Why did you exec into the kube-apiserver-kind-control-plane container only for generating the user certificate? Is it the kind of admin container which generates certs? I am using an AKS cluster. Which pod do I need to use for generating certs?
Hi Harish,
That's a good question. We basically have to generate two things: a private key and a CSR. These two things can be generated using the openssl command independently. Once we have those files, look at 11:13. You can create a CertificateSigningRequest k8s object using the files that we generated, and then the admin can approve that request and we would get the .crt.
Let me know if you have any other questions.
Awesome man, I'm currently learning K8. What you described above I asked many people who have been working on this for years, but no one ever replied back, and the way you explained it 👏👏👏👏👏
Hey 👋,
Thank you so much 💓 for the kind words🙏. I appreciate it.
I am glad the video was helpful.
As usual, brilliant
Thank you.
Hey Dear, First video I found worth watching and got a lot of information which I was looking for since a year. Great to view your videos having a lot of content and clearing most of my doubts :)
Thanks for the kind words.
thank you for explaining CSR concept
I am glad you liked it.
Awesome explanation. Thanks Vivek
Thank you Sachin 😊
Very good explanation thank you so much
Thank you, Harini.
Good content bro.. And you explained perfectly
Thank you 😊
Informative video. Thank you
Thank you 😊 Ramya.
well explained bro ... I was unable to get it ... Thanks a lot
Thanks 😊 Sameer.
I am happy it was helpful.
Nice explanation
Thank you 😊
Nice explanation sir ..... Awesome video
Thank you 😊
Nice video. Useful information for beginners
Thank you Justin. 😊
Helpful 👍
Thank you Manas 😊
Good 👍
well done keep going..
Help...ppl to learn
Thank you Arun 😊
Hi Vivek, good content and coverage. Only one request: if you can, make these videos small-screen friendly (by increasing font size/zooming in). It would make the phone-based viewing experience seamless. Keep up the good work! Kudos
Thanks Vijay,
I have been trying to make smaller videos, let's see.
I would also increase the font size in the next videos.
Really very great video with in-depth knowledge. Well done, keep going. One question: you created a role to allow pods only for the vivek user. In case we want to provide all permissions, like another user, do we need to create a cluster role and cluster role binding?
What do you mean by provide all permission as like another user?
@viveksinghggits I mean to create, list, delete all namespaces, all pods, all deployments and other k8s objects?
In that case we can add the user into admin group.
Hi Vivek, thanks for the detailed explanation. Can you clarify what the ca-certificate in the kubeconfig yaml file is? Is that the same ca-certificate as the one in the control plane (/etc/kubernetes/pki/ca.crt that you used to create the user certificate) or different? Can we use the ca-certificate in the kubeconfig yaml file to generate certificates?
I think the answer for "Can we use the ca-certificate in the kubeconfig yaml file to generate certificates?" is no, because we need ca.key AND ca.crt to generate certificates
Hi Karthik,
Sorry, I don't have the answer to that question on top of my head.
Is the procedure the same for a read-only user?
I think yes, the procedure would be the same. We would just have to create the role/cluster role accordingly.
Thank you for your efforts, it was very helpful.
Kindly, I have a question: after giving the devuser authentication to the cluster, what if I want to remove the authentication so that the devuser will not be allowed to communicate with the cluster? How can I do that?
Thanks in advance.
Hi 👋,
That's a good question. I am not sure if there is a command
kubectl certificate deny
that can be used to revoke the access, like we used kubectl certificate approve to approve the access.
Yeah, so I am not sure. You will have to figure that out.
@viveksinghggits I have searched for this in the Kubernetes documentation. I think the only way to do that is to delete the rolebinding / roleBinding created for this user, but the user will still be able to authenticate to the cluster, just without any permissions (as seen in your video before creating the role and role binding). I think this is the only way to revoke authorization while you are unable to revoke the authentication
Best Wishes Dear.
Yeah, you are right. I will keep this in mind and get back to you if I find something.
@viveksinghggits
Do you recommend any mock exams to prepare me before CKA?
Thank you
I think the udemy course by Mumshad is pretty good.
Hi vijay, we added user vivek, but how does Kubernetes know that user vivek is executing, because we didn't log in as user vivek? And a video on securityContext please
When we create a CSR (certificate signing request), we specify the username as common name (CN) for the subj flag.
And the certificate for the user is created using the same CSR, which (the cert) eventually is used in kubeconfig.
And that is how kubernetes figures out which user is trying to talk to the cluster.
Let me know if this didn't make sense.
@viveksinghggits thanks for your reply. We are creating user vivek and doing everything; do we need to log in as user vivek to the server where the cluster is running to get this access?
Not really, if you see we didn't create a Linux user anywhere.
So, you just have to set credentials in kubeconfig and kubectl should take care of the rest.
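Added example (not from the video or its author): the flow described in the reply to Harish and in the replies just above, as a shell script. It generates the key and CSR locally with openssl, reads back the CN and O values that the API server treats as username and group for a client certificate, and builds the CertificateSigningRequest manifest; the user vivek, the group dev and the file names are sample values.

```shell
#!/bin/sh
# Added example: "vivek" and "dev" are sample values, not taken from a real cluster.
set -eu
WORKDIR="$(mktemp -d)"

# Step 1: private key + CSR, generated on any machine that has openssl.
# Nothing here needs a shell inside a control-plane pod, and the private key
# stays on the machine where it was generated.
make_csr() {  # usage: make_csr <user> <group>
  openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$1.key" -subj "/CN=$1/O=$2" \
    -out "$WORKDIR/$1.csr"
}

# Step 2: read back the subject. For client certificates the API server takes
# the username from CN and the group from O; no Linux account is involved.
csr_field() {  # usage: csr_field <user> <CN|O>
  openssl req -in "$WORKDIR/$1.csr" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# Step 3: wrap the CSR in a CertificateSigningRequest object for an admin to approve.
csr_manifest() {  # usage: csr_manifest <user>
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $(base64 < "$WORKDIR/$1.csr" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
}

make_csr vivek dev
echo "username=$(csr_field vivek CN) group=$(csr_field vivek O)"
csr_manifest vivek > "$WORKDIR/vivek-csr.yaml"
echo "manifest written to $WORKDIR/vivek-csr.yaml"
# Against a real cluster, an admin would then run:
#   kubectl apply -f vivek-csr.yaml
#   kubectl certificate approve vivek
#   kubectl get csr vivek -o jsonpath='{.status.certificate}' | base64 -d > vivek.crt
```

The issued vivek.crt and the local vivek.key are what go into the user entry of the kubeconfig.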
Hello sir, I have created a cluster with one master and one worker node, master node added with a public Azure load balancer. But when we run curl load balancer ip:6443 from the master node to access kube-api server, I get an error like curl( 60 )SSL certificate problem: unable to get local issuer certificate.
Also, when we try from a browser it is not accessible.
please tell me something about this.
Hi Nitin,
If I understood correctly, you are trying to access the API server endpoint using curl and a browser. Why are you doing that?
That's not how we access k8s clusters, right? Since the API server is secured, you won't be able to access the API server endpoint.
You will have to generate the kubeconfig file to access the k8s cluster.
Now, generating kubeconfig file depends on how you have setup the cluster.
Please make some more videos
Sure. I have plans to create more videos.