Kubernetes Certificates
Kubernetes Certificates
Security
Certificates
Take a look at the description of the kube-apiserver pod in the kube-system namespace. Pay attention to the kube-apiserver command arguments. It is a long list!!
Primarily, there are many pairs of certfile and keyfile for apiserver, etcd, kubectl etc. In Minikube setup, most of these are located in /var/lib/minikube/certs/. It would be different when the cluster is setup with kubeadm which we have not discussed yet.
pradeep@learnk8s$ kubectl describe -n kube-system pods kube-apiserver-k8s
Name: kube-apiserver-k8s
Namespace: kube-system
Priority: 2000001000
Priority Class Name: system-node-critical
Node: k8s/192.168.177.29
Start Time: Tue, 15 Feb 2022 12:28:03 +0530
Labels: component=kube-apiserver
tier=control-plane
Annotations: kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.177.29:8443
kubernetes.io/config.hash: cca804e910f3a6e748c66a6963d63fdd
kubernetes.io/config.mirror: cca804e910f3a6e748c66a6963d63fdd
kubernetes.io/config.seen: 2022-02-15T06:58:02.427574419Z
kubernetes.io/config.source: file
seccomp.security.alpha.kubernetes.io/pod: runtime/default
Status: Running
IP: 192.168.177.29
IPs:
IP: 192.168.177.29
Controlled By: Node/k8s
Containers:
kube-apiserver:
Container ID: docker://0ec9bc91aa13e593b1518fac7a4f9f39c7e16a0e478c2362336b8c050f9c085c
Image: k8s.gcr.io/kube-apiserver:v1.23.1
Image ID: docker-pullable://k8s.gcr.io/kube-apiserver@sha256:f54681a71cce62cbc1b13ebb3dbf1d880f849112789811f98b6aebd2caa2f255
Port: <none>
Host Port: <none>
Command:
kube-apiserver
--advertise-address=192.168.177.29
--allow-privileged=true
--authorization-mode=Node,RBAC
--client-ca-file=/var/lib/minikube/certs/ca.crt
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
--enable-bootstrap-token-auth=true
--etcd-cafile=/var/lib/minikube/certs/etcd/ca.crt
--etcd-certfile=/var/lib/minikube/certs/apiserver-etcd-client.crt
--etcd-keyfile=/var/lib/minikube/certs/apiserver-etcd-client.key
--etcd-servers=https://127.0.0.1:2379
--kubelet-client-certificate=/var/lib/minikube/certs/apiserver-kubelet-client.crt
--kubelet-client-key=/var/lib/minikube/certs/apiserver-kubelet-client.key
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
--proxy-client-cert-file=/var/lib/minikube/certs/front-proxy-client.crt
--proxy-client-key-file=/var/lib/minikube/certs/front-proxy-client.key
--requestheader-allowed-names=front-proxy-client
--requestheader-client-ca-file=/var/lib/minikube/certs/front-proxy-ca.crt
--requestheader-extra-headers-prefix=X-Remote-Extra-
--requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User
--secure-port=8443
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--service-account-key-file=/var/lib/minikube/certs/sa.pub
--service-account-signing-key-file=/var/lib/minikube/certs/sa.key
--service-cluster-ip-range=10.96.0.0/12
--tls-cert-file=/var/lib/minikube/certs/apiserver.crt
--tls-private-key-file=/var/lib/minikube/certs/apiserver.key
State: Running
Started: Tue, 15 Feb 2022 12:27:50 +0530
Ready: True
Restart Count: 1
Requests:
cpu: 250m
