virtual-kubelet / virtual-kubelet

Virtual Kubelet is an open source Kubernetes kubelet implementation.
https://virtual-kubelet.io
Apache License 2.0

docs: how to use kubeconfig to configure VK to Kubernetes secure communications #864

Open sureshsankaran opened 4 years ago

sureshsankaran commented 4 years ago

Could you please share or point to any document on the recommended way to set up secure communication between the API server and VK (and from VK to the API server as well)? I am planning on using VK for this scenario: a cloud vendor's managed k8s cluster with a Raspberry Pi based VK. So all the details to keep this channel between the endpoints secure are appreciated.

Thanks

pires commented 3 years ago

Hello @sureshsankaran! You can establish and secure your VK-apiserver communications with a kubeconfig that ensures the API certificate is valid and that VK uses a client certificate the apiserver recognizes too.

Here's an example that works for me when running one VK provider called systemk:

apiVersion: v1
clusters:
- cluster:
    server: https://192.168.64.17:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    user: systemk
  name: systemk
current-context: systemk
kind: Config
preferences: {}
users:
- name: systemk
  user:
    client-certificate: systemk.crt
    client-key: systemk.key
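
As an added check, not part of the thread or the virtual-kubelet project: a small Go program that lints a kubeconfig for the two properties described above, a pinned cluster CA so the apiserver certificate is actually validated (the snippet above carries no certificate-authority entry, so that validation falls back to whatever the host trust store happens to contain), and a client certificate together with its key. kubectl and client-go accept JSON kubeconfigs, so the two constructed samples are JSON reusing the minikube/systemk names from the snippet; ca.pem and the other file paths are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Kubeconfig mirrors only the fields that matter for transport security;
// json.Unmarshal ignores everything else in the file.
type Kubeconfig struct {
	Clusters []struct {
		Name    string `json:"name"`
		Cluster struct {
			Server                   string `json:"server"`
			CertificateAuthority     string `json:"certificate-authority"`
			CertificateAuthorityData string `json:"certificate-authority-data"`
			InsecureSkipTLSVerify    bool   `json:"insecure-skip-tls-verify"`
		} `json:"cluster"`
	} `json:"clusters"`
	Users []struct {
		Name string `json:"name"`
		User struct {
			ClientCertificate     string `json:"client-certificate"`
			ClientCertificateData string `json:"client-certificate-data"`
			ClientKey             string `json:"client-key"`
			ClientKeyData         string `json:"client-key-data"`
			Token                 string `json:"token"`
		} `json:"user"`
	} `json:"users"`
	Contexts []struct {
		Name    string `json:"name"`
		Context struct {
			Cluster string `json:"cluster"`
			User    string `json:"user"`
		} `json:"context"`
	} `json:"contexts"`
}

// LintKubeconfig parses a JSON kubeconfig and returns one finding per context
// for each way it fails to authenticate the apiserver (https, no TLS bypass,
// pinned CA) or to authenticate itself (client certificate plus key, or a token).
func LintKubeconfig(data []byte) ([]string, error) {
	var cfg Kubeconfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	clusters, users := map[string]int{}, map[string]int{}
	for i, c := range cfg.Clusters {
		clusters[c.Name] = i
	}
	for i, u := range cfg.Users {
		users[u.Name] = i
	}
	var findings []string
	for _, ctx := range cfg.Contexts {
		add := func(msg string) { findings = append(findings, ctx.Name+": "+msg) }
		if i, ok := clusters[ctx.Context.Cluster]; !ok {
			add("references unknown cluster " + ctx.Context.Cluster)
		} else if c := cfg.Clusters[i].Cluster; !strings.HasPrefix(c.Server, "https://") {
			add("server " + c.Server + " is not https")
		} else if c.InsecureSkipTLSVerify {
			add("insecure-skip-tls-verify is set, so the apiserver certificate is never checked")
		} else if c.CertificateAuthority == "" && c.CertificateAuthorityData == "" {
			add("no certificate-authority pinned; apiserver identity rests on the host trust store")
		}
		if i, ok := users[ctx.Context.User]; !ok {
			add("references unknown user " + ctx.Context.User)
		} else if u := cfg.Users[i].User; (u.ClientCertificate != "" || u.ClientCertificateData != "") && u.ClientKey == "" && u.ClientKeyData == "" {
			add("client-certificate without client-key")
		} else if u.ClientCertificate == "" && u.ClientCertificateData == "" && u.Token == "" {
			add("no client credential (client certificate or token)")
		}
	}
	return findings, nil
}

// Constructed sample: TLS verification switched off and the client key left out.
const WeakKubeconfig = `{
  "apiVersion": "v1", "kind": "Config",
  "clusters": [{"name": "minikube", "cluster": {"server": "https://192.168.64.17:8443", "insecure-skip-tls-verify": true}}],
  "users": [{"name": "systemk", "user": {"client-certificate": "systemk.crt"}}],
  "contexts": [{"name": "systemk", "context": {"cluster": "minikube", "user": "systemk"}}],
  "current-context": "systemk"
}`

// Constructed sample: cluster CA pinned (ca.pem is a placeholder path), client certificate and key present.
const HardenedKubeconfig = `{
  "apiVersion": "v1", "kind": "Config",
  "clusters": [{"name": "minikube", "cluster": {"server": "https://192.168.64.17:8443", "certificate-authority": "ca.pem"}}],
  "users": [{"name": "systemk", "user": {"client-certificate": "systemk.crt", "client-key": "systemk.key"}}],
  "contexts": [{"name": "systemk", "context": {"cluster": "minikube", "user": "systemk"}}],
  "current-context": "systemk"
}`

func main() {
	for name, cfg := range map[string]string{"weak": WeakKubeconfig, "hardened": HardenedKubeconfig} {
		findings, err := LintKubeconfig([]byte(cfg))
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s) %v\n", name, len(findings), findings)
	}
}
```

The weak sample yields two findings (TLS bypass, certificate without key); the hardened one yields none. With a YAML kubeconfig like the one above, convert it to JSON first (for example with `kubectl config view -o json`) before feeding it to the linter.
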

cheimu commented 2 years ago

Hi, you can try to use the k8s CSR API to achieve it. You can use a CSR to issue a certificate at the kubelet level; then the apiserver can communicate with the virtual kubelet the same way it communicates with a kubelet. It worked for me.

1. Generate the private key and CSR config, then the CSR itself:

    # write the CSR config (use > rather than >> so a re-run does not append duplicate sections)
    cat <<EOF > ./csr.conf
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [v3_req]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    IP = <node_ip_where_virtual_kubelet_will_be_deployed>
    EOF

    openssl genrsa -out vklet-key.pem 2048

    # the CN must be system:node:<node name of the virtual kubelet> and O must be system:nodes
    openssl req -new -key vklet-key.pem -out vklet.csr -subj '/CN=system:node:<virtual_kubelet_node_name>/C=US/O=system:nodes' -config ./csr.conf

2. Create the CSR object, approve it, and extract the certificate

    Assuming the CSR's name is vklet:

    kubectl apply -f csr.yaml

    kubectl certificate approve vklet

    kubectl get csr vklet -o jsonpath='{.status.certificate}' | base64 -d > vklet-cert.pem

3. Prepare the cluster CA and set the environment variables that are used when initializing virtual kubelet

    export APISERVER_CERT_LOCATION=vklet-cert.pem
    export APISERVER_KEY_LOCATION=vklet-key.pem
    export APISERVER_CA_CERT_LOCATION=ca.pem
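
An added Go example, not part of the comment above or of the virtual-kubelet project: once the cluster has issued the certificate in step 2, it is worth confirming that the certificate actually carries what the apiserver relies on before pointing APISERVER_CERT_LOCATION at it, because a CSR with a wrong CN, a missing O or a missing IP SAN is easy to produce and only fails later, when the apiserver dials the node. CheckKubeletServingCert verifies the chain to the cluster CA for server authentication (which also catches a certificate without the serverAuth EKU), the CN=system:node:<node name> and O=system:nodes that the node authorizer keys on, and the IP SAN for the node address. IssueTestCert stands in for the cluster's signer so the program runs offline; the node name vk-pi-01 and the address 192.168.1.50 are constructed. Against a real cluster, call the checker with the contents of vklet-cert.pem and ca.pem from the steps above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CheckKubeletServingCert returns one finding per property the apiserver needs
// from the node's serving certificate that is missing: a chain to the cluster CA
// valid for server auth (rejects a missing serverAuth EKU as well), the subject
// CN=system:node:<nodeName> and O=system:nodes, and an IP SAN equal to nodeIP.
func CheckKubeletServingCert(certPEM, caPEM []byte, nodeName, nodeIP string) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return nil, fmt.Errorf("certificate is not PEM encoded")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("CA bundle contains no certificates")
	}
	var findings []string
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := cert.Verify(opts); err != nil {
		findings = append(findings, "does not chain to the cluster CA for server auth: "+err.Error())
	}
	if want := "system:node:" + nodeName; cert.Subject.CommonName != want {
		findings = append(findings, fmt.Sprintf("CN is %q, expected %q", cert.Subject.CommonName, want))
	}
	inNodes, hasIP := false, false
	for _, o := range cert.Subject.Organization {
		inNodes = inNodes || o == "system:nodes"
	}
	for _, ip := range cert.IPAddresses {
		hasIP = hasIP || ip.Equal(net.ParseIP(nodeIP))
	}
	if !inNodes {
		findings = append(findings, "O does not include system:nodes, so the subject is not treated as a node")
	}
	if !hasIP {
		findings = append(findings, "no IP SAN for "+nodeIP+"; the apiserver's TLS connection to the node would fail")
	}
	return findings, nil
}

// IssueTestCert stands in for the cluster signer: it creates a throwaway CA and
// signs a server certificate with the given subject and IP SANs (both as PEM).
func IssueTestCert(cn string, orgs []string, ips []net.IP) ([]byte, []byte, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-cluster-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn, Organization: orgs},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IPAddresses: ips, KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(leafDER), toPEM(caDER), nil
}

func main() {
	node, ip := "vk-pi-01", "192.168.1.50" // constructed node identity
	good, ca, _ := IssueTestCert("system:node:"+node, []string{"system:nodes"}, []net.IP{net.ParseIP(ip)})
	bad, badCA, _ := IssueTestCert("system:node:;", nil, nil) // malformed CN, no O, no SAN
	f, _ := CheckKubeletServingCert(good, ca, node, ip)
	fmt.Println("good:", f)
	f, _ = CheckKubeletServingCert(bad, badCA, node, ip)
	fmt.Println("bad:", f)
}
```

The same CN and O constraints are enforced by the cluster's kubernetes.io/kubelet-serving signer, which only issues certificates for server auth usages, so a CSR that fails this checker is also one the signer would refuse; running the check on the returned certificate additionally confirms that the SAN from csr.conf survived signing and that ca.pem is the CA that actually signed it.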