망지로그
CKA - Certificates API
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
Certificates and Certificate Signing Requests
Kubernetes certificate and trust bundle APIs enable automation of X.509 credential provisioning by providing a programmatic interface for clients of the Kubernetes API to request and obtain X.509 certificates from a Certificate Authority (CA). There is als
kubernetes.io
Creating a CertificateSigningRequest
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser
spec:
  request: <base64-encoded contents of myuser.csr>
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  usages:
  - client auth
EOF
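- usages: 'client auth' is required.
- expirationSeconds can be made longer (i.e. 864000 for ten days) or shorter (i.e. 3600 for one hour).
- request is the base64-encoded value of the CSR file content. You can get the content with the following command:

cat myuser.csr | base64 | tr -d "\n"

-> Right after creation the CSR is in the Pending state and has to be approved.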
kubectl certificate approve myuser
Check the details
k describe csr csr-b5kmv
k get csr csr-b5kmv -o yaml
Reject that request.
kubectl certificate deny agent-smith
delete
kubectl delete csr agent-smith
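
The manifest creation step above as a reusable shell function. This is an added example, not part of the original post; csr_manifest and sample_csr are hypothetical helper names. It refuses input that should never reach the API server (a private key, a non-CSR PEM file, an expirationSeconds below the API minimum of 600) before encoding the file the same way as the command on this page.

```shell
#!/bin/sh
# Added example (not from the original post). csr_manifest and sample_csr are
# hypothetical helper names.

# csr_manifest NAME CSR_FILE [EXPIRATION_SECONDS]: print the manifest on stdout.
csr_manifest() {
  name=$1 file=$2 ttl=${3:-86400}

  # Object names are lowercase DNS-style labels; this also keeps the YAML intact.
  case $name in ''|*[!a-z0-9.-]*) echo "invalid name" >&2; return 1;; esac
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  # A private key placed in spec.request would be stored in the API object.
  if grep -q -e 'PRIVATE KEY-----' "$file"; then
    echo "$file contains a private key, refusing" >&2; return 1
  fi
  # The field takes a PEM "CERTIFICATE REQUEST" block, not an issued certificate.
  grep -q -e '^-----BEGIN CERTIFICATE REQUEST-----' "$file" ||
    { echo "$file is not a PEM CSR" >&2; return 1; }
  # The API server rejects expirationSeconds below 600 (ten minutes).
  case $ttl in ''|*[!0-9]*) echo "ttl must be an integer" >&2; return 1;; esac
  [ "$ttl" -ge 600 ] || { echo "ttl must be at least 600" >&2; return 1; }

  # Same encoding as the page's command: base64 of the whole file, one line.
  request=$(base64 < "$file" | tr -d '\n')

  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $name
spec:
  request: $request
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: $ttl
  usages:
  - client auth
EOF
}

# Constructed sample input: PEM framing with a placeholder body, not a real CSR.
sample_csr() {
  printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE REQUEST-----'
}

# Demo on the sample; in real use: csr_manifest myuser myuser.csr | kubectl apply -f -
tmp=$(mktemp); sample_csr > "$tmp"; csr_manifest myuser "$tmp" 86400; rm -f "$tmp"
```
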