Forked from yuanying/
Created October 22, 2015 03:37
Build a secure kubernetes api server

Add Security Group

$ nova secgroup-add-rule \
       k8sbay-wlun44ixfi2o-secgroup_kubernetes-ahsiqsc4vgqj \
       tcp 6443 6443


$ openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)

$ openssl req -new -x509 -days 1000 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:


$ openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:k8s-master
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Set the Common Name to the hostname clients will use to reach the API server (here k8s-master), not an IP address.

$ openssl x509 -req -days 1000 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=k8s-master
Getting CA Private Key


$ openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr
Generating a 2048 bit RSA private key
writing new private key to 'client.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:k8s-minion
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ openssl x509 -req -days 1000 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=k8s-minion
Getting CA Private Key

Use a serial number different from the server certificate's (01 for the server, 02 for the client).
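The same CA, server and client certificate steps as above, written as an added example (not part of the gist) that runs non-interactively with `-subj` and then checks the result the way a reviewer would before handing the files to kube-apiserver: both leaf certificates chain to ca.crt, their serials differ, and the server CN is the hostname that will be used. The output directory `$1`, the CA CN `k8s-ca` and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): the gist's openssl steps made
# non-interactive with -subj, plus the checks worth running before
# handing the files to kube-apiserver. All paths live under "$1".
set -eu

make_pki() {
  d="$1"; mkdir -p "$d"
  # CA: 4096-bit key, self-signed cert valid 1000 days (as in the gist)
  openssl genrsa -out "$d/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -days 1000 -key "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=k8s-ca" 2>/dev/null
  # Server cert: CN is the hostname clients will connect to, not an IP
  openssl req -newkey rsa:2048 -nodes -keyout "$d/server.key" \
    -out "$d/server.csr" -subj "/CN=k8s-master" 2>/dev/null
  openssl x509 -req -days 1000 -in "$d/server.csr" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -set_serial 01 -out "$d/server.crt" 2>/dev/null
  # Client cert: the CN is the identity the API server sees; its serial
  # must differ from the server certificate's
  openssl req -newkey rsa:2048 -nodes -keyout "$d/client.key" \
    -out "$d/client.csr" -subj "/CN=k8s-minion" 2>/dev/null
  openssl x509 -req -days 1000 -in "$d/client.csr" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -set_serial 02 -out "$d/client.crt" 2>/dev/null
}

# Returns 0 when both leaf certs chain to ca.crt, their serial numbers
# differ, and the server cert's CN equals the hostname given as $2.
check_pki() {
  d="$1"; host="$2"
  openssl verify -CAfile "$d/ca.crt" "$d/server.crt" "$d/client.crt" \
    >/dev/null 2>&1 || return 1
  s1=$(openssl x509 -noout -serial -in "$d/server.crt")
  s2=$(openssl x509 -noout -serial -in "$d/client.crt")
  [ "$s1" != "$s2" ] || return 1
  # Subject output format varies by OpenSSL version ("/CN=x" or "CN = x")
  openssl x509 -noout -subject -in "$d/server.crt" | grep -q "CN *= *$host\$"
}
```

Run `make_pki ./keys && check_pki ./keys k8s-master` to produce and validate the same six files the gist creates by hand.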

Start the kube-api server

$ /usr/bin/kube-apiserver --logtostderr=true --v=0 \
  --etcd_servers= \
  --allow_privileged=true \
  --portal_net= \
  --admission_control=NamespaceAutoProvision,LimitRanger,ResourceQuota \
  --runtime_config=api/v1beta3 \
  --tls_cert_file=/home/minion/keys/server.crt \
  --tls_private_key_file=/home/minion/keys/server.key \
  --client_ca_file=/home/minion/keys/ca.crt

Client Access

Copy the client key and certificate to the minion node, log in to the minion and add the master's hostname to /etc/hosts.

$ sudo vi /etc/hosts
$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
<master-ip> k8s-master

Check client access.

$ curl -v https://k8s-master:6443/version \
    --key ./client.key \
    --cert ./client.crt \
    --cacert ./ca.crt

$ kubectl version -s https://k8s-master:6443 \
    --certificate-authority=ca.crt \
    --client-certificate=client.crt \
    --client-key=client.key