Kubeconfig Files and Cert Files

Kubernetes has become a leading platform for orchestrating containers in development, staging, and production environments. With its increased adoption, understanding its configuration files is essential. Two key components in the Kubernetes ecosystem are Kubeconfig files and certificate files. These are primarily used for authentication with the Kubernetes API Server.

In this post, we will delve deep into what these files are, why they are necessary, and how to use them effectively.

What is a Kubeconfig File?

A Kubeconfig file is a YAML format file that stores configurations for accessing multiple clusters. It’s the file that kubectl uses to determine the cluster it communicates with and the credentials it needs to do so. By default, kubectl reads it from the file ~/.kube/config in your home directory.

Each Kubeconfig file can contain multiple ‘context’ entries. A ‘context’ combines a user (as defined in the Kubeconfig) with a cluster, allowing kubectl to target different Kubernetes clusters based on the context.

The basic structure of a Kubeconfig file consists of the following:

  • Clusters: Defines the details of the clusters. This includes the name of the cluster and the server URL.
  • Users: Defines the user details used for authentication, such as client certificates, bearer tokens, or username and password.
  • Contexts: A combination of clusters and users, referred to by a unique name.
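As an added example that is not part of the original post, here is a small constructed kubeconfig with two clusters, two users and two contexts, together with shell functions that read it without kubectl: one prints the current context, one resolves a context name to its cluster, and one flags any cluster entry that sets insecure-skip-tls-verify: true (a setting that lets anyone who can intercept the connection impersonate the API server). The hostnames, file paths and the token value are placeholders, not real values.

```shell
#!/bin/sh
# Added example: a constructed kubeconfig (hosts, paths and token are placeholders)
# and a few shell functions that inspect it without needing kubectl or a cluster.

# Writes the sample kubeconfig to a temp file and prints its path.
write_sample_kubeconfig() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
apiVersion: v1
kind: Config
current-context: dev
clusters:
- cluster:
    server: https://dev.example.internal:6443
    certificate-authority: /home/alice/.kube/dev-ca.crt
  name: dev-cluster
- cluster:
    server: https://lab.example.internal:6443
    insecure-skip-tls-verify: true
  name: lab-cluster
users:
- name: dev-user
  user:
    client-certificate: /home/alice/.kube/myuser.crt
    client-key: /home/alice/.kube/myuser.key
- name: lab-user
  user:
    token: PLACEHOLDER-TOKEN-NOT-REAL
contexts:
- context:
    cluster: dev-cluster
    user: dev-user
  name: dev
- context:
    cluster: lab-cluster
    user: lab-user
  name: lab
EOF
  echo "$f"
}

# Prints the value of current-context.
kubeconfig_current_context() {
  awk '/^current-context:/ { print $2 }' "$1"
}

# Prints the cluster name that the context named in $2 points at.
kubeconfig_context_cluster() {
  awk -v ctx="$2" '
    /^[a-z]/                                            { section = $1 }  # top-level key
    section == "contexts:" && /^- context:/             { cluster = "" }
    section == "contexts:" && /^ +cluster:/             { cluster = $2 }
    section == "contexts:" && /^ +name:/ && $2 == ctx   { print cluster; exit }
  ' "$1"
}

# Prints the names of clusters that disable server certificate verification.
kubeconfig_insecure_clusters() {
  awk '
    /^[a-z]/                                                    { section = $1 }
    section == "clusters:" && /^- cluster:/                     { insecure = 0 }
    section == "clusters:" && /insecure-skip-tls-verify: *true/ { insecure = 1 }
    section == "clusters:" && /^ +name:/ && insecure            { print $2 }
  ' "$1"
}

# Stand-alone run: audit the sample file.
sample=$(write_sample_kubeconfig)
echo "current context: $(kubeconfig_current_context "$sample")"
echo "context 'lab' uses cluster: $(kubeconfig_context_cluster "$sample" lab)"
echo "clusters skipping TLS verification: $(kubeconfig_insecure_clusters "$sample")"
rm -f "$sample"
```

Run against your own file (for example kubeconfig_insecure_clusters ~/.kube/config) to spot contexts that were set up with verification disabled during testing and never fixed.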

What are Cert Files?

Cert files, also known as TLS certificates, are used for authenticating a client (or a user) to the Kubernetes API server. They are one of the types of credentials that can be embedded into the Kubeconfig file.

The Kubernetes API server supports multiple authentication methods, but client certificate authentication is widely used because of its robustness and support for automation. In this method, a private key and a certificate carrying the matching public key are generated for a user, and the certificate is signed by the Kubernetes cluster’s Certificate Authority (CA).

To validate the client’s identity, the API server checks that the client’s certificate was signed by the trusted CA (the TLS handshake also proves that the client holds the matching private key). This process is commonly known as certificate-based authentication.

Using Kubeconfig and Cert Files for Authentication

Now that we understand what these files are, let’s explore how we can use them.

Generate a Certificate and Key

Firstly, you need to generate a private key and a certificate signing request (CSR) for the user. You can use openssl to achieve this:

openssl req -new -newkey rsa:4096 -nodes -keyout myuser.key -out myuser.csr -subj "/CN=myuser/O=myorganization"

In the above command, CN is the user’s name and O is the user’s group.

Sign the Certificate using the Kubernetes CA

Next, you need to get the CSR signed by the Kubernetes CA. Kubernetes provides a ‘CertificateSigningRequest’ resource for this: you submit the base64-encoded CSR naming the kube-apiserver-client signer, an administrator approves it, and the cluster issues the certificate:

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser
spec:
  request: $(base64 < myuser.csr | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages: ["client auth"]
EOF

kubectl certificate approve myuser

Once approved, you can download the certificate:

kubectl get csr myuser -o jsonpath='{.status.certificate}' | base64 --decode > myuser.crt

Embed the Credentials in the Kubeconfig

The last step is to embed these credentials into the Kubeconfig file. Here’s how to add a user:

kubectl config set-credentials myuser --client-certificate=myuser.crt --client-key=myuser.key

And then set the context:

kubectl config set-context mycontext --cluster=mycluster --user=myuser

Remember to replace ‘mycontext’, ‘mycluster’, and ‘myuser’ with your own values. Once done, you can switch between contexts using the following command:

kubectl config use-context mycontext
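The whole flow above, as an added example that is not part of the original post. Because the real cluster CA lives on the control plane and only signs through the CertificateSigningRequest API, the script creates a throwaway CA with openssl as a stand-in, generates the key and CSR exactly as in the post, signs it for client authentication, checks that the result chains to that CA and not to an unrelated one, and reads back the identity Kubernetes derives from the subject (CN as the username, each O as a group). Only if kubectl is installed does it then run the set-cluster, set-credentials and set-context steps, against a scratch kubeconfig rather than ~/.kube/config. The server URL and CA names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). A local openssl CA stands in for the
# cluster CA so the signing and verification steps can be followed without a cluster.
set -e

# Creates a self-signed CA named $2 in directory $1 (ca.key / ca.crt).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=$2" 2>/dev/null
}

# Step 1 from the post: private key + CSR whose CN is the user and O the group.
make_user_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/myuser.key" -out "$1/myuser.csr" \
    -subj "/CN=myuser/O=myorganization" 2>/dev/null
}

# Step 2, local stand-in for the kubernetes.io/kube-apiserver-client signer:
# the CA signs the CSR and restricts the certificate to client authentication.
sign_user_csr() {
  printf 'extendedKeyUsage = clientAuth\n' > "$1/client.ext"
  openssl x509 -req -days 1 -in "$1/myuser.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/client.ext" -out "$1/myuser.crt" 2>/dev/null
}

# What the API server checks: does certificate $2 chain to the CA in $1?
# Returns 0 when it does, non-zero otherwise.
cert_trusted_by_ca() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# The identity Kubernetes derives from the subject: CN -> username, each O -> a group.
cert_subject_fields() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n'
}
cert_username() { cert_subject_fields "$1" | sed -n 's/^CN=//p'; }
cert_groups()   { cert_subject_fields "$1" | sed -n 's/^O=//p'; }

# Step 3, only when kubectl is available: write cluster, credentials and context into
# a scratch kubeconfig ($1/kubeconfig), embedding the PEM data instead of file paths.
embed_in_kubeconfig() {
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not installed, skipping"; return 0; }
  kc="$1/kubeconfig"
  kubectl config --kubeconfig="$kc" set-cluster mycluster \
    --server=https://kubernetes.example.internal:6443 \
    --certificate-authority="$1/ca.crt" --embed-certs=true
  kubectl config --kubeconfig="$kc" set-credentials myuser \
    --client-certificate="$1/myuser.crt" --client-key="$1/myuser.key" --embed-certs=true
  kubectl config --kubeconfig="$kc" set-context mycontext --cluster=mycluster --user=myuser
  kubectl config --kubeconfig="$kc" use-context mycontext
}

# Runs the whole flow in temp dirs and prints the derived identity and the checks.
demo() {
  work=$(mktemp -d)
  rogue=$(mktemp -d)
  make_ca "$work" sample-cluster-ca
  make_ca "$rogue" unrelated-ca
  make_user_csr "$work"
  sign_user_csr "$work"
  echo "username: $(cert_username "$work/myuser.crt")"
  echo "groups:   $(cert_groups "$work/myuser.crt" | tr '\n' ' ')"
  if cert_trusted_by_ca "$work/ca.crt" "$work/myuser.crt"; then
    echo "the cluster CA accepts the certificate"
  fi
  if ! cert_trusted_by_ca "$rogue/ca.crt" "$work/myuser.crt"; then
    echo "an unrelated CA rejects it: only certificates the cluster CA signed are trusted"
  fi
  embed_in_kubeconfig "$work"
  rm -rf "$work" "$rogue"
}

demo
```

The --embed-certs=true flag puts the PEM contents into the kubeconfig itself, which keeps the file self-contained but also means the private key travels with it; treat a kubeconfig built this way as you would the key file.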

In conclusion, Kubeconfig files and cert files are crucial components when working with Kubernetes, specifically for communication and authentication with the Kubernetes API server. Understanding how to generate, sign, and embed certificates into a Kubeconfig covers a significant part of Kubernetes security and authentication. It also plays a pivotal role in automating deployments and maintaining high security in your Kubernetes environment.