Liveness: http-get https://192.168.177.29:8443/livez delay=10s timeout=15s period=10s #success=1 #failure=8
Readiness: http-get https://192.168.177.29:8443/readyz delay=0s timeout=15s period=1s #success=1 #failure=3
Startup: http-get https://192.168.177.29:8443/livez delay=10s timeout=15s period=10s #success=1 #failure=24
Environment: <none>
Mounts:
/etc/ssl/certs from ca-certs (ro)
/usr/share/ca-certificates from usr-share-ca-certificates (ro)
/var/lib/minikube/certs from k8s-certs (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
ca-certs:
Type: HostPath (bare host directory volume)
Path: /etc/ssl/certs
HostPathType: DirectoryOrCreate
k8s-certs:
Type: HostPath (bare host directory volume)
Path: /var/lib/minikube/certs
HostPathType: DirectoryOrCreate
usr-share-ca-certificates:
Type: HostPath (bare host directory volume)
Path: /usr/share/ca-certificates
HostPathType: DirectoryOrCreate
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: :NoExecute op=Exists
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning Unhealthy 178m (x5 over 30h) kubelet Liveness probe failed: Get "https://192.168.177.29:8443/livez": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Warning Unhealthy 177m (x17 over 30h) kubelet Readiness probe failed: Get "https://192.168.177.29:8443/readyz": net/http: TLS handshake timeout
Warning Unhealthy 170m (x7 over 27h) kubelet Readiness probe failed: Get "https://192.168.177.29:8443/readyz": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Warning Unhealthy 170m (x6 over 27h) kubelet Liveness probe failed: Get "https://192.168.177.29:8443/livez": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Warning Unhealthy 170m (x8 over 30h) kubelet Readiness probe failed: Get "https://192.168.177.29:8443/readyz": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
We can login to the minikube node and use the openssl x509 command to view the actual certificate. Here is an example. Pass the certificate path as -in argument and use -text to display the certificate in plain-text.
pradeep@learnk8s$ minikube ssh -p k8s
_ _
_ _ ( ) ( )
___ ___ (_) ___ (_)| |/') _ _ | |_ __
/' _ ` _ `\| |/' _ `\| || , < ( ) ( )| '_`\ /'__`\
| ( ) ( ) || || ( ) || || |\`\ | (_) || |_) )( ___/
(_) (_) (_)(_)(_) (_)(_)(_) (_)`\___/'(_,__/'`\____)
$ openssl x509 -in /var/lib/minikube/certs/apiserver.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = minikubeCA
Validity
Not Before: Feb 14 06:54:36 2022 GMT
Not After : Feb 14 06:54:36 2025 GMT
Subject: O = system:masters, CN = minikube
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c7:e1:19:9b:17:43:df:ff:31:4e:fe:66:7c:4b:
c4:1a:63:e6:5d:a6:a2:85:1c:11:b9:5a:72:42:50:
8b:25:a4:f0:89:eb:24:bf:3b:a6:e6:79:26:b8:18:
ed:9b:7b:76:01:68:a4:b1:1b:39:d8:b8:36:14:21:
44:b5:26:57:a3:a6:d3:55:e2:8c:32:5b:55:71:1e:
47:3e:56:b6:e8:92:86:af:aa:90:d1:4a:5a:36:ac:
a7:4f:a4:6c:09:a6:16:3b:e7:76:bc:41:18:89:7e:
be:87:df:c7:a9:ee:b7:da:34:43:ae:9f:37:cd:5d:
8d:e2:71:5c:e6:4c:e4:60:46:8c:b1:ef:7d:90:4b:
51:c3:e3:7f:a7:84:fe:06:28:1a:28:18:fd:9a:00:
b0:a7:d9:c9:b1:61:c9:d7:81:2d:c1:5d:5b:d2:f3:
f6:13:e4:d8:7f:d6:5c:c0:39:56:b1:14:04:f6:b7:
