@gilangvperdana
Last active February 4, 2023 12:56
Expose KubeAPI with Nginx

Goals

Expose the Kubernetes API server (kube-apiserver) through an NGINX reverse proxy on a Kubespray-built cluster.

Make sure our FQDN is recorded in the SAN of the KubeAPI certificate

  • To check, dump the SAN information with openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
  • If the FQDN is not yet recorded in the certificate's SAN, on Kubespray we can declare it in inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml under the supplementary_addresses_in_ssl_keys section.
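As an added example (not part of the gist), a small POSIX shell check that parses the SAN list of a certificate the way the openssl command above prints it and tells you whether the FQDN you intend to proxy is present. It builds a constructed self-signed stand-in certificate so it runs offline; on a real control-plane node you would point cert_sans at /etc/kubernetes/pki/apiserver.crt.

```shell
#!/bin/sh
# Added example, not from the gist. The certificate it inspects is constructed here;
# on a Kubespray control-plane node the real file is /etc/kubernetes/pki/apiserver.crt.
set -eu

# List the DNS and IP SAN entries of a PEM certificate, one value per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/^DNS://' -e 's/^IP Address://'
}

# Exit status 0 when the exact name (or IP) is a SAN entry, 1 otherwise.
san_has() {
    cert_sans "$1" | grep -qxF "$2"
}

# Build a constructed self-signed "apiserver" certificate with a known SAN list
# (assumed names, used only for this demo); prints the path of the certificate it wrote.
make_demo_cert() {
    dir=$(mktemp -d)
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = kube-apiserver
[v3_req]
subjectAltName = DNS:k8s.adaptivenetworklab.org,DNS:kubernetes.default.svc,IP:172.20.1.79
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/san.cnf" \
        -keyout "$dir/apiserver.key" -out "$dir/apiserver.crt" >/dev/null 2>&1
    echo "$dir/apiserver.crt"
}

# Demo run: check the names from the gist plus one that is deliberately missing.
CERT=$(make_demo_cert)
for name in k8s.adaptivenetworklab.org 172.20.1.79 api.example.test; do
    if san_has "$CERT" "$name"; then
        echo "OK      $name is a SAN of $CERT"
    else
        echo "MISSING $name; add it to supplementary_addresses_in_ssl_keys and regenerate the cert"
    fi
done
```

A name that is missing here will fail TLS verification for kubectl clients, so run this before changing the NGINX server_name.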

Create Nginx Block

  • Assume the KubeAPI domain k8s.adaptivenetworklab.org resolves to 172.20.1.79
server {
    # "ssl on;" is deprecated (removed in recent NGINX releases); enable TLS on the listen line instead
    listen 6443 ssl;
    server_name k8s.adaptivenetworklab.org;

    ssl_certificate /etc/letsencrypt/live/k8s.adaptivenetworklab.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/k8s.adaptivenetworklab.org/privkey.pem;

    location / {
        proxy_pass https://172.20.1.79:6443;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header   Host             k8s.adaptivenetworklab.org;
        # Client certificate NGINX presents to kube-apiserver: every proxied request
        # is authenticated as this certificate's identity, not as the original caller
        proxy_ssl_certificate /etc/letsencrypt/live/k8s.adaptivenetworklab.org/client-crt.pem;
        proxy_ssl_certificate_key /etc/letsencrypt/live/k8s.adaptivenetworklab.org/client-key.pem;
        # Without proxy_ssl_verify on (with proxy_ssl_trusted_certificate pointing at the
        # cluster CA, /etc/kubernetes/pki/ca.crt) NGINX does not verify the upstream certificate
    }
}

Info

  • proxy_ssl_certificate can be taken from /etc/kubernetes/pki/apiserver-kubelet-client.crt
  • proxy_ssl_certificate_key can be taken from /etc/kubernetes/pki/apiserver-kubelet-client.key
  • ssl_certificate can be taken from /etc/kubernetes/pki/apiserver.crt
  • ssl_certificate_key can be taken from /etc/kubernetes/pki/apiserver.key

Cons

  • If we use L7 like this, proxy_ssl_certificate presents one fixed client certificate to the API server, so every request arrives with the proxy's identity rather than the caller's, and RBAC based on client certificates will not work with this technique.
  • Recommendation: expose with L4 on NGINX instead (stream/upstream technique), so the TLS session passes through to the API server untouched
      # Requires the ngx_stream_core_module; the stream {} block sits at the top level of nginx.conf, beside http {}
      stream {
        server {
          listen       6443;
          proxy_pass   172.20.1.79:6443;
        }
      }
