LAB02a: Explore Kubernetes Configuration Files

1. List Kubernetes directory

ls -l /etc/kubernetes

Inspect:

cat /etc/kubernetes/admin.conf
cat /etc/kubernetes/kubelet.conf

Verify Cluster Certificate Details

1. Check API server certificate SANs:

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout | grep -A2 "X509v3 Subject Alternative Name"

2. Check cluster CA fingerprint:

openssl x509 -in /etc/kubernetes/pki/ca.crt -fingerprint -sha256 -noout

This helps when you need tls-server-name.

Find Existing Users in Cluster

From kubeconfig

kubectl config get-users

Check CSR of nodes:

kubectl get csr
kubectl describe csr <csr-name>

You will see identities like:

Subject: O=system:nodes, CN=system:node:worker1

Create a New Kubernetes User with Certificate Authentication

1. Generate key + CSR:

openssl genrsa -out john.key 2048

openssl req -new -key john.key -out john.csr -subj "/CN=john/O=devteam"

2. Sign CSR with Kubernetes CA:

sudo openssl x509 -req -in john.csr \
  -CA /etc/kubernetes/pki/ca.crt \
  -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial -out john.crt -days 365

3. Create kubeconfig for user:

kubectl config set-credentials john \
  --client-certificate=john.crt \
  --client-key=john.key

kubectl config set-context dev \
  --cluster=kubernetes --user=john

Assign RBAC Permission to New User

kubectl create clusterrolebinding john-admin \
  --clusterrole=cluster-admin \
  --user=john

Add New Cluster / Modify Cluster

List clusters:

kubectl config get-clusters

Add a new cluster:

kubectl config set-cluster my-cluster \
  --server=https://1.2.3.4:6443 \
  --certificate-authority=/path/ca.crt

Validate Authentication Flow

Check who you are authenticated as:

kubectl auth whoami

Check allowed operations:

kubectl auth can-i create pods
kubectl auth can-i delete nodes

PreviousLAB02: Get Cluster Basic & Detailed Information NextBLOG02a: Understanding Kubernetes Contexts

Last updated 1 month ago

Good night

hashtag1. List Kubernetes directory

hashtagVerify Cluster Certificate Details

hashtag1. Check API server certificate SANs:

hashtag2. Check cluster CA fingerprint:

hashtagFind Existing Users in Cluster

hashtagFrom kubeconfig

hashtagCheck CSR of nodes:

hashtagCreate a New Kubernetes User with Certificate Authentication

hashtag1. Generate key + CSR:

hashtag2. Sign CSR with Kubernetes CA:

hashtag3. Create kubeconfig for user:

hashtagAssign RBAC Permission to New User

hashtagAdd New Cluster / Modify Cluster

hashtagList clusters:

hashtagAdd a new cluster:

hashtagValidate Authentication Flow

1. List Kubernetes directory

Verify Cluster Certificate Details

1. Check API server certificate SANs:

2. Check cluster CA fingerprint:

Find Existing Users in Cluster

From kubeconfig

Check CSR of nodes:

Create a New Kubernetes User with Certificate Authentication

1. Generate key + CSR:

2. Sign CSR with Kubernetes CA:

3. Create kubeconfig for user:

Assign RBAC Permission to New User

Add New Cluster / Modify Cluster

List clusters:

Add a new cluster:

Validate Authentication Flow