
Kubernetes Certificate Health Checker

Use this spreadsheet to gather the information needed to perform a health check of the certificates used in a Kubernetes cluster. A sample set of data is given in the Data sheet; follow the same procedure for your own cluster.

Use the command openssl x509 -in <certificate path> -text to view the data (subject, alternative names, issuer, validity dates) about a certificate.

Version: v0.1
Author: mmumshad@gmail.com
Link: Kubernetes Certification Course
Checks to perform:
1. Make sure the correct CN, ALT names and Organization are present. Specifically for the kube-api server and the nodes (kubelets).
2. Ensure the certificates are not expired.
3. Ensure the certificates are issued by the right CA.
4. Ensure the correct certificate path is provided in the options on the service configuration files.

Data sheet (sample data). Columns: Component, Type, Certificate Path, CN Name, ALT Names, Organization, Issuer, Expiration, File Type, Purpose, Description. Fields that are empty in the sample are omitted.

Component: Certificate Authority, Type: Server
  Certificate Path: /etc/kubernetes/pki/ca.crt
  File Type:        Certificate
  CN Name:          kubernetes
  Issuer:           kubernetes
  Expiration:       May 9 11:21:40 2029 GMT
  Description:      CA server root certificate for Kubernetes API Server
  Certificate Path: /etc/kubernetes/pki/ca.key
  File Type:        Key
  Description:      CA server root certificate key for Kubernetes API Server

Component: kube-apiserver, Type: Server
  Certificate Path: /etc/kubernetes/pki/apiserver.crt
  File Type:        Certificate
  Purpose:          Server Certificate
  CN Name:          kube-apiserver
  ALT Names:        DNS:master, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:172.17.0.27
  Issuer:           kubernetes
  Expiration:       Feb 11 05:39:20 2020 GMT
  Description:      Certificate to serve Kube-api server
  Certificate Path: /etc/kubernetes/pki/apiserver.key
  File Type:        Key
  Purpose:          Server Key
  Description:      Key to serve Kube-api server

Component: kube-apiserver
  Certificate Path: /etc/kubernetes/pki/ca.crt
  File Type:        Certificate
  Purpose:          Server CA Certificate
  CN Name:          kubernetes
  Expiration:       Feb 8 05:39:19 2029 GMT
  Description:      CA Certificate to validate clients connecting to Kube-API Server

Component: kube-apiserver, Type: Client (Kubelet)
  Certificate Path: /etc/kubernetes/pki/apiserver-kubelet-client.crt
  File Type:        Certificate
  Purpose:          Client Cert: Kube API Server to Kubelet
  CN Name:          kube-apiserver-kubelet-client
  Organization:     system:masters
  Issuer:           kubernetes
  Expiration:       Feb 11 05:39:20 2020 GMT
  Description:      Client Certificate for Kube-API Server to connect to Kubelet
  Certificate Path: /etc/kubernetes/pki/apiserver-kubelet-client.key
  File Type:        Key
  Purpose:          Client Key: Kube API Server to Kubelet
  Description:      Client Key for Kube-API Server to connect to Kubelet

Component: kube-apiserver, Type: Client (Etcd)
  Certificate Path: /etc/kubernetes/pki/apiserver-etcd-client.crt
  File Type:        Certificate
  Purpose:          Client Cert: Kube API Server to ETCD
  CN Name:          kube-apiserver-etcd-client
  Organization:     system:masters
  Issuer:           kubernetes
  Expiration:       Feb 11 05:39:22 2020 GMT
  Description:      Client Certificate for Kube-API Server to connect to ETCD Server
  Certificate Path: /etc/kubernetes/pki/apiserver-etcd-client.key
  File Type:        Key
  Purpose:          Client Key: Kube API Server to ETCD
  Description:      Client Key for Kube-API Server to connect to ETCD Server

Component: kube-apiserver, Type: Client (Etcd)
  Certificate Path: /etc/kubernetes/pki/etcd/ca.crt
  File Type:        Certificate
  Purpose:          Client CA File: Kube API Server to ETCD
  CN Name:          kubernetes
  Issuer:           kubernetes
  Expiration:       Feb 8 05:39:21 2029 GMT
  Description:      CA File to validate Kube-API server to ETCD Server connectivity. The ETCD setup can have a separate CA.

Component: kubelet, Type: Server
  Certificate Path: /var/lib/kubelet/pki/kubelet.crt
  File Type:        Certificate
  CN Name:          node01@1557660157
  Certificate Path: /var/lib/kubelet/pki/kubelet.key
  File Type:        Key

Component: kubelet, Type: Client
  Certificate Path: /var/lib/kubelet/pki/kubelet-client-2019-05-12-11-22-38.pem
  File Type:        Certificate
  CN Name:          system:node:node01
  Organization:     system:nodes
  Issuer:           kubernetes
  Expiration:       May 11 11:18:00 2020 GMT

Component: Certificate Authority (ETCD), Type: Server
  Certificate Path: /etc/kubernetes/pki/etcd/ca.crt
  File Type:        Certificate
  Purpose:          Etcd Server CA Certificate
  CN Name:          kubernetes
  Issuer:           kubernetes
  Expiration:       May 9 11:21:42 2029 GMT
  Description:      CA Server root certificate for ETCD Server. (This could be the same as the kube-api server CA or a separate one of its own.)
  Certificate Path: /etc/kubernetes/pki/etcd/ca.key
  File Type:        Key
  Purpose:          Etcd Server CA Key
  Description:      CA Server root certificate key for ETCD Server. (This could be the same as the kube-api server CA or a separate one of its own.)

Component: etcd-server, Type: Server
  Certificate Path: /etc/kubernetes/pki/etcd/server.crt
  File Type:        Certificate
  Purpose:          Etcd Server Certificate
  CN Name:          controlplane
  Expiration:       Nov 15 18:50:56 2021 GMT
  Description:      Certificate for ETCD Server
  Certificate Path: /etc/kubernetes/pki/etcd/server.key
  File Type:        Key
  Purpose:          Etcd Server Key
  Description:      ETCD Server Certificate Key
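The four checks applied to the text that openssl x509 prints, as an added example that is not part of the spreadsheet or the course. The two embedded sample outputs are constructed from the Data sheet values, and the function names and the 30-day expiry warning threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the spreadsheet: runs the four checks above against the text
# that `openssl x509 -in <certificate path> -noout -text` prints (both "CN = x" and "CN=x" forms).

# Constructed sample of that output for apiserver.crt, using the values from the Data sheet.
SAMPLE_APISERVER='        Issuer: CN = kubernetes
        Validity
            Not After : Feb 11 05:39:20 2020 GMT
        Subject: CN = kube-apiserver
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:master, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:172.17.0.27'
# Constructed sample (older OpenSSL layout) for a client cert whose group is carried in O.
SAMPLE_CLIENT='        Issuer: CN=kubernetes
            Not After : Feb 11 05:39:20 2020 GMT
        Subject: O=system:masters, CN=kube-apiserver-kubelet-client'

# dn_field TEXT Subject|Issuer CN|O -> that attribute's value (empty if absent)
dn_field()    { printf '%s\n' "$1" | sed -n "s|^ *$2:.*[ /,]$3 *= *\([^,/]*\).*|\1|p" | head -n1; }
subject_cn()  { dn_field "$1" Subject CN; }
subject_org() { dn_field "$1" Subject O; }
issuer_cn()   { dn_field "$1" Issuer CN; }
san_list()    { printf '%s\n' "$1" | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); gsub(/, */, "\n"); print }'; }
has_san()     { san_list "$1" | grep -qxF -- "$2"; }
not_after()   { printf '%s\n' "$1" | sed -n 's/^ *Not After *: *//p' | head -n1; }

# Days from today (UTC) until Not After; negative means expired. Julian-day maths in awk, so GNU date -d is not needed.
days_until_expiry() {
  printf '%s\n%s\n' "$(not_after "$1")" "$(date -u '+%Y %m %d')" | awk '
    function jdn(y, m, d,   a) { a = int((14 - m) / 12); y += 4800 - a; m += 12 * a - 3
      return d + int((153 * m + 2) / 5) + 365 * y + int(y / 4) - int(y / 100) + int(y / 400) - 32045 }
    NR == 1 { m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3; na = jdn($4, m, $2) }
    NR == 2 { print na - jdn($1, $2, $3) }'
}

# check_cert TEXT WANT_CN WANT_ISSUER_CN WANT_ORG [WANT_ALT_NAME...]: prints findings, returns the failed-check count
check_cert() {
  t=$1 want_cn=$2 want_iss=$3 want_org=$4 n=0; shift 4
  [ "$(subject_cn "$t")" = "$want_cn" ] || { echo "CN is '$(subject_cn "$t")', want '$want_cn'"; n=$((n+1)); }
  [ "$(issuer_cn "$t")" = "$want_iss" ] || { echo "issuer is '$(issuer_cn "$t")', want '$want_iss'"; n=$((n+1)); }
  [ -z "$want_org" ] || [ "$(subject_org "$t")" = "$want_org" ] || { echo "O is '$(subject_org "$t")', want '$want_org'"; n=$((n+1)); }
  for s in "$@"; do has_san "$t" "$s" || { echo "missing ALT name $s"; n=$((n+1)); }; done
  d=$(days_until_expiry "$t"); [ "$d" -gt 30 ] || { echo "expires in $d days ($(not_after "$t"))"; n=$((n+1)); }
  return $n
}

# Demo on the constructed sample; on a node, pass "$(openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text)" instead.
check_cert "$SAMPLE_APISERVER" kube-apiserver kubernetes "" DNS:kubernetes.default.svc "IP Address:10.96.0.1" \
  || echo "apiserver.crt: $? check(s) failed"
```

The sample apiserver.crt passes the CN, issuer and ALT-name checks and fails only the expiry check, because the Data sheet's certificate expired in February 2020.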
