here i have a two files right uh venkat is crt which is assigned by the kubernetes api server and one is a key so by using these two files i am going to create a config user so which is just to save the time i will just try to create this command one by one this one and this uh keep config right the user is created now the text is set context right uh and this is a key pointer right now cube ctl get uh keeps sorry keep cto config right uh get contexts now you see there is a vent cut and as well as a there is a given its admin so you can just use the skip country use context as a when cut right now as a banker now what the venkat is allowed to do he can list and delete update parts so keep ctl get parts right keep ctl config uh current context who i am connected i am a banker so this is the way you can achieve you can restrict you can uh make use of users um the certificates right and here if you look at here cubes cube ctl config view hyphen iphone raw right so if you look at here uh yeah users kubernetes admin this admin and if it is a banker specific client certificate and client data this client certificate and client data is generated by using my csr process that's it for this session and thank you for listening sorry for the long video and let me know what you guys think about this particular kubernetes certificate and csrca process thank you bye bye

Info

Channel: Learn with GVR

Views: 5,209

Rating: undefined out of 5

Keywords: kubernetes, #learnwithgvr, containers, kubelet, cerificates, csr, CertificateSigningRequest, cfssl, signers, usage, certificates.k8s.io/v1, ca.crt, kubernetes root ca, kub, ssl, tls, tls handshake, certificates, ssl certificates, kubernetes security, k8s, k8s security, etcdca, front-proxyca, rootca, intermediateca, ca signing, certificate signing, kubeletcsr, howcsr, ca types, custom ca with kubernetes, kubernetes custom ca, imagepolicywebhook

Id: OHmgb7h-2-g

Channel Id: undefined

Length: 58min 15sec (3495 seconds)

Published: Sat Mar 19 2022