Which certificate and key does Kubernetes use to sign CertificateSigningRequests?

Question

I was trying to automate the process of signing Kubernetes certificates for new users.
The official documentation (here) suggests using Kubectl. In particular they suggest using the command :

kubectl certificate approve csr_name

and obtain a base64 encoded certificate via :

kubectl get csr/csr_name -o yaml

and looking at the status.certificate field. Since I have access to the cluster certificates ( at /etc/kubernetes/pki) and since I wanted to further automate the process I was wondering which certificate and key are used by Kubernetes in the signing process. I've tried with apiserver, ca and kubeadmin (.crt and .key) and openssl as follows :

openssl x509 -req my.csr -days 365 -CA /etc/kubernetes/*.crt -CAkey /etc/kubernetes/*.key -CAcreateserial -out my.crt

where *.crt and *.key are the various files mentioned above. But the results are always different from that of the kubectl command. Any idea what I am missing?

Thanks in advance!

Answer 1

Very partial answer for this moment

1. CA for etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy

Since I have access to the cluster certificates ( at /etc/kubernetes/pki) and since I wanted to further automate the process I was wondering which certificate and key are used by Kubernetes in the signing process.

There is a great Kubernetes The Hard Way tutotial that give you great opportunity to check,test and try by your own how to manually create kubernetes cluster using manually create all the certificates for core resources.

Provisioning a CA and Generating TLS Certificates

you will provision a PKI Infrastructure using CloudFlare's PKI toolkit, cfssl, then use it to bootstrap a Certificate Authority, and generate TLS certificates for the following components: etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy.

Generating Kubernetes Configuration Files for Authentication

you will generate Kubernetes configuration files, also known as kubeconfigs, which enable Kubernetes clients to locate and authenticate to the Kubernetes API Servers.

2. New user creation you can use Kubernetes: How do I access the CA to sign a new user certificate? as a reference. Copy pasting for history in case original post would be removed

you can use the build in CA in your cluster to create client certificates. Background information on how to use the CA: https://kubernetes.io/docs/concepts/cluster-administration/certificates/

Assuming you have a user.json

{
    "CN": "mfrank",
    "key": {
        "algo": "rsa",
        "size": 4096
    },
    "names": [{
        "O": "mfrank",
        "email": "some@email"
    }]
}

You can then generate a CSR for this. In this example I use cfssl to generate the CSR:

cfssl genkey user.json  | cfssljson -bare client

You can now use kubectl to submit a CSR for your cluster:

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: mfrank
spec:
  groups:
  - system:authenticated
  - mfrank
  request: $(cat client.csr | base64 | tr -d '
')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

The request field is base64 encoded version of your csr file.

To view your CSR: kubectl get csr

To approve it:

kubectl certificate approve mfrank

Decode it:

kubectl get csr mfrank -o jsonpath='{.status.certificate}' | base64 -d > client.pem

You can now use the client-key.pem and client.pem to build a kubeconfig.

You can then create RBAC rolebindings on your cluster assigning to either –user=mfrank or –group=mfrank (assuming you used “O”: “mfrank”)