When you want to associate IAM roles with pods instead of granting a broad, all-powerful role to the worker nodes, Kiam is a fairly popular project in the community. Kiam runs as an agent on each node in the Kubernetes cluster and lets cluster users associate IAM roles with Pods.
To secure the traffic between its server and agents, Kiam uses TLS certificates. To simplify certificate management for Kiam, we will use cert-manager, a native Kubernetes certificate management controller that issues certificates from various sources, including self-signed ones.
For Kiam, we will need the following:
Self-signed CA
Server Certificate (issued by the above CA)
Agent Certificate (issued by the above CA)
The following code shows the Issuer and Certificate for the initial self-signed CA. The isCA option in the Certificate spec marks it as a CA certificate.
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: kiam-ca-selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kiam-ca-selfsigned
spec:
  secretName: kiam-ca-selfsigned
  commonName: "kiam-ca"
  isCA: true
  issuerRef:
    name: kiam-ca-selfsigned-issuer
  usages:
    - "any"
The above CA certificate will be stored in the kiam-ca-selfsigned secret.
Based on this CA certificate, we create an Issuer of type CA and pass it the secret name.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: kiam-ca-issuer
spec:
  ca:
    secretName: kiam-ca-selfsigned
Now that we have an issuer, we are ready to generate the server and agent certificates.
Generating Server & Agent Certificates
For Server
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kiam-server
spec:
  secretName: kiam-server-tls
  issuerRef:
    name: kiam-ca-issuer
  usages:
    - "any"
  dnsNames:
    - "localhost"
    - "kiam-server"
  ipAddresses:
    - "127.0.0.1"
For Agent
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kiam-agent
spec:
  secretName: kiam-agent-tls
  commonName: agent
  issuerRef:
    name: kiam-ca-issuer
  usages:
    - "any"
Renewing Certificates
The only caveat is that when the self-signed CA certificate gets renewed, the server and agent certificates issued from it are not renewed automatically, so the agents and server would keep presenting certificates signed by the old CA; this issue is already reported on the cert-manager repositories. You will have to renew them manually with the following commands:
kubectl cert-manager renew kiam-server --namespace=kube-system
kubectl cert-manager renew kiam-agent --namespace=kube-system
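The two steps above are easy to get wrong once the cluster has more than two leaf certificates: you have to know which Certificates chain back to the rotated CA, and you want to confirm that the server certificate still carries the names Kiam expects (localhost, kiam-server and 127.0.0.1, as in the manifests above). The following script is an added example, not code from the post or from the Kiam or cert-manager projects. It walks issuerRef → Issuer.ca.secretName → Certificate over a constructed item list that mirrors the manifests shown here (the same shape `kubectl get issuers,certificates -o json` returns, trimmed), lists the Certificates that must be renewed after the CA rotates, and emits the matching `kubectl cert-manager renew` commands. It assumes all resources live in one namespace and that issuerRef names an Issuer (not a ClusterIssuer); those are assumptions, not something the post states.

```python
"""Added example: find cert-manager Certificates that chain to the self-signed
Kiam CA (and so need a manual renew after the CA rotates), and check the
server certificate's SANs. Not part of the original post."""
import json

# Constructed sample mirroring the post's manifests, in the trimmed shape of
# `kubectl get issuers,certificates -o json` items. Assumption: one namespace,
# issuerRef always points at an Issuer (not a ClusterIssuer).
SAMPLE_ITEMS = json.loads("""
[
 {"kind": "Issuer", "metadata": {"name": "kiam-ca-selfsigned-issuer"},
  "spec": {"selfSigned": {}}},
 {"kind": "Certificate", "metadata": {"name": "kiam-ca-selfsigned"},
  "spec": {"secretName": "kiam-ca-selfsigned", "commonName": "kiam-ca",
           "isCA": true, "issuerRef": {"name": "kiam-ca-selfsigned-issuer"},
           "usages": ["any"]}},
 {"kind": "Issuer", "metadata": {"name": "kiam-ca-issuer"},
  "spec": {"ca": {"secretName": "kiam-ca-selfsigned"}}},
 {"kind": "Certificate", "metadata": {"name": "kiam-server"},
  "spec": {"secretName": "kiam-server-tls",
           "issuerRef": {"name": "kiam-ca-issuer"}, "usages": ["any"],
           "dnsNames": ["localhost", "kiam-server"],
           "ipAddresses": ["127.0.0.1"]}},
 {"kind": "Certificate", "metadata": {"name": "kiam-agent"},
  "spec": {"secretName": "kiam-agent-tls", "commonName": "agent",
           "issuerRef": {"name": "kiam-ca-issuer"}, "usages": ["any"]}}
]
""")


def index(items):
    """Split items into Issuers, Certificates and a secretName -> Certificate map."""
    issuers = {i["metadata"]["name"]: i for i in items if i["kind"] == "Issuer"}
    certs = {i["metadata"]["name"]: i for i in items if i["kind"] == "Certificate"}
    by_secret = {c["spec"]["secretName"]: n for n, c in certs.items()}
    return issuers, certs, by_secret


def root_ca_certificate(cert_name, items):
    """Follow issuerRef -> Issuer.ca.secretName -> Certificate until a CA
    Certificate signed by a selfSigned Issuer is reached. Returns its name, or
    None when the chain ends elsewhere (unknown or external issuer, cycle)."""
    issuers, certs, by_secret = index(items)
    seen, name = set(), cert_name
    while name not in seen:
        seen.add(name)
        cert = certs[name]
        issuer = issuers.get(cert["spec"]["issuerRef"]["name"])
        if issuer is None:
            return None
        if "selfSigned" in issuer["spec"]:
            return name if cert["spec"].get("isCA") else None
        ca_secret = issuer["spec"].get("ca", {}).get("secretName")
        if ca_secret not in by_secret:
            return None
        name = by_secret[ca_secret]
    return None


def dependents_of_ca(ca_cert_name, items):
    """Certificates (other than the CA itself) that chain to ca_cert_name."""
    _, certs, _ = index(items)
    return sorted(n for n in certs
                  if n != ca_cert_name and root_ca_certificate(n, items) == ca_cert_name)


def renew_commands(ca_cert_name, items, namespace="kube-system"):
    """The manual renew commands to run after the CA certificate rotates."""
    return [f"kubectl cert-manager renew {n} --namespace={namespace}"
            for n in dependents_of_ca(ca_cert_name, items)]


def missing_server_sans(cert, required_dns=("localhost", "kiam-server"),
                        required_ips=("127.0.0.1",)):
    """Names from the post's server manifest that are absent from a Certificate spec."""
    spec = cert["spec"]
    have = set(spec.get("dnsNames", [])) | set(spec.get("ipAddresses", []))
    return sorted(set(required_dns + required_ips) - have)


if __name__ == "__main__":
    for cmd in renew_commands("kiam-ca-selfsigned", SAMPLE_ITEMS):
        print(cmd)
    _, sample_certs, _ = index(SAMPLE_ITEMS)
    print("server SANs missing:", missing_server_sans(sample_certs["kiam-server"]))
```

Against live data, replace SAMPLE_ITEMS with the `items` array from `kubectl get issuers,certificates -n kube-system -o json`; the chain walk stops with None for an issuer it does not know (for example an external CA), so those certificates are deliberately left out of the renew list rather than guessed at.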
I hope you learned something new from this blog post. Click here to learn about me and how you can support my work. Thank you.