Why did you exec into kube-apiserver-kind-control-plane container only for generating the user certificate? Is it the kind of admin container which generates certs? I am using aks cluster, Which pod I need to use for generating certs?
Hi Harish, That's a good question, so we have to basically generate two things private key and CSR. These two things can be generated using openssl command independently. Once we have those files, look at 11:13. You can create CertificateSigningRequest k8s object, using the files that we generated and then admin can approve thst request and we would get .crt. Let me know if you have any other questions.
Hello sir I have created cluster with one master and one worker node ,master node added with public azure load balancer. But when we run curl load balancer ip:6443 from master node to access kube-api server . I get error like curl( 60 )SSL certificate problem: unable to get local issuer certificate. Also when we try from browser it not access. please tell me something about this.
Hi Nitin, If I understood correctly you are trying to access the api server endpoint using curl and browser, why are you doing that? Thats not how we access k8s clusters, right? Since api server is secured you won't be able to access the api server endpoint. You will have to generate the kubeconfig file to a access the k8s cluster. Now, generating kubeconfig file depends on how you have setup the cluster.
Hi vijay ,we added user vivek but how kubernetes know that user vivek is executing ,becauser we didnt login as user vivek,and video on securityContext please
When we create a CSR (certificate signing request), we specify the username as common name (CN) for subj flag. And certificate for used is created using the same CSR. Which (cert) eventually is used in kubeconfig. And that is how kubernetes figures out which user is trying to talk to the cluster. Let me know if this didn't make sense.
@@viveksinghggitsthanks for your reply,we are creating user vivek and doing everything, do we need to log In as user vivek to server where cluster is running to get these access?
Not really, if you see we didn't create a Linux user anywhere. So, you just have to set credentials in kubeconfig and kuebctl should take care of the rest.
Hey Dear, First video I found worth watching and got lot of information which I was looking for since a year. Great to view your videos having lot of contents and clear most of my doubts / :)
Awesome man, m currently learning K8, what u described above i asked many people who are already working into this since years but no one never replied back and the way u explained it 👏👏👏👏👏
Hi Vivek thanks for the detailed explanation. Can you clarify what is the ca-certificate that is in the kubeconfig yaml file? Is that the same ca-certificate as the one in control-plane (/etc/kubernetes/pki/ca.crt that you used to create user certificate) or different. Can we use the ca-certificate in the kubeconfig yaml file to generate certificates?
I think the answer for "Can we use the ca-certificate in the kubeconfig yaml file to generate certificates?" is not because we need ca.key AND ca.crt to generate certificates
Hi vivek, good content and coverage. Only request if you can make these videos small screen friendly (by increasing font size/zoom in). It would make phone based viewing experience seamless. Keep up the good work ! Kudos
Thank you for your efforts, it was very helpful, Kindly I have a question , after giving the devuser authentication to the cluster, what if i want to remove the authentication and the devuser will not be allwed to communicate with the cluster, how can i do that ? Thanks in advance.
Hi 👋, That's a good question. I am not sure if there is a command kubectl certificate deny That can be used to revoke the access, like we used kubectl certificate approve to approve the access. Yeah, so I am not sure. You will have to figure that out.
@@viveksinghggits I have searched this in kubernetes documentations, I think the only way to do that is to delete the rolebinding / roleBinding created for this user, but the user will still be able to authenticate to the cluster but without any permissions, (as seen in your video before creating the role and role binding ) I think this is the only way to revoke authorization while you are unable to revoke the authentication Best Wishes Dear.
Really very great video with in depth knowledge..well done.. keep going.. one question, you created role to allow pods only for vivek user. in case we want to provide all permission as like another user, do we need to create cluster role & cluster role binding?
