Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 7. Configuring MicroShift authentication and security

7.1. Configuring custom certificate authorities
Copiar o link

You can allow and encrypt connections with external clients by replacing the MicroShift default API server certificate with a custom server certificate issued by a certificate authority (CA).

7.1.1. How custom certificate authorities work in MicroShift
Copiar o link

To enable external clients to verify the MicroShift API server and maintain encrypted connections, you can replace the default internal certificate with a custom server certificate issued by a trusted certificate authority (CA).

By default, clients outside of the node cannot verify the MicroShift-issued API server certificate. You must update the configuration file with the certificate location and relevant domain names to ensure secure access across your network.

  1. Copy the certificates and keys to the preferred directory in the host operating system. Ensure that the files are accessible by root only.

  2. Update the MicroShift configuration for each custom CA by specifying the certificate names and new fully qualified domain name (FQDN) in the MicroShift /etc/microshift/config.yaml configuration file.

    Each certificate configuration can contain the following values:

    • The certificate file location is a required value.

    • A single common name containing the API server DNS and IP address or IP address range.

      Tip

      In most cases, MicroShift generates a new kubeconfig for your custom CA that includes the IP address or range that you specify. The exception is when wildcards are specified for the IP address. In this case, MicroShift generates a kubeconfig with the public IP address of the server. To use wildcards, you must update the kubeconfig file with your specific details.

    • Multiple Subject Alternative Names (SANs) containing the API server DNS and IP addresses or a wildcard certificate.
    • You can provide additional DNS names for each certificate.
  3. After the MicroShift service restarts, you must copy the generated kubeconfig files to the client.
  4. Configure additional CAs on the client system. For example, you can update CA bundles in the Red Hat Enterprise Linux (RHEL) truststore.
  5. The certificates and keys are read from the specified file location on the host. Testing and validation of configuration is done from the client.
  6. External server certificates are not automatically renewed. You must manually rotate your external certificates.
Note

If any validation fails, the MicroShift service skips the custom configuration and uses the default certificate to start. The priority is to continue the service uninterrupted. MicroShift logs errors when the service starts. Common errors include expired certificates, missing files, or incorrect IP addresses.

Important

Custom server certificates have to be validated against CA data configured in the trust root of the host operating system. For information, see The system-wide truststore.

7.1.2. Configuring custom certificate authorities
Copiar o link

To configure externally generated certificates and domain names by using custom certificate authorities (CAs), add them to the MicroShift /etc/microshift/config.yaml configuration file. You must also configure the host operating system trust root.

Note

Externally generated kubeconfig files are created in the /var/lib/microshift/resources/kubeadmin/<hostname>/kubeconfig directory. If you need to use localhost in addition to externally generated configurations, retain the original kubeconfig file in its default location. The localhost kubeconfig file uses the self-signed certificate authority.

Prerequisites

  • The OpenShift CLI (oc) is installed.
  • You have root access to the node.
  • The certificate authority has issued the custom certificates.
  • A MicroShift /etc/microshift/config.yaml configuration file exists.

Procedure

  1. Copy the custom certificates you want to add to the trust root of the MicroShift host. Ensure that the certificate and private keys are only accessible to MicroShift.

  2. For each custom CA that you need, add an apiServer section called namedCertificates to the /etc/microshift/config.yaml MicroShift configuration file by using the following example: 

    apiServer:
  namedCertificates:
   - certPath: ~/certs/api_fqdn_1.crt
     keyPath:  ~/certs/api_fqdn_1.key
   - certPath: ~/certs/api_fqdn_2.crt
     keyPath:  ~/certs/api_fqdn_2.key
     names:
     - api_fqdn_1
     - *.apps.external.com

    where:

    apiServer.namedCertificates.certPath
    Add the full path to the certificate.
    apiServer.namedCertificates.keyPath
    Add the full path to the certificate key.
    apiServer.namedCertificates.names
    Optional. Add a list of explicit DNS names. Leading wildcards are allowed. If no names are listed, the implicit names are extracted from the certificates.

  3. Restart the MicroShift to apply the certificates by running the following command: 

    $ systemctl microshift restart
  4. Wait a few minutes for the system to restart and apply the custom server. New kubeconfig files are generated in the /var/lib/microshift/resources/kubeadmin/ directory.
  5. Copy the kubeconfig files to the client. If you specified wildcards for the IP address, update the kubeconfig to remove the public IP address of the server and replace that IP address with the specific wildcard range you want to use.

