CKS Exam Series #6 Users and CertificateSigningRequests

Kubernetes CKS Example Exam Question Series

Kim Wuestkamp
ITNEXT

--

CKS Exam Series | CKA Exam Series | CKAD Exam Series

#####################################

THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:

https://killercoda.com/killer-shell-cks

######################################

Content

  1. Create Cluster & Security Best Practices
  2. Pods, Secrets and ServiceAccounts
  3. Immutable Pods
  4. Crash that Apiserver & check logs
  5. ImagePolicyWebhook / AdmissionController
  6. Users and CertificateSigningRequests
  7. ServiceAccount Token Mounting
  8. Role Based Access Control (RBAC)
  9. Role Based Access Control (RBAC) v2
  10. Container Hardening
  11. NetworkPolicies (Default Deny + Allowlist)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

→ Check out the FULL CKS COURSE on Udemy ←

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rules!

  1. Be fast, avoid creating yaml manually from scratch
  2. Use only kubernetes.io/docs for help.
  3. Check our solution after you did yours. You probably have a better one!

A bit of context before the task

CA  = Certificate Authority
CRT = Certificate
CSR = Certificate Signing Request
KEY = Private Key

Kubernetes has no User objects. A normal user is identified by a client certificate (CRT) that chains to the cluster CA: the CN/CommonName of the certificate is the username and every O/Organization entry becomes a group. Only certificates signed by the cluster CA are accepted by the apiserver, so the CA has to sign these CRTs.

The idea today is to do the signing process once manually and once using the K8s Api. This will explain what’s happening in the background.

Manual way

Automatic way

Todays Task: Create a CertificateSigningRequest

  1. Create a KEY for user named 60099@internal.users
  2. Create a CSR for the KEY
  3. Manual way: manually sign the CSR with the K8s CA file to generate the CRT
  4. Automated way: create a CSR-K8s-resource for the CSR file, let the K8s Api sign it, then download the CRT
  5. Connect to the K8s Api using the CRT+KEY from the manual and automatic way.

.

.

.

.

.

Solution

The control plane already holds the cluster CA (on a kubeadm cluster the kube-controller-manager signs approved CSRs with /etc/kubernetes/pki/ca.key), so why not let it do the signing?

alias k=kubectl

1. Create KEY

openssl genrsa -out 60099.key 2048

2. Create CSR

openssl req -new -key 60099.key -out 60099.csr -subj "/CN=60099@internal.users"
# or run it interactively and set Common Name = 60099@internal.users; leave Organization empty unless you want that user in a group

3. Manual signing

find /etc/kubernetes/pki | grep ca

openssl x509 -req -in 60099.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out 60099.crt -days 500

4. Signing via API

https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: 60099@internal.users # ADD
spec:
  groups:
  - system:authenticated
  request: {{BASE_64_ENCODED_CSR}} # ADD
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

Convert CSR file content to base64:

cat 60099.csr | base64 -w 0

Create the resource, check its status and approve:

k create -f csr.yaml
k get csr                                   # CONDITION is Pending until someone approves
k certificate approve 60099@internal.users  # needs RBAC rights to approve CSRs
k get csr                                   # now Approved,Issued and status.certificate is filled

Now download the CRT:

k get csr 60099@internal.users -ojsonpath="{.status.certificate}" | base64 -d > 60099.crt

5. Use it to connect to K8s API

k config set-credentials 60099@internal.users --client-key=60099.key --client-certificate=60099.crt
k config set-context 60099@internal.users --cluster=kubernetes --user=60099@internal.users
k config get-contexts
k config use-context 60099@internal.users

Any request now, for example k get ns, fails with a Forbidden error that names the user 60099@internal.users: authentication works, the user just has no RBAC permissions yet. Both the manually signed and the API-signed 60099.crt behave the same here, because the apiserver only checks that the certificate chains to the cluster CA and reads the CN.

If you like you could give the user RBAC permissions to actually work with the cluster. This will follow in a next challenge.

.

.

.

.

.

Why use the K8s CSR API?

Signing through the API means nobody needs a copy of the CA private key on their workstation: you submit a CSR resource, someone with the RBAC right to approve CSRs approves it, and the kube-controller-manager signs it with the CA it already holds. That gives an auditable approval step, restricts the result to client authentication (the kubernetes.io/kube-apiserver-client signer refuses any usage other than client auth, digital signature and key encipherment) and caps the lifetime at the controller-manager's --cluster-signing-duration, whereas a manual openssl x509 -days 500 is whatever the operator typed.

The CA key should be treated as the crown jewel of the cluster: whoever holds it can mint a trusted certificate for any username or group, including O=system:masters, and Kubernetes performs no revocation check on client certificates. A leaked CA key can only be fixed by rotating the CA and every certificate issued from it.

You have a different solution?

Let us know by leaving a comment below!

— — — The END — — —

So much for this session. See you at the next one and happy learning!

Ready to join Killer Shell?

FULL CKS COURSE

LINK

…or the CKS SIMULATOR

https://killer.sh/cks


killercoda.com | killer.sh (CKS CKA CKAD Simulator) | Software Engineer, Infrastructure Architect, Certified Kubernetes