
Kubernetes TLS Certificate Details

Check Configuration

The Hard Way

cat /etc/systemd/system/kube-apiserver.service

[Service]
ExecStart=/usr/local/bin/kube-apiserver \
  --advertise-address=172.17.0.32 \
  --allow-privileged=true \
  --apiserver-count=3 \
  --authorization-mode=Node,RBAC \
  --bind-address=0.0.0.0 \
  --client-ca-file=/var/lib/kubernetes/ca.pem \
  --enable-swagger-ui=true \
  --etcd-cafile=/var/lib/kubernetes/ca.pem \
  --etcd-certfile=/var/lib/kubernetes/kubernetes.pem \
  --etcd-keyfile=/var/lib/kubernetes/kubernetes-key.pem \
  --event-ttl=1h \
  --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \
  --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \
  --kubelet-https=true \
  --service-node-port-range=30000-32767 \
  --tls-cert-file=/var/lib/kubernetes/kubernetes.pem \
  --tls-private-key-file=/var/lib/kubernetes/kubernetes-key.pem \
  --v=2

kubeadm

cat /etc/kubernetes/manifests/kube-apiserver.yaml

Kubernetes TLS Certificates Creation

Generate Tools

In this lecture, we will use OpenSSL. Other common tools are Easy-RSA and CFSSL.

Generate Process

Check CRT
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout

Generate Keys
openssl genrsa -out ca.key 2048

Certificate Signing Request
openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr

Sign Certificates
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt

CA (Certificate Authority) Creation

CA Generate Keys
openssl genrsa -out ca.key 2048

CA Certificate Signing Request (CSR)
openssl req -new -key ca.

Kubernetes TLS Certificates

Server Certificates
To serve a secure connection to the client.

Root Certificates
To sign server certificates. The signer is called the CA (Certificate Authority).

Client Certificates
The server requests these so the client can verify itself.

Name Convention

                 Certificate (Public Key)     Private Key
Purpose          Encrypt (Lock)               Decrypt
Extension Type   *.crt                        *.key
                 *.pem                        *-key.pem
Examples         server.crt                   server.key
                 server.pem                   server-key.pem
                 client.crt                   client.key
                 client.pem                   client-key.pem

Kubernetes Certificates Table

Service           Public Key       Private Key
KUBE-API SERVER   apiserver.crt    apiserver.key
ETCD SERVER       etcdserver.

Kubernetes TLS Certificates Basic

Symmetric Encryption

Plain Text

Transport Data:
User: John
Password: Pass123

This is very weak for security. There is no encryption, so anyone who intercepts the traffic can read the data.

Encryption

Transport Data:
User: John
Password: Pass123

Key:
XKSDJ39K34KJSDF0934JHSDFSDF3DKSDG

Encrypted Data:
XCVB: DKSJD
LKJSDFK: XZKJSDFL

Symmetric Encryption: the data is encrypted, but this is still weak for security. The key has to be sent to the other side over the same channel, so an attacker who intercepts the traffic can also intercept the key and decrypt the data with it.

Kubernetes Authentication

Accounts

All accounts are managed by kube-apiserver.

Account                       Type        Intended For / Scope
Application End Users         Humans      Application
Kubernetes Admins             Humans      Global (names must be unique across all namespaces of a cluster)
Kubernetes Developers         Humans      Global (names must be unique across all namespaces of a cluster)
Kubernetes Service Accounts   Processes   Run in Pods; Namespace (names must be unique in a namespace)

Admins and Developers

Create a user
kubectl create user user1

(Note: kubectl has no "create user" subcommand. Normal users are not Kubernetes API objects; they are represented by credentials such as client certificates issued outside the cluster.)

User list

Kubernetes Security Primitives

Secure Hosts
- Password-based authentication disabled
- SSH key-based authentication

Secure Kubernetes - kube-apiserver

Authentication - Who Can Access?
- Files: usernames and passwords
- Files: usernames and tokens
- Certificates
- External authentication providers, e.g. LDAP
- Service Accounts

Authorization - What Can They Do?
- RBAC Authorization
- ABAC Authorization
- Node Authorization
- Webhook Mode

TLS Certificates

TLS stands for Transport Layer Security. It is a technology based on SSL (Secure Sockets Layer), which was developed by Netscape Communications.