
Kubernetes Root CA Certificate
By default, the Kubernetes root CA certificate and key are auto-generated during installation, so the certificates issued for Kubernetes components, for example the Kubernetes API server certificate, are signed by a CA that is unknown to, and therefore not trusted by, anything outside the system.
It is recommended that you replace the auto-generated Kubernetes root CA certificate and key with a custom root certificate and key that you generate yourself and that is trusted by the external servers and clients connecting to the system's Kubernetes API endpoint.
See Locally Creating Certificates <creating-certificates-locally-using-openssl> for how to create a private root certificate and key.
Use the bootstrap override values <k8s_root_ca_cert> and <k8s_root_ca_key>, as part of the installation procedure, to specify the certificate and key for the Kubernetes root CA.
<k8s_root_ca_cert>
Specifies the certificate for the Kubernetes root CA. The <k8s_root_ca_cert> value is the absolute path of the certificate file. The certificate must be in PEM format, and the value must be provided as part of a pair with <k8s_root_ca_key>. The playbook will not proceed if only one value is provided.
<k8s_root_ca_key>
Specifies the private key for the Kubernetes root CA. The <k8s_root_ca_key> value is the absolute path of the key file. The key must be in PEM format, and the value must be provided as part of a pair with <k8s_root_ca_cert>. The playbook will not proceed if only one value is provided.
Caution
The default duration of the auto-generated Kubernetes root CA certificate is 10 years. Replacing the root CA certificate on a running system is an involved process, since every certificate issued from it must be reissued, so give the custom certificate the longest expiry your security policy allows. We recommend a root CA certificate expiry of at least 5 to 10 years.
The administrator can also provide values to add to the Kubernetes API server certificate Subject Alternative Name list using the <apiserver_cert_sans> override parameter.
apiserver_cert_sans
Specifies a list of Subject Alternative Name entries that will be added to the Kubernetes API server certificate. Each entry in the list must be an IP address or domain name. For example:
apiserver_cert_sans:
- hostname.domain
- 198.51.100.75
The bootstrap procedure automatically adds IP address entries for the floating IP address and both unit IP addresses to this list. Any DNS names that resolve to the floating IP address and that clients will use to reach the API should be added here, because a name that is absent from the Subject Alternative Name list fails TLS hostname verification even when the client trusts the root CA.
Make the Kubernetes root CA certificate (not the API server certificate itself) available to any remote server that connects to the system's Kubernetes API, for example through kubectl or helm, so that the client can verify the API server certificate chain.
See step 2.b of Install Kubectl and Helm Clients Directly on a Host <security-install-kubectl-and-helm-clients-directly-on-a-host>.
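The procedure above end to end, as an added shell example that is not StarlingX code or documentation: create a private root CA with openssl, write the bootstrap override values that hand the pair to the installation together with extra API server SANs, embed the root CA in a client kubeconfig, and run the checks a remote kubectl or helm client effectively performs. It assumes openssl 1.1.1 or newer is installed; every path, the CA subject name and the kubeconfig cluster name are illustrative, and the "kube-apiserver" certificate it signs locally is a stand-in for the one the installation issues, so the chain and SAN checks run offline.

```shell
#!/bin/sh
# Added example (not StarlingX code): private Kubernetes root CA, bootstrap
# overrides, client kubeconfig and the client-side checks. Assumes openssl >= 1.1.1.
# Paths, names and the locally signed "apiserver" certificate are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_CRT="$WORK/k8s-root-ca.crt"
CA_KEY="$WORK/k8s-root-ca.key"

# 1. Private root CA. 3650 days (~10 years) matches the auto-generated default;
#    a short-lived root forces the root rotation the Caution above warns about.
make_root_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Kubernetes Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
    chmod 600 "$CA_KEY"   # this key signs every certificate in the cluster
}

# 2. Bootstrap override values: absolute paths to the PEM pair, plus extra SANs.
#    The installation adds the floating and unit IP addresses itself.
write_overrides() {
    cat > "$WORK/localhost.yml" <<EOF
k8s_root_ca_cert: $CA_CRT
k8s_root_ca_key: $CA_KEY
apiserver_cert_sans:
  - hostname.domain
  - 198.51.100.75
EOF
}

# 3. Local stand-in for the API server certificate the installation issues
#    from the root CA, carrying the SANs given in the overrides.
make_apiserver_cert() {
    cat > "$WORK/apiserver.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = kube-apiserver
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:kubernetes,DNS:hostname.domain,IP:198.51.100.75
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/apiserver.cnf" \
        -keyout "$WORK/apiserver.key" -out "$WORK/apiserver.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/apiserver.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/apiserver.cnf" \
        -extensions v3_server -out "$WORK/apiserver.crt" 2>/dev/null
}

# 4. What a remote client needs: the root CA embedded in its kubeconfig (the form
#    `kubectl config set-cluster --embed-certs` produces), never the leaf certificate.
write_kubeconfig() {
    ca_b64=$(base64 < "$CA_CRT" | tr -d '\n')
    cat > "$WORK/kubeconfig" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: example-cluster
  cluster:
    server: https://hostname.domain:6443
    certificate-authority-data: $ca_b64
EOF
}

# Checks: the root is a CA with enough lifetime left, the API server certificate
# chains to it and carries the SAN the client dials, and an unknown CA is rejected.
root_is_ca()    { openssl x509 -in "$CA_CRT" -noout -text | grep -q 'CA:TRUE'; }
root_outlives() { openssl x509 -in "$CA_CRT" -noout -checkend "$(( $1 * 86400 ))" >/dev/null; }
chain_ok()      { openssl verify -CAfile "$CA_CRT" "$1" >/dev/null 2>&1; }
san_present()   { openssl x509 -in "$WORK/apiserver.crt" -noout -text | grep -q "$1"; }
unknown_ca_rejected() {   # self-signed cert from nobody's CA (reuses apiserver.cnf for its DN)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/apiserver.cnf" \
        -subj '/CN=rogue-apiserver' -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
    ! chain_ok "$WORK/rogue.crt"
}

make_root_ca; write_overrides; make_apiserver_cert; write_kubeconfig
if root_is_ca && root_outlives 1825 && chain_ok "$WORK/apiserver.crt"; then
    echo "root CA, overrides, API server chain and kubeconfig written under $WORK"
fi
```

The rogue certificate in the last check is the situation the page opens with: a client that has not been given the root CA (or is shown a certificate from a different CA) cannot build a chain and must refuse the connection, which is why the root CA certificate, and only that, is what you distribute to remote kubectl and helm hosts.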