
I'm trying to follow this tutorial.

  1. What would be the advantage of generating the certs yourself instead of depending on kubeadm?
  2. If you create the certs yourself, does the auto-rotation happen after setting up the cluster with kubeadm?

Thanks!

Eduardo Baitello
JuniorPenguin

2 Answers

  1. No major advantage. kubeadm does the same: generate self-signed certs. The only mini advantage is that you could add some custom values in the CSR, such as a City, Organization, etc.

  2. Not really.

    • There's a kubelet certificate rotation flag --rotate-certificates that needs to be enabled.
    • There's also the certificate rotation from the masters and kubeadm can help with that with these commands:

      mkdir /etc/kubernetes/pkibak
      mv /etc/kubernetes/pki/* /etc/kubernetes/pkibak
      rm /etc/kubernetes/pki/*
      kubeadm init phase certs all --apiserver-advertise-address=0.0.0.0 --apiserver-cert-extra-sans=x.x.x.x,x.x.x.x
      systemctl restart docker

If you'd like to regenerate the admin.conf file, you can also use kubeadm:

$ kubeadm init phase kubeconfig admin \
  --cert-dir /etc/kubernetes/pki \
  --kubeconfig-dir /tmp/.
Rico
  • 58,485
  • 12
  • 111
  • 141
  • Thanks for your help Rico - can always depend on you sir! Your second part of the answer - regenerating certs for Masters - "kubeadm alpha .. --apiserver-cert-extra-sans=x.x.x.x" This would add an extra valid IP and/or domain name? – JuniorPenguin Oct 31 '18 at 17:01
  • You're welcome! You can add both an IP and a domain name. – Rico Oct 31 '18 at 17:12
  • Sorry another question - if you use kubeadm alpha phase certs all -- does it also take care of the kubelet certificate as well? – JuniorPenguin Oct 31 '18 at 17:20
  • Not really. Take a look at the output of `kubeadm alpha phase certs -h` – Rico Oct 31 '18 at 17:23
  • I used the command to generate the new certs and it worked -- but now none of the kubectl commands work because it is saying it does not trust the new cert -- not sure what further changes I need to make. – JuniorPenguin Nov 01 '18 at 16:39
  • Hmm, did it generate a new `/etc/kubernetes/admin.conf`? If yes, then you can copy that one to `~/.kube/config`. If not, you'll have to populate your `client-certificate-data` and `client-key-data` again in your `~/.kube/config`. – Rico Nov 01 '18 at 16:43
  • It did not generate a new admin.conf -- I was trying to look for how to populate client-certificate-data and client-key-data without any luck. I also tried looking in the pki files under /etc/kubernetes but none of them had the certificate data. Any pointers on how to get that info? Thank you! – JuniorPenguin Nov 02 '18 at 16:27
  • Added it to the answer: `kubeadm alpha phase kubeconfig admin --cert-dir /etc/kubernetes/pki --kubeconfig-dir /tmp/.` – Rico Nov 02 '18 at 16:35
  • Thank you! Really appreciate the info! – JuniorPenguin Nov 02 '18 at 16:37

I am creating all the certs by myself; the reasons behind that are:

  1. The Kubernetes cluster we use might not be updated every year, so we need certificates with a longer expiry. Our applications don't support random Docker restarts, and we are not accepting the kubeadm phase command to regenerate the certificates and restart Docker. Hence we created all the certificates with a 5-year expiry and provided them to kubeadm, and it is working fine. Now we don't have to worry about our certificate expiry every year.

  2. No, kubeadm doesn't provide an auto-rotate facility for certificates; this is the reason we needed a longer expiry on the certificates in the first place.

Hope this helps.

Prafull Ladha