kubectl certificate commands explained with examples

Kubernetes authentication strategies uses following…

  • Client certificates
  • Bearer tokens
  • An authenticating proxy
  • HTTP basic auth to authenticate API requests through authentication plugins.
  • LDAP
  • SAML
  • Kerberos, alternate x509 schemes

You can enable multiple authentication methods at once. You should usually use at least two methods:

  • service account tokens for service accounts
  • at least one other method for user authentication.

What is X509 Client Certs?

X509 Client Certs is one of the authentication method based on “Client certificates”. Client certificate authentication is enabled by passing the –client-ca-file=SOMEFILE option to API server.

The referenced file must contain one or more “certificate authorities” to use to validate client certificates presented to the API server. If a client certificate is presented and verified, the common name of the subject is used as the user name for the request.

Kubernetes provides a certificates.k8s.io API, which lets you provision TLS certificates signed by a Certificate Authority (CA) that you control. These CA and certificates can be used by your workloads to establish trust.

To create a TLS certificate for a Kubernetes service accessed through DNS or for other users, following steps must be performed.

Step 1 – Generate a private key using openssl or CFSSL
Step 2 – Create a Certificate Signing Request(csr) using openssl or CFSSL
Step 3 – Create a Certificate Signing Request object to send to the Kubernetes API using “kind: CertificateSigningRequest”
Step 4 – Approving filename.csr and generating auth key filename.crt
Step 5 – Set kubeconfig file using private key and filename.crt.

You can use “kubectl certificate” commands in Step 4.

kubectl certificate

Using this command, you can Modify certificate resources. such as

  • Approve a certificate signing request
  • Deny a certificate signing request

Approve a certificate signing request

kubectl certificate approve allows a cluster admin to approve a certificate signing request (CSR). This action tells a certificate signing controller to issue a certificate to the requestor with the attributes requested in the CSR.

$ kubectl certificate approve -f user.csr

Deny a certificate signing request

kubectl certificate deny allows a cluster admin to deny a certificate signing request (CSR). This action tells a certificate signing controller to not to issue a certificate to the requestor

$ kubectl certificate deny -f user.csr

Rajesh Kumar
Total Page Visits: 77 - Today Page Visits: 1