
[cka] Certificates API

by Geunny 2024. 7. 19.

1. A new member akshay joined our team. He requires access to our cluster. The Certificate Signing Request is at the /root location. Inspect it.
What to look for when inspecting a CSR: the subject's CN is the username the issued certificate will carry, and each O in the subject is a group that user will belong to.


2. Create a CertificateSigningRequest object with the name akshay with the contents of the akshay.csr file
As of Kubernetes 1.19, the API to use for CSRs is certificates.k8s.io/v1.
Note that an additional field, signerName, must also be set when creating a CSR. For client authentication to the API server we use the built-in signer kubernetes.io/kube-apiserver-client.
Two things worth knowing about the object: spec.request is the PEM CSR base64-encoded on a single line (hence base64 -w 0), and the username and groups the issued certificate will carry come from that CSR's subject (CN and O), not from the manifest. spec.username and spec.groups are populated by the API server with the identity of whoever submits the object, so the groups entry in the manifest below is informational at best. An optional spec.expirationSeconds asks for a shorter certificate lifetime; the built-in signer honours it unless it exceeds its --cluster-signing-duration.

controlplane ~ ➜  cat akshay.csr | base64 -w 0
<base64-encoded contents of akshay.csr, one line>

--- # akshay-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  groups:              # set by the API server from the submitting user; not honoured from the manifest
  - system:authenticated
  request: <base64-encoded contents of akshay.csr, one line>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
###

k apply -f akshay-csr.yaml

3. What is the Condition of the newly created Certificate Signing Request object?

controlplane ~ ➜  k get csr
NAME        AGE    SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
akshay      2m8s   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Pending
csr-jqm2m   11m    kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

answer : Pending

4. Approve the CSR Request

controlplane ~ ➜  kubectl certificate approve akshay
certificatesigningrequest.certificates.k8s.io/akshay approved

Reference: Certificates and Certificate Signing Requests (kubernetes.io), approval and rejection with kubectl:
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection-kubectl

5. How many CSR requests are available on the cluster?
Including approved and pending

controlplane ~ ➜  kubectl get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
akshay      4m31s   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Approved,Issued
csr-jqm2m   13m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

answer : 2

6. During a routine check you realized that there is a new CSR request in place. What is the name of this request?

controlplane ~ ➜  kubectl get csr
NAME          AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
agent-smith   18s     kubernetes.io/kube-apiserver-client           agent-x                    <none>              Pending
akshay        5m20s   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Approved,Issued
csr-jqm2m     14m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

answer : agent-smith

7. Hmmm.. You are not aware of a request coming in. What groups is this CSR requesting access to?
Check the details of the request, preferably in YAML.

controlplane ~ ➜  kubectl get csr agent-smith -o yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  creationTimestamp: "2024-07-19T12:37:46Z"
  name: agent-smith
  resourceVersion: "1543"
  uid: 71ce3d85-a798-4bca-86e2-e5b3e3aeff58
spec:
  groups:
  - system:masters
  - system:authenticated
  request: <base64-encoded PEM CSR, one line>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - server auth
  username: agent-x
status: {}

answer : system:masters

Why this request deserves a deny rather than a shrug: the requestor is agent-x rather than a known admin, spec.groups includes system:masters, which the API server treats as a superuser independently of any RBAC binding, and a client certificate cannot be revoked once issued, so the only safe moment to stop it is before approval. The usages are also wrong for this signer: kubernetes.io/kube-apiserver-client only issues certificates whose usages are client auth, optionally together with digital signature and key encipherment, and this request asks for server auth. Remember, too, that spec.groups records the groups of the user that created the object; the groups the certificate itself would carry are the O fields of the subject inside spec.request, so decode that before approving anything.
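Checking what a CSR really asks for, as an added example that is not part of the lab or of Kubernetes itself: the identity a signed certificate will carry is the subject inside spec.request (CN becomes the username, each O a group), so that is what to decode before running kubectl certificate approve. The script below first builds the base64 request the way step 2 does, from a fresh key and a subject, and then decodes it the way step 7 should. The two subjects (/CN=akshay/O=developers and /CN=agent-x/O=system:masters/O=system:authenticated), the throwaway keys and all function names are constructed for this example; the kubectl line in the comment shows how the argument would be fetched from a live cluster and is not executed here. It needs openssl and coreutils base64.

```shell
#!/usr/bin/env bash
# Added example, not from the lab: decode a CertificateSigningRequest's spec.request
# and report the identity it would be granted. Needs openssl and coreutils base64.
set -eu
set -o pipefail 2>/dev/null || true
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

# Groups that must never be handed out through a client-certificate CSR:
# system:masters is a superuser to the API server regardless of RBAC, and
# system:nodes is the kubelet identity that belongs to the separate kubelet signer.
PRIVILEGED_GROUPS='system:(masters|nodes)'

# Subject of a base64-encoded PEM CSR in RFC 2253 form, e.g. "O=system:masters,CN=agent-x".
# On a live cluster the argument would come from (not run here):
#   kubectl get csr agent-smith -o jsonpath='{.spec.request}'
# Commas inside a value are escaped as "\," under RFC 2253 and are not handled here.
csr_subject() {
  printf '%s' "$1" | base64 -d \
    | openssl req -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

# CN of the subject: the username the API server will see on the certificate.
csr_user() {
  csr_subject "$1" | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Every O of the subject, one per line: the groups the certificate confers.
csr_groups() {
  csr_subject "$1" | tr ',' '\n' | sed -n 's/^O=//p'
}

# Exit 0 when the CSR asks for a group matching PRIVILEGED_GROUPS, 1 otherwise.
csr_requests_privileged_group() {
  [ "$(csr_groups "$1" | grep -cxE "$PRIVILEGED_GROUPS")" -gt 0 ]
}

# Build the blob step 2 puts into spec.request: a fresh key and a PEM CSR for the
# given subject, base64-encoded on one line (the same result as base64 -w 0).
make_csr_b64() {
  local keyfile
  keyfile=$(mktemp)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$keyfile" -subj "$1" 2>/dev/null \
    | base64 | tr -d '\n'
  rm -f "$keyfile"
}

# Constructed sample input: throwaway keys generated locally so this runs offline.
AKSHAY_CSR=$(make_csr_b64 "/CN=akshay/O=developers")
AGENT_CSR=$(make_csr_b64 "/CN=agent-x/O=system:masters/O=system:authenticated")

# Stand-alone run: print the verdict for each sample request.
for req in "$AKSHAY_CSR" "$AGENT_CSR"; do
  if csr_requests_privileged_group "$req"; then verdict=deny; else verdict=review; fi
  printf '%-8s groups=[%s] -> %s\n' "$(csr_user "$req")" \
    "$(csr_groups "$req" | tr '\n' ' ')" "$verdict"
done
```

A "review" verdict is not an approval: it only means no hard-wired superuser group was requested, and the CN and O values still have to match the person and team that asked for access. Once a request has been approved, the signed certificate is read back with `kubectl get csr akshay -o jsonpath='{.status.certificate}' | base64 -d > akshay.crt`; decoding that with `openssl x509 -noout -subject` is a last check that the identity issued is the one that was reviewed.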

8. That doesn't look very right. Reject that request.

controlplane ~ ➜  kubectl certificate deny agent-smith
certificatesigningrequest.certificates.k8s.io/agent-smith denied

9. Let's get rid of it. Delete the new CSR object.
Denying only adds a Denied condition; the object stays in the cluster until it is deleted. Before deleting it, keep the YAML from the previous step as the record of the incident, since the request itself (and whoever holds the agent-x credential that created it) is what needs investigating.

controlplane ~ ➜  kubectl delete csr agent-smith
certificatesigningrequest.certificates.k8s.io "agent-smith" deleted
