How to create a "CertificateSigningRequest" with apiVersion "certificates.k8s.io/v1" for a webhook (kubernetes)



I haven't managed to create a CertificateSigningRequest as I wished, HOWEVER I bypassed the issue by creating my own CA as follows:

First, I edited my certificate configuration file so it includes a commonName and the correct extendedKeyUsage:

cat > csr.conf <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
CN = s-controller.ns-controller.svc
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = s-controller.ns-controller
DNS.2 = s-controller.ns-controller.svc
EOF

Generate the CA certificate (notice the -days 365):

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=admission_ca"

Generate the TLS key and certificate:

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -config csr.conf
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -extensions v3_req -extfile csr.conf

Create a Kubernetes TLS secret for the webhook:

kubectl create secret tls webhook-tls --cert=server.crt --key=server.key

Set the CA_BUNDLE:

export CA_BUNDLE=$(cat ca.crt | base64 | tr -d '\n')

Remove all generated files:

rm ca.crt
rm ca.key
rm server.key
rm server.csr
rm server.crt

In my webhook, I have a volume and a volumeMount:

volume:

volumes:
- name: tls-vol
  secret:
    secretName: webhook-tls

volumeMount:

volumeMounts:
- name: tls-vol
  mountPath: /etc/webhook/certs
  readOnly: true

And the container args:

args:
- -tlsCertFile=/etc/webhook/certs/tls.crt
- -tlsKeyFile=/etc/webhook/certs/tls.key



I have successfully created a certificates.k8s.io/v1 CertificateSigningRequest with the following issuers and openssl CSR config. It was tested with this webhook example.

Please check out the configs below:

#csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc

and:

#csr-for-webhook.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${csrName}
spec:
  groups:
  - system:authenticated
  request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
  signerName: kubernetes.io/kube-apiserver-client


In your old CertificateSigningRequest YAML you were using server auth as one of the key usages, but in the latest one you changed it to client auth. The cert needed by the webhook needs to be signed with the server auth key usage, and signerName should be kubernetes.io/kubelet-serving. So update your files as follows to avoid the issue:

csr.conf

cat > csr.conf <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
CN = s-controller.ns-controller.svc
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = s-controller.ns-controller
DNS.2 = s-controller.ns-controller.svc
EOF

Generate the CSR with subject organization "system:nodes":

openssl genrsa -out server.key 2048
# -subj overrides the CN from csr.conf; the SANs and extensions still come from csr.conf
openssl req -new -key server.key -subj "/CN=system:node:s-controller.ns-controller.svc/OU=system:nodes/O=system:nodes" -out server.csr -config csr.conf

csr-for-webhook.yaml

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: csr-controller
spec:
  groups:
  - system:authenticated
  request: $(cat server.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

Source: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/

PS: I have tested it with Kubernetes version 1.21.3
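The flow the last answer describes, as an added example that is not part of any answer on this page: a standalone Go program (standard library only) that builds the same kind of CSR for the service s-controller in namespace ns-controller, checks it locally against the acceptance rules the Kubernetes CSR documentation lists for the kubernetes.io/kubelet-serving signer (subject O exactly "system:nodes", CN prefixed "system:node:", at least one DNS or IP SAN, no email or URI SANs, spec.usages exactly one of the two permitted sets), and renders the certificates.k8s.io/v1 manifest. It also reproduces the failure from the thread: "client auth" in spec.usages is rejected by this signer. It uses an ECDSA P-256 key rather than the RSA key in the answers, and the function names and the manifest name csr-controller are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"sort"
	"strings"
)

// Usage sets the kubelet-serving signer accepts (per the Kubernetes CSR docs).
// "key encipherment" is only meaningful for RSA keys, so the shorter set is also allowed.
var kubeletServingUsageSets = [][]string{
	{"digital signature", "key encipherment", "server auth"},
	{"digital signature", "server auth"},
}

// BuildCSR generates a fresh P-256 key and a PEM CSR with the given subject and DNS SANs.
func BuildCSR(commonName string, orgs, dnsNames []string) (keyPEM, csrPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName, Organization: orgs},
		DNSNames: dnsNames,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return keyPEM, csrPEM, nil
}

// BuildWebhookCSR shapes the subject the way the kubelet-serving signer requires and
// adds the in-cluster names the API server uses to reach the webhook Service.
func BuildWebhookCSR(service, namespace string) (keyPEM, csrPEM []byte, err error) {
	host := service + "." + namespace + ".svc"
	return BuildCSR("system:node:"+host, []string{"system:nodes"},
		[]string{service, service + "." + namespace, host})
}

// CheckKubeletServingCSR mirrors the documented acceptance rules of the
// kubernetes.io/kubelet-serving signer so a request that would be refused
// (or silently never signed) is caught before it is submitted.
func CheckKubeletServingCSR(csrPEM []byte, usages []string) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("input is not a PEM CERTIFICATE REQUEST")
	}
	req, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	if err := req.CheckSignature(); err != nil {
		return fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	if len(req.Subject.Organization) != 1 || req.Subject.Organization[0] != "system:nodes" {
		return fmt.Errorf("subject O must be exactly [system:nodes], got %v", req.Subject.Organization)
	}
	if !strings.HasPrefix(req.Subject.CommonName, "system:node:") {
		return fmt.Errorf("subject CN must start with system:node:, got %q", req.Subject.CommonName)
	}
	if len(req.DNSNames) == 0 && len(req.IPAddresses) == 0 {
		return fmt.Errorf("at least one DNS or IP SAN is required")
	}
	if len(req.EmailAddresses) > 0 || len(req.URIs) > 0 {
		return fmt.Errorf("email and URI SANs are not permitted")
	}
	if !usagesPermitted(usages) {
		return fmt.Errorf("usages %v not permitted for kubelet-serving; need exactly one of %v", usages, kubeletServingUsageSets)
	}
	return nil
}

// usagesPermitted compares the requested usages, order-insensitively, with the allowed sets.
func usagesPermitted(usages []string) bool {
	got := append([]string(nil), usages...)
	sort.Strings(got)
	for _, want := range kubeletServingUsageSets {
		w := append([]string(nil), want...)
		sort.Strings(w)
		if strings.Join(got, ",") == strings.Join(w, ",") {
			return true
		}
	}
	return false
}

// CSRManifest renders the certificates.k8s.io/v1 object for `kubectl create -f -`.
// spec.request is the base64 of the PEM CSR; spec.groups is left out because the
// API server populates it from the requesting user.
func CSRManifest(name string, csrPEM []byte, usages []string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: certificates.k8s.io/v1\nkind: CertificateSigningRequest\nmetadata:\n  name: %s\nspec:\n", name)
	fmt.Fprintf(&b, "  signerName: kubernetes.io/kubelet-serving\n")
	fmt.Fprintf(&b, "  request: %s\n  usages:\n", base64.StdEncoding.EncodeToString(csrPEM))
	for _, u := range usages {
		fmt.Fprintf(&b, "  - %s\n", u)
	}
	return b.String()
}

func main() {
	usages := []string{"digital signature", "key encipherment", "server auth"}
	_, csrPEM, err := BuildWebhookCSR("s-controller", "ns-controller")
	if err != nil {
		panic(err)
	}
	if err := CheckKubeletServingCSR(csrPEM, usages); err != nil {
		panic(err)
	}
	fmt.Print(CSRManifest("csr-controller", csrPEM, usages))
	// The mistake from the thread: "client auth" is not accepted by this signer.
	fmt.Println("# client-auth variant:", CheckKubeletServingCSR(csrPEM, []string{"digital signature", "key encipherment", "client auth"}))
}
```

After `kubectl create -f` the object still has to be approved (`kubectl certificate approve csr-controller`; the kubelet-serving signer is not auto-approved for non-kubelet requesters), and the issued certificate is read back from status.certificate. Because that certificate is signed by the CA configured on kube-controller-manager (--cluster-signing-cert-file), the webhook configuration's caBundle must carry that CA, not a locally generated one. Approving a request under a signer intended for kubelets should be a deliberate decision: anything holding the resulting certificate is presented to the API server as a node serving endpoint.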