docs/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst
Juanita-Balaraj 63cd4f5fdc CephFS RWX Support in Host-based Ceph
Incorporated patchset 1 review comments
Updated patchset 5 review comments
Updated patchset 6 review comments
Fixed merge conflicts
Updated patchset 8 review comments

Change-Id: Icd7b08ab69273f6073b960a13cf59905532f851a
Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com>
2021-05-03 16:39:45 -04:00


.. imj1570020645091

.. _kubernetes-root-ca-certificate:

==============================
Kubernetes Root CA Certificate
==============================

By default, the K8S Root |CA| certificate and key are auto-generated, which
results in Kubernetes certificates, for example the Kubernetes API server
certificate, being signed by a |CA| that is unknown to external clients.

It is recommended that you replace the Kubernetes Root |CA| with a custom
Root |CA| certificate and key that you generate yourself and that is trusted
by the external servers connecting to the |prod| Kubernetes API endpoint.

.. xbooklink

   See :ref:`Locally Creating Certificates
   <creating-certificates-locally-using-openssl>` for how to create a
   private Root |CA| certificate and key.


.. caution::

    The default duration for the generated Kubernetes Root |CA| certificate
    is 10 years. Replacing the Root |CA| certificate is a complex process, so
    the custom certificate expiry should be set for a long period, if
    possible. Wind River recommends setting the Root |CA| certificate with
    an expiry of at least 5-10 years.


Use the bootstrap override values <k8s\_root\_ca\_cert> and
<k8s\_root\_ca\_key> as part of the installation procedure to specify the
certificate and key for the Kubernetes root |CA|.

**<k8s\_root\_ca\_cert>**
    Specifies the certificate for the Kubernetes root |CA|. The
    <k8s\_root\_ca\_cert> value is the absolute path of the certificate
    file. The certificate must be in |PEM| format and the value must be
    provided as part of a pair with <k8s\_root\_ca\_key>. The playbook will
    not proceed if only one value is provided.

**<k8s\_root\_ca\_key>**
    Specifies the private key for the Kubernetes root |CA|. The
    <k8s\_root\_ca\_key> value is the absolute path of the key file. The
    key must be in |PEM| format and the value must be provided as part of
    a pair with <k8s\_root\_ca\_cert>. The playbook will not proceed if
    only one value is provided.


The administrator can also provide values to add to the Kubernetes
API server certificate **Subject Alternative Name** list using the
<apiserver\_cert\_sans> override parameter.

**apiserver\_cert\_sans**
    Specifies a list of Subject Alternative Name entries that will be added
    to the Kubernetes API server certificate. Each entry in the list must
    be an IP address or domain name. For example:

    .. code-block:: none

        apiserver_cert_sans:
          - hostname.domain
          - 198.51.100.75

    |prod| automatically updates this parameter to include IP records
    for the |OAM| floating IP and both |OAM| unit IP addresses. Any DNS names
    associated with the |OAM| floating IP address should be added.

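
The rules stated for these overrides (the certificate and key must be given
together, both as absolute paths to |PEM| files, and every
apiserver\_cert\_sans entry must be an IP address or a domain name) can be
checked before the bootstrap playbook is run, when a mistake is cheap to fix.
The following Python script is an added example and is not part of the |prod|
documentation or of the bootstrap playbooks. The file names, the PEM bodies
and the SAN values in it are constructed placeholders, and
``check_root_ca_overrides``, ``render_overrides`` and ``demo`` are assumed
helper names. It does not inspect the certificate's expiry; use
``openssl x509 -in <k8s_root_ca_cert> -noout -enddate`` for that.

```python
"""Pre-flight checks for the Kubernetes Root CA bootstrap overrides.

Added example, not part of the StarlingX documentation or bootstrap playbooks.
All file names, PEM bodies and SAN values below are constructed.
"""
import ipaddress
import os
import re
import tempfile

# One RFC 1123 style label (no leading/trailing hyphen, at most 63 chars);
# a domain name is two or more labels joined by dots.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")

# Constructed sample PEM material: only the framing is real, the base64
# body is a placeholder and not a usable certificate or key.
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   "MIIBplaceholderplaceholderplaceholder==\n"
                   "-----END CERTIFICATE-----\n")
SAMPLE_KEY_PEM = ("-----BEGIN PRIVATE KEY-----\n"
                  "MIIEplaceholderplaceholderplaceholder==\n"
                  "-----END PRIVATE KEY-----\n")


def _is_ip(value):
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        return False


def _has_pem_block(path, label_pattern):
    """True if the file holds a PEM block whose BEGIN/END labels match label_pattern."""
    try:
        with open(path, encoding="ascii") as fh:
            data = fh.read()
    except (OSError, UnicodeDecodeError):
        return False
    block = re.compile(
        rf"^-----BEGIN ({label_pattern})-----\n[A-Za-z0-9+/=\n]+^-----END \1-----$", re.M)
    return block.search(data) is not None


def check_root_ca_overrides(overrides):
    """Return a list of problems; an empty list means the overrides are usable."""
    problems = []
    cert = overrides.get("k8s_root_ca_cert")
    key = overrides.get("k8s_root_ca_key")
    # The playbook does not proceed if only one of the pair is provided.
    if (cert is None) != (key is None):
        problems.append("k8s_root_ca_cert and k8s_root_ca_key must be provided as a pair")
    # Each value must be an absolute path to a readable PEM file.
    for name, path, label in (("k8s_root_ca_cert", cert, "CERTIFICATE"),
                              ("k8s_root_ca_key", key, r"(?:RSA |EC )?PRIVATE KEY")):
        if path is None:
            continue
        if not os.path.isabs(path):
            problems.append(f"{name} must be an absolute path, got {path!r}")
        elif not _has_pem_block(path, label):
            problems.append(f"{name} is not a readable PEM file: {path}")
    # Every SAN entry must be an IP address or a domain name (no URLs or ports).
    for san in overrides.get("apiserver_cert_sans", []):
        if not (_is_ip(san) or _DOMAIN_RE.match(san)):
            problems.append(f"apiserver_cert_sans entry is not an IP address or domain name: {san!r}")
    return problems


def render_overrides(overrides):
    """Render the keys as they would appear in the bootstrap override file."""
    lines = [f"{k}: {overrides[k]}" for k in ("k8s_root_ca_cert", "k8s_root_ca_key") if k in overrides]
    sans = overrides.get("apiserver_cert_sans")
    if sans:
        lines.append("apiserver_cert_sans:")
        lines.extend(f"  - {san}" for san in sans)
    return "\n".join(lines) + "\n"


def demo():
    """Write the constructed PEM files to a temp dir and check one valid and one
    broken override set. Returns (valid_problems, broken_problems, valid_snippet)."""
    with tempfile.TemporaryDirectory() as tmp:
        cert_path = os.path.join(tmp, "k8s_root_ca.crt")
        key_path = os.path.join(tmp, "k8s_root_ca.key")
        with open(cert_path, "w", encoding="ascii") as fh:
            fh.write(SAMPLE_CERT_PEM)
        with open(key_path, "w", encoding="ascii") as fh:
            fh.write(SAMPLE_KEY_PEM)
        valid = {"k8s_root_ca_cert": cert_path, "k8s_root_ca_key": key_path,
                 "apiserver_cert_sans": ["hostname.domain", "198.51.100.75", "2001:db8::10"]}
        # Missing key, relative certificate path and a URL instead of a host
        # name: each one breaks a different rule.
        broken = {"k8s_root_ca_cert": "k8s_root_ca.crt",
                  "apiserver_cert_sans": ["https://hostname.domain"]}
        return (check_root_ca_overrides(valid), check_root_ca_overrides(broken),
                render_overrides(valid))


if __name__ == "__main__":
    ok, bad, snippet = demo()
    print("valid overrides:", ok or "no problems")
    print("broken overrides:", *bad, sep="\n  ")
    print(snippet)
```

Running the script prints no problems for the valid set, three problems for the
broken set, and the override snippet for the valid set; point
``check_root_ca_overrides`` at the real paths from your override file to use
it on a deployment.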

.. _kubernetes-root-ca-certificate-section-g1j-45b-jmb:

.. rubric:: |postreq|

Make the K8S Root |CA| certificate available to any remote server that needs
to connect remotely to the |prod| Kubernetes API, for example through kubectl
or helm. This Kubernetes Root |CA| certificate should be configured as a
trusted |CA| on the remote server.

See step :ref:`2.b
<security-install-kubectl-and-helm-clients-directly-on-a-host>` in
*Install Kubectl and Helm Clients Directly on a Host*.