{"id":14129,"date":"2020-05-31T19:42:01","date_gmt":"2020-05-31T19:42:01","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=14129"},"modified":"2021-11-05T11:11:52","modified_gmt":"2021-11-05T11:11:52","slug":"kubectl-certificate-commands-explained-with-examples","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/kubectl-certificate-commands-explained-with-examples\/","title":{"rendered":"Kubernetes authentication strategies: Client certificate tutorial with examples"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">Kubernetes authentication strategies use the following\u2026<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Client certificates<\/li><li>Bearer tokens<\/li><li>An authenticating proxy<\/li><li>HTTP basic auth, used to authenticate API requests through authentication plugins.<\/li><li>LDAP<\/li><li>SAML<\/li><li>Kerberos, alternate x509 schemes<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">You can enable multiple authentication methods at once. You should usually use at least two methods:<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>service account tokens for service accounts<\/li><li>at least one other method for user authentication.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What are X509 Client Certs?<\/h3>\n\n\n\n<p>X509 client certificates are one of the authentication methods based on &#8220;Client certificates&#8221;. Client certificate authentication is enabled by passing the --client-ca-file=SOMEFILE option to the API server.<\/p>\n\n\n\n<p>The referenced file must contain one or more &#8220;certificate authorities&#8221; used to validate client certificates presented to the API server. If a client certificate is presented and verified, the common name of the subject is used as the user name for the request.<\/p>\n\n\n\n<p>Kubernetes provides a certificates.k8s.io API, which lets you provision TLS certificates signed by a Certificate Authority (CA) that you control. 
This CA and these certificates can be used by your workloads to establish trust.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">To create a TLS certificate for a Kubernetes service accessed through DNS or for other users, the following steps must be performed.<\/h3>\n\n\n\n<p>Step 1 &#8211; Generate a private key using openssl or CFSSL<br>Step 2 &#8211; Create a Certificate Signing Request (CSR) using openssl or CFSSL<br>Step 3 &#8211; Create a CertificateSigningRequest object to send to the Kubernetes API using &#8220;kind: CertificateSigningRequest&#8221;<br>Step 4 &#8211; Approve filename.csr and obtain the signed certificate filename.crt<br>Step 5 &#8211; Configure the kubeconfig file with the private key and filename.crt.<\/p>\n\n\n\n<p><strong>You can use &#8220;kubectl certificate&#8221; commands in Step 4.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">kubectl certificate<\/h3>\n\n\n\n<p>Using this command, you can modify certificate resources, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Approve a certificate signing request<\/li><li>Deny a certificate signing request<\/li><\/ul>\n\n\n\n<p><strong>Approve a certificate signing request<\/strong><\/p>\n\n\n\n<p>kubectl certificate approve allows a cluster admin to approve a certificate signing request (CSR). This action tells a certificate signing controller to issue a certificate to the requestor with the attributes requested in the CSR.<\/p>\n\n\n\n<p>$ kubectl certificate approve -f user.csr<\/p>\n\n\n\n<p><strong>Deny a certificate signing request<\/strong><\/p>\n\n\n\n<p>kubectl certificate deny allows a cluster admin to deny a certificate signing request (CSR). 
This action tells a certificate signing controller not to issue a certificate to the requestor.<\/p>\n\n\n\n<p>$ kubectl certificate deny -f user.csr<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kubernetes authentication strategies use the following\u2026 Client certificates Bearer tokens An authenticating proxy HTTP basic auth to authenticate API requests through authentication plugins. 
LDAP SAML Kerberos, alternate x509 schemes You can&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14129","post","type-post","status-publish","format-standard","hentry","category-sql"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/14129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=14129"}],"version-history":[{"count":4,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/14129\/revisions"}],"predecessor-version":[{"id":24816,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/14129\/revisions\/24816"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=14129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=14129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=14129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}