# Build a secure Kubernetes API server

## Add Security Group

    $ nova secgroup-add-rule \
           k8sbay-wlun44ixfi2o-secgroup_kubernetes-ahsiqsc4vgqj \
           tcp 6443 6443 0.0.0.0/0

## CA

    $ openssl genrsa -out ca.key 4096
    Generating RSA private key, 4096 bit long modulus
    ...............................................................................++
    ...............................................................................++
    e is 65537 (0x10001)

    $ openssl req -new -x509 -days 1000 -key ca.key -out ca.crt
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:

## Server

    $ openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr
    Generating a 2048 bit RSA private key
    ..................................+++
    ....................+++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:k8s-master
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Set the Common Name to the hostname that clients will use to reach the API server, not its IP address.

    $ openssl x509 -req -days 1000 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
    Signature ok
    subject=/C=XX/L=Default City/O=Default Company Ltd/CN=k8s-master
    Getting CA Private Key


## Client

    $ openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr
    Generating a 2048 bit RSA private key
    ......................+++
    ......+++
    writing new private key to 'client.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:k8s-minion
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    $ openssl x509 -req -days 1000 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
    Signature ok
    subject=/C=XX/L=Default City/O=Default Company Ltd/CN=k8s-minion
    Getting CA Private Key

Give the client certificate a serial number different from the server certificate's.
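A non-interactive version of the CA, server and client steps above, added here as an example rather than taken from the page: it supplies the subjects with `-subj`, adds a subjectAltName for the server because Go-based clients such as kubectl match the hostname against the SAN rather than the Common Name, and checks that both leaf certificates validate against the CA and carry different serial numbers. The CA common name, the output directory and the extension-file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive CA/server/client
# generation. Assumes the openssl CLI; CA name, directory and .ext names are assumptions.
set -eu

# Generate CA, server and client material into directory $1 for API host $2.
gen_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 1000 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=k8s-ca" 2>/dev/null
    # Server cert: CN is the hostname clients dial (not an IP); the SAN repeats
    # it because modern TLS clients, kubectl included, ignore the CN.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/CN=$host" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/server.ext"
    openssl x509 -req -days 1000 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 01 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
    # Client cert: distinct serial (02) and clientAuth only, so it cannot be
    # presented as a server certificate.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -out "$dir/client.csr" -subj "/CN=k8s-minion" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -days 1000 -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 02 -extfile "$dir/client.ext" \
        -out "$dir/client.crt" 2>/dev/null
}

# Verify both leaf certs chain to the CA in $1, that the server cert carries
# a DNS SAN for host $2, and that the two serial numbers differ.
check_pki() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" >/dev/null
    openssl x509 -noout -text -in "$dir/server.crt" | grep -q "DNS:$host"
    s=$(openssl x509 -noout -serial -in "$dir/server.crt")
    c=$(openssl x509 -noout -serial -in "$dir/client.crt")
    [ "$s" != "$c" ]
}
```

Run `gen_pki ./keys k8s-master && check_pki ./keys k8s-master` to produce the files the kube-apiserver flags below expect.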

## Start the kube-api server

    $ /usr/bin/kube-apiserver --logtostderr=true --v=0 \
      --etcd_servers=http://127.0.0.1:4001 \
      --allow_privileged=true \
      --portal_net=10.254.0.0/16 \
      --admission_control=NamespaceAutoProvision,LimitRanger,ResourceQuota \
      --runtime_config=api/v1beta3 \
      --tls_cert_file=/home/minion/keys/server.crt \
      --tls_private_key_file=/home/minion/keys/server.key \
      --client_ca_file=/home/minion/keys/ca.crt \
      --bind_address=0.0.0.0

## Client Access

Copy the client key, client certificate and CA certificate to the minion node, log in to the minion, and add the API server's hostname to /etc/hosts.

    $ sudo vi /etc/hosts
    $ cat /etc/hosts
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

    10.0.0.3    k8s-master

Check client access.

    $ curl -v https://k8s-master:6443/version \
        --key ./client.key \
        --cert ./client.crt \
        --cacert ./ca.crt

    $ kubectl version -s https://k8s-master:6443 \
        --certificate-authority=ca.crt \
        --client-certificate=client.crt \
        --client-key=client.key