Available as of v0.2.0
Certificates are an important part of Kubernetes clusters and are used by all Kubernetes cluster components. RKE has an rke cert command to help you work with certificates.
If you want the certificates created and signed by a real Certificate Authority (CA), you can use RKE to generate a set of Certificate Signing Requests (CSRs) and keys.
You can then have the CSRs signed by the real CA. After the certificates are signed, RKE can use them as custom certificates for the Kubernetes cluster.
By default, Kubernetes clusters require certificates, and RKE automatically generates certificates for the cluster. Rotating these certificates is important before they expire, and also whenever a certificate is compromised.
After the certificates are rotated, the Kubernetes components are automatically restarted. Certificates can be rotated for the following services:
RKE has the ability to rotate the auto-generated certificates with some simple commands:
Whenever you rotate certificates, the cluster.yml that was used to deploy the Kubernetes cluster is required. You can point to a different location for this file with the --config option when running rke cert rotate.
To rotate the service certificates for all the Kubernetes services, run rke cert rotate. After all the service certificates are rotated, these services are automatically restarted so that they start using the new certificates.
$ rke cert rotate
INFO[0000] Initiating Kubernetes cluster
INFO[0000] Rotating Kubernetes cluster certificates
INFO[0000] [certificates] Generating Kubernetes API server certificates
INFO[0000] [certificates] Generating Kube Controller certificates
INFO[0000] [certificates] Generating Kube Scheduler certificates
INFO[0001] [certificates] Generating Kube Proxy certificates
INFO[0001] [certificates] Generating Node certificate
INFO[0001] [certificates] Generating admin certificates and kubeconfig
INFO[0001] [certificates] Generating Kubernetes API server proxy client certificates
INFO[0001] [certificates] Generating etcd-xxxxx certificate and key
INFO[0001] [certificates] Generating etcd-yyyyy certificate and key
INFO[0002] [certificates] Generating etcd-zzzzz certificate and key
INFO[0002] Successfully Deployed state file at [./cluster.rkestate]
INFO[0002] Rebuilding Kubernetes cluster with rotated certificates
.....
INFO[0050] [worker] Successfully restarted Worker Plane..
To rotate the certificate for an individual Kubernetes service, use the --service option to specify the service. After the specified service has had its certificate rotated, it is automatically restarted so that it starts using the new certificate.
Example of rotating the certificate for only the kubelet:
$ rke cert rotate --service kubelet
INFO[0000] Initiating Kubernetes cluster
INFO[0000] Rotating Kubernetes cluster certificates
INFO[0000] [certificates] Generating Node certificate
INFO[0000] Successfully Deployed state file at [./cluster.rkestate]
INFO[0000] Rebuilding Kubernetes cluster with rotated certificates
.....
INFO[0033] [worker] Successfully restarted Worker Plane..
If the CA certificate needs to be rotated, you must rotate all the service certificates as well, because they need to be signed by the newly rotated CA certificate. To rotate the CA together with the service certificates, add the --rotate-ca option. After the CA and all the service certificates are rotated, these services are automatically restarted so that they start using the new certificates.
Rotating the CA certificate also restarts other system pods so that they use the new CA certificate. This includes:
$ rke cert rotate --rotate-ca
INFO[0000] Initiating Kubernetes cluster
INFO[0000] Rotating Kubernetes cluster certificates
INFO[0000] [certificates] Generating CA kubernetes certificates
INFO[0000] [certificates] Generating Kubernetes API server aggregation layer requestheader client CA certificates
INFO[0000] [certificates] Generating Kubernetes API server certificates
INFO[0000] [certificates] Generating Kube Controller certificates
INFO[0000] [certificates] Generating Kube Scheduler certificates
INFO[0000] [certificates] Generating Kube Proxy certificates
INFO[0000] [certificates] Generating Node certificate
INFO[0001] [certificates] Generating admin certificates and kubeconfig
INFO[0001] [certificates] Generating Kubernetes API server proxy client certificates
INFO[0001] [certificates] Generating etcd-xxxxx certificate and key
INFO[0001] [certificates] Generating etcd-yyyyy certificate and key
INFO[0001] [certificates] Generating etcd-zzzzz certificate and key
INFO[0001] Successfully Deployed state file at [./cluster.rkestate]
INFO[0001] Rebuilding Kubernetes cluster with rotated certificates