
[CKA] KodeKloud - Certificates API

by 쯀리♥️ 2024. 7. 18.

Hello, this is 쯀리.

Today we will take a look at the Certificates API.

https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/


Certificates and Certificate Signing Requests


What is the Certificates API?

The Kubernetes Certificates API is used to manage and automate TLS certificates inside the cluster. Through this API you can issue, renew and approve certificates for cluster components and applications.

The topics this lecture is meant to cover are:

  • Certificates API overview: automating certificate management in Kubernetes
  • The CertificateSigningRequest (CSR) resource: managing certificate requests, approval and issuance
  • Creating and submitting a CSR: generating a CSR and submitting it to the API server
  • Approving and denying a CSR: an administrator approves or denies the CSR
  • Issuing and using the certificate: using the issued certificate

That is how I expect it to go.

Let's work through the quiz.


Quiz.

1. A new member akshay joined our team. He requires access to our cluster. The Certificate Signing Request is at the /root location.

controlplane ~ ➜  ls
akshay.csr  akshay.key

2. Create a CertificateSigningRequest object with the name akshay with the contents of the akshay.csr file

As of kubernetes 1.19, the API to use for CSR is certificates.k8s.io/v1.

Please note that an additional field called signerName should also be added when creating CSR. For client authentication to the API server we will use the built-in signer kubernetes.io/kube-apiserver-client.

### Convert the CSR file to base64
controlplane ~ ➜  cat akshay.csr  | base64 | tr -d "\n"
<base64-encoded contents of akshay.csr>

### Create the certificate signing request
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: <username>
spec:
  request: <base64-encoded CSR file>
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  usages:
  - client auth
EOF

controlplane ~ ➜  cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  request: <base64-encoded contents of akshay.csr>
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  usages:
  - client auth
EOF

certificatesigningrequest.certificates.k8s.io/akshay created

3. What is the Condition of the newly created Certificate Signing Request object?

controlplane ~ ➜  k get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
akshay      2m13s   kubernetes.io/kube-apiserver-client           kubernetes-admin           24h                 Pending
csr-qlzwr   18m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

It is in the Pending state.

4. Approve the CSR Request

controlplane ~ ➜  kubectl certificate approve akshay
certificatesigningrequest.certificates.k8s.io/akshay approved

controlplane ~ ➜  k get csr | grep akshay
akshay      4m22s   kubernetes.io/kube-apiserver-client           kubernetes-admin           24h                 Approved,Issued

5. (I was not able to copy the question.) Find the number of CSRs inside this cluster.

controlplane ~ ➜  k get csr
NAME        AGE    SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
akshay      6m7s   kubernetes.io/kube-apiserver-client           kubernetes-admin           24h                 Approved,Issued
csr-qlzwr   22m    kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued


6. During a routine check you realized that there is a new CSR request in place. What is the name of this request?

controlplane ~ ➜  k get csr
NAME          AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
agent-smith   78s     kubernetes.io/kube-apiserver-client           agent-x                    <none>              Pending
akshay        7m33s   kubernetes.io/kube-apiserver-client           kubernetes-admin           24h                 Approved,Issued
csr-qlzwr     24m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

It is agent-smith.

7. Hmmm.. You are not aware of a request coming in. What groups is this CSR requesting access to?

Check the details about the request. Preferably in YAML.

controlplane ~ ➜  kubectl get csr/agent-smith -o yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  creationTimestamp: "2024-07-18T08:16:28Z"
  name: agent-smith
  resourceVersion: "2224"
  uid: 70934b9c-d30b-4564-8b9c-2da4d62ed9ff
spec:
  groups:
  - system:masters
  - system:authenticated
  ....

The access groups are system:masters and system:authenticated.

8. That doesn't look very right. Reject that request.

controlplane ~ ➜  kubectl certificate deny agent-smith
certificatesigningrequest.certificates.k8s.io/agent-smith denied

controlplane ~ ➜  k get csr | grep agent-smith
agent-smith   8m39s   kubernetes.io/kube-apiserver-client           agent-x                    <none>              Denied


9. Let's get rid of it. Delete the new CSR object

controlplane ~ ➜  k delete csr agent-smith
certificatesigningrequest.certificates.k8s.io "agent-smith" deleted
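As an added example that is not part of the original post or the KodeKloud lab: the manifest from step 2 built programmatically, plus a small triage of pending CSR objects that applies the checks a reviewer makes in steps 6 to 8 (who submitted it, which signer, which usages, whether a lifetime was requested). The sample PEM, the sample CSR objects and the KNOWN_REQUESTORS allow-list are constructed assumptions.

```python
import base64

SIGNER_CLIENT = "kubernetes.io/kube-apiserver-client"
KNOWN_REQUESTORS = {"kubernetes-admin"}  # identities expected to submit user CSRs (assumption)
MAX_EXPIRATION = 86400                   # one day, the value used in the post's manifest

# Constructed stand-in for akshay.csr; only the PEM framing matters here.
SAMPLE_CSR_PEM = b"-----BEGIN CERTIFICATE REQUEST-----\nMIIBconstructed\n-----END CERTIFICATE REQUEST-----\n"
# Constructed CSR objects mirroring the post's `kubectl get csr` output (steps 6 and 7).
SAMPLE_CSRS = [
    {"metadata": {"name": "akshay"}, "spec": {"username": "kubernetes-admin", "expirationSeconds": 86400,
        "groups": ["system:masters", "system:authenticated"], "signerName": SIGNER_CLIENT, "usages": ["client auth"]}},
    {"metadata": {"name": "agent-smith"}, "spec": {"username": "agent-x",
        "groups": ["system:masters", "system:authenticated"], "signerName": SIGNER_CLIENT, "usages": ["client auth"]}},
]

def build_csr_manifest(name, csr_pem, expiration_seconds=MAX_EXPIRATION):
    """Build the certificates.k8s.io/v1 object written by hand in step 2:
    spec.request is the whole PEM file, base64-encoded with no newlines."""
    if b"-----BEGIN CERTIFICATE REQUEST-----" not in csr_pem:
        raise ValueError("not a PEM certificate request")
    return {"apiVersion": "certificates.k8s.io/v1", "kind": "CertificateSigningRequest",
            "metadata": {"name": name},
            "spec": {"request": base64.b64encode(csr_pem).decode("ascii"), "signerName": SIGNER_CLIENT,
                     "expirationSeconds": expiration_seconds, "usages": ["client auth"]}}

def condition(csr):
    """Reproduce the CONDITION column of `kubectl get csr`: no conditions means Pending."""
    types = [c["type"] for c in csr.get("status", {}).get("conditions", [])]
    return ",".join(types) or "Pending"

def triage_csr(csr):
    """Review one CSR as in steps 6-8. spec.username and spec.groups are the identity
    that submitted the request; anything outside the expected shape is denied."""
    spec, reasons = csr["spec"], []
    if condition(csr) != "Pending":
        return csr["metadata"]["name"], "skip", ["already " + condition(csr)]
    if spec.get("username") not in KNOWN_REQUESTORS:
        reasons.append("unknown requestor %s in groups %s" % (spec.get("username"), spec.get("groups")))
    if spec.get("signerName") != SIGNER_CLIENT:
        reasons.append("unexpected signer %s" % spec.get("signerName"))
    if set(spec.get("usages", [])) - {"client auth"}:
        reasons.append("usages beyond client auth")
    if spec.get("expirationSeconds") is None or spec["expirationSeconds"] > MAX_EXPIRATION:
        reasons.append("missing or too-long expirationSeconds")
    return csr["metadata"]["name"], ("deny" if reasons else "approve"), reasons

if __name__ == "__main__":
    for csr in SAMPLE_CSRS:
        print(triage_csr(csr))
```

Running it prints an approve decision for akshay and a deny decision for agent-smith, matching the outcome of steps 4 and 8.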

Today we managed TLS certificates inside the cluster and, through the API, walked through issuing, renewing and approving certificates for cluster components and applications.

Next time we will look at KubeConfig.

References

 Udemy Labs - Certified Kubernetes Administrator with Practice Tests