Gathering etcd Information and Taking a Snapshot in Kubernetes
In a Kubernetes cluster, etcd is a critical component that stores the cluster’s configuration and state. Managing and securing etcd is essential for ensuring the reliability of your Kubernetes cluster. In this guide, we’ll walk through how to gather key information about etcd, including the server private key location, certificate expiration date, and whether client certificate authentication is enabled. Additionally, we’ll take a snapshot of the etcd database for backup purposes.
Step 1: Checking etcd Configuration
To begin, we’ll need to connect to the control plane node of your Kubernetes cluster where etcd is running. In our case, it’s running on cluster2-controlplane1. We can start by checking the nodes in the cluster:
```bash
kubectl get nodes
```
After confirming the control plane node, SSH into it:
```bash
ssh cluster2-controlplane1
```
Next, let’s inspect the etcd configuration by locating its manifest file. etcd runs as a static Pod, so its manifest is located in the /etc/kubernetes/manifests/ directory:
```bash
vim /etc/kubernetes/manifests/etcd.yaml
```
Inside the etcd.yaml file, you will find several important parameters, including:
- Server Private Key Location: The path to the server’s private key is defined by the --key-file parameter.
- Client Certificate Authentication: Check whether client certificate authentication is enabled using the --client-cert-auth=true parameter.
Step 2: Finding the Server Certificate Expiration Date
To find the expiration date of the server certificate used by etcd, use the openssl command to inspect the certificate:
```bash
openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/server.crt | grep Validity -A2
```
The output will show the “Not Before” and “Not After” dates, indicating when the certificate is valid and when it expires.
Step 3: Saving the Information
Once you’ve gathered the necessary information, save it to a file for future reference. The information might look something like this:
```text
# /opt/course/p1/etcd-info.txt
Server private key location: /etc/kubernetes/pki/etcd/server.key
Server certificate expiration date: Sep 13 13:01:31 2022 GMT
Is client certificate authentication enabled: yes
```
Step 4: Taking an etcd Snapshot
Backing up etcd is a critical task that ensures you can recover your cluster configuration in case of data loss. To take a snapshot of the etcd database, use the following command:
```bash
ETCDCTL_API=3 etcdctl snapshot save /etc/etcd-snapshot.db \
  --cacert /etc/kubernetes/pki/etcd/ca.crt \
  --cert /etc/kubernetes/pki/etcd/server.crt \
  --key /etc/kubernetes/pki/etcd/server.key
```
This command saves a snapshot of the etcd database to the specified location. The --cacert, --cert, and --key parameters are required to authenticate to the etcd server: with --client-cert-auth=true, etcd only accepts clients that present a certificate signed by its CA, and --cacert lets etcdctl verify the server in turn. Keep in mind that the snapshot contains every object stored in the cluster, including Secrets, so restrict its file permissions and protect it as carefully as the etcd key material itself.
Step 5: Checking the Snapshot Status
After taking the snapshot, you can check its status using the following command:
```bash
ETCDCTL_API=3 etcdctl snapshot status /etc/etcd-snapshot.db
```
The output will provide details about the snapshot, such as its hash, revision, total keys, and total size. This information can be used to verify the integrity of the backup.
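Putting the five steps together, here is an added shell script (not from the original guide) that reads the flags from etcd.yaml, gets the expiry date with openssl, writes etcd-info.txt, then takes and verifies the snapshot. The environment-variable overrides, the --run argument and the function names are my own conventions, and the embedded manifest excerpt is constructed so the parsing functions can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not part of the original guide: automate Steps 1 to 5 on a kubeadm
# control plane node. Paths are the guide's defaults; --key-file, --cert-file,
# --trusted-ca-file and --client-cert-auth are real etcd flags, and openssl's
# -enddate option prints only the "Not After" line as "notAfter=...".
set -eu
MANIFEST="${ETCD_MANIFEST:-/etc/kubernetes/manifests/etcd.yaml}"
INFO_FILE="${ETCD_INFO_FILE:-/opt/course/p1/etcd-info.txt}"
SNAPSHOT="${ETCD_SNAPSHOT:-/etc/etcd-snapshot.db}"
# Constructed excerpt of an etcd static Pod manifest, used for an offline dry run.
SAMPLE_MANIFEST='spec:
  containers:
  - command:
    - etcd
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=true
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt'
# manifest_flag FLAG TEXT: value of the "- --FLAG=value" entry in the command list.
manifest_flag() {
  printf '%s\n' "$2" | awk -v f="--$1=" '
    { line = $0; sub(/^[[:space:]]*- /, "", line) }
    index(line, f) == 1 { print substr(line, length(f) + 1); exit }'
}
# "yes" when --client-cert-auth=true is set, otherwise "no".
client_cert_auth_enabled() {
  if [ "$(manifest_flag client-cert-auth "$1")" = "true" ]; then echo yes; else echo no; fi
}
# Strip the "notAfter=" prefix from `openssl x509 -noout -enddate` output.
parse_not_after() { printf '%s\n' "$1" | sed 's/^notAfter=//'; }
# render_info KEY DATE YESNO: the three lines the guide saves to etcd-info.txt.
render_info() {
  printf 'Server private key location: %s\n' "$1"
  printf 'Server certificate expiration date: %s\n' "$2"
  printf 'Is client certificate authentication enabled: %s\n' "$3"
}
# Live run (as root on the control plane node): gather, save the info, snapshot, verify.
main() {
  text=$(cat "$MANIFEST")
  key=$(manifest_flag key-file "$text"); cert=$(manifest_flag cert-file "$text")
  ca=$(manifest_flag trusted-ca-file "$text")
  expiry=$(parse_not_after "$(openssl x509 -noout -enddate -in "$cert")")
  mkdir -p "$(dirname "$INFO_FILE")"
  render_info "$key" "$expiry" "$(client_cert_auth_enabled "$text")" | tee "$INFO_FILE"
  ETCDCTL_API=3 etcdctl snapshot save "$SNAPSHOT" --cacert "$ca" --cert "$cert" --key "$key"
  chmod 600 "$SNAPSHOT"   # the snapshot holds every Secret in the cluster
  ETCDCTL_API=3 etcdctl snapshot status "$SNAPSHOT"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh etcd-info.sh --run` on the control plane node; without the argument it only defines the functions, so the parsers can be tried against SAMPLE_MANIFEST.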
Conclusion
Managing etcd in a Kubernetes cluster is essential for maintaining the health and stability of your cluster. By gathering key information about etcd and regularly taking snapshots, you can ensure that your cluster’s configuration and state are secure and recoverable in the event of a failure.