Very partial answer for the moment
1. CA for etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy
Since I have access to the cluster certificates (at /etc/kubernetes/pki) and since I wanted to further automate the process I was wondering which certificate and key are used by Kubernetes in the signing process.
There is a great Kubernetes The Hard Way tutorial that gives you a great opportunity to check, test and try on your own how to manually create a Kubernetes cluster, including manually creating all the certificates for the core components.
Provisioning a CA and Generating TLS Certificates
You will provision a PKI Infrastructure using CloudFlare's PKI toolkit, cfssl, then use it to bootstrap a Certificate Authority, and generate TLS certificates for the following components: etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy.
Generating Kubernetes Configuration Files for Authentication
You will generate Kubernetes configuration files, also known as kubeconfigs, which enable Kubernetes clients to locate and authenticate to the Kubernetes API Servers.
2. New user creation
You can use Kubernetes: How do I access the CA to sign a new user certificate? as a reference. Copy-pasting it here for history in case the original post is removed:
You can use the built-in CA in your cluster to create client certificates. Background information on how to use the CA:
https://kubernetes.io/docs/concepts/cluster-administration/certificates/
Assuming you have a user.json:
{
  "CN": "mfrank",
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [{
    "O": "mfrank",
    "email": "some@email"
  }]
}
You can then generate a CSR for this. In this example I use cfssl to generate the CSR:
cfssl genkey user.json | cfssljson -bare client
You can now use kubectl to submit a CSR for your cluster:
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: mfrank
spec:
  groups:
  - system:authenticated
  - mfrank
  request: $(cat client.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
The request field is the base64-encoded version of your CSR file, with the newlines removed.
To view your CSR: kubectl get csr
To approve it:
kubectl certificate approve mfrank
Decode it:
kubectl get csr mfrank -o jsonpath='{.status.certificate}' | base64 -d > client.pem
You can now use the client-key.pem and client.pem to build a kubeconfig.
You can then create RBAC rolebindings on your cluster assigning to either --user=mfrank or --group=mfrank (assuming you used "O": "mfrank").
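The same flow on the current certificates.k8s.io/v1 API, as an added example that is not part of the original answer or the linked post. It adds the check a cluster admin wants before running kubectl certificate approve: the CN of the CSR becomes the username and every O becomes a group, so a request carrying O=system:masters must be rejected. Assumed: openssl, base64 and kubectl are on PATH; the function and file names (make_csr, check_csr_subject, csr_manifest, issue_user_cert, <user>.csr, <user>-key.pem, <user>.pem) are this example's own.

```shell
# Added example, not from the original answer. Assumes openssl, base64 and
# kubectl on PATH; issue_user_cert acts on the current kubectl context.
set -eu

# Constructed input: key + CSR for a subject such as "/CN=mfrank/O=mfrank".
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1-key.pem" -out "$1.csr" 2>/dev/null
}

# Gate before approval: CN must be the intended user, and no O= (each O
# becomes a group) may start with system:, since system:masters bypasses RBAC.
check_csr_subject() {
  subject=$(openssl req -in "$1" -noout -subject -nameopt sep_multiline)
  cn=$(printf '%s\n' "$subject" | sed -n 's/^ *CN=//p' | head -n 1)
  if printf '%s\n' "$subject" | grep -Eq '^ *O=system:'; then
    echo "reject $1: requests a system: group" >&2; return 1
  fi
  [ "$cn" = "$2" ] || { echo "reject $1: CN '$cn' is not '$2'" >&2; return 1; }
}

# Manifest on the GA certificates.k8s.io/v1 API (v1beta1 was removed in 1.22):
# signerName is required; spec.groups is filled in by the apiserver, not by us.
csr_manifest() {
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: $(base64 < "$2" | tr -d '\n')
  usages:
  - client auth
EOF
}

# Check, submit, approve, wait for the asynchronously issued cert, save it.
issue_user_cert() {
  check_csr_subject "$1.csr" "$1"
  csr_manifest "$1" "$1.csr" | kubectl create -f -
  kubectl certificate approve "$1"
  cert=""
  for _ in 1 2 3 4 5; do
    cert=$(kubectl get csr "$1" -o jsonpath='{.status.certificate}')
    [ -n "$cert" ] && break; sleep 2
  done
  [ -n "$cert" ] || { echo "no certificate issued for $1" >&2; return 1; }
  printf '%s' "$cert" | base64 -d > "$1.pem"   # pair with $1-key.pem in kubeconfig
}
```

Run make_csr mfrank "/CN=mfrank/O=mfrank" followed by issue_user_cert mfrank; a CSR built with "/CN=mfrank/O=system:masters" is refused before it ever reaches the cluster.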