ea:9b:50:d7:aa:4d:f2:20:89:8b:8b:bc:81:b0:91:
4f:9b:f2:b9:69:b5:ce:80:67:a4:9e:f3:ba:17:03:
f6:89:ee:22:0e:8d:65:61:ef:16:96:67:dc:d7:4f:
ea:aa:36:7a:0c:59:53:2d:2a:fd:01:0f:93:15:fa:
8d:42:94:da:f1:0d:c8:8e:6b:15:b3:8b:4f:de:1d:
03:2b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:8B:FA:31:A7:8B:76:DE:C6:F5:3D:C0:BF:25:05:1D:05:78:B9:82:40
X509v3 Subject Alternative Name:
DNS:minikubeCA, DNS:control-plane.minikube.internal, DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:192.168.177.29, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.0.0.1
Signature Algorithm: sha256WithRSAEncryption
8e:94:63:81:ad:57:80:84:2d:89:8b:3c:af:7c:13:d1:6c:49:
53:53:61:cc:cb:bc:9d:63:93:9b:4e:b2:0e:a0:e3:9d:22:e4:
4e:a9:de:75:88:05:23:46:bb:75:4c:be:ff:ba:68:e3:19:d0:
15:b2:6a:01:5d:5b:ea:d0:a2:2d:53:80:99:25:e9:4f:f0:1a:
65:47:c3:e4:8e:06:6c:db:23:55:57:64:f3:0d:5a:4a:e8:63:
b2:b6:57:00:13:85:29:fe:e0:de:06:d6:e3:ec:f3:96:1d:5c:
e7:03:8f:46:d9:bf:6b:f5:dd:1a:41:db:15:23:14:36:42:c3:
c7:34:28:2e:a3:c4:e8:99:29:6c:28:9b:40:35:aa:58:0e:4a:
b4:fd:0b:b4:11:a6:c5:f4:10:97:9b:c8:1c:ec:ea:a0:77:7c:
c2:b1:70:c6:7b:85:34:8a:36:b0:ca:35:6a:7c:1c:e9:4e:08:
9c:f9:be:de:41:ce:84:5e:51:60:52:e0:63:89:a7:18:1f:23:
3e:f2:8e:0c:d6:9d:d2:38:04:cd:cc:2c:2e:70:c8:57:99:2b:
3e:ba:08:1f:86:f4:0f:39:63:55:71:33:bc:49:ac:44:cf:e6:
4f:27:dd:78:45:88:13:a7:57:d1:a3:09:76:cb:06:00:4b:84:
df:ac:cb:0e
-----BEGIN CERTIFICATE-----
MIID3DCCAsSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
a3ViZUNBMB4XDTIyMDIxNDA2NTQzNloXDTI1MDIxNDA2NTQzNlowLDEXMBUGA1UE
ChMOc3lzdGVtOm1hc3RlcnMxETAPBgNVBAMTCG1pbmlrdWJlMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx+EZmxdD3/8xTv5mfEvEGmPmXaaihRwRuVpy
QlCLJaTwieskvzum5nkmuBjtm3t2AWigsRs52Lg2FCFEtSZXo6bTVeKMMltVcR5H
Pla26JKGr6qQ0UpaNqynT6RsCaYWO+d2vEEYiX6+h9/Hqe632jRDrp83zV2N4nFc
5kzkYEaMse99kEtRw+N/p4T+BigaKBj9mgCwp9nJsWHJ14EtwV1b0vP2E+TYf9Zc
wDlWsRQE9rfqm1DXqk3yIImLi7yBsJFPm/K5abXOgGeknvO6FwP2ie4iDo1lYe8W
lmfc10/qqjZ6DFlTLSr9AQ+TFfqNQpTa8Q3IjmsVs4tP3h0DKwIDAQABo4IBHjCC
ARowDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFIv6MadLdt7G9T3AvyUFHQV4uYJA
MIG5BgNVHREEgbEwgb6CCm1pbmlrdWJlQ0GCH2NvbnRyb2wtcGxhbmUubWluaWt1
YmUuaW50ZXJuYWyCJGt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2Nh
bIIWa3ViZXJuZXRlcy5kZWZhdWx0LnN2Y4ISa3ViZXJuZXRlcy5kZWZhdWx0ggpr
dWJlcm5ldGVzgglsb2NhbGhvc3SHBMCosR2HBApgAAGHBH8AAAGHBAoAAAEwDQYJ
KoZIhvcNAQELBQADggEBAI6UY4GtV4CELYmLPK98E9FsSVNTYczLvJ1jk5tOsg6g
450i5E6p3nWIBSNGu3VMvv+6aOMZ0BWyagFdW+rQoi1TgJkl6U/wGmVHw+SOBmzb
I1VXZPMNWkroY7K2VwAThSn+4N4G1uPs85YdXOcDj0bZv2v13Roh2xUjFDZCw8c0
KC6jxOiZKWwom0A1qlgOSrT9C7QRpsX0EJtbyBzs6qB3fMKxcMZ7hTSKNrDKNWp8
HOlOCJz5vt5BzoReUWBS4GOJpxgfIz7yjgzWndI4BM3MLC5wyFeZKz66CB+G9A85
Y1VxM7xJrETP5k8n3XhFiBOnV9GjCXbLBgBLhN+syw4=
-----END CERTIFICATE-----
$
We can see that the Issuer: CN = minikubeCA , Subject: O = system:masters, CN = minikube and Subject Alternative Name: DNS:minikubeCA, DNS:control-plane.minikube.internal, DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:192.168.177.29, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.0.0.1.
