How to create a "CertificateSigningRequest" with apiVersion "certificates.k8s.io/v1" for a webhook
I haven't managed to create a CertificateSigningRequest as I wished, HOWEVER I bypassed the issue by creating my own CA as follows:
First, I edited my certificate configuration file so it includes a commonName and the correct extendedKeyUsage:

    cat > csr.conf <<EOF
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    prompt = no
    [req_distinguished_name]
    CN = s-controller.ns-controller.svc
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = s-controller.ns-controller
    DNS.2 = s-controller.ns-controller.svc
    EOF
Generate the CA certificate (notice the -days 365):

    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=admission_ca"
Generate the TLS key and certificate:

    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr -config csr.conf
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -extensions v3_req -extfile csr.conf
Create a Kubernetes TLS secret for the webhook:

    kubectl create secret tls webhook-tls --cert=server.crt --key=server.key
Set the CA_BUNDLE:

    export CA_BUNDLE=$(cat ca.crt | base64 | tr -d '\n')
Remove all generated files:

    rm ca.crt
    rm ca.key
    rm server.key
    rm server.csr
    rm server.crt
In my webhook, I have a volume and a volumeMount:

volume:

    volumes:
    - name: tls-vol
      secret:
        secretName: webhook-tls

volumeMount:

    volumeMounts:
    - name: tls-vol
      mountPath: /etc/webhook/certs
      readOnly: true

And the container args:

    args:
    - -tlsCertFile=/etc/webhook/certs/tls.crt
    - -tlsKeyFile=/etc/webhook/certs/tls.key
How to create a CertificateSigningRequest with apiVersion certificates.k8s.io/v1 for a webhook?
I have successfully created a certificates.k8s.io/v1 CertificateSigningRequest with the following issuers and openssl CSR config. It was tested with this webhook example.
Please check out the configs below:
    #csr.conf
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = ${service}
    DNS.2 = ${service}.${namespace}
    DNS.3 = ${service}.${namespace}.svc

and:

    #csr-for-webhook.yaml
    apiVersion: certificates.k8s.io/v1
    kind: CertificateSigningRequest
    metadata:
      name: ${csrName}
    spec:
      groups:
      - system:authenticated
      request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
      usages:
      - digital signature
      - key encipherment
      - client auth
      signerName: kubernetes.io/kube-apiserver-client
In your old CertificateSigningRequest yaml you were using server auth as one of the key usages, but in the latest one you changed it to client auth. The cert needed by the webhook needs to be signed with the server auth key usage, and the signerName should be kubernetes.io/kubelet-serving. So update your files as follows to avoid the issue:
csr.conf:

    cat > csr.conf <<EOF
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    prompt = no
    [req_distinguished_name]
    CN = s-controller.ns-controller.svc
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = s-controller.ns-controller
    DNS.2 = s-controller.ns-controller.svc
    EOF
Generate the CSR with subject.organization set to "system:nodes" (the subject is a single quoted string with no spaces between the RDNs, and the output file is server.csr):

    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -subj "/CN=system:node:s-controller.ns-controller.svc/OU=system:nodes/O=system:nodes" -out server.csr -config csr.conf
csr-for-webhook.yaml:

    cat <<EOF | kubectl create -f -
    apiVersion: certificates.k8s.io/v1
    kind: CertificateSigningRequest
    metadata:
      name: csr-controller
    spec:
      groups:
      - system:authenticated
      request: $(cat server.csr | base64 | tr -d '\n')
      signerName: kubernetes.io/kubelet-serving
      usages:
      - digital signature
      - key encipherment
      - server auth
    EOF
Source: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
PS: I have tested it with Kubernetes version 1.21.3
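As an added example (not code from any of the answers above), the flow from the last two answers as one script: it generates the key and CSR shaped for the kubernetes.io/kubelet-serving signer, adds a pre-flight check that the CSR carries the subject, SAN and usages that signer expects (and no clientAuth), and renders the CertificateSigningRequest manifest for `kubectl create -f -`. It assumes openssl is installed; the service and namespace names (s-controller, ns-controller) and the function names are taken from the thread or chosen here.

```shell
# Added example, not from the original answers. Assumes openssl is installed.
# Builds a kubelet-serving style CSR, checks it, and renders the manifest.
set -eu
service="${SERVICE:-s-controller}"
namespace="${NAMESPACE:-ns-controller}"
workdir="${WORKDIR:-$(mktemp -d)}"
generate_csr() {
  # serverAuth only: the kubelet-serving signer does not sign client-auth requests.
  cat > "$workdir/csr.conf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${service}.${namespace},DNS:${service}.${namespace}.svc
EOF
  openssl genrsa -out "$workdir/server.key" 2048 2>/dev/null
  openssl req -new -key "$workdir/server.key" -config "$workdir/csr.conf" \
    -subj "/CN=system:node:${service}.${namespace}.svc/O=system:nodes" \
    -out "$workdir/server.csr"
}
# Pre-flight check against what kubelet-serving expects: CN system:node:<name>,
# O system:nodes, at least one DNS SAN, and no client-auth extended key usage.
check_csr() {
  txt=$(openssl req -in "$workdir/server.csr" -noout -text -nameopt RFC2253)
  echo "$txt" | grep -q 'CN=system:node:' || { echo "CN must be system:node:<name>"; return 1; }
  echo "$txt" | grep -q 'O=system:nodes' || { echo "O must be system:nodes"; return 1; }
  echo "$txt" | grep -q 'DNS:' || { echo "CSR needs a DNS SAN"; return 1; }
  if echo "$txt" | grep -q 'TLS Web Client Authentication'; then echo "drop clientAuth"; return 1; fi
}
# Manifest to pipe into `kubectl create -f -`; usages must match the CSR.
render_manifest() {
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${service}-serving
spec:
  request: $(base64 < "$workdir/server.csr" | tr -d '\n')
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
}
```

After `kubectl certificate approve`, the signed certificate lands in the CSR object's status.certificate and can be stored in the tls secret the answers mount into the webhook.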