SUSE Support

Here When You Need Us

What Desginated Name (DN) fields are used by Kubernetes when generating custom certificates from a provided CA Cert or PKI tool?

This document (000020306) is provided subject to the disclaimer at the end of this document.

Environment

RKE Kubernetes cluster, where the user decides to generate custom certificates from an external, non-self-signed Root Cerficiate Authority (CA).  

Situation

Upon issuing the following command, 
rke up

a user might experience the error message below.
  
INFO[0092] [authz] Creating rke-job-deployer ServiceAccount FATA[0119] Failed to apply the ServiceAccount needed for job execution: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "kube-admin" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope

 

Resolution

While working with your own PKI toolsets, and providing a custom CA (Certificate Authority),
check the Organization (O) fields for the generated certificates Common Names (CN) and their signing requests (CSR).  The examples here are directly from Kubernetes the Hard Way, and outline a manual process for certificate generation. Where ${Instance} is mentioned, this is a variable for the name of the node that represents each kubelet, with every node having its own certificate.
 
Kubernetes Component Certificates Common Name (CN)Organization (O)
CA RootkubernetesKubernetes
Adminadminsystem:masters
Kubeletsystem:node:${Instance}system:nodes
Controller Managersystem:kube-controller-managersystem:kube-controller-manager
Kube Proxysystem:kube-proxysystem:node-proxier
Schedulersystem:kube-schedluersystem:kube-scheduler
API ServerkubernetesKubernetes
Service Account Key Pairservice-accountsKubernetes

 

Cause

If the proper Organization fields are not set, Kubernetes cannot assign compatible permissions to the different underlying components.  With self-signed certificates these fields are generated automatically.  With custom certificates, it's important to verfiy these fields are correct, as they may have been set by external tooling or automation.

Sometimes a Kubernetes administrator may leave all the fields of their certificates or CSRs blank or with predefined values, it can be easy to overlook the O field for a specific CN, an the proper kubernetes permissions will not get applied.

Additional Information

Kubernetes the Hard Way, Certificate Authority - https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020306
  • Creation Date: 28-Jun-2021
  • Modified Date:29-Sep-2022
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community
tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Support FAQ
tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center