Similarly, let us take a look at the description of the etcd pod in the kube-system namespace and pay attention to the etcd command arguments. Again a long list, but for now, just look for cert and key files.
pradeep@learnk8s$ kubectl describe -n kube-system pods etcd-k8s
Name: etcd-k8s
Namespace: kube-system
Priority: 2000001000
Priority Class Name: system-node-critical
Node: k8s/192.168.177.29
Start Time: Tue, 15 Feb 2022 12:28:03 +0530
Labels: component=etcd
tier=control-plane
Annotations: kubeadm.kubernetes.io/etcd.advertise-client-urls: https://192.168.177.29:2379
kubernetes.io/config.hash: 553a1d887eba16384375f475194d677c
kubernetes.io/config.mirror: 553a1d887eba16384375f475194d677c
kubernetes.io/config.seen: 2022-02-15T06:58:02.427571167Z
kubernetes.io/config.source: file
seccomp.security.alpha.kubernetes.io/pod: runtime/default
Status: Running
IP: 192.168.177.29
IPs:
IP: 192.168.177.29
Controlled By: Node/k8s
Containers:
etcd:
Container ID: docker://7ad2e9b1c5fb22610382e026ecea82c4def63655f4771b398416b6dfd7b88374
Image: k8s.gcr.io/etcd:3.5.1-0
Image ID: docker-pullable://k8s.gcr.io/etcd@sha256:64b9ea357325d5db9f8a723dcf503b5a449177b17ac87d69481e126bb724c263
Port: <none>
Host Port: <none>
Command:
etcd
--advertise-client-urls=https://192.168.177.29:2379
--cert-file=/var/lib/minikube/certs/etcd/server.crt
--client-cert-auth=true
--data-dir=/var/lib/minikube/etcd
--initial-advertise-peer-urls=https://192.168.177.29:2380
--initial-cluster=k8s=https://192.168.177.29:2380
--key-file=/var/lib/minikube/certs/etcd/server.key
--listen-client-urls=https://127.0.0.1:2379,https://192.168.177.29:2379
--listen-metrics-urls=http://127.0.0.1:2381
--listen-peer-urls=https://192.168.177.29:2380
--name=k8s
--peer-cert-file=/var/lib/minikube/certs/etcd/peer.crt
--peer-client-cert-auth=true
--peer-key-file=/var/lib/minikube/certs/etcd/peer.key
--peer-trusted-ca-file=/var/lib/minikube/certs/etcd/ca.crt
--proxy-refresh-interval=70000
--snapshot-count=10000
--trusted-ca-file=/var/lib/minikube/certs/etcd/ca.crt
State: Running
Started: Tue, 15 Feb 2022 12:27:49 +0530
Ready: True
Restart Count: 1
Requests:
cpu: 100m
memory: 100Mi
Liveness: http-get http://127.0.0.1:2381/health delay=10s timeout=15s period=10s #success=1 #failure=8
Startup: http-get http://127.0.0.1:2381/health delay=10s timeout=15s period=10s #success=1 #failure=24
Environment: <none>
Mounts:
/var/lib/minikube/certs/etcd from etcd-certs (rw)
/var/lib/minikube/etcd from etcd-data (rw)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
etcd-certs:
Type: HostPath (bare host directory volume)
Path: /var/lib/minikube/certs/etcd
HostPathType: DirectoryOrCreate
etcd-data:
Type: HostPath (bare host directory volume)
Path: /var/lib/minikube/etcd
HostPathType: DirectoryOrCreate
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: :NoExecute op=Exists
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning Unhealthy 3h18m (x12 over 28h) kubelet Liveness probe failed: Get "http://127.0.0.1:2381/health": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
ETCD can have its own Certificate Authority (CA). Let us verify if both api-server and etcd are using the same CA certificate or different.
