
Question 23 - Kubelet Certificate Info

Question 23 | Kubelet client/server cert info

Use context: kubectl config use-context k8s-c2-AC

Node cluster2-node1 has been added to the cluster using kubeadm and TLS bootstrapping.

Find the "Issuer" and "Extended Key Usage" values of the cluster2-node1:

  • kubelet client certificate, the one used for outgoing connections to the kube-apiserver.
  • kubelet server certificate, the one used for incoming connections from the kube-apiserver.

Write the information into file /opt/course/23/certificate-info.txt.

Compare the "Issuer" and "Extended Key Usage" fields of both certificates and make sense of these.


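The Issuer field names the certificate authority that signed the certificate. The Extended Key Usage field states the purposes the certificate may be used for beyond basic certificate validation, such as TLS client or TLS server authentication.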


kubectl config use-context k8s-c2-AC

# To find kubelet settings we can look for where the configurations are
ssh cluster2-node1

root@cluster2-node1:~# ps aux | grep kubelet
root 231 1.1 1.1 2984432 93892 ? Ssl Apr11 23:36 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime-endpoint=unix:///run/containerd/containerd.sock --node-ip=172.18.0.7 --node-labels= --pod-infra-container-image=registry.k8s.io/pause:3.9 --provider-id=kind://docker/kind-cluster-ia/kind-cluster-ia-worker --runtime-cgroups=/system.slice/containerd.service

# The kubelet settings are in the file passed as --config=/var/lib/kubelet/config.yaml. If a value is not declared there, the default applies; the defaults can be found in the documentation by searching for kubelet

root@cluster2-node1:~# cat /var/lib/kubelet/config.yaml
# No certificate directory is set in this file, so the default from the documentation applies: --cert-dir /var/lib/kubelet/pki

cd /var/lib/kubelet/pki/

root@cluster2-node1:~# openssl x509 -noout -text -in /var/lib/kubelet/pki/kubelet-client-current.pem | grep Issuer
Issuer: CN = kubernetes

root@cluster2-node1:~# openssl x509 -noout -text -in /var/lib/kubelet/pki/kubelet-client-current.pem | grep "Extended Key Usage" -A1
X509v3 Extended Key Usage:
TLS Web Client Authentication

# Next we check the kubelet server certificate:

root@cluster2-node1:~# openssl x509 -noout -text -in /var/lib/kubelet/pki/kubelet.crt | grep Issuer
Issuer: CN = cluster2-node1-ca@1588186506

root@cluster2-node1:~# openssl x509 -noout -text -in /var/lib/kubelet/pki/kubelet.crt | grep "Extended Key Usage" -A1
X509v3 Extended Key Usage:
TLS Web Server Authentication

We see that the server certificate was generated on the worker node itself, while the client certificate was issued by the Kubernetes API. The "Extended Key Usage" also shows whether a certificate is for client or server authentication.

More about this: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping
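
The same comparison as a script, added here as an example and not part of the original solution: it prints Issuer and Extended Key Usage for both certificates and checks whether each one verifies against the cluster CA. The function names are illustrative, and the CA path /etc/kubernetes/pki/ca.crt in the usage comment is the kubeadm default, assumed here.

```shell
#!/bin/sh
# Added example: summarise and compare the kubelet client and server certificates.

# cert_summary CERT: print the Issuer line and the Extended Key Usage value.
cert_summary() {
  openssl x509 -noout -text -in "$1" | awk '
    /^ *Issuer:/ { sub(/^[ \t]+/, ""); print }
    /X509v3 Extended Key Usage/ {
      getline; sub(/^[ \t]+/, ""); print "Extended Key Usage: " $0
    }'
}

# cert_role CERT: classify the certificate by its Extended Key Usage.
cert_role() {
  case "$(cert_summary "$1" | grep '^Extended Key Usage:')" in
    *"Client Authentication"*"Server Authentication"*) echo both ;;
    *"Server Authentication"*"Client Authentication"*) echo both ;;
    *"Client Authentication"*) echo client ;;
    *"Server Authentication"*) echo server ;;
    *) echo unknown ;;
  esac
}

# signed_by CERT CA: succeed if CERT verifies against the CA certificate.
signed_by() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# cert_report CLIENT SERVER CA: the comparison the task asks for.
cert_report() {
  for cert in "$1" "$2"; do
    echo "== $cert (EKU role: $(cert_role "$cert"))"
    cert_summary "$cert"
    if signed_by "$cert" "$3"; then
      echo "Chains to cluster CA: yes"
    else
      echo "Chains to cluster CA: no (issued outside the cluster CA)"
    fi
  done
}

# On the node (certificate paths from the page; CA path is an assumption):
# cert_report /var/lib/kubelet/pki/kubelet-client-current.pem \
#   /var/lib/kubelet/pki/kubelet.crt /etc/kubernetes/pki/ca.crt \
#   > /opt/course/23/certificate-info.txt
```

A serving certificate that does not chain to the cluster CA is what the node-generated issuer in the output above looks like when checked with `openssl verify`.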