kube-apiserver tls certificate
Hey, is it possible to deploy k0s using k0sctl so that all kube-apiserver instances in the cluster use the same certificate in tls-cert-file, like in RKE1, or have the CA included inside tls-cert-file, like in RKE2? If I deploy k0s using k0sctl, all kube-apiserver instances use unique certificates for TLS on port 6443.
I want to generate a kubeconfig with an OIDC JWT token and use the "certificate-authority" from the kube-apiserver on port 6443, but the kube-apiserver certificates are different from one another. I end up getting an x509 error when I try to use the kubeconfig to access the API through a round-robin load balancer.
With files / hooks overwriting server.crt and server.key in /var/lib/k0s/pki, you might be able to pull off getting the same cert on all nodes, but there are security concerns and other downsides to this. Not recommended, not supported.
Since all kube-apiserver instances in k0s use certificates signed by the same internal cluster CA (/var/lib/k0s/pki/ca.crt), which is also included in certificate-authority-data of the kubeconfig from k0sctl kubeconfig or k0sctl apply --kubeconfig-out, it should work with any of the kube-apiserver certs as long as the SANs in spec.k0s.config.spec.api.sans include the domain name or IP of the load balancer so the cert matches the address used by the client.
You should rather use the cluster-wide CA as the root of trust instead of individual server certs.
That's exactly what I'd like to do. Could you please direct me to any documentation on how to achieve this? As I mentioned earlier, I'm aiming to generate a kubeconfig dynamically, which requires obtaining the CA certificate on the fly. Ideally, I would like not to provide users with the kubeconfig generated by the k0sctl kubeconfig output.
I was able to add the CA to pki/server.crt using a k0sctl hook, which now allows me to retrieve the CA from the 6443 API port. However, k0s overwrites pki/server.crt upon restart. Is there a more persistent solution to this issue?
The certificates are indeed regenerated by k0s; you want to provide your own CA (or use the one that k0s generates, which won't be overwritten). It's stored in <data-dir>/pki/ca.{crt,key}: https://docs.k0sproject.io/stable/custom-ca
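As an added illustration of the approach the answers describe (not code from the thread, k0s or k0sctl): a small POSIX shell script that builds a kubeconfig dynamically from the cluster CA at the path given above and an OIDC JWT, and a helper that checks, over the network, that whatever certificate a load-balancer or controller endpoint presents chains to that CA and covers the address the client uses. The CA path, the load-balancer hostname, the function names and the token value are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of k0s/k0sctl. Assumes the k0s default data dir,
# so the cluster CA lives at /var/lib/k0s/pki/ca.crt (see the answer above).
K0S_CA=${K0S_CA:-/var/lib/k0s/pki/ca.crt}

# build_kubeconfig CA_FILE SERVER_URL ID_TOKEN OUT_FILE
# Emits a kubeconfig whose cluster entry trusts the cluster CA via
# certificate-authority-data (base64 of the CA PEM) instead of any one
# kube-apiserver's server.crt, and whose user carries the OIDC JWT as a
# bearer token. Because every controller's cert is signed by this CA, the
# same file works through a round-robin load balancer.
build_kubeconfig() {
  ca_file=$1; server=$2; token=$3; out=$4
  # single-line base64 without GNU-only -w0, so it also works on BSD base64
  ca_b64=$(base64 < "$ca_file" | tr -d '\n')
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: k0s
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: oidc-user
  user:
    token: ${token}
contexts:
- name: k0s
  context:
    cluster: k0s
    user: oidc-user
current-context: k0s
EOF
}

# verify_endpoint CA_FILE HOST [PORT]
# Connects to HOST:PORT (the load balancer, or each controller in turn),
# and succeeds only if the presented leaf cert chains to CA_FILE and HOST
# is covered by its SANs, i.e. HOST was listed in spec.k0s.config.spec.api.sans.
# Needs network access; it is the check to run after changing the SANs.
verify_endpoint() {
  ca_file=$1; host=$2; port=${3:-6443}
  openssl s_client -connect "${host}:${port}" -servername "$host" \
    -CAfile "$ca_file" -verify_hostname "$host" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Typical use on a controller (hostname and token are placeholders):
#   build_kubeconfig "$K0S_CA" https://lb.example.internal:6443 "$ID_TOKEN" ./kubeconfig
#   verify_endpoint "$K0S_CA" lb.example.internal 6443 && echo "LB cert chains to cluster CA"
```

If verify_endpoint fails against the load balancer but succeeds against each controller's own address, the CA is fine and the missing piece is the load-balancer name or IP in the api.sans list, which is the x509 mismatch the original question hit.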