Hello, this is 쯀리.
Today we'll look at the Certificates API.
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
What is the Certificates API?
The Kubernetes Certificates API is used to manage and automate TLS certificates inside a cluster. Through it you can issue, renew and approve certificates for cluster components and applications. The flow is always the same: a client submits a CertificateSigningRequest (CSR) object carrying a PKCS#10 request, someone with permission approves or denies it, and a signer (for API-server client certificates, the built-in kubernetes.io/kube-apiserver-client signer) issues the certificate. Approval is a privileged action: whoever holds the private key behind an approved client CSR gets the identity encoded in its subject (CN = user, O = groups) until the certificate expires, and Kubernetes has no revocation mechanism for it.
What this lesson covers:
- Certificates API overview: automating certificate management in Kubernetes
- The CertificateSigningRequest (CSR) resource: managing certificate requests, approval and issuance
- Creating and submitting a CSR: generating a CSR and submitting it to the API server
- Approving and denying a CSR: an administrator approves or denies the request
- Issuing and using the certificate: using the issued certificate
That's roughly the plan.
Let's work through it with the lab questions.
Quiz.
1. A new member akshay joined our team. He requires access to our cluster. The Certificate Signing Request is at the /root location.
controlplane ~ ➜ ls
akshay.csr akshay.key
2. Create a CertificateSigningRequest object with the name akshay with the contents of the akshay.csr file
As of kubernetes 1.19, the API to use for CSR is certificates.k8s.io/v1.
Please note that an additional field called signerName should also be added when creating CSR. For client authentication to the API server we will use the built-in signer kubernetes.io/kube-apiserver-client.
### Encode the CSR file as base64 (one line, no line breaks, as required by spec.request)
controlplane ~ ➜ cat akshay.csr | base64 | tr -d "\n"
<base64-encoded CSR, output omitted>
### Create the CertificateSigningRequest object (template)
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: <username>
spec:
request: <base64-encoded CSR file, on one line>
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 86400 # one day
usages:
- client auth
EOF
controlplane ~ ➜ cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: akshay
spec:
request: <base64-encoded CSR, omitted>
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 86400 # one day
usages:
- client auth
EOF
certificatesigningrequest.certificates.k8s.io/akshay created
3. What is the Condition of the newly created Certificate Signing Request object?
controlplane ~ ➜ k get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
akshay      2m13s   kubernetes.io/kube-apiserver-client           kubernetes-admin           24h                 Pending
csr-qlzwr   18m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued
It is in the Pending state: nobody has approved or denied it yet, and the kube-apiserver-client signer never auto-approves, so nothing is issued until an approver acts.
4. Approve the CSR Request
controlplane ~ ➜ kubectl certificate approve akshay
certificatesigningrequest.certificates.k8s.io/akshay approved
controlplane ~ ➜ k get csr | grep akshay
akshay 4m22s kubernetes.io/kube-apiserver-client kubernetes-admin 24h Approved,Issued
5. (I couldn't copy the question.) Find the number of CSRs in this cluster.
controlplane ~ ➜ k get csr
NAME        AGE    SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
akshay      6m7s   kubernetes.io/kube-apiserver-client           kubernetes-admin           24h                 Approved,Issued
csr-qlzwr   22m    kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued
6. During a routine check you realized that there is a new CSR request in place. What is the name of this request?
controlplane ~ ➜ k get csr
NAME          AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
agent-smith   78s     kubernetes.io/kube-apiserver-client           agent-x                    <none>              Pending
akshay        7m33s   kubernetes.io/kube-apiserver-client           kubernetes-admin           24h                 Approved,Issued
csr-qlzwr     24m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued
It is agent-smith.
7. Hmmm.. You are not aware of a request coming in. What groups is this CSR requesting access to?
Check the details about the request. Preferably in YAML.
controlplane ~ ➜ kubectl get csr/agent-smith -o yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
creationTimestamp: "2024-07-18T08:16:28Z"
name: agent-smith
resourceVersion: "2224"
uid: 70934b9c-d30b-4564-8b9c-2da4d62ed9ff
spec:
groups:
- system:masters
- system:authenticated
....
The groups are system:masters and system:authenticated. Two things are worth knowing before acting on a request like this. First, spec.groups records the group membership of the user who submitted the CSR (agent-x), as the API server saw it at submission time; the groups the certificate itself would carry are the O= entries in the subject of the PKCS#10 request stored in spec.request. Decode that before approving anything:
controlplane ~ ➜ kubectl get csr agent-smith -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject
Second, a client certificate whose subject contains O=system:masters is treated as cluster-admin by the API server regardless of RBAC, so approving such a request hands out a non-revocable cluster-admin credential for the certificate's lifetime (here expirationSeconds is unset, so the signer's default applies: kube-controller-manager's --cluster-signing-duration, one year by default).
8. That doesn't look very right. Reject that request.
controlplane ~ ➜ kubectl certificate deny agent-smith
certificatesigningrequest.certificates.k8s.io/agent-smith denied
controlplane ~ ➜ k get csr | grep agent-smith
agent-smith 8m39s kubernetes.io/kube-apiserver-client agent-x <none> Denied
9. Let's get rid of it. Delete the new CSR object
controlplane ~ ➜ k delete csr agent-smith
certificatesigningrequest.certificates.k8s.io "agent-smith" deleted
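The two procedures above, creating the CSR object (questions 1-4) and inspecting a suspicious request before approving or denying it (questions 7-8), share the same offline steps: build a PKCS#10 request, wrap it in the manifest, and read the subject back out of spec.request. The script below is an added example written for this post, not code from the original page or the KodeKloud lab. It assumes openssl and base64 are on PATH; the user names (akshay, agent-smith), the group names and the temporary paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or the KodeKloud lab).
# Assumes: openssl and base64 on PATH. User/group names and paths are illustrative.
set -eu

# Generate a private key and a PKCS#10 CSR for a user. The API server maps CN to
# the user name and every O= entry to a group, so O= is where groups really live.
gen_csr() {            # gen_csr <dir> <user> <group>...
  dir=$1; user=$2; shift 2
  subj="/CN=$user"
  for g in "$@"; do subj="$subj/O=$g"; done
  openssl req -new -newkey rsa:2048 -nodes -batch \
    -keyout "$dir/$user.key" -out "$dir/$user.csr" -subj "$subj" 2>/dev/null
  echo "$dir/$user.csr"
}

# Base64 on a single line, as spec.request requires (portable: no -w0 on BSD base64).
b64() { base64 < "$1" | tr -d '\n'; }

# Render the same CertificateSigningRequest manifest the lab uses.
csr_manifest() {       # csr_manifest <name> <csrfile> [expirationSeconds]
  printf 'apiVersion: certificates.k8s.io/v1\nkind: CertificateSigningRequest\nmetadata:\n  name: %s\nspec:\n  request: %s\n  signerName: kubernetes.io/kube-apiserver-client\n  expirationSeconds: %s\n  usages:\n  - client auth\n' \
    "$1" "$(b64 "$2")" "${3:-86400}"
}

# The groups a request would actually grant: the O= RDNs of the CSR subject.
# Input is the base64 blob from spec.request, i.e. what
#   kubectl get csr NAME -o jsonpath='{.spec.request}'
# returns on a live cluster.
request_groups() {     # request_groups <base64-request>
  printf '%s' "$1" | base64 -d \
    | openssl req -noout -subject -nameopt sep_multiline \
    | sed -n 's/^ *O=//p'
}

# Pre-approval gate: refuse (exit 1) any request whose subject asks for
# system:masters, which the API server honours as cluster-admin regardless of RBAC.
check_request() {      # check_request <base64-request>
  for g in $(request_groups "$1"); do
    [ "$g" = "system:masters" ] && { echo "REFUSE: subject requests system:masters" >&2; return 1; }
  done
  echo "OK: groups=$(request_groups "$1" | tr '\n' ' ')"
}

# Demo on constructed input: an ordinary developer CSR and one that smuggles in
# system:masters. Files are left in $work so they can be inspected afterwards.
work=$(mktemp -d)
good=$(gen_csr "$work" akshay devs)
bad=$(gen_csr "$work" agent-smith system:masters)
csr_manifest akshay "$good" > "$work/akshay-csr.yaml"   # kubectl apply -f this on a cluster
check_request "$(b64 "$good")"
check_request "$(b64 "$bad")" || echo "agent-smith would be denied"
```

On a real cluster the manifest goes to kubectl apply -f, and request_groups is fed the output of kubectl get csr NAME -o jsonpath='{.spec.request}'. Running check_request before kubectl certificate approve is the step the lab's "that doesn't look very right" is hinting at: it looks at what the certificate would grant rather than at who submitted it.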
Today we worked with TLS certificate management inside the cluster: submitting a CertificateSigningRequest, checking its condition, approving it, and inspecting and denying a request that asked for more than it should.
Next time we'll look at KubeConfig.
References
※ Udemy Labs - Certified Kubernetes Administrator with Practice Tests