  6. From the client, use the following steps:

    1. Specify the kubeconfig to use by running the following command: 

      $ export KUBECONFIG=~/custom-kubeconfigs/kubeconfig

      Use the location of the copied kubeconfig file as the path.

    2. Check that the certificates are applied by using the following command: 

      $ oc --certificate-authority ~/certs/ca.ca get node

      Example output

      oc get node
NAME                             STATUS   ROLES                         AGE   VERSION
dhcp-1-235-195.arm.example.com   Ready    control-plane,master,worker   76m   v1.30.3

    3. Add the new CA file to the $KUBECONFIG environment variable by running the following command: 

      $ oc config set clusters.microshift.certificate-authority /tmp/certificate-authority-data-new.crt

    4. Verify that the new kubeconfig file contains the new CA by running the following command: 

      $ oc config view --flatten

      Example externally generated kubeconfig file

      apiVersion: v1
clusters:
- cluster:
    certificate-authority: /tmp/certificate-authority-data-new.crt
    server: https://api.ci-ln-k0gim2b-76ef8.aws-2.ci.openshift.org:6443
  name: ci-ln-k0gim2b-76ef8
contexts:
- context:
    cluster: ci-ln-k0gim2b-76ef8
    user:
  name:
current-context:
kind: Config
preferences: {}

      where:

      clusters.cluster.certificate-authority
      The certificate-authority-data section is not present in externally generated kubeconfig files. It is added with the oc config set command used previously.

    5. Verify the subject and issuer of your customized API server certificate authority by running the following command: 

      $ curl --cacert /tmp/caCert.pem https://${fqdn_name}:6443/healthz -v

      Example output

      Server certificate:
  subject: CN=kas-test-cert_server
  start date: Mar 12 11:39:46 2024 GMT
  expire date: Mar 12 11:39:46 2025 GMT
  subjectAltName: host "dhcp-1-235-3.arm.eng.rdu2.redhat.com" matched cert's "dhcp-1-235-3.arm.eng.rdu2.redhat.com"
  issuer: CN=kas-test-cert_ca
  SSL certificate verify ok.

      Important

      Either replace the certificate-authority-data in the generated kubeconfig file with the new rootCA or add the certificate-authority-data to the trust root of the operating system. Do not use both methods.

    6. Configure additional CAs in the trust root of the operating system. For example, in the RHEL Client truststore on the client system. See The system-wide truststore for details.

      • Updating the certificate bundle with the configuration that contains the CA is recommended.
      • If you do not want to configure your certificate bundles, you can alternately use the oc login localhost:8443 --certificate-authority=/path/to/cert.crt command, but this method is not preferred.

7.1.3. Custom certificates reserved name values
Copiar o link

Certificate problems cause MicroShift to ignore certificates dynamically and log an error. Problems can be caused by:

  • The certificate files do not exist on the disk or are not readable.
  • The certificate is not parsable.
  • The certificate overrides the internal certificates IP addresses or DNS names in a SubjectAlternativeNames (SAN) field. Do not use a reserved name when configuring SANs.
Expand
Table 7.1. Reserved Names values
AddressTypeComment

localhost

DNS

 

127.0.0.1

IP Address

 

10.42.0.0

IP Address

Node Network

10.43.0.0/16,10.44.0.0/16

IP Address

Service Network

169.254.169.2/29

IP Address

br-ex Network

kubernetes.default.svc

DNS

 

openshift.default.svc

DNS

 

svc.cluster.local

DNS

 

7.1.4. Troubleshooting custom certificates
Copiar o link

To troubleshoot the implementation of custom certificates, you can take the following steps.

