Pregunta 23 - Información de Certificados Kubelet

Question 23 | Kubelet client/server cert info

Use context: kubectl config use-context k8s-c2-AC

Node cluster2-node1 has been added to the cluster using kubeadm and TLS bootstrapping.

Find the "Issuer" and "Extended Key Usage" values of the cluster2-node1:

kubelet client certificate, the one used for outgoing connections to the kube-apiserver. kubelet server certificate, the one used for incoming connections from the kube-apiserver.

Write the information into file /opt/course/23/certificate-info.txt.

Compare the "Issuer" and "Extended Key Usage" fields of both certificates and make sense of these.

TODO: FINALIZAR

Issuer es el emisor del certificado y Extended Key Usage es cualquier otra cosa que aún no sé

kubectl config use-context k8s-c2-AC

# Para encontrar las configuraciones del kubelet podemos buscar donde están las configuraciones
ssh cluster2-node1

root@cluster2-node1:~# ps aux | grep kubelet
root         231  1.1  1.1 2984432 93892 ?       Ssl  Apr11  23:36 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime-endpoint=unix:///run/containerd/containerd.sock --node-ip=172.18.0.7 --node-labels= --pod-infra-container-image=registry.k8s.io/pause:3.9 --provider-id=kind://docker/kind-cluster-ia/kind-cluster-ia-worker --runtime-cgroups=/system.slice/containerd.service

# Las configuraciones del kubelet están en --config=/var/lib/kubelet.config. Si no fuera declarado un valor, entonces es el valor por defecto que puede ser encontrado en la documentación escribiendo kubelet

root@cluster2-node1:~# cat /var/lib/kubelet/config.yaml
# No fue encontrado nada, pero el valor por defecto en la documentación es --cert-dir /var/lib/kubelet/pki

cd /var/lib/kubelet/pki/

root@cluster2-node1:~# openssl x509  -noout -text -in /var/lib/kubelet/pki/kubelet-client-current.pem | grep Issuer
        Issuer: CN = kubernetes

root@cluster2-node1:~# openssl x509  -noout -text -in /var/lib/kubelet/pki/kubelet-client-current.pem | grep "Extended Key Usage" -A1
            X509v3 Extended Key Usage:
                TLS Web Client Authentication

# Next we check the kubelet server certificate:

root@cluster2-node1:~# openssl x509  -noout -text -in /var/lib/kubelet/pki/kubelet.crt | grep Issuer
          Issuer: CN = cluster2-node1-ca@1588186506

root@cluster2-node1:~# openssl x509  -noout -text -in /var/lib/kubelet/pki/kubelet.crt | grep "Extended Key Usage" -A1
            X509v3 Extended Key Usage:
                TLS Web Server Authentication

We see that the server certificate was generated on the worker node itself and the client certificate was issued by the Kubernetes api. The "Extended Key Usage" also shows if it's for client or server authentication.

More about this: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping

Question 23 | Kubelet client/server cert info​

TODO: FINALIZAR

Question 23 | Kubelet client/server cert info