This is the second part of the multi-part series on Building a Kubernetes Cluster from Scratch. You can find the link to part 1 here.
In this part of this series, we will learn to create and provide TLS certificates for all the components that make up the cluster.
Local System (4 GB RAM, CPU capable of virtualization)
Cloud (1 GB RAM, Linux Operating System) x 2
Let's generate the Certificate Authority (CA) for the master node. The master node is the primary server, and the worker nodes will verify the provided certificate with the master node.
Setting Up Environment Variables
To avoid having to enter long values every time we enter a command (which we will do a lot of), values will be added into environment variables, which we can then call upon to add values in the desired places.
Check if the environment variables were set up correctly.
Generating a CA Certificate
Now, we generate a CA Certificate – the main certificate responsible for signing all the certificates we generate later. If the certificate has not been signed with the CA key, the provided certificate of the components will be invalid.
The CA.key file is used to sign the certificates. Avoid sharing this key.
Generating Client and Server Certificates
We will now generate certificates for all the components of our Kubernetes Cluster.
Admin Client Certificate
This certificate and key pair will be used by an admin to authenticate with the cluster.
Output for the certificate generation commands below has been omitted to avoid redundancy. This is because the generated files are of the same type (certificate and key pair) and only differ in name.
The admin user has been placed in the system: Masters Group, which can now perform administrative actions on the cluster.
Kube Controller Manager Certificate
The commands below will be used to generate kube-controller-manager client certificate and private key.
Kube Proxy Certificate
The commands below will be used to generate kube-proxy client certificate and private key.
The Scheduler Client Certificate
Using the commands below, we can generate kube-scheduler client certificate and private key.
Kubernetes API Server Certificate
As openssl cannot take alternate names as command line parameters, we'll create a .conf file to provide params.
ETCD Server Certificate
We'll now generate a certificate and key for ETCD Server. The certificate must contain the IP addresses of all servers that are a part of the ETCD cluster.
We'll use the commands below to generate the certificate key pair.
Kubelet Client Certificate
This certificate is used by the API server to authenticate with the kubelets when it requires information from them.
Use the commands below to generate the kubelet client certificate and key pair.
Service Account Key Pair
Kubernetes Controller Manager uses the Service Account Key pair to generate and sign service account tokens.
Generate the certificate and key using the commands below.
Copying the Certificates
Use the scp command below to transfer the generated CA from the master to the worker node. We'll manually move them later on to a different directory.
In this article, we learned to create the CA and the kubelet client certificates, which are important for the proper functioning of a cluster.
In this next part, we will learn to setup the recently generated certificates and their components in the kubernetes cluster nodes.
Thank you for reading. Please comment below if you have any queries or find any inaccuracies in the article!