Procedure

  1. From MicroShift, ensure that the certificate is served by the kube-apiserver and verify that the certificate path is appended to the --tls-sni-cert-key FLAG by running the following command: 

    $ journalctl -u microshift -b0 | grep tls-sni-cert-key

    Example output

    Jan 24 14:53:00 localhost.localdomain microshift[45313]: kube-apiserver I0124 14:53:00.649099   45313 flags.go:64] FLAG: --tls-sni-cert-key="[/home/eslutsky/dev/certs/server.crt,/home/eslutsky/dev/certs/server.key;/var/lib/microshift/certs/kube-apiserver-external-signer/kube-external-serving/server.crt,/var/lib/microshift/certs/kube-apiserver-external-signer/kube-external-serving/server.key;/var/lib/microshift/certs/kube-apiserver-localhost-signer/kube-apiserver-localhost-serving/server.crt,/var/lib/microshift/certs/kube-apiserver-localhost-signer/kube-apiserver-localhost-serving/server.key;/var/lib/microshift/certs/kube-apiserver-service-network-signer/kube-apiserver-service-network-serving/server.crt,/var/lib/microshift/certs/kube-apiserver-service-network-signer/kube-apiserver-service-network-serving/server.key

  2. From the client, ensure that the kube-apiserver is serving the correct certificate by running the following command: 

    $ openssl s_client -connect <SNI_ADDRESS>:6443 -showcerts | openssl x509 -text -noout -in - | grep -C 1 "Alternative\|CN"

7.1.5. Cleaning up and recreating the custom certificates
Copiar o link

You can stop the MicroShift service, clean up the custom certificates, and re-create the custom certificates, to ensure that your system uses the most recent certificate data.

Procedure

  1. Stop the MicroShift services and clean up the custom certificates by running the following command: 

    $ sudo microshift-cleanup-data --cert

    Example output

    Stopping MicroShift services
Removing MicroShift certificates
MicroShift service was stopped
Cleanup succeeded

  2. Restart the MicroShift services to recreate the custom certificates by running the following command: 

    $ sudo systemctl start microshift

7.2. Configuring audit logging policies
Copiar o link

You can control MicroShift audit log file rotation and retention by using configuration values.

7.2.1. About setting limits on audit log files
Copiar o link

To prevent logging data from exceeding the storage capacity of far-edge devices, you can set rotation and retention limits for MicroShift audit log files. Configuring the size, number, and age values ensures that host systems maintain the processing space required for node workloads.

The values you set to limit MicroShift audit logs enable you to enforce the size, number, and age limits of audit log backups. Field values are processed independently of one another and without prioritization.

You can set fields in combination to define a maximum storage limit for retained logs. For example:

  • Set both maxFileSize and maxFiles to create a log storage upper limit.
  • Set a maxFileAge value to automatically delete files older than the timestamp in the file name, regardless of the maxFiles value.

7.2.1.1. Default audit log values
Copiar o link

MicroShift includes the following default audit log rotation values:

Expand
Table 7.2. MicroShift default audit log values
Audit log parameterDefault settingDefinition

maxFileAge:

0

How long log files are retained before automatic deletion. The default value means that a log file is never deleted based on age. This value can be configured.

maxFiles:

10

The total number of log files retained. By default, MicroShift retains 10 log files. The oldest is deleted when an excess file is created. This value can be configured.

maxFileSize:

200

By default, when the audit.log file reaches the maxFileSize limit, the audit.log file is rotated and MicroShift begins writing to a new audit.log file. This value is in megabytes and can be configured.

profile:

Default

The Default profile setting only logs metadata for read and write requests; request bodies are not logged except for OAuth access token requests. If you do not specify this field, the Default profile is used.

The maximum default storage usage for audit log retention is 2000Mb if there are 10 or fewer files.

If you do not specify a value for a field, the default value is used. If you remove a previously set field value, the default value is restored after the next MicroShift service restart.

Important

You must configure audit log retention and rotation in Red Hat Enterprise Linux (RHEL) for logs that are generated by application pods. These logs print to the console and are saved. Ensure that your log preferences are configured for the RHEL /var/log/audit/audit.log file to maintain MicroShift node health.

7.2.2. About audit log policy profiles
Copiar o link

To monitor activity and maintain compliance, you can apply audit log profiles that define the level of detail recorded for API server requests. While more comprehensive profiles provide request bodies for troubleshooting, they also increase resource overhead on the host system.

Audit log profiles define how to log requests that come to the OpenShift API server and the Kubernetes API server.

MicroShift supports the following predefined audit policy profiles:

Expand
ProfileDescription

Default

Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests. This is the default policy.

WriteRequestBodies

In addition to logging metadata for all requests, logs request bodies for every write request to the API servers (create, update, patch, delete, deletecollection). This profile has more resource overhead than the Default profile. [1]

AllRequestBodies

In addition to logging metadata for all requests, logs request bodies for every read and write request to the API servers (get, list, create, update, patch). This profile has the most resource overhead. [1]

None

No requests are logged, including OAuth access token requests and OAuth authorize token requests.

