If Kubernetes API servers are accessed over a public internet, you may want to use a certificate signed by a trusted certificate authority (CA) to further secure your Kubernetes deployment.

About this task

You can use VMware Integrated OpenStack with Kubernetes CLI to prepare a certificate signing request. After the CA generates a signed certificate, you can use the CLI to upload it to a target Kubernetes cluster.

Prerequisites

If application pods are deployed already and these pods use the Kubernetes secret tokens, back up application data and remove the pods before updating the API server certificate. The certificate update invalidates the secret tokens, so you must re-create the pods following the update.

Procedure

  1. Login as root to the VMware Integrated OpenStack with Kubernetes VM. Provide the root password set during OVA deployment.
    vkube login --insecure
  2. Generate a certificate signing request.
    vkube cluster list --insecure
    vkube cluster csr <cluster_id> 
       --country-name <value1> 
       --locality-name <value2> 
       --organization name <value3>
       --organizatio-unit-name <value4>
       --state-name <value5>
       --insecure
  3. Copy the existing Kubernetes /etc/kubernetes/openssl.conf file from the Kubernetes Master0 node and send it with the Certificate Signing Request (CSR) file to your company's CA administrator.
  4. Using the CSR file and the extfile from openssl.conf, the CA administrator generates a signed certificate. Upload the API server's certificate and corresponding CA certificate to the Kubernetes cluster.
    vkube cluster crt <cluster-id> --insecure --ca-file-name ca.pem --crt-file-name apiserver.pem
  5. Login to the Master0 node and type:
    kubectl get pod --namespace=kube-system

    When all the pods change to status running, the cluster is ready to use.