1
00:00:01,090 --> 00:00:07,600
Hello and welcome to this lecture. In this lecture we see how we can view certificates in an existing

2
00:00:07,600 --> 00:00:13,070
cluster. So you join a new team to help them manage their kubernetes environment.

3
00:00:13,120 --> 00:00:19,180
You're a new administrator to this team and are being told that there are multiple issues related to certificates

4
00:00:19,200 --> 00:00:25,840
in the environment, so you're asked to perform a health check of all the certificates in the entire cluster.

5
00:00:25,840 --> 00:00:31,350
What do you do? First of all, it's important to know how the cluster was set up.

6
00:00:31,360 --> 00:00:35,980
There are different solutions available for deploying a Kubernetes cluster, and they use different

7
00:00:35,980 --> 00:00:42,760
methods to generate and manage certificates. If you were to deploy a Kubernetes cluster from scratch,

8
00:00:42,940 --> 00:00:48,610
you generate all the certificates by yourself, as we did in the previous lecture. Or else, if you were

9
00:00:48,610 --> 00:00:54,730
to rely on an automated provisioning tool like kubeadm, it takes care of automatically generating

10
00:00:54,730 --> 00:01:01,610
and configuring the cluster for you. While you deploy all the components as native services on the nodes

11
00:01:01,700 --> 00:01:06,020
in the hard way, the kubeadm tool deploys these as pods.

12
00:01:06,050 --> 00:01:11,600
So it's important to know where to look to view the right information. In this lecture

13
00:01:11,600 --> 00:01:16,020
we are going to look at a cluster provisioned by kubeadm as an example.

14
00:01:16,190 --> 00:01:17,930
In order to perform a health check,

15
00:01:17,990 --> 00:01:22,140
Start by identifying all the certificates used in the system.

16
00:01:22,280 --> 00:01:27,690
I have created a sample Excel spreadsheet for you. Check out the resources link at the end of this lecture

17
00:01:27,710 --> 00:01:36,380
to access it. So the idea is to create a list of certificate files used, their paths, the names configured

18
00:01:36,380 --> 00:01:37,100
on them.

19
00:01:37,280 --> 00:01:43,700
The alternate names configured, if any, the organisation the certificate account belongs to, the issuer

20
00:01:43,700 --> 00:01:46,720
of the certificate, and the expiration date on the certificate.

21
00:01:47,570 --> 00:01:49,110
So how do you get these?

22
00:01:49,370 --> 00:01:54,980
Start with the certificate files used. For this, in an environment set up by kubeadm,

23
00:01:55,100 --> 00:02:02,330
look for the kube-apiserver definition file under the /etc/kubernetes/manifests folder.

24
00:02:03,320 --> 00:02:09,920
The command used to start the API server has information about all the certificates. Identify

25
00:02:09,930 --> 00:02:14,880
the certificate file used for each purpose and note it down. Next,

26
00:02:14,950 --> 00:02:20,160
take each certificate and look inside it to find more details about that certificate.

27
00:02:20,160 --> 00:02:27,910
For example, we will start with the apiserver certificate file. Run the openssl x509 command

28
00:02:28,060 --> 00:02:33,420
and provide the certificate file as input to decode the certificate and view details.

29
00:02:33,730 --> 00:02:37,210
Start with the name on the certificate under the subject section.

30
00:02:37,210 --> 00:02:44,350
In this case it's kube-apiserver. Then the alternative names. The kube-apiserver has many,

31
00:02:44,380 --> 00:02:50,590
so you must ensure all of them are there. Then check the validity section of the certificate to identify

32
00:02:50,590 --> 00:02:54,760
the expiry date, and then the issuer of the certificate.

33
00:02:54,760 --> 00:02:58,200
This should be the CA who issued the certificate. Kubeadm

34
00:02:58,210 --> 00:03:05,620
names the Kubernetes CA as kubernetes itself. Follow the same procedure to identify information

35
00:03:05,680 --> 00:03:11,190
about all the other certificates. Things to look for: check to make sure you have the right names, the

36
00:03:11,230 --> 00:03:16,780
right alternate names, make sure the certificates are part of the correct organization, and most importantly,

37
00:03:16,910 --> 00:03:21,760
they are issued by the right issuer and that the certificates are not expired.

38
00:03:22,240 --> 00:03:27,970
The certificate requirements are listed in detail in the Kubernetes documentation page. Check the

39
00:03:27,970 --> 00:03:34,640
references section for the link. When you run into issues, you want to start looking at logs. If you set

40
00:03:34,640 --> 00:03:41,190
up the cluster from scratch by yourself and the services are configured as native services in the OS,

41
00:03:41,670 --> 00:03:47,670
you want to start looking at the service logs using the operating system's logging functionality. In case

42
00:03:47,670 --> 00:03:53,520
you set up the cluster with kubeadm, then the various components are deployed as pods, so you can look

43
00:03:53,520 --> 00:04:01,190
at the logs using the kubectl logs command followed by the pod name. Sometimes, if the core components

44
00:04:01,220 --> 00:04:08,900
such as the Kubernetes API server or the etcd server are down, the kubectl commands won't function. In that case

45
00:04:09,230 --> 00:04:15,380
you have to go one level down to Docker to fetch the logs. List all the containers using the docker

46
00:04:15,460 --> 00:04:21,430
ps -a command, and then view the logs using the docker logs command followed by the container ID.

47
00:04:22,680 --> 00:04:24,450
Well, that's it for this lecture.

48
00:04:24,450 --> 00:04:29,970
Head over to the practice test and practice viewing information about an existing cluster.