pradeep@learnk8s$ minikube ssh -p k8s
_ _
_ _ ( ) ( )
___ ___ (_) ___ (_)| |/') _ _ | |_ __
/' _ ` _ `\| |/' _ `\| || , < ( ) ( )| '_`\ /'__`\
| ( ) ( ) || || ( ) || || |\`\ | (_) || |_) )( ___/
(_) (_) (_)(_)(_) (_)(_)(_) (_)`\___/'(_,__/'`\____)
$ openssl x509 -in /var/lib/minikube/certs/etcd/ca.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = etcd-ca
Validity
Not Before: Feb 15 06:54:39 2022 GMT
Not After : Feb 13 06:54:39 2032 GMT
Subject: CN = etcd-ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c2:8c:1f:12:73:c7:89:bc:f9:8d:14:c2:5e:61:
2f:ae:d4:f0:48:89:f7:cc:bc:be:a6:19:9d:a8:4d:
85:99:59:d6:96:57:35:9e:6c:62:39:31:12:e6:ee:
32:f9:a4:aa:ce:91:8b:5f:1d:7d:99:cc:b5:fc:c7:
14:75:f0:a2:43:4f:fd:e6:e7:b3:ab:11:c2:5f:db:
a8:72:b8:80:2f:66:5f:98:21:3b:06:af:b9:09:69:
94:1a:06:33:96:2f:1c:c7:f8:b2:ca:bd:87:d9:13:
36:c5:f6:de:aa:6a:81:c2:d4:94:2b:9e:63:dc:56:
27:b4:32:31:1d:49:ab:69:0e:dc:d1:14:d3:bb:f1:
43:80:19:31:73:29:7e:7b:d4:3b:2d:cf:14:7f:3b:
3c:84:4b:21:a4:2d:a6:59:79:bb:6f:1d:dc:5c:d5:
44:fd:3f:bd:34:b4:33:38:0d:cc:76:48:e1:de:53:
02:2d:54:79:44:22:64:f5:a6:39:1e:87:24:6c:91:
3c:5f:eb:7f:1f:84:38:e0:96:19:1b:46:9d:fc:e6:
79:98:c7:2e:6e:2a:2e:63:f0:28:42:57:16:14:45:
f3:de:bf:32:8e:d9:49:e5:ab:a5:06:6e:0d:d2:9c:
8b:65:40:46:17:43:3e:d2:46:53:bf:22:89:72:d0:
6f:49
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
E3:7B:E5:78:30:93:55:DB:08:E4:EB:D0:2E:0C:30:6C:DB:17:40:40
X509v3 Subject Alternative Name:
DNS:etcd-ca
Signature Algorithm: sha256WithRSAEncryption
1a:29:48:3a:dc:24:57:35:20:b7:21:31:ed:c5:12:88:d5:79:
7e:42:ca:21:12:92:64:49:5e:eb:2e:60:ce:16:71:5f:43:76:
09:97:3d:6c:19:15:16:b0:6d:fc:c9:84:14:e7:5b:c2:c8:d4:
24:77:bf:fd:87:3d:e4:c9:e4:39:49:ba:f6:41:bb:a0:9c:97:
ef:71:b0:46:a1:86:dc:00:6b:19:26:39:32:26:c4:0c:70:4e:
bf:1b:6b:93:55:54:d7:97:89:07:5e:e9:3b:63:a5:49:4e:6c:
21:aa:75:8b:b1:a9:94:68:bf:1c:2e:cf:84:09:b0:52:03:62:
72:54:b0:e2:c8:63:88:31:c0:1e:de:38:89:39:25:92:df:b9:
1d:56:fb:c5:3b:71:fa:4e:70:e7:ec:1b:c5:fc:39:bb:71:90:
ab:d3:36:c1:80:c5:30:6f:4d:8b:7c:8a:ee:24:15:f5:fc:5c:
63:47:51:a0:9f:eb:30:ee:4e:95:a7:10:41:10:44:37:1e:19:
0d:37:65:f5:94:66:4a:93:5e:fb:df:f3:24:28:17:4e:7e:7f:
4f:d0:97:3a:24:b2:95:27:42:6f:42:0d:32:c7:b6:a6:a2:0f:
