Certificate Specifications
Certificates must be generated individually for each of the common names listed in
the table below. In a multi-node environment, every master node listed in the table
(both its IP address and its hostname) must be added to the SAN of the certificates.
| Common Name | Type | O (in Subject) | SAN (see notes below) | Parent CA | Cert and Location |
|---|---|---|---|---|---|
| kube-etcd | server | - | <master_hostnames>, <master_Host_IPs>, <kube_api_address>, localhost, 127.0.0.1, <service_ip> | etcd-ca | etcd/server.crt, etcd/server.key |
| kube-etcd-peer | server | - | <master_hostnames>, <master_Host_IPs>, <kube_api_address>, localhost, 127.0.0.1, <service_ip> | etcd-ca | etcd/peer.crt, etcd/peer.key |
| kube-etcd-healthcheck-client | client | - | - | etcd-ca | etcd/healthcheck-client.crt, etcd/healthcheck-client.key |
| kube-apiserver-etcd-client | client | system:masters | - | etcd-ca | pki/apiserver-etcd-client.key, pki/apiserver-etcd-client.crt |
| kube-apiserver | server | - | <master_hostnames>, <master_Host_IPs>, <kube_api_address>, localhost, 127.0.0.1, <service_ip>, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster, kubernetes.default.svc.cluster.local | kubernetes-ca | pki/apiserver.key, pki/apiserver.crt |
| kube-apiserver-kubelet-client | client | system:masters | - | kubernetes-ca | pki/apiserver-kubelet-client.key, pki/apiserver-kubelet-client.crt |
| front-proxy-client | client | - | - | kubernetes-front-proxy-ca | client.key, pki/front-proxy-client.crt |
| kubernetes-admin | client | system:masters | - | kubernetes-ca | admin.crt, admin.key |
| system:kube-controller-manager | client | - | - | kubernetes-ca | controller-manager.crt, controller-manager.key |
| system:kube-scheduler | client | - | - | kubernetes-ca | scheduler.crt, scheduler.key |
| system:node:<hostname> | client | system:nodes | - | kubernetes-ca | kubelet.crt, kubelet.key |
SAN values are as follows:
- <master_hostnames>: hostname of the master.
- <master_Host_IPs>: IP addresses of the master.
- <service_ip>: the service IP, which can be obtained by running kubectl get svc from any node.
- <kube_api_address>: load balancer address for the kube-apiserver (if configured).
- system:node:<hostname>: the kubelet.crt must be generated separately for every server (master and worker). For example, if the setup consists of three nodes, certificates must be generated for all three nodes. The value of <hostname> must be taken from the output of the hostname command.

Note:
- Enter only the output of the hostname command in the SAN; do not enter the output of the hostname -f command.
- A general rule for the SAN of the certificate is to add the IP addresses in the IP Address field and the hostnames in the DNS field.
- An example of a wrong entry is shown below:
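As an added example (not part of this specification, and not the screenshot of the wrong entry referenced above), the following Go check verifies that a generated certificate file carries every SAN entry the table requires. Entries are written in the openssl DNS:/IP: field notation, so an IP address that was typed into the DNS field is reported as missing rather than silently accepted. The self-signed test certificate and the values master1 and 10.0.0.11 are constructed placeholders, not values from a real cluster.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"net"
	"time"
)

// MissingSANs returns the required SAN entries (openssl form "DNS:name" / "IP:addr")
// that a PEM certificate lacks; an IP typed into the DNS field still counts as missing.
func MissingSANs(certPEM []byte, want []string) ([]string, error) {
	var der []byte
	if block, _ := pem.Decode(certPEM); block != nil {
		der = block.Bytes
	}
	cert, err := x509.ParseCertificate(der) // errors on non-PEM or malformed input
	if err != nil {
		return nil, err
	}
	have := map[string]bool{}
	for _, d := range cert.DNSNames {
		have["DNS:"+d] = true
	}
	for _, ip := range cert.IPAddresses {
		have["IP:"+ip.String()] = true
	}
	var missing []string
	for _, w := range want {
		if !have[w] {
			missing = append(missing, w)
		}
	}
	return missing, nil
}

// SelfSignedCert builds a constructed self-signed test certificate with the given
// CN and SANs; it only stands in for a CA-signed cluster certificate in tests.
func SelfSignedCert(cn string, dns []string, ips []net.IP) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: dns, IPAddresses: ips}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

To check a real file, read pki/apiserver.crt and pass the kube-apiserver SAN list from the table (each hostname as DNS:, each address as IP:); an empty result means every required entry is present in the correct field.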

