Where to find Kubernetes kind Cluster CA?

Question

I am using Windows OS, and in Minikube we can easily find the server CA cert in .minikube directory with file name as ca.crt so that we can sign the user with the CA certificate for ex like below command-

openssl x509 -req -in DevUser.csr -CA ..\.minikube\ca.crt -CAkey ..\.minikube\ca.key -CAcreateserial -out devuser.crt

but when I use kind, I could not able to find such server CA certificate so that I can sign the user with CA certificate, I have heard that Kubeadm certificate are standard certificate for Kind but, I really can't find any way for windows.

My Goal of the application is - Create a Dynamic Local Application which contains service, Deployments, 2-3 Users, etc.

So what do you think? Should I use minikube only if there is no way to sign the user with Kind CA in Kind Cluster?

Anyone can help? I am stuck in it for almost 4-5 days.

Hope you got my question, let me know.

Thanks

score 2 · Answer 1 · edited Jan 31 '22 at 22:11

2

You can get them from the kind control-plane Docker container.

Get the Docker container ID of the kind control-plane, in this example it is e73234b3e596

then type:

docker cp e73234b3e596:/etc/kubernetes/pki/ca.key .

docker cp e73234b3e596:/etc/kubernetes/pki/ca.crt .

edited Jan 31 '22 at 22:11

Elad Kalif

14,110
2
17
49

answered Jan 28 '22 at 22:03

jeff mccormick

33
5

That looks promising but again, I am using windows, and I see linux path in your answer. – Cloud Learner Feb 02 '22 at 12:47

score 0 · Answer 2 · answered May 31 '22 at 11:06

Thanks jeff! I add here the steps I used to create a new user inside a kind cluster.

# spawn shell in control plane container
docker exec -it kind-control-plane bash

mkdir cert && cd cert
# create private key
openssl genrsa -out johndoe.key 2048
# create certificate signing request (CSR)
openssl req -new -key johndoe.key -out johndoe.csr -subj "/CN=johndoe/O=cka"
# sign the CSR with the Kubernetes cluster certificate authority (CA)
openssl x509 -req -in johndoe.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out johndoe.crt -days 365
# create user in Kubernetes
kubectl config set-credentials johndoe --client-certificate=johndoe.crt --client-key=johndoe.key
# switch to the new user
kubectl config set-context johndoe-context --cluster=kind --user=johndoe
# check
kubectl config view

Where to find Kubernetes kind Cluster CA?

2 Answers2