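# OpenSSL configuration for the cluster PKI: the self-signed CA (via [req])
# and one named request section per component (admin, service-accounts,
# controllerN, workerN, kube-*), each selected with the req command's
# `-section` option. Comments are full-line `#` only; values are unquoted
# except nsComment, whose surrounding double quotes OpenSSL strips.

[req]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = ca_x509_extensions

# Extensions stamped on the self-signed CA certificate.
# basicConstraints is marked critical because RFC 5280 requires that for CA
# certificates, and keyUsage is marked critical so a relying party that
# cannot evaluate it rejects the certificate instead of ignoring the limit.
# subjectKeyIdentifier gives leaf certificates a stable key id to chain to.
[ca_x509_extensions]
basicConstraints = critical, CA:TRUE
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash

[req_distinguished_name]
C = US
ST = Washington
L = Seattle
CN = CA

# Admin client certificate. Kubernetes reads the CN as the username and O as
# the group; system:masters is bound to cluster-admin by the default RBAC
# bindings, so this key pair is a full-cluster credential.
[admin]
distinguished_name = admin_distinguished_name
prompt = no
req_extensions = default_req_extensions

[admin_distinguished_name]
CN = admin
O = system:masters

# Service Accounts
#
# The Kubernetes Controller Manager leverages a key pair to generate
# and sign service account tokens as described in the
# [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/)
# documentation.
# Only the key pair is consumed for token signing; the certificate wrapping
# it reuses default_req_extensions, whose client-auth settings are not
# expected to matter for that use.
[service-accounts]
distinguished_name = service-accounts_distinguished_name
prompt = no
req_extensions = default_req_extensions

[service-accounts_distinguished_name]
CN = service-accounts

# Worker Nodes
#
# Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/)
# called Node Authorizer, that specifically authorizes API requests made
# by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet).
# In order to be authorized by the Node Authorizer, Kubelets must use a credential
# that identifies them as being in the `system:nodes` group, with a username
# of `system:node:<nodeName>`.
# The per-node sections that follow set O = system:nodes and
# CN = system:node:<nodeName>; the DNS SAN should be the hostname the kubelet
# registers under, since the API server verifies it when it connects back
# to the kubelet with a configured kubelet CA.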
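# Node certificates (controller0..2, worker0..2).
# Each kubelet uses its certificate both as a client to the API server and
# as the server certificate for its own HTTPS port, hence
# extendedKeyUsage = clientAuth, serverAuth. The DN carries the Node
# Authorizer identity: CN = system:node:<nodeName>, O = system:nodes.
# Sections are deliberately repeated per node rather than shared so that
# subjectAltName and CN stay node-specific.

[controller0]
distinguished_name = controller0_distinguished_name
prompt = no
req_extensions = controller0_req_extensions

[controller0_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "controller0 Certificate"
subjectAltName = DNS:controller0, IP:127.0.0.1
subjectKeyIdentifier = hash

[controller0_distinguished_name]
CN = system:node:controller0
O = system:nodes
C = US
ST = Washington
L = Seattle

[controller1]
distinguished_name = controller1_distinguished_name
prompt = no
req_extensions = controller1_req_extensions

[controller1_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "controller1 Certificate"
subjectAltName = DNS:controller1, IP:127.0.0.1
subjectKeyIdentifier = hash

[controller1_distinguished_name]
CN = system:node:controller1
O = system:nodes
C = US
ST = Washington
L = Seattle

[controller2]
distinguished_name = controller2_distinguished_name
prompt = no
req_extensions = controller2_req_extensions

[controller2_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "controller2 Certificate"
subjectAltName = DNS:controller2, IP:127.0.0.1
subjectKeyIdentifier = hash

[controller2_distinguished_name]
CN = system:node:controller2
O = system:nodes
C = US
ST = Washington
L = Seattle

[worker0]
distinguished_name = worker0_distinguished_name
prompt = no
req_extensions = worker0_req_extensions

[worker0_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "worker0 Certificate"
subjectAltName = DNS:worker0, IP:127.0.0.1
subjectKeyIdentifier = hash

[worker0_distinguished_name]
CN = system:node:worker0
O = system:nodes
C = US
ST = Washington
L = Seattle

[worker1]
distinguished_name = worker1_distinguished_name
prompt = no
req_extensions = worker1_req_extensions

[worker1_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "worker1 Certificate"
subjectAltName = DNS:worker1, IP:127.0.0.1
subjectKeyIdentifier = hash

[worker1_distinguished_name]
CN = system:node:worker1
O = system:nodes
C = US
ST = Washington
L = Seattle

[worker2]
distinguished_name = worker2_distinguished_name
prompt = no
req_extensions = worker2_req_extensions

[worker2_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "worker2 Certificate"
subjectAltName = DNS:worker2, IP:127.0.0.1
subjectKeyIdentifier = hash

[worker2_distinguished_name]
CN = system:node:worker2
O = system:nodes
C = US
ST = Washington
L = Seattle

# Kube Proxy Section
#
# kube-proxy only ever presents this certificate as a client to the API
# server; extendedKeyUsage nevertheless includes serverAuth, which is
# broader than that role needs. A client-only profile would be
# `extendedKeyUsage = clientAuth` (as in default_req_extensions); the value
# is left unchanged here so existing issued certificates stay comparable.
[kube-proxy]
distinguished_name = kube-proxy_distinguished_name
prompt = no
req_extensions = kube-proxy_req_extensions

[kube-proxy_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Kube Proxy Certificate"
subjectAltName = DNS:kube-proxy, IP:127.0.0.1
subjectKeyIdentifier = hash

[kube-proxy_distinguished_name]
CN = system:kube-proxy
O = system:node-proxier
C = US
ST = Washington
L = Seattle

# Controller Manager
#
# Identity: user system:kube-controller-manager. Same serverAuth remark as
# for kube-proxy above.
[kube-controller-manager]
distinguished_name = kube-controller-manager_distinguished_name
prompt = no
req_extensions = kube-controller-manager_req_extensions

[kube-controller-manager_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Kube Controller Manager Certificate"
subjectAltName = DNS:kube-controller-manager, IP:127.0.0.1
subjectKeyIdentifier = hash

[kube-controller-manager_distinguished_name]
CN = system:kube-controller-manager
O = system:kube-controller-manager
C = US
ST = Washington
L = Seattle

# Scheduler
#
# Identity: user system:kube-scheduler. Same serverAuth remark as for
# kube-proxy above.
[kube-scheduler]
distinguished_name = kube-scheduler_distinguished_name
prompt = no
req_extensions = kube-scheduler_req_extensions

[kube-scheduler_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Kube Scheduler Certificate"
subjectAltName = DNS:kube-scheduler, IP:127.0.0.1
subjectKeyIdentifier = hash

[kube-scheduler_distinguished_name]
CN = system:kube-scheduler
# Previously "system:system:kube-scheduler" (duplicated prefix), a group name
# that nothing binds to; aligned with the CN and with the
# controller-manager DN above.
O = system:kube-scheduler
C = US
ST = Washington
L = Seattle

# API Server
#
# The Kubernetes API server is automatically assigned the `kubernetes`
# internal dns name, which will be linked to the first IP address (`10.32.0.1`)
# from the address range (`10.32.0.0/24`) reserved for internal cluster
# services.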
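[kube-api-server]
distinguished_name = kube-api-server_distinguished_name
prompt = no
req_extensions = kube-api-server_req_extensions

# The API server both serves TLS and acts as a client (for example towards
# kubelets), so both nsCertType values and both EKUs are set.
[kube-api-server_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client, server
nsComment = "Kube API Server Certificate"
subjectAltName = @kube-api-server_alt_names
subjectKeyIdentifier = hash

# Every name or address a client may use to reach the API server must be
# listed here, otherwise TLS hostname verification fails for that path.
# If the API server is also reached on a node or load-balancer address,
# add it as a further IP.N entry (the file as written lists none).
[kube-api-server_alt_names]
IP.0 = 127.0.0.1
IP.1 = 10.32.0.1
DNS.0 = kubernetes
DNS.1 = kubernetes.default
DNS.2 = kubernetes.default.svc
DNS.3 = kubernetes.default.svc.cluster
DNS.4 = kubernetes.svc.cluster.local
DNS.5 = server.kubernetes.local
DNS.6 = api-server.kubernetes.local
# Fully qualified in-cluster service name (<service>.<namespace>.svc.<domain>);
# DNS.4 omits the "default" namespace label, so clients dialling the FQDN
# would otherwise get a hostname mismatch.
DNS.7 = kubernetes.default.svc.cluster.local

[kube-api-server_distinguished_name]
CN = kubernetes
C = US
ST = Washington
L = Seattle

# Client-only extension profile shared by the [admin] and [service-accounts]
# sections. Note that nsComment therefore reads "Admin Client Certificate"
# on the service-accounts certificate as well; it is informational only and
# is kept as is so previously issued certificates remain identical.
[default_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Admin Client Certificate"
subjectKeyIdentifier = hash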