fix code snippets and tweak a heading (#9909)
parent
c78633e97e
commit
d52544c181
|
@ -64,8 +64,8 @@ The cfssl tools used in this example can be downloaded at
|
||||||
Generate a private key and certificate signing request (or CSR) by running
|
Generate a private key and certificate signing request (or CSR) by running
|
||||||
the following command:
|
the following command:
|
||||||
|
|
||||||
```console
|
```shell
|
||||||
$ cat <<EOF | cfssl genkey - | cfssljson -bare server
|
cat <<EOF | cfssl genkey - | cfssljson -bare server
|
||||||
{
|
{
|
||||||
"hosts": [
|
"hosts": [
|
||||||
"my-svc.my-namespace.svc.cluster.local",
|
"my-svc.my-namespace.svc.cluster.local",
|
||||||
|
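Review bot: the heredoc at `cat <<EOF | cfssl genkey - | cfssljson -bare server` uses an unquoted `EOF`, so once the `$` prompt is dropped and the block is pasted as-is, the shell will expand any `$` or backtick that ends up in the JSON body. The body lines visible here contain nothing to expand, so consider `<<'EOF'` to pass the JSON through literally. The commit message could also say why `console` became `shell` (prompt-free, copy-pasteable commands).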
@ -104,8 +104,8 @@ is still to be created.
|
||||||
Generate a CSR yaml blob and send it to the apiserver by running the following
|
Generate a CSR yaml blob and send it to the apiserver by running the following
|
||||||
command:
|
command:
|
||||||
|
|
||||||
```console
|
```shell
|
||||||
$ cat <<EOF | kubectl create -f -
|
cat <<EOF | kubectl create -f -
|
||||||
apiVersion: certificates.k8s.io/v1beta1
|
apiVersion: certificates.k8s.io/v1beta1
|
||||||
kind: CertificateSigningRequest
|
kind: CertificateSigningRequest
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -132,8 +132,11 @@ same API.
|
||||||
The CSR should now be visible from the API in a Pending state. You can see
|
The CSR should now be visible from the API in a Pending state. You can see
|
||||||
it by running:
|
it by running:
|
||||||
|
|
||||||
```console
|
```shell
|
||||||
$ kubectl describe csr my-svc.my-namespace
|
kubectl describe csr my-svc.my-namespace
|
||||||
|
```
|
||||||
|
|
||||||
|
```none
|
||||||
Name: my-svc.my-namespace
|
Name: my-svc.my-namespace
|
||||||
Labels: <none>
|
Labels: <none>
|
||||||
Annotations: <none>
|
Annotations: <none>
|
||||||
|
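Review bot: after the split, the `shell` block with `kubectl describe csr my-svc.my-namespace` is followed directly by the `none` block with nothing between the two fences. Add a short line such as "The output is similar to this:" before the `none` fence so readers can tell the second block is sample output, not something to type.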
@ -160,8 +163,11 @@ information on what this involves is covered below.
|
||||||
|
|
||||||
Once the CSR is signed and approved you should see the following:
|
Once the CSR is signed and approved you should see the following:
|
||||||
|
|
||||||
```console
|
```shell
|
||||||
$ kubectl get csr
|
kubectl get csr
|
||||||
|
```
|
||||||
|
|
||||||
|
```none
|
||||||
NAME AGE REQUESTOR CONDITION
|
NAME AGE REQUESTOR CONDITION
|
||||||
my-svc.my-namespace 10m yourname@example.com Approved,Issued
|
my-svc.my-namespace 10m yourname@example.com Approved,Issued
|
||||||
```
|
```
|
||||||
|
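Review bot: the lead-in "Once the CSR is signed and approved you should see the following:" now introduces the `kubectl get csr` command block, while the output it refers to sits in the separate `none` block below it. Reword the sentence to introduce the command (for example "run:") and add a line before the `none` fence that introduces the expected output.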
@ -169,8 +175,8 @@ my-svc.my-namespace 10m yourname@example.com Approved,Issued
|
||||||
You can download the issued certificate and save it to a `server.crt` file
|
You can download the issued certificate and save it to a `server.crt` file
|
||||||
by running the following:
|
by running the following:
|
||||||
|
|
||||||
```console
|
```shell
|
||||||
$ kubectl get csr my-svc.my-namespace -o jsonpath='{.status.certificate}' \
|
kubectl get csr my-svc.my-namespace -o jsonpath='{.status.certificate}' \
|
||||||
| base64 --decode > server.crt
|
| base64 --decode > server.crt
|
||||||
```
|
```
|
||||||
|
|
||||||
|
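Review bot: in the download command, `| base64 --decode > server.crt` creates `server.crt` even when `.status.certificate` is still empty, so a reader who pastes this before the CSR shows `Approved,Issued` gets a zero-byte file and no error. Since the snippet is being touched anyway, add a sentence telling readers to confirm the `Approved,Issued` condition first, or to check that `server.crt` is non-empty afterwards.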
@ -200,7 +206,7 @@ to verify that the CSR satisfies two requirements:
|
||||||
If and only if these two requirements are met, the approver should approve
|
If and only if these two requirements are met, the approver should approve
|
||||||
the CSR and otherwise should deny the CSR.
|
the CSR and otherwise should deny the CSR.
|
||||||
|
|
||||||
## A Word of **Warning** on the Approval Permission
|
## A Word of Warning on the Approval Permission
|
||||||
|
|
||||||
The ability to approve CSRs decides who trusts who within the cluster. This
|
The ability to approve CSRs decides who trusts who within the cluster. This
|
||||||
includes who the Kubernetes API trusts. The ability to approve CSRs should
|
includes who the Kubernetes API trusts. The ability to approve CSRs should
|
||||||
|
|
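Review bot: the heading changes from `## A Word of **Warning** on the Approval Permission` to the unbolded form, which may change the generated anchor depending on how the site renderer slugs inline markup. Check that the anchor is unchanged, or update any links that point at this section.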