Skip to content

Instantly share code, notes, and snippets.

@noslin005

noslin005/kubelet.md

Created May 6, 2026 22:57
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save noslin005/11ddee684f340e5852758e1f36904181 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save noslin005/11ddee684f340e5852758e1f36904181 to your computer and use it in GitHub Desktop.
Download ZIP
Practice breaking kubelet certs
Raw
kubelet.md

Kubernetes kubelet certs LAB

  • Break Certs
#!/usr/bin/env bash

NODE="${1}"
NODE_FQDN="${NODE}.example.com"
CA_CRT="/etc/kubernetes/pki/ca.crt"
CA_KEY="/etc/kubernetes/pki/ca.key"
TMPDIR=$(mktemp -d)
KEY="${TMPDIR}/${NODE}.key"
CSR="${TMPDIR}/${NODE}.csr"
CRT="${TMPDIR}/${NODE}.crt"

echo "Breaking kubelet cert for $NODE ==="
# Generate key
openssl genrsa -out $KEY 2048

# Gen CSR
openssl req -new \
        -key $KEY \
        -subj "/CN=system:node:$NODE_FQDN/O=system:nodes" \
        -out $CSR

# Sign with an expired date to break the cert
openssl x509 -req \
        -in $CSR \
        -CA $CA_CRT \
        -CAkey $CA_KEY \
        -CAcreateserial \
        -out $CRT \
        -not_before 20250101000000Z \
        -not_after 20250501000000Z

echo "Generated expired cert"
openssl x509 -in $CRT -noout -dates

# Bundle cert+key into single PEM
PEM=$TMPDIR/kubelet-client-current.pem
cat $CRT $KEY >$PEM
echo "Generated kube perm $PEM"

set -x
ssh $NODE "cp /var/lib/kubelet/pki/kubelet-client-current.pem{,.orig}"
ssh $NODE unlink /var/lib/kubelet/pki/kubelet-client-current.pem
scp $PEM root@$NODE:/var/lib/kubelet/pki/kubelet-client-current.pem
ssh $NODE "chmod 600 /var/lib/kubelet/pki/kubelet-client-current.pem"
ssh $NODE "systemctl restart kubelet"
set +x
rm -rf $TMPDIR
  • Fix Certs
#!/usr/bin/env bash

set -e

NODE="${1}"
NODE_FQDN="${NODE}.example.com"
CA_CRT="/etc/kubernetes/pki/ca.crt"
CA_KEY="/etc/kubernetes/pki/ca.key"
TMPDIR=$(mktemp -d)
KEY="${TMPDIR}/${NODE}.key"
CSR="${TMPDIR}/${NODE}.csr"
CRT="${TMPDIR}/${NODE}.crt"
TIMESTAMP=$(date +%Y-%m-%d-%H-%M-%S)
DEST="/var/lib/kubelet/pki/kubelet-client-${TIMESTAMP}.pem"

echo "[*] Generating kubelet client cert for $NODE "
openssl ecparam -name prime256v1 -genkey -noout -out $KEY
# For RSA keys, use:
# openssl genrsa -out $KEY 2048

echo "[*] Generate Extensions file "
EXT=$TMPDIR/ext.conf
cat >$EXT <<EOF
[v3_client]
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
basicConstraints = critical, CA:FALSE
EOF

echo "[*] Generate CSR"
openssl req -new \
        -key $KEY \
        -subj "/O=system:nodes/CN=system:node:$NODE_FQDN" \
        -out $CSR

echo "[*] Sign the CSR with CA to generate client cert ( valid for 10 years )"
openssl x509 -req \
        -in $CSR \
        -CA $CA_CRT \
        -CAkey $CA_KEY \
        -CAcreateserial \
        -out $CRT \
        -days 3650 \
        -extfile "$EXT" \
        -extensions v3_client

echo "[*] Details of generated cert "
openssl x509 -in $CRT -noout -dates -subject -issuer

echo "[*] Verify the generated cert "
openssl verify -CAfile $CA_CRT $CRT

echo "[*] Bundle the cert and key into a single PEM file "
PEM=$TMPDIR/kubelet-client-current.pem
cat $CRT $KEY >$PEM
echo "Generated kube perm $PEM"

echo "[*] Deploy the cert to $NODE "
scp $PEM root@$NODE:$DEST
ssh root@$NODE <<EOF
chmod 600 $DEST
ln -sf $DEST /var/lib/kubelet/pki/kubelet-client-current.pem
systemctl --quiet restart kubelet
systemctl --quiet is-active kubelet && echo OK || echo FAILED
EOF
rm -rf $TMPDIR

echo "[*] DONE "
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment