# Static pod manifest for the API server; the kubelet on the control-plane
# node reads it from this directory, so this file is the source of truth for
# the flags (and certificate paths) the running kube-apiserver uses.
cat /etc/kubernetes/manifests/kube-apiserver.yaml
예시
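# kube-apiserver static pod manifest (kubeadm-generated) for the node that
# advertises 10.32.46.6. Re-indented from the flattened paste so it parses as
# YAML again; flag values are unchanged. Comments mark the security-relevant
# flags a reviewer checks first.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.32.46.6:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.32.46.6
    - --allow-privileged=true
    # Node authorizer plus RBAC; no AlwaysAllow.
    - --authorization-mode=Node,RBAC
    # CA that client certificates presented to the API server must chain to.
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    # NodeRestriction limits what a kubelet may modify on Node/Pod objects.
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    # Client certificate/key the API server presents to etcd (etcd enforces
    # --client-cert-auth=true on its side), plus the CA used to verify etcd.
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    # 0 disables the plaintext, unauthenticated listener entirely.
    - --insecure-port=0
    # Client certificate/key used when the API server connects to kubelets
    # (the "kubelet-client" settings referred to in the notes on this page).
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    # Aggregation-layer (front-proxy) client identity, and the CA plus
    # header names the API server trusts for requests arriving via the proxy.
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    # Service-account token issuer and the key pair used to sign/verify tokens.
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    # Serving certificate/key for the HTTPS endpoint on 6443 (this is the
    # certificate decoded with openssl further down the page).
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    # NOTE(review): --anonymous-auth is not set here (it keeps its default,
    # true) and no --audit-policy-file/--audit-log-path is configured; both
    # are usual hardening items to confirm against the cluster's baseline.
    image: k8s.gcr.io/kube-apiserver:v1.20.0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 10.32.46.6
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 10.32.46.6
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 10.32.46.6
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    # All host directories, including the PKI directory holding the private
    # keys, are mounted read-only into the container.
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
  # Control-plane static pod: shares the node's network namespace, so 6443
  # is bound directly on the host.
  hostNetwork: true
  priorityClassName: system-node-critical
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
status: {}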
- kube-apiserver에 사용된 인증서 파일 식별: `/etc/kubernetes/pki/apiserver.crt`
kubelet-client 설정을 보고 싶다면 /etc/kubernetes/manifests/kube-apiserver.yaml 파일에서 `--kubelet-client-key` 옵션을 찾으십시오.
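# kube-apiserver static pod manifest (kubeadm-generated) for the node that
# advertises 10.32.97.9. Re-indented from the flattened paste so it parses as
# YAML again; flag values are unchanged. Comments mark the security-relevant
# flags a reviewer checks first.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.32.97.9:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.32.97.9
    - --allow-privileged=true
    # Node authorizer plus RBAC; no AlwaysAllow.
    - --authorization-mode=Node,RBAC
    # CA that client certificates presented to the API server must chain to.
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    # NodeRestriction limits what a kubelet may modify on Node/Pod objects.
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    # Client certificate/key the API server presents to etcd (etcd enforces
    # --client-cert-auth=true on its side), plus the CA used to verify etcd.
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    # 0 disables the plaintext, unauthenticated listener entirely.
    - --insecure-port=0
    # Client certificate/key used when the API server connects to kubelets
    # (the "kubelet-client" settings referred to in the notes on this page).
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    # Aggregation-layer (front-proxy) client identity, and the CA plus
    # header names the API server trusts for requests arriving via the proxy.
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    # Service-account token issuer and the key pair used to sign/verify tokens.
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    # Serving certificate/key for the HTTPS endpoint on 6443 (this is the
    # certificate decoded with openssl further down the page).
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    # NOTE(review): --anonymous-auth is not set here (it keeps its default,
    # true) and no --audit-policy-file/--audit-log-path is configured; both
    # are usual hardening items to confirm against the cluster's baseline.
    image: k8s.gcr.io/kube-apiserver:v1.20.0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 10.32.97.9
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 10.32.97.9
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 10.32.97.9
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    # All host directories, including the PKI directory holding the private
    # keys, are mounted read-only into the container.
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
  # Control-plane static pod: shares the node's network namespace, so 6443
  # is bound directly on the host.
  hostNetwork: true
  priorityClassName: system-node-critical
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
status: {}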
--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
etcd static pod의 cert-file 설정을 보려면 /etc/kubernetes/manifests/etcd.yaml 파일을 확인하십시오.
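# etcd static pod manifest (kubeadm-generated, single-member cluster on
# 10.32.97.9). Re-indented from the flattened paste so it parses as YAML
# again; flag values are unchanged. Comments mark the TLS-relevant flags.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/etcd.advertise-client-urls: https://10.32.97.9:2379
  creationTimestamp: null
  labels:
    component: etcd
    tier: control-plane
  name: etcd
  namespace: kube-system
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://10.32.97.9:2379
    # Serving certificate/key for the client listener on 2379 (the
    # "cert-file" setting asked about in the notes on this page).
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    # Clients must present a certificate chaining to --trusted-ca-file.
    - --client-cert-auth=true
    - --data-dir=/var/lib/etcd
    - --initial-advertise-peer-urls=https://10.32.97.9:2380
    - --initial-cluster=controlplane=https://10.32.97.9:2380
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --listen-client-urls=https://127.0.0.1:2379,https://10.32.97.9:2379
    # Metrics/health endpoint is plain HTTP but bound to loopback only.
    - --listen-metrics-urls=http://127.0.0.1:2381
    - --listen-peer-urls=https://10.32.97.9:2380
    - --name=controlplane
    # Peer listener (2380) certificate/key; peers must also present a
    # certificate chaining to --peer-trusted-ca-file.
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-client-cert-auth=true
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --snapshot-count=10000
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    image: k8s.gcr.io/etcd:3.4.13-0
    imagePullPolicy: IfNotPresent
    # Probes use the loopback-only HTTP metrics listener, not the TLS port.
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 2381
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: etcd
    resources:
      requests:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 100Mi
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 2381
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /var/lib/etcd
      name: etcd-data
    # NOTE(review): unlike the API server's /etc/kubernetes/pki mount, the
    # etcd PKI mount carries no readOnly: true, so the container can write
    # to the directory that holds its server and peer keys.
    - mountPath: /etc/kubernetes/pki/etcd
      name: etcd-certs
  # Control-plane static pod: shares the node's network namespace.
  hostNetwork: true
  priorityClassName: system-node-critical
  volumes:
  - hostPath:
      path: /etc/kubernetes/pki/etcd
      type: DirectoryOrCreate
    name: etcd-certs
  - hostPath:
      path: /var/lib/etcd
      type: DirectoryOrCreate
    name: etcd-data
status: {}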
--cert-file=/etc/kubernetes/pki/etcd/server.crt
--peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
apiserver.crt의 정보 확인
# Decode the API server's serving certificate. The fields to check are
# Issuer (which CA signed it), Validity (expiry), Subject, and the
# Subject Alternative Name list (the DNS names and IPs the cert is valid for).
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
root@controlplane:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8056460412838649799 (0x6fce4c0f7e3e9fc7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: Apr 11 13:36:32 2022 GMT
Not After : Apr 11 13:36:32 2023 GMT
Subject: CN = kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bc:e7:91:d3:16:d1:6b:41:1a:44:4e:07:ad:cf:
7b:ab:ae:e1:d4:86:d7:2c:e3:5a:5b:fd:3f:06:dd:
91:a3:31:53:28:3f:f9:55:8a:2e:0c:b3:06:0f:18:
80:17:71:58:ea:b7:d4:33:92:0d:13:fe:79:b5:c4:
16:c6:15:b9:68:ed:f7:06:eb:47:b9:71:76:70:92:
15:ce:97:d4:f3:13:da:19:0a:4c:f5:b8:2b:9f:c9:
73:5d:8b:88:70:8e:3d:3b:84:ca:93:d7:30:f9:8a:
20:cf:24:03:aa:84:1c:43:ce:ce:5a:79:89:e0:ad:
8f:ea:ff:0b:0b:55:c9:c1:81:65:61:e6:e6:81:39:
0c:5a:63:d1:05:8a:58:56:a3:12:d8:18:0d:57:eb:
96:3d:02:94:04:27:34:df:fb:93:08:77:de:de:de:
ee:a7:e1:6c:ef:0a:58:e1:32:36:31:eb:05:1d:69:
fe:67:34:80:28:07:10:73:bc:ac:8d:ad:33:80:40:
be:e6:4e:f7:d7:2d:69:b0:d1:a2:d1:50:b9:88:2b:
6f:19:ba:30:26:7c:26:0e:8e:54:91:fa:05:f0:6a:
28:db:37:d3:69:80:de:b5:9d:f2:cc:a4:ae:fa:59:
4e:56:12:48:f0:99:44:1c:16:df:8c:bc:e5:34:f9:
d2:57
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Authority Key Identifier:
keyid:DF:FB:DC:3C:B6:69:56:6A:AC:D2:95:52:5A:DF:D8:9C:C4:12:C0:69
X509v3 Subject Alternative Name:
DNS:controlplane, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:10.32.97.9
Signature Algorithm: sha256WithRSAEncryption
57:6e:db:e3:23:ab:a4:c3:25:d5:4d:76:a1:2f:3a:2b:e4:8f:
38:8b:06:37:93:1b:43:c6:a1:7c:df:05:0a:aa:9d:81:65:23:
0f:77:ad:26:c6:7a:6f:a9:6d:c0:e3:42:2d:06:23:16:0d:6d:
f3:10:31:2e:c7:5b:10:0e:08:ce:12:58:2d:f8:13:5e:c3:f5:
3a:80:a0:df:7b:50:c3:02:5f:06:46:a1:f0:70:d6:db:d8:cc:
34:fa:91:73:c5:2d:73:7f:fa:e2:a0:0c:0f:c8:16:c3:9c:6f:
d5:ca:3b:c1:95:cb:7e:fd:73:09:17:75:6a:33:b7:6a:72:91:
30:82:4b:b7:72:d3:18:0f:60:e0:73:5c:a8:c9:30:09:61:a1:
ce:cc:e6:87:0c:e3:02:d4:e7:19:05:a2:38:29:65:df:58:1c:
3b:15:78:c6:03:c6:04:11:cc:15:7f:34:96:b5:0c:85:e9:f0:
43:35:bc:61:f7:54:0f:3c:d1:45:d3:53:6e:ac:67:1d:08:b5:
1c:92:86:6c:33:0c:74:36:05:83:b8:73:31:6a:e1:ff:25:1d:
6d:f2:6b:eb:b2:b1:92:97:b3:8c:a8:c6:f4:8c:17:51:d0:6c:
f7:3a:4a:e1:37:f9:26:96:79:57:c8:a5:cf:f8:39:80:95:76:
ad:18:d3:36
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----