
[CKA] KodeKloud - View Certificate Details

by 쯀리♥️ 2024. 7. 15.

Hello, this is 쯀리.

Following lecture 5 of CKA KodeKloud, I'm now starting lecture 6 (Security)!

Today we'll take some time to look at Certificate Details.

https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/


Overview

In this chapter we learn how to view and inspect the SSL/TLS certificates used by the cluster and by applications.

SSL/TLS certificates are used for secure communication, and in a Kubernetes cluster many components rely on them. For example, the API server, the kubelet and user applications can all use certificates.

Let's learn how to view and manage the details of the certificates used in Kubernetes.

 


Quiz.

1. Identify the certificate file used for the kube-api server.

controlplane ~ ➜  k get pods -A | grep apiserver
kube-system    kube-apiserver-controlplane            1/1     Running   0          3m45s

controlplane ~ ➜  k describe pod  kube-apiserver-controlplane -n kube-system | grep tls
      --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
      --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

The TLS certificate file for this server is at /etc/kubernetes/pki/apiserver.crt.

2. Identify the Certificate file used to authenticate kube-apiserver as a client to ETCD Server.

controlplane ~ ➜  k describe pod  kube-apiserver-controlplane -n kube-system | grep etcd
      --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
      --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
      --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
      --etcd-servers=https://127.0.0.1:2379

The certificate the kube-apiserver uses to authenticate itself to the etcd server is --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt.

3. Identify the key used to authenticate kubeapi-server to the kubelet server.

controlplane ~ ➜  k describe pod  kube-apiserver-controlplane -n kube-system | grep kubelet
      --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
      --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
      --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname

The key file used to connect to the kubelet server is at /etc/kubernetes/pki/apiserver-kubelet-client.key.

4. Identify the ETCD Server Certificate used to host ETCD server.

controlplane /etc/kubernetes/manifests ➜  cat etcd.yaml  | grep cert
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=true
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-client-cert-auth=true
      name: etcd-certs
    name: etcd-certs
 
The certificate the etcd server presents when clients connect to it can be found, as we studied in the previous lecture, by looking at /etc/kubernetes/manifests/etcd.yaml; the certificate file is at /etc/kubernetes/pki/etcd/server.crt.

 

5. Identify the ETCD Server CA Root Certificate used to serve ETCD Server. ETCD can have its own CA. So this may be a different CA certificate than the one used by kube-api server.

controlplane /etc/kubernetes/manifests ➜  cat etcd.yaml  | grep ca
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
  priorityClassName: system-node-critical

As the question itself hints, the etcd server's own CA file can be found by looking at etcd.yaml.

It is given by --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt.

6. What is the Common Name (CN) configured on the Kube API Server Certificate?

OpenSSL Syntax: openssl x509 -in file-path.crt -text -noout

controlplane ~ ➜  k describe pod  kube-apiserver-controlplane -n kube-system | grep crt
      --client-ca-file=/etc/kubernetes/pki/ca.crt
      --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
      --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
      --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
      --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
      --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
      --tls-cert-file=/etc/kubernetes/pki/apiserver.crt

controlplane ~ ➜  cd /etc/kubernetes/pki

controlplane /etc/kubernetes/pki ➜  openssl x509 -in apiserver.crt -text -noout | grep CN
        Issuer: CN = kubernetes
        Subject: CN = kube-apiserver

Let's move to the directory of the Kube API Server's tls-cert-file and check the CN of that file.

Subject CN = kube-apiserver is the Common Name of the Kube API Server certificate.

 

7. What is the name of the CA who issued the Kube API Server Certificate?

As confirmed above, the issuer is kubernetes.

8. Which of the below alternate names is not configured on the Kube API Server Certificate?

controlplane /etc/kubernetes/pki ➜  openssl x509 -in apiserver.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5400908562584000752 (0x4af3e1b8f12f58f0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Jul 14 16:27:34 2024 GMT
            Not After : Jul 14 16:32:34 2025 GMT
        Subject: CN = kube-apiserver
        Subject Public Key Info:
            .
            .
            .
            X509v3 Subject Alternative Name: 
                DNS:controlplane, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.27.140.9

The DNS names are controlplane, kubernetes, kubernetes.default, kubernetes.default.svc and kubernetes.default.svc.cluster.local.

The answer is kube-master.

 

9. What is the Common Name (CN) configured on the ETCD Server certificate?

controlplane /etc/kubernetes/manifests ➜  cat etcd.yaml | grep crt
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt

controlplane /etc/kubernetes/manifests ➜  cd /etc/kubernetes/pki/etcd

controlplane kubernetes/pki/etcd ➜  ls
ca.crt  ca.key  healthcheck-client.crt  healthcheck-client.key  peer.crt  peer.key  server.crt  server.key

controlplane kubernetes/pki/etcd ➜  openssl x509 -in server.crt -text | grep CN
        Issuer: CN = etcd-ca
        Subject: CN = controlplane

The etcd certificate is /etc/kubernetes/pki/etcd/server.crt, and its CN is controlplane.

 

10. How long, from the issued date, is the Kube-API Server Certificate valid for?

File: /etc/kubernetes/pki/apiserver.crt

controlplane ~ ➜  openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5400908562584000752 (0x4af3e1b8f12f58f0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Jul 14 16:27:34 2024 GMT
            Not After : Jul 14 16:32:34 2025 GMT
            ...
            ...

The validity of this certificate is set to one year, from July 14, 2024 to July 14, 2025.

11. How long, from the issued date, is the Root CA Certificate valid for?

File: /etc/kubernetes/pki/ca.crt

controlplane ~ ➜  openssl x509 -in /etc/kubernetes/pki/ca.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 915407588373316766 (0xcb42e5a01b0449e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Jul 14 16:27:34 2024 GMT
            Not After : Jul 12 16:32:34 2034 GMT

It is set to 10 years.

 

12. Kubectl suddenly stops responding to your commands. Check it out! Someone recently modified the /etc/kubernetes/manifests/etcd.yaml file.

You are asked to investigate and fix the issue. Once you fix the issue, wait for some time for kubectl to respond. Check the logs of the ETCD container.

controlplane ~ ✖ k get pods -A
The connection to the server controlplane:6443 was refused - did you specify the right host or port?

controlplane ~ ✖ cd /etc/kubernetes/manifests/

controlplane /etc/kubernetes/manifests ➜  cat etcd.yaml  | grep crt
    - --cert-file=/etc/kubernetes/pki/etcd/server-certificate.crt
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt

controlplane /etc/kubernetes/manifests ➜  cd /etc/kubernetes/pki/etcd

controlplane kubernetes/pki/etcd ➜  ls
ca.crt  ca.key  healthcheck-client.crt  healthcheck-client.key  peer.crt  peer.key  server.crt  server.key

cert-file=/etc/kubernetes/pki/etcd/server-certificate.crt

This file does not exist at that path.

Let's change server-certificate.crt to server.crt.

controlplane /etc/kubernetes/manifests ➜  cat etcd.yaml  | grep crt
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    
controlplane kubernetes/pki/etcd ➜  k get pods -A  |grep api
kube-system    kube-apiserver-controlplane            1/1     Running   7 (4m2s ago)   14m

 

13. The kube-api server stopped again! Check it out. Inspect the kube-api server logs and identify the root cause and fix the issue.

Run crictl ps -a command to identify the kube-api server container. Run crictl logs container-id command to view the logs.

controlplane ~ ➜  crictl ps -a | grep kube-apiserver
f3f7c6ae272a1       c42f13656d0b2       21 seconds ago      Exited              kube-apiserver            1                   ffc2981443ef3       kube-apiserver-controlplane

controlplane ~ ✖ crictl logs --tail=2 f3f7c6ae272a1
W0714 17:51:24.480506       1 logging.go:59] [core] [Channel #1 SubChannel #3] grpc: addrConn.createTransport failed to connect to {Addr: "127.0.0.1:2379", ServerName: "127.0.0.1:2379", }. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
F0714 17:51:26.646981       1 instance.go:292] Error creating leases: error creating storage factory: context deadline exceeded

controlplane /etc/kubernetes/manifests ➜  cat kube-apiserver.yaml | grep crt
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --etcd-cafile=/etc/kubernetes/pki/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt

Running that command, we can see that the error occurred because the TLS certificate could not be verified.

Let's check the crt files in those paths.

controlplane /etc/kubernetes/manifests ➜  ls /etc/kubernetes/pki | grep ca.crt
ca.crt
front-proxy-ca.crt

controlplane /etc/kubernetes/manifests ➜  ls /etc/kubernetes/pki/etcd | grep ca.crt
ca.crt

There is a ca.crt in /etc/kubernetes/pki and another ca.crt in /etc/kubernetes/pki/etcd; let's compare them.

controlplane /etc/kubernetes/manifests ➜  openssl x509 -in /etc/kubernetes/pki/ca.crt -text | grep CN
        Issuer: CN = kubernetes
        Subject: CN = kubernetes

controlplane /etc/kubernetes/manifests ➜  openssl x509 -in /etc/kubernetes/pki/etcd/ca.crt -text | grep CN
        Issuer: CN = etcd-ca
        Subject: CN = etcd-ca

 

    - --etcd-cafile=/etc/kubernetes/pki/ca.crt

This entry points to the wrong path.

Change it to /etc/kubernetes/pki/etcd/ca.crt.

controlplane kubernetes/pki/etcd ➜  vi /etc/kubernetes/manifests/kube-apiserver.yaml

controlplane kubernetes/pki/etcd ➜  crictl ps -a | grep kube-apiserver

controlplane kubernetes/pki/etcd ✖ crictl ps -a | grep kube-apiserver
1ac909b613f8f       c42f13656d0b2       2 seconds ago       Running             kube-apiserver            0                   eba0bea56135f       kube-apiserver-controlplane

 

We can confirm that it is running normally.
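To turn the checks from questions 6 to 13 into something you can rerun, here is an added shell example; it is not code from the original post or from KodeKloud. It builds a throwaway PKI with the same shape as kubeadm's (a cluster CA named kubernetes and a separate etcd-ca, so every CN, file name and validity period is constructed), wraps the openssl x509 and openssl verify calls as functions, and at the end reproduces the question-13 mistake of checking etcd's server certificate against the cluster CA.

```shell
#!/bin/sh
# Added example, not code from the original post or KodeKloud. Builds a throwaway
# PKI shaped like kubeadm's (cluster CA "kubernetes", separate "etcd-ca") and wraps
# the openssl checks from the lab as functions. All names/paths are constructed.
set -eu

WORK="$(mktemp -d)"
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca-ext.cnf"

# make_ca PREFIX CN: self-signed CA certificate valid for 10 years.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 \
    -extfile "$WORK/ca-ext.cnf" -out "$1.crt" >/dev/null 2>&1
}

# make_server_cert PREFIX CN CA_PREFIX: server certificate signed by the CA, 1 year.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 365 -out "$1.crt" >/dev/null 2>&1
}

make_ca "$WORK/ca" kubernetes                                     # pki/ca.crt
make_ca "$WORK/etcd-ca" etcd-ca                                   # pki/etcd/ca.crt
make_server_cert "$WORK/apiserver" kube-apiserver "$WORK/ca"      # pki/apiserver.crt
make_server_cert "$WORK/etcd-server" controlplane "$WORK/etcd-ca" # pki/etcd/server.crt

# cert_cn FILE / cert_issuer FILE: Subject CN and Issuer CN (questions 6, 7, 9).
cert_cn()     { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }
cert_issuer() { openssl x509 -in "$1" -noout -issuer  | sed 's/.*CN *= *//'; }

# cert_outlives FILE DAYS: exit 0 if the certificate is still valid DAYS from now
# (questions 10, 11; the same check is what an expiry alert would run).
cert_outlives() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# issued_by CA_FILE CERT_FILE: exit 0 only if CA_FILE really signed CERT_FILE.
# --etcd-cafile pointing at the cluster CA fails this for etcd's server.crt, which
# is the "certificate signed by unknown authority" error from question 13.
issued_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Stand-alone run: the question-13 misconfiguration, then the corrected CA.
if issued_by "$WORK/ca.crt" "$WORK/etcd-server.crt"; then
  echo "unexpected: cluster CA verified etcd/server.crt"
else
  echo "cluster CA rejects etcd/server.crt: signed by unknown authority"
fi
issued_by "$WORK/etcd-ca.crt" "$WORK/etcd-server.crt" && echo "etcd-ca verifies etcd/server.crt"
```

Point issued_by at the real /etc/kubernetes/pki/etcd/ca.crt and server.crt on a control plane node to check a live etcd.yaml / kube-apiserver.yaml pairing the same way.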


Today we again learned about important certificate information.

It is an important topic, so it's worth remembering well.

Next time we'll look at the Certificate API.

 


References

Udemy Labs - Certified Kubernetes Administrator with Practice Tests