@madhuri-rai07 madhuri-rai07/secure-kubernetes.rst Secret
Last active Aug 29, 2015

Learnings

Build a secure Kubernetes API server

1. Add Security Group

$ nova secgroup-add-rule k8sbay-wlun44ixfi2o-secgroup_kubernetes-ahsiqsc4vgqj tcp 6443 6443 0.0.0.0/0

Note that 0.0.0.0/0 opens port 6443 to every source address; restrict the CIDR to the networks that actually need to reach the API server where you can.

Check whether the port is open:

1. On the nova server (the master), listen on the port:

   $ nc -l 6443

2. From the host machine, send a test message:

   $ echo "test" | nc k8s-master 6443

If command 2 exits with status 0, the port is open.

You can also list the ports the server is listening on:

$ netstat -tulnp

If the above commands do not show the port as open, remove the security group from the master instance and add it again:

$ nova remove-secgroup testbay-gnrrr2rkwfqi-kube_master-26dlxb5pvogj testbay-gnrrr2rkwfqi-secgroup_kubernetes-idmr5kesmwxs
$ nova add-secgroup testbay-gnrrr2rkwfqi-kube_master-26dlxb5pvogj testbay-gnrrr2rkwfqi-secgroup_kubernetes-idmr5kesmwxs

Then check again whether the port is open.

2. Generate CA certs and keys

$ openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
...............................................................................++
...............................................................................++
e is 65537 (0x10001)

$ openssl req -new -x509 -days 1000 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

3. Generate Server certs and keys

$ openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
..................................+++
....................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:k8s-master
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Set the Common Name to the hostname clients will use to reach the API server (k8s-master here), not to its IP address; TLS clients compare the name in the URL against the certificate's CN.

$ openssl x509 -req -days 1000 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=k8s-master
Getting CA Private Key

3. Generate Client certs and keys

$ openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr
Generating a 2048 bit RSA private key
......................+++
......+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:k8s-master
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ openssl x509 -req -days 1000 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=k8s-minion
Getting CA Private Key

Give the client certificate a serial number different from the server's (02 here versus 01): two certificates issued by the same CA must not share a serial.
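Steps 2 and 3 as one non-interactive script, with the checks the later steps depend on (both certificates chain to ca.crt, the serials differ, the CNs are the intended names). This is an added example, not code from the gist; it assumes the openssl command line, reuses the k8s-master and k8s-minion names from the notes, and "kubernetes-ca" is an assumed name for the CA itself.

```sh
#!/bin/sh
# Added example: -subj replaces the interactive prompts shown in the notes.
# Usage:  build_pki keys k8s-master k8s-minion && check_pki keys k8s-master k8s-minion

# build_pki <dir> <server-hostname> <client-name>
build_pki() (
    set -e
    dir=$1; server_cn=$2; client_cn=$3
    mkdir -p "$dir"
    cd "$dir"
    # Step 2: CA key and self-signed CA certificate ("kubernetes-ca" is assumed)
    openssl genrsa -out ca.key 4096 2>/dev/null
    openssl req -new -x509 -days 1000 -key ca.key -out ca.crt \
        -subj "/CN=kubernetes-ca" 2>/dev/null
    # Step 3 (server): CN is the hostname clients put in the URL, not an IP
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=$server_cn" 2>/dev/null
    openssl x509 -req -days 1000 -in server.csr -CA ca.crt -CAkey ca.key \
        -set_serial 01 -out server.crt 2>/dev/null
    # Step 3 (client): same CA, a different CN and a different serial
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=$client_cn" 2>/dev/null
    openssl x509 -req -days 1000 -in client.csr -CA ca.crt -CAkey ca.key \
        -set_serial 02 -out client.crt 2>/dev/null
    # Private keys must not be readable by other users on the host
    chmod 600 ca.key server.key client.key
)

# check_pki <dir> <server-hostname> <client-name>: returns 0 only if both
# certificates verify against ca.crt, their serials differ and the CNs match.
check_pki() {
    dir=$1; server_cn=$2; client_cn=$3
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" \
        >/dev/null 2>&1 || return 1
    s_serial=$(openssl x509 -in "$dir/server.crt" -noout -serial)
    c_serial=$(openssl x509 -in "$dir/client.crt" -noout -serial)
    [ "$s_serial" != "$c_serial" ] || return 1
    # Subject output is "CN=name" or "CN = name" depending on the OpenSSL version
    openssl x509 -in "$dir/server.crt" -noout -subject \
        | grep -q "CN *= *$server_cn" || return 1
    openssl x509 -in "$dir/client.crt" -noout -subject \
        | grep -q "CN *= *$client_cn"
}
```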

4. Start the kube-api server

$ /usr/bin/kube-apiserver --logtostderr=true --v=0 \
    --etcd_servers=http://127.0.0.1:4001 \
    --allow_privileged=true \
    --portal_net=10.254.0.0/16 \
    --admission_control=NamespaceAutoProvision,LimitRanger,ResourceQuota \
    --runtime_config=api/v1beta3 \
    --tls_cert_file=/home/minion/keys/server.crt \
    --tls_private_key_file=/home/minion/keys/server.key \
    --client_ca_file=/home/minion/keys/ca.crt \
    --bind_address=0.0.0.0

--tls_cert_file and --tls_private_key_file are the server certificate and key from step 3; --client_ca_file makes the API server check every client certificate against ca.crt.

5. Verify Client Access

Copy the client key and certificate to the minion node, log in to the minion, and add the master to /etc/hosts so that the name k8s-master (the CN of the server certificate) resolves to the master's address.

$ sudo vi /etc/hosts
$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.3    k8s-master

$ curl -v https://k8s-master:6443/version \
    --key ./client.key --cert ./client.crt --cacert ./ca.crt
$ kubectl version -s https://k8s-master:6443 \
    --certificate-authority=ca.crt --client-certificate=client.crt --client-key=client.key

To try the same check from Python with urllib3:

from urllib3.connectionpool import HTTPSConnectionPool

# cert_reqs='REQUIRED' makes urllib3 verify the server certificate against ca.crt
# (and the hostname against its CN); cert_file/key_file present the client
# certificate that the API server demands because of --client_ca_file.
conn = HTTPSConnectionPool('k8s-master',
                           port=6443,
                           ca_certs='/home/yuanying/magnum/magnum/keys/ca.crt',
                           cert_reqs='REQUIRED',
                           cert_file='/home/yuanying/magnum/magnum/keys/client.crt',
                           key_file='/home/yuanying/magnum/magnum/keys/client.key')
resp = conn.request('GET', '/version')
print(resp.data)

Output:

{
  "major": "0",
  "minor": "15+",
  "gitVersion": "v0.15.0-425-g21788d8e660603",
  "gitCommit": "21788d8e6606038a0a465c97f5240b4e66970fbb",
  "gitTreeState": "clean"
}
