
Kubernetes Certificate Health Checker

This document provides information to check the health of certificates used in a Kubernetes cluster. It lists the component, type, certificate path and other details of certificates for the Kubernetes control plane including the CA, kube-apiserver, kubelet and etcd. It describes checks to perform on the certificates such as validating the CN, expiration, issuer and ensuring the certificates are configured correctly.

Uploaded by

sksundar.net396

Kubernetes Certificate Health Checker

Use this spreadsheet to gather the information needed to perform a health check of the certificates used in a Kubernetes cluster. A sample set of data is given in the Data sheet. Follow the same procedure.

Use the command openssl x509 -in <certificate path> -text to view data about a certificate

Version: v0.1
Author: [email protected]
Kubernetes Certification Course
| Component | Type | Certificate Path | CN Name | ALT Names | Organization | Issuer | Expiration | File Type | Purpose | Description |
|---|---|---|---|---|---|---|---|---|---|---|
| Certificate Authority | Server | /etc/kubernetes/pki/ca.crt | kubernetes | | | kubernetes | May 9 11:21:40 2029 GMT | Certificate | | CA server root certificates for Kubernetes API Server |
| Certificate Authority | Server | /etc/kubernetes/pki/ca.key | | | | | | Key | | CA server root certificate key for Kubernetes API Server |
| kube-apiserver | Server | /etc/kubernetes/pki/apiserver.crt | kube-apiserver | DNS:master, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:172.17.0.27 | | kubernetes | Feb 11 05:39:20 2020 GMT | Certificate | Server Certificate | Certificate to serve Kube-api server |
| kube-apiserver | Server | /etc/kubernetes/pki/apiserver.key | | | | | | Key | Server Key | Key to serve Kube-api server |
| kube-apiserver | Server | /etc/kubernetes/pki/ca.crt | kubernetes | | | kubernetes | Feb 8 05:39:19 2029 GMT | Certificate | Server CA Certificate | CA Certificate to validate clients connecting to Kube-API Server |
| kube-apiserver | Client (Kubelet) | /etc/kubernetes/pki/apiserver-kubelet-client.crt | kube-apiserver-kubelet-client | | system:masters | kubernetes | Feb 11 05:39:20 2020 GMT | Certificate | Client Cert: Kube API Server to Kubelet | Client Certificate for Kube-API Server to connect to ETCD Server |
| kube-apiserver | Client (Kubelet) | /etc/kubernetes/pki/apiserver-kubelet-client.key | | | | | | Key | Client Key: Kube API Server to Kubelet | Client Key for Kube-API Server to connect to ETCD Server |
| kube-apiserver | Client (Etcd) | /etc/kubernetes/pki/apiserver-etcd-client.crt | kube-apiserver-etcd-client | | system:masters | kubernetes | Feb 11 05:39:22 2020 GMT | Certificate | Client Cert: Kube API Server to ETCD | Client Certificate for Kube-API Server to connect to ETCD Server |
| kube-apiserver | Client (Etcd) | /etc/kubernetes/pki/apiserver-etcd-client.key | | | | | | Key | Client Key: Kube API Server to ETCD | Client Key for Kube-API Server to connect to ETCD Server |
| kube-apiserver | Client (Etcd) | /etc/kubernetes/pki/etcd/ca.crt | kubernetes | | | kubernetes | Feb 8 05:39:21 2029 GMT | Certificate | Client CA File: Kube API Server to ETCD | CA File to validate Kube-API server to ETCD Server Connectivity. The ETCD setup can have a separate CA |
| kubelet | Server | /var/lib/kubelet/pki/kubelet.crt | node01@1557660157 | | | | | Certificate | | |
| kubelet | Server | /var/lib/kubelet/pki/kubelet.key | | | | | | Key | | |
| kubelet | Client | /var/lib/kubelet/pki/kubelet-client-2019-05-12-11-2 | system:node:node01 | | system:nodes | kubernetes | May 11 11:18:00 2020 GMT | Certificate | | |
| kubelet | Client | | | | | | | Key | | |
| Certificate Authority (ETCD) | Server | /etc/kubernetes/pki/etcd/ca.crt | kubernetes | | | kubernetes | May 9 11:21:42 2029 GMT | Certificate | | CA Server root certificates for ETCD Server. (This could be the same as kube-api server or a separate one of its own.) |
| Certificate Authority (ETCD) | Server | /etc/kubernetes/pki/etcd/ca.key | | | | | | Key | | CA Server root certificate key for ETCD Server. (This could be the same as kube-api server or a separate one of its own.) |
| etcd-server | | | | | | | | Certificate | | |
| etcd-server | | | | | | | | Key | | |

Checks to perform:
1. Make sure the correct CN, ALT names and Organization are present, specifically for the kube-api server and the nodes (kubelets).
2. Ensure the certificates are not expired.
3. Ensure the certificates are issued by the right CA.
4. Ensure the correct certificate path is provided in the options on the service configuration files.
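
The script below is an added example, not part of the original spreadsheet: it automates checks 1 to 3 listed under "Checks to perform" for one certificate with openssl, covering CN and Organization but not ALT names. The function names, the 30-day default warning window and the throwaway PKI built by make_sample_pki are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the spreadsheet.
# check_cert CERT CA_CERT EXPECTED_CN EXPECTED_ORG [WARN_DAYS]
# e.g. check_cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
#          /etc/kubernetes/pki/ca.crt kube-apiserver-kubelet-client system:masters
# Prints one line per failed check and returns 0 only if all checks pass.
check_cert() {
    cert=$1; ca=$2; want_cn=$3; want_o=$4; warn_days=${5:-30}; rc=0
    # Check 1: subject CN and Organization. RFC2253 output is "CN=...,O=...";
    # values containing commas or multiple O entries are not handled here.
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
           sed 's/^subject= *//' | tr ',' '\n')
    cn=$(printf '%s\n' "$subj" | sed -n 's/^CN=//p')
    org=$(printf '%s\n' "$subj" | sed -n 's/^O=//p')
    [ "$cn" = "$want_cn" ] || { echo "FAIL CN: got '$cn', want '$want_cn'"; rc=1; }
    [ "$org" = "$want_o" ] || { echo "FAIL O: got '$org', want '$want_o'"; rc=1; }
    # Check 2: the certificate must remain valid for at least warn_days days.
    openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null ||
        { echo "FAIL expiry: $(openssl x509 -in "$cert" -noout -enddate)"; rc=1; }
    # Check 3: the signature must verify against the intended CA. Comparing the
    # issuer name is not enough when several CAs share the name "kubernetes".
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL issuer: does not verify against $ca"; rc=1; }
    return $rc
}

# Constructed sample data: two throwaway CAs that both use CN=kubernetes
# (ca, etcd-ca) and a client certificate signed by "ca" with 365-day and
# 10-day lifetimes, all written under directory $1.
make_sample_pki() {
    d=$1; subj="/O=system:masters/CN=kube-apiserver-kubelet-client"
    for name in ca etcd-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=kubernetes" \
            -keyout "$d/$name.key" -out "$d/$name.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    for days in 365 10; do
        openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days "$days" -out "$d/client-$days.crt" 2>/dev/null ||
            return 1
    done
}
```

Check 4 (certificate paths in the service configuration files) is not covered and still has to be compared by hand against the paths in the table.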
