Use context: kubectl config use-context k8s-c2-AC

Node cluster2-node1 has been added to the cluster using kubeadm and TLS bootstrapping.

Find the “Issuer” and “Extended Key Usage” values of the cluster2-node1:

1. kubelet client certificate, the one used for outgoing connections to the kube-apiserver.
2. kubelet server certificate, the one used for incoming connections from the kube-apiserver.

Write the information into file /opt/course/23/certificate-info.txt.

Compare the “Issuer” and “Extended Key Usage” fields of both certificates and make sense of these.

Understanding and Verifying Kubernetes Kubelet Certificates

Kubernetes uses certificates to secure communication between its components, including the kubelet, which is the agent running on each node. The kubelet has both client and server certificates to authenticate and secure its interactions. In this guide, we’ll explore how to locate these certificates, verify their issuers, and understand their purposes.

Step 1: Locating the Kubelet Certificate Directory

The kubelet certificates are typically stored in a default directory, but it’s important to confirm this on your system. The default directory for kubelet certificates is usually /var/lib/kubelet/pki/. However, the location can vary based on configuration.

To check if a different certificate directory is being used, you can inspect the kubelet configuration with the following steps:

First, check the systemd configuration for the kubelet:

You can also verify the running process:

This should confirm whether the default directory or a custom one is in use.

Step 2: Verifying the Kubelet Client Certificate

The kubelet client certificate is used for authenticating the kubelet to the Kubernetes API server. To inspect this certificate, run the following command:

This command will display the certificate’s issuer. For example:

The issuer should typically be the Kubernetes API server, indicating that this certificate was issued by the cluster’s Certificate Authority (CA).

Next, verify the “Extended Key Usage” field to ensure it’s being used correctly for client authentication:

Expected output:

This shows that the certificate is intended for client authentication.

Step 3: Verifying the Kubelet Server Certificate

The kubelet server certificate is used to authenticate communication to the kubelet itself. To inspect this certificate, use the following command:

This will show the issuer of the server certificate. For example:

In many setups, the server certificate is self-signed by the node’s local CA. This indicates that the certificate was generated on the node itself.

Check the “Extended Key Usage” to confirm that the certificate is meant for server authentication:

Expected output:

This shows that the certificate is intended for server authentication.

Understanding the Kubelet Certificates

The kubelet client and server certificates are crucial for secure communication in a Kubernetes cluster. The client certificate is typically issued by the Kubernetes API server’s CA and is used by the kubelet to authenticate itself to the API server. The server certificate is often self-signed on the node and is used to secure communication between the kubelet and other components that need to connect to it.

For more details on kubelet TLS bootstrapping and certificate management, you can refer to the official Kubernetes documentation: Kubelet TLS Bootstrapping.

Conclusion

Properly managing and verifying kubelet certificates is essential for maintaining a secure and reliable Kubernetes cluster. By understanding the role of these certificates and how to inspect them, you can ensure that your cluster’s communication remains secure and trusted.