-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
--------- Co-authored-by: eaudetcobello <etienne.audet-cobello@canonical.com> Co-authored-by: Nick Veitch <nick.veitch@canonical.com> Co-authored-by: Louise K. Schmidtgen <louise.schmidtgen@canonical.com>
- Loading branch information
1 parent
c81f19b
commit dc32c2a
Showing
4 changed files
with
67 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
# Cluster Certificates and Configuration Directories | ||
|
||
This reference page provides an overview of certificate authorities (CAs), | ||
certificates and configuration directories in use by a {{ product }} cluster. | ||
|
||
## Certificate Authorities (CAs) | ||
|
||
This table outlines the common certificate authorities (CAs) used in a | ||
Kubernetes environment, detailing their specific purposes, usage, | ||
and locations on the disk. | ||
|
||
| **Common Name** | **Purpose** | **File Location** | **Primary Function** | | ||
|--------------------------------------------|-----------|----------------------|-------------------------------| | ||
| `kubernetes-ca` | General Kubernetes CA | `/etc/kubernetes/pki/ca.crt` | Signing all Kubernetes-related certificates | | ||
| `kubernetes-front-proxy-ca` | CA for front-end proxy | `/etc/kubernetes/pki/front-proxy-ca.crt` | Signing certificates for the front-proxy | | ||
| `client-ca` | CA for client certificates | `/etc/kubernetes/pki/client-ca.crt` | Signing certificates for the client | | ||
|
||
|
||
## Certificates | ||
|
||
This table provides an overview of the certificates currently in use, | ||
including their roles, storage paths, and the entities responsible for | ||
their issuance. | ||
|
||
|
||
| **Common Name** | **Purpose** | **File Location** | **Primary Function** | **Signed By** | | ||
|--------------------------------------------|-----------|------------------------------------------------------|------------------------------------------------------------------|-----------------------------| | ||
| `kube-apiserver` | Server | `/etc/kubernetes/pki/apiserver.crt` | Securing the API server endpoint | `kubernetes-ca` | | ||
| `apiserver-kubelet-client` | Client | `/etc/kubernetes/pki/apiserver-kubelet-client.crt` | API server communication with kubelets | `kubernetes-ca-client` | | ||
| `kube-apiserver-etcd-client` | Client | `/etc/kubernetes/pki/apiserver-etcd-client.crt` | API server communication with etcd | `kubernetes-ca-client` | | ||
| `front-proxy-client` | Client | `/etc/kubernetes/pki/front-proxy-client.crt` | API server communication with the front-proxy | `kubernetes-front-proxy-ca` | | ||
| `system:kube-controller-manager` | Client | `/etc/kubernetes/pki/controller-manager.crt` | Communication between the controller manager and the API server | `kubernetes-ca-client` | | ||
| `system:kube-scheduler` | Client | `/etc/kubernetes/pki/scheduler.crt` | Communication between the scheduler and the API server | `kubernetes-ca-client` | | ||
| `system:kube-proxy` | Client | `/etc/kubernetes/pki/proxy.crt` | Communication between kube-proxy and the API server | `kubernetes-ca-client` | | ||
| `system:node:$hostname` | Client | `/etc/kubernetes/pki/kubelet-client.crt` | Authentication of kubelets to the API server | `kubernetes-ca-client` | | ||
| `k8s-dqlite` | Client | `/var/snap/k8s/common/var/lib/k8s-dqlite/cluster.crt`| Communication between k8s-dqlite nodes and API server | `self-signed` | | ||
| `root@$hostname` | Client | `/var/snap/k8s/common/var/lib/k8s-dqlite/cluster.crt` | Communication between k8sd nodes | `self-signed` | | ||
|
||
|
||
## Configuration Files for Kubernetes Components | ||
|
||
The following tables provide an overview of the configuration files used to | ||
communicate with the cluster services. | ||
|
||
### Control-plane node | ||
|
||
Control-plane nodes use the following configuration files. | ||
|
||
| **Configuration File** | **Purpose** | **File Location** | **Primary Function** | | ||
|------------------------------------|----------------------------------------|--------------------------------------------|----------------------------------------------| | ||
| `admin.conf` | Administrator Client Config | `/etc/kubernetes/admin.conf` | Admin access to the cluster | | ||
| `controller-manager.conf` | Controller Manager Client Config | `/etc/kubernetes/controller-manager.conf` | Communication with the API server | | ||
| `scheduler.conf` | Scheduler Client Config | `/etc/kubernetes/scheduler.conf` | Communication with the API server | | ||
| `kubelet.conf` | Kubelet Client Config | `/etc/kubernetes/kubelet.conf` | Node registration and communication with API server | | ||
| `proxy.conf` | Proxy Client Config | `/etc/kubernetes/proxy.conf` | Communication with the API server | | ||
|
||
### Worker node | ||
|
||
Worker nodes use the following configuration files. | ||
|
||
| **Configuration File** | **Purpose** | **File Location** | **Primary Function** | | ||
|------------------------------------|----------------------------------------|--------------------------------------------|----------------------------------------------| | ||
| `proxy.conf` | Proxy Client Config | `/etc/kubernetes/proxy.conf` | Communication with the API server | | ||
| `kubelet.conf` | Kubelet Client Config | `/etc/kubernetes/kubelet.conf` | Node registration and communication with API server | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -13,6 +13,7 @@ Overview <self> | |
releases | ||
commands | ||
certificates | ||
bootstrap-config-reference | ||
proxy | ||
troubleshooting | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters