Kubernetes certificate management with CFSSL

CloudFlare's SSL (CFSSL) is a command-line tool and an API server used for signing, verifying, and bundling SSL certificates. In the context of a Kubernetes enterprise deployment, CFSSL is utilized to generate and manage the Public Key Infrastructure (PKI) certificates required for secure communication between cluster components, such as the API Server, kubelet, and Etcd.

Tooling and Environment Setup

To manage certificates using CFSSL, three specific binaries are typically required: cfssl, cfssljson, and cfssl-certinfo.^[400-devops-06-kubernetes-k8s-paas-02-k8s.md] In a standard architecture, these tools are installed on an operational host (e.g., hdss7-200), which acts as the Certificate Authority (CA) management node.

The installation process involves downloading the binaries and placing them into the system's executable path (e.g., /usr/bin/) and granting execution permissions^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].

Creating the Root Certificate Authority (CA)

The first step in establishing PKI for the cluster is to generate a self-signed root CA. This involves creating a configuration file, typically named ca-csr.json, which defines the certificate's details^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].

  • Key Configuration: Defines the key algorithm (commonly RSA) and key size (e.g., 2048 bits)^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
  • Certificate Details: Includes identifying information such as Country (C), State (ST), Locality (L), Organization (O), and Organizational Unit (OU)^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
  • Expiration: The root CA is often set with a long expiry time (e.g., "175200h", or 20 years)^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].

The cfssl gencert -initca command is then used with this configuration to generate the root certificate (ca.pem) and the private key (ca-key.pem)^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].

Configuring Usage Profiles

To manage different types of certificates (e.g., for servers, clients, or peer-to-peer communication), a configuration file like ca-config.json is created^[400-devops-06-kubernetes-k8s-paas-02-k8s.md]. This file defines "profiles" that specify usage rules and expiry periods:

  • Server Profile: Used for TLS server authentication, with the usages signing, key encipherment, and server auth^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
  • Client Profile: Used for client authentication, with the usages signing, key encipherment, and client auth^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
  • Peer Profile: A dual-purpose profile often used for components like Etcd that require both server and client authentication capabilities (mTLS)^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].

Generating Component Certificates

Etcd Peer Certificates

For the distributed key-value store (Etcd), a peer certificate is generated. The Certificate Signing Request (CSR) configuration (etcd-peer-csr.json) must list the IP addresses and hostnames of all Etcd cluster nodes in the hosts field^[400-devops-06-kubernetes-k8s-paas-02-k8s.md]. The generation command uses the peer profile defined in the CA configuration^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].

API Server Certificates

The Kubernetes API Server requires a certificate that proves its identity to the cluster. The apiserver-csr.json configuration includes the specific hostnames required for internal cluster communication, such as kubernetes, kubernetes.default, and kubernetes.default.svc.cluster.local, as well as the cluster IP range and specific node IPs^[400-devops-06-kubernetes-k8s-paas-02-k8s.md]. This certificate is generated using the server profile^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].

Client Certificates

Different components require specific client certificates to authenticate with the API server or other services. For example, a generic client certificate (client-csr.json) is generated for nodes to authenticate as k8s-node^[400-devops-06-kubernetes-k8s-paas-02-k8s.md]. Similarly, Kube-proxy requires its own client certificate (kube-proxy-client.pem) issued under the specific identity system:kube-proxy^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
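
The CA, profile and etcd peer steps above, as an added shell example that is not part of the source note: it writes the three JSON files the text describes (ca-csr.json, ca-config.json with server/client/peer profiles, etcd-peer-csr.json) and issues the etcd peer certificate with the peer profile. The CN, name fields, IPs and expiry values are constructed placeholders, and profile_usages is a hypothetical helper for confirming which usages a profile grants before anything is signed.

```shell
#!/usr/bin/env sh
# Added example, not from the source note. Walks the CFSSL flow: root CA ->
# profile config -> etcd peer cert. Names, IPs and expiries are placeholders.
set -eu

write_ca_csr() {   # ca-csr.json: self-signed root CA request
  cat > "$1" <<'EOF'
{ "CN": "cluster-ca", "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "Beijing", "L": "Beijing", "O": "example", "OU": "ops" } ],
  "ca": { "expiry": "175200h" } }
EOF
}

write_ca_config() {   # ca-config.json: one profile per trust role
  cat > "$1" <<'EOF'
{ "signing": { "default": { "expiry": "175200h" }, "profiles": {
  "server": { "expiry": "175200h", "usages": ["signing", "key encipherment", "server auth"] },
  "client": { "expiry": "175200h", "usages": ["signing", "key encipherment", "client auth"] },
  "peer":   { "expiry": "175200h", "usages": ["signing", "key encipherment", "server auth", "client auth"] }
} } }
EOF
}

write_peer_csr() {   # etcd-peer-csr.json: every etcd member must appear in "hosts"
  cat > "$1" <<'EOF'
{ "CN": "etcd-peer", "hosts": ["10.4.7.11", "10.4.7.12", "10.4.7.21"],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "Beijing", "L": "Beijing", "O": "example", "OU": "ops" } ] }
EOF
}

# Hypothetical helper: prints the usages a profile grants, so a reviewer can
# confirm that only "peer" carries both server auth and client auth.
profile_usages() { grep "\"$2\"" "$1" | sed 's/.*"usages": \[\(.*\)].*/\1/'; }

issue() {   # needs cfssl, cfssljson and cfssl-certinfo on PATH
  cd "$1"
  cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
        -profile=peer etcd-peer-csr.json | cfssljson -bare etcd-peer
  cfssl-certinfo -cert etcd-peer.pem      # inspect the SANs and usages actually issued
}

main() {
  d="${1:-./pki}"; mkdir -p "$d"
  write_ca_csr "$d/ca-csr.json"; write_ca_config "$d/ca-config.json"
  write_peer_csr "$d/etcd-peer-csr.json"
  issue "$d"
}
case "${1:-}" in run) main "${2:-./pki}" ;; esac
```

Run as `sh pki.sh run [dir]`; the cfssl binaries are only needed for the issue step.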

  • [[Public Key Infrastructure]]
  • [[mTLS]]
  • [[Kubernetes security]]
  • [[Etcd]]

Sources

  • 400-devops-06-kubernetes-k8s-paas-02-k8s.md