
Question 23 - Kubelet Certificate Information

Question 23 | Kubelet client/server cert info

Use context: kubectl config use-context k8s-c2-AC

Node cluster2-node1 has been added to the cluster using kubeadm and TLS bootstrapping.

Find the "Issuer" and "Extended Key Usage" values of the cluster2-node1:

1. kubelet client certificate, the one used for outgoing connections to the kube-apiserver.
2. kubelet server certificate, the one used for incoming connections from the kube-apiserver.

Write the information into file /opt/course/23/certificate-info.txt.

Compare the "Issuer" and "Extended Key Usage" fields of both certificates and make sense of these.


TODO: FINISH

Issuer is the certificate's issuer, and Extended Key Usage is something else that I don't know yet.


kubectl config use-context k8s-c2-AC

# To find the kubelet configuration, first look at how the kubelet process was started
ssh cluster2-node1

root@cluster2-node1:~# ps aux | grep kubelet
root 231 1.1 1.1 2984432 93892 ? Ssl Apr11 23:36 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime-endpoint=unix:///run/containerd/containerd.sock --node-ip=172.18.0.7 --node-labels= --pod-infra-container-image=registry.k8s.io/pause:3.9 --provider-id=kind://docker/kind-cluster-ia/kind-cluster-ia-worker --runtime-cgroups=/system.slice/containerd.service

# The kubelet configuration lives in --config=/var/lib/kubelet/config.yaml. If a value is not declared there, the default applies; defaults are listed in the kubelet reference documentation.

root@cluster2-node1:~# cat /var/lib/kubelet/config.yaml
# Nothing about certificates was found in the file, but the documented default is --cert-dir /var/lib/kubelet/pki

cd /var/lib/kubelet/pki/

root@cluster2-node1:~# openssl x509 -noout -text -in /var/lib/kubelet/pki/kubelet-client-current.pem | grep Issuer
Issuer: CN = kubernetes

root@cluster2-node1:~# openssl x509 -noout -text -in /var/lib/kubelet/pki/kubelet-client-current.pem | grep "Extended Key Usage" -A1
X509v3 Extended Key Usage:
TLS Web Client Authentication

# Next we check the kubelet server certificate:

root@cluster2-node1:~# openssl x509 -noout -text -in /var/lib/kubelet/pki/kubelet.crt | grep Issuer
Issuer: CN = cluster2-node1-ca@1588186506

root@cluster2-node1:~# openssl x509 -noout -text -in /var/lib/kubelet/pki/kubelet.crt | grep "Extended Key Usage" -A1
X509v3 Extended Key Usage:
TLS Web Server Authentication

We see that the server certificate was generated by the kubelet on the worker node itself (Issuer CN = cluster2-node1-ca@...), while the client certificate was issued by the cluster CA through the Kubernetes API (Issuer CN = kubernetes). The "Extended Key Usage" field also shows whether each certificate is meant for client or server authentication.
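As an added example (not part of the original notes), the following POSIX shell script collects the Issuer and Extended Key Usage of both kubelet certificates into the answer file and additionally reports which of them chains to the cluster CA. The certificate paths are the ones found above; using /etc/kubernetes/pki/ca.crt as the cluster CA location on the node is an assumption.

```shell
#!/bin/sh
# Added example: summarise Issuer / Extended Key Usage of the kubelet client and
# server certificates and write the result to the answer file.
# CA_FILE is the kubeadm cluster CA as placed on a joined node (assumption).
CLIENT_CERT=${CLIENT_CERT:-/var/lib/kubelet/pki/kubelet-client-current.pem}
SERVER_CERT=${SERVER_CERT:-/var/lib/kubelet/pki/kubelet.crt}
CA_FILE=${CA_FILE:-/etc/kubernetes/pki/ca.crt}
OUT=${OUT:-/opt/course/23/certificate-info.txt}

# Print a label, the Issuer and the Extended Key Usage of one PEM certificate.
cert_info() {
  label=$1; cert=$2
  text=$(openssl x509 -noout -text -in "$cert") || return 1
  issuer=$(printf '%s\n' "$text" | sed -n 's/^ *Issuer: *//p')
  # The EKU value sits on the line after the "X509v3 Extended Key Usage:" header.
  eku=$(printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | sed -n '2s/^ *//p')
  printf '%s\n  Issuer: %s\n  Extended Key Usage: %s\n' "$label" "$issuer" "${eku:-<none>}"
}

# Does certificate $2 chain to CA file $1? Prints yes or no. "no" is expected for
# the kubelet serving cert, which the kubelet signs with a CA it creates locally.
chains_to_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Write the report for client cert $2 and server cert $3 to file $1, using CA $4.
write_report() {
  out=$1; client=$2; server=$3; ca=$4
  mkdir -p "$(dirname "$out")"
  {
    cert_info "kubelet client certificate ($client)" "$client"
    cert_info "kubelet server certificate ($server)" "$server"
    if [ -r "$ca" ]; then
      echo "client cert chains to cluster CA $ca: $(chains_to_ca "$ca" "$client")"
      echo "server cert chains to cluster CA $ca: $(chains_to_ca "$ca" "$server")"
    fi
  } > "$out"
}

# Only run the report on a node where both kubelet certificates exist.
if [ -r "$CLIENT_CERT" ] && [ -r "$SERVER_CERT" ]; then
  write_report "$OUT" "$CLIENT_CERT" "$SERVER_CERT" "$CA_FILE" && cat "$OUT"
fi
```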

More about this: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping