Kubernetes and TLS: A Symphonic Integration


Today, I'll demonstrate the process of issuing and approving a certificate for a new user in a Kubernetes cluster.
STEP 1: Generate a private key using the following command:
openssl genrsa -out myuser.key 2048
STEP 2: Generate a CSR (certificate signing request):
openssl req -new -key myuser.key -out myuser.csr -subj "/CN=myuser"
Now, if you run the ls command, you'll see two new files (in my case I have replaced myuser with adam):
myuser.key
myuser.csr
The new user's part is complete for now; the Kubernetes administrators will handle the next steps.
Now, taking on the role of a Kubernetes administrator, we will follow the steps accordingly.
STEP 3: Create a CertificateSigningRequest yaml file:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser
spec:
  request: <base64-encoded CSR from step 2>
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400 # one day
  usages:
  - client auth
Make sure you replace the request value with the actual CSR that was generated in step 2.
Take that CSR, base64-encode it, remove the line breaks, and put the result in the request field of the .yaml file above. The command for this is (in my case it's adam, so I'll go ahead and do it using adam):
cat adam.csr | base64 | tr -d "\n" > csr2.txt
I have encoded it, removed the line breaks, and redirected the output to a separate file, which I'll use for reference now. Copy the text from this file into the request field of the CSR .yml file above.
STEP 4: Apply this CSR yaml file to create the CertificateSigningRequest using the following command:
kubectl apply -f csr.yml
After applying this file, you'll see that the CertificateSigningRequest has been created.
Now you can view your CSR with kubectl get csr, and describe it to get more information. However, the CSR will be in the Pending state because it has not yet been approved.
STEP 5: Finally, approve or deny the certificate signing request:
This is the last step and we're almost there. In our case we will approve the request, using the following command:
kubectl certificate approve adam
If you want to deny the request, you can use the following command:
kubectl certificate deny <request-name>
Finally, the certificate for the new user has been approved. If you describe the CSR again, you'll see that it has been approved.
We’re all done!
This is how you can issue and approve a certificate for a new user in a Kubernetes cluster in just five simple steps.
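The same flow in Go, as an added example that is not from the original post: newClientCSR plays the user (steps 1 and 2) and returns the value that goes into spec.request in step 3, and reviewRequest is the check an administrator should run before step 5, because the API server takes the certificate's CN as the username and any O values as group names, so approving a CSR without inspecting its subject grants whatever identity the requester wrote into it. The function names and the user adam are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// newClientCSR is the user's part (steps 1 and 2): a 2048-bit RSA key and a PEM CSR
// with the Kubernetes username as CN, returned base64-encoded on one line, which is
// exactly the spec.request value the step 3 manifest needs (`base64 | tr -d "\n"`).
func newClientCSR(cn string, groups []string) (string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: groups}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return "", err
	}
	pemCSR := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return base64.StdEncoding.EncodeToString(pemCSR), nil
}

// reviewRequest is the admin's check before `kubectl certificate approve`: decode
// spec.request, verify the CSR's signature, and confirm the subject is exactly the
// expected user with no O= groups, because CN becomes the username and O the groups.
func reviewRequest(request, expectedUser string) error {
	raw, err := base64.StdEncoding.DecodeString(request)
	block, _ := pem.Decode(raw) // nil block if raw is empty or not PEM
	if err != nil || block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("spec.request is not a base64-encoded PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err == nil {
		err = csr.CheckSignature() // parsing alone does not verify the signature
	}
	if err != nil {
		return fmt.Errorf("invalid CSR: %w", err)
	}
	if cn, o := csr.Subject.CommonName, csr.Subject.Organization; cn != expectedUser || len(o) != 0 {
		return fmt.Errorf("subject CN=%q O=%v, expected CN=%q with no groups", cn, o, expectedUser)
	}
	return nil
}
```

Run reviewRequest against the decoded spec.request of a pending CSR (kubectl get csr adam -o jsonpath='{.spec.request}') and only approve when it returns nil.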
Written by Syed Mahmood Ali
