Created September 1, 2020 12:16
Gist: oke-py/539bd25104cd8e6419b004a9ca0bb5fa
git diff upstream/release-1.17 fb6364d <file>
diff --git a/content/en/docs/setup/best-practices/certificates.md b/content/en/docs/setup/best-practices/certificates.md | |
index 6169b3f87..9e27b4094 100644 | |
--- a/content/en/docs/setup/best-practices/certificates.md | |
+++ b/content/en/docs/setup/best-practices/certificates.md | |
@@ -2,20 +2,20 @@ | |
title: PKI certificates and requirements | |
reviewers: | |
- sig-cluster-lifecycle | |
-content_template: templates/concept | |
+content_type: concept | |
weight: 40 | |
--- | |
-{{% capture overview %}} | |
+<!-- overview --> | |
Kubernetes requires PKI certificates for authentication over TLS. | |
If you install Kubernetes with [kubeadm](/docs/reference/setup-tools/kubeadm/kubeadm/), the certificates that your cluster requires are automatically generated. | |
You can also generate your own certificates -- for example, to keep your private keys more secure by not storing them on the API server. | |
This page explains the certificates that your cluster requires. | |
-{{% /capture %}} | |
-{{% capture body %}} | |
+ | |
+<!-- body --> | |
## How certificates are used by your cluster | |
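Review bot: The added empty line between the overview paragraph and `<!-- body -->` renders as `+ ` in this hunk, so check that it carries no trailing space before merging; the rest of the hunk is a mechanical migration (`content_template: templates/concept` to `content_type: concept`, and the `{{% capture %}}` pairs replaced by the `<!-- overview -->` / `<!-- body -->` markers) and the removed/added line counts balance, which is consistent with the `-2,20 +2,20` header.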
@@ -28,10 +28,10 @@ Kubernetes requires PKI for the following operations: | |
* Client certificate for the API server to talk to etcd | |
* Client certificate/kubeconfig for the controller manager to talk to the API server | |
* Client certificate/kubeconfig for the scheduler to talk to the API server. | |
-* Client and server certificates for the [front-proxy][proxy] | |
+* Client and server certificates for the [front-proxy](/docs/tasks/extend-kubernetes/configure-aggregation-layer/) | |
{{< note >}} | |
-`front-proxy` certificates are required only if you run kube-proxy to support [an extension API server](/docs/tasks/access-kubernetes-api/setup-extension-api-server/). | |
+`front-proxy` certificates are required only if you run kube-proxy to support [an extension API server](/docs/tasks/extend-kubernetes/setup-extension-api-server/). | |
{{< /note >}} | |
etcd also implements mutual TLS to authenticate clients and peers. | |
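Review bot: Since the only change to the note line is the link path (`access-kubernetes-api` to `extend-kubernetes`), this is a good moment to also fix its wording: the inlined `[front-proxy]` link in the bullet above points at the aggregation-layer page, so "required only if you run kube-proxy to support an extension API server" reads oddly and would be clearer as "required only if you use the aggregation layer to serve an extension API server". Both inlined links now use the `/docs/tasks/extend-kubernetes/` prefix, which matches the path change made elsewhere in this diff.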
@@ -54,7 +54,7 @@ Required CAs: | |
|------------------------|---------------------------|----------------------------------| | |
| ca.crt,key | kubernetes-ca | Kubernetes general CA | | |
| etcd/ca.crt,key | etcd-ca | For all etcd-related functions | | |
-| front-proxy-ca.crt,key | kubernetes-front-proxy-ca | For the [front-end proxy][proxy] | | |
+| front-proxy-ca.crt,key | kubernetes-front-proxy-ca | For the [front-end proxy](/docs/tasks/extend-kubernetes/configure-aggregation-layer/) | | |
On top of the above CAs, it is also necessary to get a public/private key pair for service account management, `sa.key` and `sa.pub`. | |
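Review bot: Inlining the full URL into the third column of the CA table overruns the column width that the other rows and the `|---|` separator are padded to; the table still renders, but the source is harder to read. Either widen the separator and pad the other rows, or keep the link text short. Also note the link text here is "front-end proxy" while the earlier hunk uses "front-proxy"; pick one term for both.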
@@ -74,10 +74,11 @@ Required certificates: | |
| kube-apiserver-kubelet-client | kubernetes-ca | system:masters | client | | | |
| front-proxy-client | kubernetes-front-proxy-ca | | client | | | |
-[1]: any other IP or DNS name you contact your cluster on (as used by [kubeadm][kubeadm] the load balancer stable IP and/or DNS name, `kubernetes`, `kubernetes.default`, `kubernetes.default.svc`, | |
+[1]: any other IP or DNS name you contact your cluster on (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/kubeadm/) | |
+the load balancer stable IP and/or DNS name, `kubernetes`, `kubernetes.default`, `kubernetes.default.svc`, | |
`kubernetes.default.svc.cluster`, `kubernetes.default.svc.cluster.local`) | |
-where `kind` maps to one or more of the [x509 key usage][usage] types: | |
+where `kind` maps to one or more of the [x509 key usage](https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage) types: | |
| kind | Key usage | | |
|--------|---------------------------------------------------------------------------------| | |
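Review bot: Splitting footnote `[1]` across two lines is fine for rendering, but the sentence itself is still missing punctuation: "(as used by [kubeadm](...) the load balancer stable IP ..." runs the two clauses together. Suggest ending the first new line with a colon, e.g. `(as used by [kubeadm](/docs/reference/setup-tools/kubeadm/kubeadm/):` so the list that follows reads as the examples kubeadm uses. The `-74,10 +74,11` header accounts for the extra line from the split.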
@@ -99,7 +100,8 @@ For kubeadm users only: | |
### Certificate paths | |
-Certificates should be placed in a recommended path (as used by [kubeadm][kubeadm]). Paths should be specified using the given argument regardless of location. | |
+Certificates should be placed in a recommended path (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/kubeadm/)). | |
+Paths should be specified using the given argument regardless of location. | |
| Default CN | recommended key path | recommended cert path | command | key argument | cert argument | | |
|------------------------------|------------------------------|-----------------------------|----------------|------------------------------|-------------------------------------------| | |
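Review bot: The second sentence, "Paths should be specified using the given argument regardless of location", is ambiguous after the split; it means that if a certificate is not at the recommended path, its actual path must be passed via the `key argument` / `cert argument` listed in the table. Rewording it to say that explicitly would help readers who generate their own certificates.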
@@ -160,8 +162,4 @@ These files are used as follows: | |
| controller-manager.conf | kube-controller-manager | Must be added to manifest in `manifests/kube-controller-manager.yaml` | | |
| scheduler.conf | kube-scheduler | Must be added to manifest in `manifests/kube-scheduler.yaml` | | |
-[usage]: https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage | |
-[kubeadm]: /docs/reference/setup-tools/kubeadm/kubeadm/ | |
-[proxy]: /docs/tasks/access-kubernetes-api/configure-aggregation-layer/ | |
-{{% /capture %}} |
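Review bot: Removing the `[usage]`, `[kubeadm]` and `[proxy]` reference definitions is only safe if no `[...][kubeadm]`-style reference remains anywhere in the file; the hunks shown inline every occurrence they touch, but please grep the whole file, because a leftover reference would render as literal bracket text once its definition is gone. Also worth stating in the commit message: the removed `[proxy]` definition pointed at `/docs/tasks/access-kubernetes-api/configure-aggregation-layer/`, while the inlined replacements use `/docs/tasks/extend-kubernetes/configure-aggregation-layer/`, so this diff changes link targets, not just link style.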