
[CKA독학]Certificate API + kubeconfig


key생성

# Generate a 2048-bit RSA private key for the new user. This file is the actual
# credential behind the certificate, so it must stay readable only by its owner
# (recent OpenSSL writes it with mode 0600 already — confirm with `ls -l test.key`).
openssl genrsa -out test.key 2048

csr생성

# Build a CSR from the key. Once the certificate is issued, the subject CN is the
# Kubernetes username and any /O= entries become its group memberships, so the
# subject deserves the same scrutiny as an RBAC binding (a request carrying
# O=system:masters would yield a cluster-admin credential).
openssl req -new -key test.key -subj "/CN=test" -out test.csr

csr base64 인코딩

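# Show the PEM request as generated.
cat test.csr

# The CSR object's spec.request needs the PEM as one base64 line. GNU base64
# wraps its output at 76 columns by default, so strip the line breaks
# (`base64 -w 0` is the GNU-only equivalent).
base64 < test.csr | tr -d '\n'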

CSR(CertificateSigningRequest) yaml예제

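# certificates.k8s.io/v1 has been the stable API since Kubernetes 1.19;
# v1beta1 was removed in 1.22 and no longer works there.
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: test-csr
spec:
  # Built-in signer for user (client) certificates. The API server records
  # spec.username, spec.uid and spec.groups from the identity that submits
  # this object and overwrites anything the client puts there, so no groups
  # are listed here.
  signerName: kubernetes.io/kube-apiserver-client
  # Single-line base64 of the PEM CSR (`base64 < test.csr | tr -d '\n'`).
  request:
    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
  # This signer only issues certificates whose usages include "client auth"
  # (optionally together with "digital signature" / "key encipherment");
  # "server auth" is not permitted for it and such a request is not signed.
  usages:
  - client auth
  - digital signature
  - key encipherment
  # On 1.22+ clusters, expirationSeconds can bound the certificate lifetime;
  # omitted here so the example also applies to older clusters.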

csr base64 디코딩

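# "LS0..Q0=" stands in for the full single-line base64 string (abbreviated here).
echo "LS0..Q0=" | base64 --decode

# Same check taken straight from the cluster object: read spec.request, decode
# it and print the subject, so the CN/O being requested can be reviewed before
# the request is approved.
kubectl get csr test-csr -o jsonpath='{.spec.request}' | base64 --decode | openssl req -noout -subject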

certificate 승인

# Approval makes the control plane issue a certificate the API server will
# trust, so inspect the request first: the decoded subject (CN/O) and the
# spec.username / spec.groups shown by `kubectl get csr test-csr -o yaml`.
kubectl certificate approve test-csr

csr 그룹확인

# Note: `kubectl describe csr` does not show this; read the object itself.
kubectl get csr test-csr -o yaml

# Example spec.groups for a request submitted by a cluster admin. These are the
# groups of the *submitter*, recorded by the API server — not the groups the new
# certificate carries (those come from the O= fields of the requested subject).
# groups:
# - system:masters
# - system:authenticated

certificate 거절

# Marks the request Denied. The object itself remains until it is deleted
# (`kubectl delete csr test-csr`) or cleaned up automatically later.
kubectl certificate deny test-csr

kubeconfig

  • config yaml예제
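apiVersion: v1
kind: Config
# Context kubectl uses when none is given with --context.
current-context: my-kube-admin@my-kube-playground

clusters:
- name: my-kube-playground
  cluster:
    # CA used to verify the API server's certificate; pinning it here is what
    # stops a spoofed endpoint from being accepted.
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://my-kube-playground:6443

contexts:
- name: my-kube-admin@my-kube-playground
  context:
    cluster: my-kube-playground
    user: my-kube-admin
    # Written out explicitly: a bare `namespace:` parses as null, which kubectl
    # treats the same as "default".
    namespace: default

users:
- name: my-kube-admin
  user:
    client-certificate: /etc/kubernetes/pki/users/admin.crt
    # Private key that authenticates this user; this file (and any kubeconfig
    # that embeds it as client-key-data) must stay readable only by its owner.
    client-key: /etc/kubernetes/pki/users/admin.key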
  • config 명령어 예제
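# Show the merged kubeconfig. Embedded client-key-data is redacted unless
# --raw is given, so avoid pasting --raw output anywhere it could leak.
kubectl config view
kubectl config view --kubeconfig=my-custom-config
kubectl config use-context prod-user@production
# General form: kubectl config --kubeconfig=<path> use-context <context-name>
kubectl config --kubeconfig=/root/my-kube-config use-context research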