Certificates
Certificates are used to encrypt and authenticate the TLS communication between the components of a Kubernetes cluster (for example kube-apiserver, kubelet and etcd). Each component verifies the identity of its peers through their certificates, so they can communicate securely.
- Client certificates:
  - A client (e.g. kubectl) proves its identity when it accesses the API server
  - kubectl specifies the certificate with the --client-certificate and --client-key options
- Server certificates:
  - A server (API server, kubelet, etcd) proves its identity to its clients
  - The server encrypts the TLS connection, and trust is established through the CA certificate
- CA (Certificate Authority) certificate:
  - Issues certificates and establishes trust between clients and servers
CertificateSigningRequest (CSR)
A CSR is a request generated in order to have a TLS certificate issued; it carries the public key, the CN and the other subject information.
Reference: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
- Create a private key and a CSR file
$ openssl genrsa -out myuser.key 2048
$ openssl req -new -key myuser.key -out myuser.csr -subj "/CN=myuser"
- Create the CSR object
controlplane ~ ➜ cat akshay.csr | base64 -w 0
<base64-encoded CSR output omitted>
controlplane ~ ➜ cat > akshay.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  request: <paste the base64-encoded CSR here>
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400 # one day
  usages:
  - client auth
controlplane ~ ➜ kubectl create -f akshay.yaml
certificatesigningrequest.certificates.k8s.io/akshay created
controlplane ~ ➜ kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
akshay 19s kubernetes.io/kube-apiserver-client kubernetes-admin <none> Pending
csr-4tkvt 12m kubernetes.io/kube-apiserver-client-kubelet system:node:controlplane <none> Approved,Issued
- Approve the CSR
controlplane ~ ➜ kubectl certificate approve akshay
certificatesigningrequest.certificates.k8s.io/akshay approved
controlplane ~ ➜ kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
akshay 20m kubernetes.io/kube-apiserver-client kubernetes-admin <none> Approved,Issued
csr-4tkvt 33m kubernetes.io/kube-apiserver-client-kubelet system:node:controlplane <none> Approved,Issued
- Viewing the certificate request from a CSR
controlplane ~ ➜ kubectl get csr agent-smith -o yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  creationTimestamp: "2025-01-13T07:53:48Z"
  name: agent-smith
  resourceVersion: "3101"
  uid: 5df8a2bc-57ee-490b-9ec1-cf8cc59ec11f
spec:
  groups:
  - system:masters
  - system:authenticated
  request: <base64-encoded CSR omitted>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - server auth
  username: agent-x
status: {}
- Deny a CSR
controlplane ~ ➜ kubectl certificate deny agent-smith
certificatesigningrequest.certificates.k8s.io/agent-smith denied
controlplane ~ ➜ kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
agent-smith 3m43s kubernetes.io/kube-apiserver-client agent-x <none> Denied
# Delete the CSR
controlplane ~ ➜ kubectl delete csr agent-smith
certificatesigningrequest.certificates.k8s.io "agent-smith" deleted
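Before running `kubectl certificate approve`, it is worth checking a pending CSR's spec against the rules of the signer it names. The following is an added example, not code from the original post: a small Python pre-approval check that encodes the permitted key usages the Kubernetes docs state for the built-in signers, and flags the agent-smith request above (which asks for server auth from the kube-apiserver-client signer and comes from a requester in system:masters) while passing the akshay request. The sample CSR dicts and the "sensitive groups" policy are constructed for this example.

```python
# Added example (not the post's own code): a pre-approval review of CSR objects.
# Usage rules per signer follow the Kubernetes docs for the built-in signers; the
# sensitive-group policy and the sample CSRs below are constructed for this example.
# signer -> (usages that must all be present, usages that are allowed at all)
SIGNER_POLICY = {
    "kubernetes.io/kube-apiserver-client":
        ({"client auth"}, {"client auth", "digital signature", "key encipherment"}),
    "kubernetes.io/kube-apiserver-client-kubelet":
        ({"client auth", "digital signature"},
         {"client auth", "digital signature", "key encipherment"}),
    "kubernetes.io/kubelet-serving":
        ({"server auth", "digital signature"},
         {"server auth", "digital signature", "key encipherment"}),
}
SENSITIVE_GROUPS = {"system:masters"}  # requesters here get extra scrutiny (assumed)

def review_csr(csr):
    """Return the reasons not to approve the CSR as-is; an empty list means OK."""
    spec = csr["spec"]
    problems = []
    signer = spec.get("signerName")
    usages = set(spec.get("usages", []))
    if signer not in SIGNER_POLICY:
        problems.append(f"unknown or custom signer {signer!r}")
    else:
        required, permitted = SIGNER_POLICY[signer]
        if not required <= usages:
            problems.append(f"missing required usages {sorted(required - usages)}")
        if not usages <= permitted:
            problems.append(f"usages not permitted by signer: {sorted(usages - permitted)}")
    exp = spec.get("expirationSeconds")
    if exp is not None and exp < 600:  # the API server rejects anything shorter
        problems.append("expirationSeconds below the 600 second minimum")
    hits = SENSITIVE_GROUPS & set(spec.get("groups", []))
    if hits:
        problems.append(f"requester {spec.get('username')!r} is in {sorted(hits)}")
    return problems

# Constructed sample CSRs mirroring the spec fields shown above (request blob omitted).
AKSHAY = {"metadata": {"name": "akshay"}, "spec": {
    "signerName": "kubernetes.io/kube-apiserver-client", "expirationSeconds": 86400,
    "usages": ["client auth"], "username": "kubernetes-admin"}}
AGENT_SMITH = {"metadata": {"name": "agent-smith"}, "spec": {
    "signerName": "kubernetes.io/kube-apiserver-client", "username": "agent-x",
    "groups": ["system:masters", "system:authenticated"],
    "usages": ["digital signature", "key encipherment", "server auth"]}}

if __name__ == "__main__":
    for csr in (AKSHAY, AGENT_SMITH):
        print(csr["metadata"]["name"], "->", review_csr(csr) or "looks approvable")
```

To review a live request, feed it the output of `kubectl get csr <name> -o json` parsed with the json module; the check only looks at spec fields, so the request blob itself is not needed.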