6

I've installed Kubernetes with docker-for-desktop. Now I want to create a user (following the RBAC principle). I'm using private certificates and want to sign them against the ca.crt of the cluster.

For minikube this ca.crt was in .minikube/ca.crt but I can't find it in the installation with docker?

DenCowboy

2 Answers

5

By default, your HyperKit VM doesn't mount volumes locally in docker-for-desktop.

Your best bet is to copy the ca.crt manually to your machine using kubectl cp.

Example:

kubectl cp kube-apiserver-docker-desktop:run/config/pki/ca.crt -n kube-system /tmp/ca.crt
fons
jaxxstorm
  • It works when I use ...desktop:run/config .. as described here: https://github.com/kubernetes/kubernetes/issues/58692 (thanks for your input!) It helped me to find it – DenCowboy Aug 01 '18 at 04:35
  • On MacOS Mojave and Docker Community Edition v2.0.0.3, I had to modify your command a bit. $ kubectl cp kube-apiserver-docker-for-desktop://run/config/pki/ca.crt -n kube-system /tmp/ca.crt – user674669 Mar 22 '19 at 22:44
0

I tried the commands mentioned by jaxxstorm, but an error was returned.

~ kubectl -n kube-system get pod
NAME                                     READY   STATUS    RESTARTS          AGE
coredns-565d847f94-cpvvn                 1/1     Running   6 (2d18h ago)     91d
coredns-565d847f94-pg5z2                 1/1     Running   6 (2d18h ago)     91d
etcd-docker-desktop                      1/1     Running   6 (2d18h ago)     91d
kube-apiserver-docker-desktop            1/1     Running   6 (2d18h ago)     91d
kube-controller-manager-docker-desktop   1/1     Running   6 (2d18h ago)     91d
kube-proxy-gc9k6                         1/1     Running   6 (2d18h ago)     91d
kube-scheduler-docker-desktop            1/1     Running   6 (2d18h ago)     91d
storage-provisioner                      1/1     Running   10 (2d18h ago)    91d
vpnkit-controller                        1/1     Running   190 (2d18h ago)   15d
~ kubectl -n kube-system cp kube-apiserver-docker-desktop:/run/config/pki/ca.crt /tmp/ca.crt      
command terminated with exit code 126

Maybe there is no tar command in the kube-apiserver image, so I tried cat and exec-ing into the container, which also failed.

~ kubectl -n kube-system exec -it kube-apiserver-docker-desktop -- cat /run/config/pki/ca.crt
OCI runtime exec failed: exec failed: unable to start container process: exec: "cat": executable file not found in $PATH: unknown
command terminated with exit code 126
~ kubectl -n kube-system exec -it kube-apiserver-docker-desktop -- sh
OCI runtime exec failed: exec failed: unable to start container process: exec: "sh": executable file not found in $PATH: unknown
command terminated with exit code 126
~ kubectl -n kube-system exec -it kube-apiserver-docker-desktop -- bash
OCI runtime exec failed: exec failed: unable to start container process: exec: "bash": executable file not found in $PATH: unknown
command terminated with exit code 126
~ kubectl -n kube-system exec -it kube-apiserver-docker-desktop -- tar
OCI runtime exec failed: exec failed: unable to start container process: exec: "tar": executable file not found in $PATH: unknown
command terminated with exit code 126

Anyway, the base image of kube-apiserver doesn't contain the commands above. So I looked up the pod definition of kube-apiserver and found a volume mounted from a host path, which contains ca.crt and ca.key.

k8s-certs:
  Type:          HostPath (bare host directory volume)
  Path:          /run/config/pki
  HostPathType:  DirectoryOrCreate

Two steps to get into the Docker Desktop VM:

  1. open a terminal, paste $ socat -d -d ~/Library/Containers/com.docker.docker/Data/debug-shell.sock pty,rawer, and remember the tty device from the output, e.g. PTY is /dev/ttys<XXX>

  2. open another terminal, paste $ screen /dev/ttys<XXX>. Now you're in the VM; just cat the files located in /run/config/pki.

The files are as follows:

/ # ls /run/config/pki
apiserver-etcd-client.crt     etcd
apiserver-etcd-client.key     front-proxy-ca.crt
apiserver-kubelet-client.crt  front-proxy-ca.key
apiserver-kubelet-client.key  front-proxy-client.crt
apiserver.crt                 front-proxy-client.key
apiserver.key                 sa.key
ca.crt                        sa.pub
一条肥鱼
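Whichever route you take to pull ca.crt out of the VM (kubectl cp in the first answer, or the debug-shell in the second), it is worth confirming that the file you ended up with is really the CA your kubeconfig already trusts before you sign user certificates against it: a stale or wrong CA will produce client certs the API server silently rejects. The script below is an added example, not code from either answer or from Docker Desktop. It computes the SHA-256 fingerprint of the certificate (in the colon-separated form openssl prints) from both the copied ca.crt and the base64 certificate-authority-data field in the kubeconfig, and compares them. The PEM bodies and the kubeconfig snippet are constructed placeholders, not real certificates; kubeconfig parsing is a simple regex on that one key, which is enough for the file Docker Desktop generates but is an assumption, not a full YAML parser.

```python
"""Check that an extracted ca.crt matches the CA in your kubeconfig (stdlib only)."""
import base64
import hashlib
import re

# Matches the first CERTIFICATE block in a PEM file, base64 body with any line breaks.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: bytes) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM document."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode(b"".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, colon-separated as openssl x509 -fingerprint prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def kubeconfig_ca_pem(kubeconfig: str) -> bytes:
    """Decode certificate-authority-data (base64 of the PEM) from a kubeconfig.

    Assumption: the field is present inline on one line, as Docker Desktop writes it.
    """
    m = re.search(r"certificate-authority-data:\s*(\S+)", kubeconfig)
    if not m:
        raise ValueError("kubeconfig has no inline certificate-authority-data")
    return base64.b64decode(m.group(1))


def ca_matches_kubeconfig(ca_crt: bytes, kubeconfig: str) -> bool:
    """True if the copied ca.crt and the kubeconfig CA have the same fingerprint."""
    return fingerprint(pem_to_der(ca_crt)) == fingerprint(
        pem_to_der(kubeconfig_ca_pem(kubeconfig))
    )


def make_pem(der: bytes) -> bytes:
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-column lines (helper for sample data)."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


# Constructed sample data: these are NOT real X.509 certificates, just placeholder DER bytes
# so the fingerprint comparison can be demonstrated offline.
SAMPLE_DER = b"constructed-placeholder-der-for-docker-desktop-cluster-ca" * 3
OTHER_DER = b"constructed-placeholder-der-for-some-other-ca" * 3
SAMPLE_CA_CRT = make_pem(SAMPLE_DER)      # what kubectl cp / the debug-shell would give you
OTHER_CA_CRT = make_pem(OTHER_DER)        # e.g. a leftover minikube ca.crt

# Constructed kubeconfig fragment; certificate-authority-data is base64 of the whole PEM.
SAMPLE_KUBECONFIG = (
    "clusters:\n"
    "- cluster:\n"
    "    certificate-authority-data: " + base64.b64encode(SAMPLE_CA_CRT).decode() + "\n"
    "    server: https://kubernetes.docker.internal:6443\n"
    "  name: docker-desktop\n"
)

if __name__ == "__main__":
    print("fingerprint of copied ca.crt:", fingerprint(pem_to_der(SAMPLE_CA_CRT)))
    print("matches kubeconfig CA:", ca_matches_kubeconfig(SAMPLE_CA_CRT, SAMPLE_KUBECONFIG))
    print("stale CA matches kubeconfig CA:", ca_matches_kubeconfig(OTHER_CA_CRT, SAMPLE_KUBECONFIG))
```

Against a real cluster you would read the two inputs from /tmp/ca.crt and ~/.kube/config instead of the constructed samples; only when the fingerprints agree does it make sense to go on and sign a user CSR with that CA.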