Hello, this is 쯀리.
Following chapter 5 of the CKA KodeKloud course, I'm starting chapter 6 (Security)!
Today we'll spend some time looking at Certificate Details.
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
Overview
In this chapter we learn how to view and inspect the SSL/TLS certificates used by the cluster and by applications.
SSL/TLS certificates are used for secure communication, and a Kubernetes cluster uses them in many components: for example the API server, the kubelet, and user applications.
We'll learn how to view and manage the details of the certificates used in Kubernetes.
Quiz.
1. Identify the certificate file used for the kube-api server.
controlplane ~ ➜ k get pods -A | grep apiserver
kube-system kube-apiserver-controlplane 1/1 Running 0 3m45s
controlplane ~ ➜ k describe pod kube-apiserver-controlplane -n kube-system | grep tls
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key
The TLS certificate file for this server is at /etc/kubernetes/pki/apiserver.crt.
2. Identify the Certificate file used to authenticate kube-apiserver as a client to ETCD Server.
controlplane ~ ➜ k describe pod kube-apiserver-controlplane -n kube-system | grep etcd
--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
--etcd-servers=https://127.0.0.1:2379
The client certificate kube-apiserver presents to the etcd server is etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt.
3. Identify the key used to authenticate kubeapi-server to the kubelet server.
controlplane ~ ➜ k describe pod kube-apiserver-controlplane -n kube-system | grep kubelet
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
The key file used to authenticate to the kubelet server is at /etc/kubernetes/pki/apiserver-kubelet-client.key.
4. Identify the ETCD Server Certificate used to host ETCD server.
controlplane /etc/kubernetes/manifests ➜ cat etcd.yaml | grep cert
- --cert-file=/etc/kubernetes/pki/etcd/server.crt
- --client-cert-auth=true
- --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
- --peer-client-cert-auth=true
name: etcd-certs
name: etcd-certs
5. Identify the ETCD Server CA Root Certificate used to serve ETCD Server. ETCD can have its own CA. So this may be a different CA certificate than the one used by kube-api server.
controlplane /etc/kubernetes/manifests ➜ cat etcd.yaml | grep ca
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
priorityClassName: system-node-critical
As the question itself hints, the ETCD server's own CA file can be found by looking at etcd.yaml.
It is at --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt.
6. What is the Common Name (CN) configured on the Kube API Server Certificate?
OpenSSL Syntax: openssl x509 -in file-path.crt -text -noout
controlplane ~ ➜ k describe pod kube-apiserver-controlplane -n kube-system | grep crt
--client-ca-file=/etc/kubernetes/pki/ca.crt
--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
--proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
controlplane ~ ➜ cd /etc/kubernetes/pki
controlplane /etc/kubernetes/pki ➜ openssl x509 -in apiserver.crt -text -noout | grep CN
Issuer: CN = kubernetes
Subject: CN = kube-apiserver
Move to the path of the kube-apiserver's tls-cert-file and check the CN of that file.
Subject CN = kube-apiserver is the Common Name of the Kube API Server certificate.
7. What is the name of the CA who issued the Kube API Server Certificate?
As seen above, the issuer is kubernetes.
8. Which of the below alternate names is not configured on the Kube API Server Certificate?
controlplane /etc/kubernetes/pki ➜ openssl x509 -in apiserver.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5400908562584000752 (0x4af3e1b8f12f58f0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: Jul 14 16:27:34 2024 GMT
Not After : Jul 14 16:32:34 2025 GMT
Subject: CN = kube-apiserver
Subject Public Key Info:
...
X509v3 Subject Alternative Name:
DNS:controlplane, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.27.140.9
The DNS names are controlplane, kubernetes, kubernetes.default, kubernetes.default.svc, and kubernetes.default.svc.cluster.local.
The answer is kube-master.
9. What is the Common Name (CN) configured on the ETCD Server certificate?
controlplane /etc/kubernetes/manifests ➜ cat etcd.yaml | grep crt
- --cert-file=/etc/kubernetes/pki/etcd/server.crt
- --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
controlplane /etc/kubernetes/manifests ➜ cd /etc/kubernetes/pki/etcd
controlplane kubernetes/pki/etcd ➜ ls
ca.crt ca.key healthcheck-client.crt healthcheck-client.key peer.crt peer.key server.crt server.key
controlplane kubernetes/pki/etcd ➜ openssl x509 -in server.crt -text | grep CN
Issuer: CN = etcd-ca
Subject: CN = controlplane
The ETCD certificate is /etc/kubernetes/pki/etcd/server.crt, and etcd's CN is controlplane.
10. How long, from the issued date, is the Kube-API Server Certificate valid for?
File: /etc/kubernetes/pki/apiserver.crt
controlplane ~ ➜ openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5400908562584000752 (0x4af3e1b8f12f58f0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: Jul 14 16:27:34 2024 GMT
Not After : Jul 14 16:32:34 2025 GMT
...
This certificate's validity is set to one year, from January 14, 2024 to January 14, 2025.
11. How long, from the issued date, is the Root CA Certificate valid for?
File: /etc/kubernetes/pki/ca.crt
controlplane ~ ➜ openssl x509 -in /etc/kubernetes/pki/ca.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 915407588373316766 (0xcb42e5a01b0449e)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: Jul 14 16:27:34 2024 GMT
Not After : Jul 12 16:32:34 2034 GMT
It is set to 10 years.
12. Kubectl suddenly stops responding to your commands. Check it out! Someone recently modified the /etc/kubernetes/manifests/etcd.yaml file
You are asked to investigate and fix the issue. Once you fix the issue wait for sometime for kubectl to respond. Check the logs of the ETCD container.
controlplane ~ ✖ k get pods -A
The connection to the server controlplane:6443 was refused - did you specify the right host or port?
controlplane ~ ✖ cd /etc/kubernetes/manifests/
controlplane /etc/kubernetes/manifests ➜ cat etcd.yaml | grep crt
- --cert-file=/etc/kubernetes/pki/etcd/server-certificate.crt
- --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
controlplane /etc/kubernetes/manifests ➜ cd /etc/kubernetes/pki/etcd
controlplane kubernetes/pki/etcd ➜ ls
ca.crt ca.key healthcheck-client.crt healthcheck-client.key peer.crt peer.key server.crt server.key
cert-file=/etc/kubernetes/pki/etcd/server-certificate.crt
No file exists at that path.
Change server-certificate.crt to server.crt.
controlplane /etc/kubernetes/manifests ➜ cat etcd.yaml | grep crt
- --cert-file=/etc/kubernetes/pki/etcd/server.crt
- --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
controlplane kubernetes/pki/etcd ➜ k get pods -A |grep api
kube-system kube-apiserver-controlplane 1/1 Running 7 (4m2s ago) 14m
13. The kube-api server stopped again! Check it out. Inspect the kube-api server logs and identify the root cause and fix the issue
Run crictl ps -a command to identify the kube-api server container. Run crictl logs container-id command to view the logs.
controlplane ~ ➜ crictl ps -a | grep kube-apiserver
f3f7c6ae272a1 c42f13656d0b2 21 seconds ago Exited kube-apiserver 1 ffc2981443ef3 kube-apiserver-controlplane
controlplane ~ ✖ crictl logs --tail=2 f3f7c6ae272a1
W0714 17:51:24.480506 1 logging.go:59] [core] [Channel #1 SubChannel #3] grpc: addrConn.createTransport failed to connect to {Addr: "127.0.0.1:2379", ServerName: "127.0.0.1:2379", }. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
F0714 17:51:26.646981 1 instance.go:292] Error creating leases: error creating storage factory: context deadline exceeded
controlplane /etc/kubernetes/manifests ➜ cat kube-apiserver.yaml | grep crt
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --etcd-cafile=/etc/kubernetes/pki/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
Running that command shows that the error occurred because the TLS certificate could not be verified.
Let's check the crt files at that path.
controlplane /etc/kubernetes/manifests ➜ ls /etc/kubernetes/pki | grep ca.crt
ca.crt
front-proxy-ca.crt
controlplane /etc/kubernetes/manifests ➜ ls /etc/kubernetes/pki/etcd | grep ca.crt
ca.crt
There is a ca.crt in /etc/kubernetes/pki and another ca.crt in /etc/kubernetes/pki/etcd; let's compare them.
controlplane /etc/kubernetes/manifests ➜ openssl x509 -in /etc/kubernetes/pki/ca.crt -text | grep CN
Issuer: CN = kubernetes
Subject: CN = kubernetes
controlplane /etc/kubernetes/manifests ➜ openssl x509 -in /etc/kubernetes/pki/etcd/ca.crt -text | grep CN
Issuer: CN = etcd-ca
Subject: CN = etcd-ca
- --etcd-cafile=/etc/kubernetes/pki/ca.crt is the wrong path.
Change it to /etc/kubernetes/pki/etcd/ca.crt.
controlplane kubernetes/pki/etcd ➜ vi /etc/kubernetes/manifests/kube-apiserver.yaml
controlplane kubernetes/pki/etcd ➜ crictl ps -a | grep kube-apiserver
controlplane kubernetes/pki/etcd ✖ crictl ps -a | grep kube-apiserver
1ac909b613f8f c42f13656d0b2 2 seconds ago Running kube-apiserver 0 eba0bea56135f kube-apiserver-controlplane
We can confirm it is running normally again.
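To reproduce the quiz-13 root cause without a lab cluster, here is an added example that is not part of the lab or this post: it mints two throwaway CAs named like the ones above ("kubernetes" and "etcd-ca"), issues an etcd client certificate from etcd-ca, and checks each CA file with openssl verify, which is the check behind the "certificate signed by unknown authority" error. The temp directory, keys and the client certificate's CN are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the lab or the post: rebuild the quiz-13 situation offline.
# Two throwaway CAs ("kubernetes" and "etcd-ca") are minted in a temp dir that stands
# in for /etc/kubernetes/pki, a client cert is issued by etcd-ca, and we check which
# CA file validates it; that is the file --etcd-cafile must point at.
set -eu
WORK="$(mktemp -d)"                 # constructed PKI directory
trap 'rm -rf "$WORK"' EXIT

# mint_ca NAME: self-signed CA with CN=NAME (constructed, 1-day validity)
mint_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_leaf CA CN OUT: leaf cert $OUT.crt with CN=CN, signed by CA
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$3.crt" >/dev/null 2>&1
}

# cert_cn FILE / cert_issuer FILE: the Subject CN and Issuer CN (quizzes 6, 7, 9)
cert_cn()     { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }
cert_issuer() { openssl x509 -in "$1" -noout -issuer  | sed 's/.*CN *= *//'; }

# verify_against_ca CAFILE CERT: succeeds only if CAFILE is the CA that signed CERT.
# A failure here is what the API server reports as
# "x509: certificate signed by unknown authority" when --etcd-cafile is wrong.
verify_against_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

mint_ca kubernetes
mint_ca etcd-ca
issue_leaf etcd-ca apiserver-etcd-client apiserver-etcd-client
CLIENT="$WORK/apiserver-etcd-client.crt"

echo "subject CN: $(cert_cn "$CLIENT")  issuer CN: $(cert_issuer "$CLIENT")"
for ca in kubernetes etcd-ca; do        # same comparison as the two grep CN calls above
  if verify_against_ca "$WORK/$ca.crt" "$CLIENT"; then
    echo "--etcd-cafile=$ca.crt: OK"
  else
    echo "--etcd-cafile=$ca.crt: FAILS (unknown authority)"
  fi
done
```

On a real control plane the same verify_against_ca check can be pointed at /etc/kubernetes/pki/etcd/ca.crt and /etc/kubernetes/pki/apiserver-etcd-client.crt before editing the manifest.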
Today we looked at important certificate information.
It is an important topic, so it is worth remembering.
Next time we'll look at the Certificates API.
Reference
※ Udemy Labs - Certified Kubernetes Administrator with Practice Tests