66:df:91:e9:af:c7:66:a9:eb:01:d4:74:ae:2c:1f:72:b8:40:
5e:15:d6:bc
-----BEGIN CERTIFICATE-----
MIIC9TCCAd2gAwIBAgIBADANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdldGNk
LWNhMB4XDTIyMDIxNTA2NTQzOVoXDTMyMDIxMzA2NTQzOVowEjEQMA4GA1UEAxMH
ZXRjZC1jYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMKMHxJzx4m8
+Y0Uwl5hL67U8EiJ98y8vqYZnahNhZlZ1pZXNZ5sYjkxEubuMvmkqs6Ri18dfZnM
tfzHFHXwokNP/ebns6sRwl/bqHK4gC9mX5ghOwabuQlplBoGM5YvHMf4ssq9h9kT
NsX23qpqgcLUlCueY9xWJ7QyMR1Jq2kO3NEU07vxQ4AZMXMpfnvUOy3PFH87PIRL
IaQtpll5u28d3FzVRP0/vTS0MzgNzHZI4d5TAi1UeUQiZPWmOR6HJGyRPF/rfx+E
OOCWGRtGnfzmeZjHLm4qLmPwKEJXFhRF896/Mo7ZSeWrpQZuDdKci2VARhdDPtJG
U78iiXLQb0kCAwEAAaNWMFQwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMB
Af8wHQYDVR0OBBYEFON75Xgwk1XbCOTr0C4MMGzbF0BAMBIGA1UdEQQLMAmCB2V0
Y2QtY2EwDQYJKoZIhvcNAQELBQADggEBABopSDrfJFc1ILchMe3FEojVeX5CyiES
kmRJXusuYM4WcV9DdgmXPWwZFRawbfzJhBTnW8LI1CR3v/2HPeTJ5DlJuvZBu6Cc
l+9xsEahhtwAaxkmOTImxAxwTr8ba5NVVNeXiQde6TtjpUlObCGqdYuxqZRovxwu
z4QJsFIDYnJUsOLIY4gxwB7eOIk5JZLfuR1W+8U7cfpOcOfsG8X8ObtxkKvTNsGA
xTBvTYt8iu4kFfX8XGNHUaCf6zDuTpWnEEEQRDceGQ03ZfWUZkqTXvvf8yQoF05+
f0/QlzokspUnQm9CDTLHtqaiD2bfkemvx2ap6wHUdK4sH3K4QF4V1rw=
-----END CERTIFICATE-----
$
We can see it is a different Issuer: CN = etcd-ca, and Subject: CN = etcd-ca, X509v3 Subject Alternative Name: DNS:etcd-ca.
If we look at the ETCD server certificate subject details, we can see the CN as k8s and subject alternative names of k8s, localhost and the node IP address 192.168.177.29.
$ openssl x509 -in /var/lib/minikube/certs/etcd/server.crt -text | grep -e Subject -e DNS
Subject: CN = k8s
Subject Public Key Info:
X509v3 Subject Alternative Name:
DNS:k8s, DNS:localhost, IP Address:192.168.177.29, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
$
Also, we can see that this certificate is valid for one year.
openssl x509 -in /var/lib/minikube/certs/etcd/server.crt -text | grep -A 2 Validity
Validity
Not Before: Feb 15 06:54:39 2022 GMT
Not After : Feb 15 06:54:39 2023 GMT
$
Where as the minikubeCA certificate is valid for ten years.
$ openssl x509 -in /var/lib/minikube/certs/ca.crt -text | grep -A 2 Validity
Validity
Not Before: Jun 28 04:53:56 2021 GMT
Not After : Jun 27 04:53:56 2031 GMT