Warning

Do not disable audit logging by using the None profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue to troubleshoot properly.

  1. Sensitive resources, such as Secret, Route, and OAuthClient objects, are only logged at the metadata level.

By default, MicroShift uses the Default audit log profile. You can use another audit policy profile that also logs request bodies, but be aware of the increased resource usage such as CPU, memory, and I/O.

7.2.3. Configuring audit log values
Copiar o link

To manage disk space, you can customize the audit log retention settings in the MicroShift configuration file. Adjusting values such as file age and size ensures that the system retains critical event data without exhausting local storage.

Procedure

  1. Make a copy of the provided config.yaml.default file in the /etc/microshift/ directory, renaming it config.yaml. Keep the new MicroShift config.yaml you create in the /etc/microshift/ directory. The new config.yaml is read whenever the MicroShift service starts. After you create it, the config.yaml file takes precedence over built-in settings.

  2. Replace the default values in the auditLog section of the YAML with your desired valid values.

    Example default auditLog configuration

    apiServer:
# ....
  auditLog:
    maxFileAge: 7
    maxFileSize: 200
    maxFiles: 1
    profile: Default
# ....

    where:

    apiServer.auditLog.maxFileAge
    Specifies the maximum time in days that log files are kept. Files older than this limit are deleted. In this example, after a log file is more than 7 days old, it is deleted. The files are deleted regardless of whether or not the live log has reached the maximum file size specified in the maxFileSize field. File age is determined by the timestamp written in the name of the rotated log file, for example, audit-2024-05-16T17-03-59.994.log. When the value is 0, the limit is disabled.
    apiServer.auditLog.maxFileSize
    The maximum audit log file size in megabytes. In this example, the file is rotated as soon as the live log reaches the 200 MB limit. When the value is set to 0, the limit is disabled.
    apiServer.auditLog.maxFiles
    The maximum number of rotated audit log files retained. After the limit is reached, the log files are deleted in order from oldest to newest. In this example, the value 1 results in only 1 file of size maxFileSize being retained in addition to the current active log. When the value is set to 0, the limit is disabled.
    apiServer.auditLog.profile
    Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests. If you do not specify this field, the Default profile is used.

  3. Optional: To specify a new directory for logs, you can stop MicroShift, and then move the /var/log/kube-apiserver directory to your desired location:

    1. Stop MicroShift by running the following command: 

      $ sudo systemctl stop microshift

    2. Move the /var/log/kube-apiserver directory to your desired location by running the following command: 

      $ sudo mv /var/log/kube-apiserver <~/kube-apiserver>

      Replace <~/kube-apiserver> with the path to the directory that you want to use.

    3. If you specified a new directory for logs, create a symlink to your custom directory at /var/log/kube-apiserver by running the following command: 

      $ sudo ln -s <~/kube-apiserver> /var/log/kube-apiserver

      Replace <~/kube-apiserver> with the path to the directory that you want to use. This enables the collection of logs in sos reports.

  4. If you are configuring audit log policies on a running instance, restart MicroShift by entering the following command: 

    $ sudo systemctl restart microshift

7.2.4. Troubleshooting audit log configuration
Copiar o link

You can use the following steps to troubleshoot MicroShift custom audit log settings and file locations.

Procedure

  • Check the current values that are configured by running the following command: 

    $ sudo microshift show-config --mode effective

    Example output

    auditLog:
    maxFileSize: 200
    maxFiles: 1
    maxFileAge: 7
    profile: AllRequestBodies

  • Check the audit.log file permissions by running the following command: 

    $ sudo ls -ltrh /var/log/kube-apiserver/audit.log

    Example output

    -rw-------. 1 root root 46M Mar 12 09:52 /var/log/kube-apiserver/audit.log

  • List the contents of the current log directory by running the following command: 

    $ sudo ls -ltrh /var/log/kube-apiserver/

    Example output

    total 6.0M
-rw-------. 1 root root 2.0M Mar 12 10:56 audit-2024-03-12T14-56-16.267.log
-rw-------. 1 root root 2.0M Mar 12 10:56 audit-2024-03-12T14-56-49.444.log
-rw-------. 1 root root 962K Mar 12 10:57 audit.log

Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2026 Red HatVoltar ao topo