Openssl Kubernetes

A high-level overview of TLS/SSL and the OpenSSL tool, creating private keys and CSRs, and an introduction to the Internet PKI.

kubectl get secrets NAME TYPE DATA AGE backend-tls kubernetes.io/tls 2 3m18s frontend-tls kubernetes.io/tls 2 3m18s Deploy a simple application with HTTPS In this section, we will deploy a simple application exposing an HTTPS endpoint on port 8443. Openssl installed locally; often pre-installed by the OS install; Please note: While I tried using both MicroK8s and Minikube local clusters, I ended up writing this article using an Amazon Elastic Kubernetes Service (EKS) cluster because I could not reliably get Telepresence (covered in the next section) to work with either of them.

This article is part two of three covering encryption concepts and the Internet public key infrastructure (PKI). The first article in this series introduced symmetric and public key (asymmetric) encryption in cryptography. If you're not familiar with the basic concept of public-key encryption, you should read part one before you go ahead with this one.

Openssl

In this part, I show you the basics of Transport Layer Security and Secure Socket Layer (TLS/SSL), how the Internet PKI works, and OpenSSL, the Swiss Army knife for TLS/SSL tasks. I cover how to use OpenSSL to create key-pairs and to generate a certificate signing request (CSR) to send to your certificate authority (CA) for signing. After that, I discuss some weaknesses of the Internet PKI you should be aware of.

[ You might also enjoy: Security advice for sysadmins: Own IT, Secure IT, Protect IT ]

Preface

Assume that you're a sysadmin like me and one of your tasks is to manage a webserver. Because your users care about authenticity, integrity, and privacy, you'd like to secure your web application with some kind of encryption.* You don't know in advance who's using your site, so symmetric encryption is off the table because of its key distribution problem. I use public-key encryption in the following sections instead.

Linux Security

Openssl kubernetes tutorial

TLS/SSL

The acronyms for Transport Layer Security and Secure Socket Layer are TLS and SSL. They are used interchangeably most of the time, and that's OK. While the old SSL protocol versions are deprecated, you'll usually find TLSv1.2 and TLSv1.3 on the web these days. TLS is used in HTTPS connections between some clients and some web servers. The following image shows a simple example of an HTTPS handshake.

  • Users in Kubernetes
    • RBAC Authorization
  • Configure Access to Kubernetes Cluster

Controlling Access to the Kubernetes API

Users access the API using kubectl, client libraries, or by making REST requests. Both human users and Kubernetes serevice accounts can be authorized for API access. When a request reaches the API, it goes through several stages, illustrated in the following diagram:

For more information, see Controlling Access to the Kubernetes API.

Users in Kubernetes

All Kubernetes clusters have two categories of users: service accounts managed by Kubernetes, and normal users.

Normal users are assumed to be managed by an outside, independent service. An admin distributing private keys, a user store like Keystone or Google Accounts, even a file with a list of usernames and passwords. In this regard, Kubernetes does not have objects which represent normal user accounts. Normal users cannot be added to a cluster through an API call.

In contrast, service accounts are users managed by the Kubernetes API. They are bound to specific namespaces, and created automatically by the API server or mannually through API calls. Service accounts are tied to a set of credential stored as Secret, which are mounted into pods allowing in-cluster processed to talk to the Kubernetes API.

API requests are tied to either a normal user or a service account, or are treated as anonymous requests. This means every process inside or outside the cluster, from a human user typing kubectl on a workstation, to kubelets on nodes, to members of the control plane, must authenticate when making requests to the API server, or be treated as an anonymous user.

For more information, see Authenticating in Kubernetes

Authentication strategies

Kubernetes uses client certificates, bearer tokens, an authenticating proxy, or HTTP basic auth to authenticate API requests through authentication plugins. As HTTP request are made to the API server, plugins attempt to associate the following attributes with the request:

  • Username: a string which identifies the end user. Common values might be kube-admin or [email protected].
  • UID: a string which identifies the end user and attempts to be more consistent and unique than username.
  • Groups: a set of strings which associate users with a set of commonly grouped users.
  • Extra fields: a map of strings to list of strings which holds additional information authorizers may find useful.

X509 Client Certs

Client certificate authentication is enabled by passing the –client-ca-file=SOMEFILE option to API server. The referenced file must contain one or more certificates authorities to use to validate client certificates presented to the API server. If a client certificate is presented and verified, the common name of the subject is used as the user name for the request. As of Kubernetes 1.4, client certificates can also indicate a user’s group memberships using the certificate’s organization fields. To include multiple group memberships for a user, include multiple organization fields in the certificate.

For example, using the openssl command line tool to generate a certificate signing request:

This would create a CSR for the username “jbeda”, belonging to two groups, “app1” and “app2”.

See Managing Certificates for how to generate a client cert.

Determine Whether a Request is Allowed or Denied

Kubernetes authorizes API requests using the API server. It evaluates all of the request attributes against all policies and allows or denies the request. All parts of an API request must be allowed by some policy in order to proceed. This means that permissions are denied by default.

For more information, see Authorization Overview

RBAC Authorization

Role and ClusterRole

In the RABC API, a role contains rules that represent a set of permissions. Perminssions are purely additive (there are no “deny” rules). A role can be defined within a namespace with a Role, or cluster-wide with a ClusterRole.

A Role can only be used to grant access to resources within a single namespace.

A ClusterRole can be used to grant the same permissions as a Role, but because they are cluster-scoped, they can also be used to grant access to:

  • cluster-scoped resources (like nodes)
  • no-resource endpoints (like “/healthz”)
  • namespaced resources (like pods) across all namespaces (need to kubectl get pods –all-namespaces, for example)
Openssl kubernetes download

RoleBinding and ClusterRoleBinding

A role binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. Permissions can be granted within a namespace with a RoleBinding, or cluster-wide with a ClusterRoleBinding.

roleRef is how you will actually create the binding. The kind will be either Role or ClusterRole, and the name will reference the name of the specific Role or ClusterRole yo want.

A RoleBinding may reference a Role in the same namespace.

A RoleBinding may also reference a ClusterRole to grant the permissions to namespaced resources defined in the ClusterRole within the RoleBinding’s namespace. This allows administrators to define a set of common roles for the entire cluster, then reuse them with multiple namespaces.

Finally, a ClusterRoleBinding may be used to grant permissions at the cluster level and in all namespaces.

For more information, see Using RBAC Authorization.

Openssl Kubernetes Python

Configure Access to Kubernetes Cluster

1. Create a Normal User with X.509 Client Certificate

2. Create a KUBECONFIG file.

  1. Update <APISERVER-HOST> and <APISERVER-PORT> with you Kubernetes API server (i.e. master) host and port.
  2. Update <CLUSTER-NAME> with your Kubernetes cluster name.
  3. Update <USER> with “kube-ops”
  4. Update <CA-DATA> with the based64 encoded Kubernetes CA certificate.
  5. Update <CLIENT-CRT-DATA> with the based64 encoded client certificate kube-ops.crt.
  6. Update <CLIENT-KEY-DATA> with the based64 encoded cleint key kube-ops.key.

You can generate <CA-DATA>, <CLIENT-CRT-DATA> and <CLIENT-KEY-DATA with the following command:

Openssl Kubernetes Tutorial

3. Grant the cluster-adminClusterRole to a user named “kube-ops”

Openssl Kubernetes Dashboard

4. Test the config and RBAC rule.

Openssl S_client Kubernetes

References