Client Certificate
Attention
Please note before using client certificate authentication:
- You cannot revoke a client certificate. Once a client certificate is compromised, you can only restrict access using RBAC. Restricting access using RBAC might not be a solution. For example: you can add the system:cluster-admins group to your client certificate. I don't know if your cluster would survive if you removed all privileges from this system group.
- After the certificate signing request is approved, it is deleted after a while. You don't know what client certificates have been signed out there.
- A signed client certificate is valid for 365 days by default.
Create a certificate signing request
Since OpenSSL 3.0, use -noenc instead of -nodes.
Sign request
Create CSR object
Approve CSR
Export Certificate
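The four steps above as one script, added here as an example and not taken from the original page. It requests a shorter lifetime than the 365-day default and appends each issued certificate's subject, serial and expiry to a local log, since the CSR object does not stay around as a record. Assumptions: kubectl is the cluster client, the certificates.k8s.io/v1 API with spec.expirationSeconds (Kubernetes 1.22 or later) is available, and the file name issued-client-certs.log and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. User/group names, file names and the lifetime are assumptions.
set -eu

# Create a certificate signing request: CN is the user name, O the group.
# -noenc needs OpenSSL 3.0 or later (older releases: -nodes).
make_csr() {  # make_csr USER GROUP
  openssl req -new -newkey rsa:4096 -noenc \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1/O=$2"
}

# Render the CSR object. expirationSeconds requests a lifetime shorter than
# the 365-day default; the signer may still cap or adjust it.
render_csr_object() {  # render_csr_object NAME BASE64_CSR SECONDS
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $2
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: $3
  usages:
  - client auth
EOF
}

# Create the CSR object, approve it, export the certificate, log what was issued.
sign_and_export() {  # sign_and_export USER SECONDS
  req=$(base64 < "$1.csr" | tr -d '\n')
  render_csr_object "$1" "$req" "$2" | kubectl apply -f -
  kubectl certificate approve "$1"
  cert=""; tries=0
  while [ -z "$cert" ] && [ "$tries" -lt 10 ]; do   # issuance is asynchronous
    sleep 1; tries=$((tries + 1))
    cert=$(kubectl get csr "$1" -o jsonpath='{.status.certificate}')
  done
  [ -n "$cert" ] || { echo "certificate not issued" >&2; return 1; }
  printf '%s' "$cert" | base64 -d > "$1.crt"
  # The CSR object is garbage-collected later, so keep your own issuance record.
  openssl x509 -in "$1.crt" -noout -subject -serial -enddate >> issued-client-certs.log
}

# Run the whole procedure only when called as: script USER GROUP SECONDS
if [ "$#" -eq 3 ]; then
  make_csr "$1" "$2"
  sign_and_export "$1" "$3"
fi
```

Compare the logged notAfter date with the lifetime you requested, and grant the user or group its permissions through RBAC bindings rather than by putting a privileged system group in the certificate subject.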