Lucas Wang:
Hi guys~ I have a question about the Security section. I knew very little about k8s before I started this course. Everything was fine before the Security section. I could understand the concepts and follow the practice labs. But things changed in this section.
For example, in the first lab, it asks: Identify the ETCD Server CA Root Certificate used to serve ETCD Server?
And the hint is: Look for CA Certificate (trusted-ca-file) in file /etc/kubernetes/manifests/etcd.yaml.
This makes me feel so confused. How should I know in which folder to find the corresponding file path?
I think I may have missed some concept before I started this section.
Can anyone answer me? Or give me some additional reading materials?
THX. : )
Niraj Samal:
Hi @Lucas Wang, sorry if I misread it, but the hint already gave the full path:
Path = /etc/kubernetes/manifests/
File = etcd.yaml
What’s the doubt here?
Lucas Wang:
Hi @Niraj Samal thanks for your reply.
Yes, we can find the answer with that hint. But without that hint I don’t know where I can find the answer. Is it because CA and etcd appear in the question and etcd is a static pod, so I need to go to /etc/kubernetes/manifests/etcd.yaml to find my answer?
unnivkn:
“and etcd is a static pod so I need to go to /etc/kubernetes/manifests/etcd.yaml to find my answer?” —> Yes @Lucas Wang, you are right.
Chunlei Zhang:
I guess the CA file path should depend on how the k8s cluster is deployed. If it is provisioned via kubeadm, then the static pod path shows the path of the CA file, which is loaded within /etc/kubernetes/manifests/.
If not, such as when etcd acts as a service, the “ca.crt” file should be found under --trusted-ca-file=/etc/etcd/ca.crt, according to Bootstrapping the etcd Cluster (https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/07-bootstrapping-etcd.md). Or you can configure it yourself with the service configuration.