Segmenting etcd on Kubernetes (basic)

    When using etcd with RBAC, all components that access etcd must be configured with the proper certificates. This document describes the users and roles needed to segment etcd so that Kubernetes and Calico can only read and write within their respective subtrees/prefixes. To configure more compartmentalized configurations of the Calico components, see the addon guide.

    This guide assumes you are following the general and using its guidance for setting up certificates and etcd cluster, users, and roles.

    You are using Kubernetes and Calico that share an etcd datastore and you wish to ensure that Calico and Kubernetes are unable to access each other's etcd data.

    • Calico
      • Read and write access to /calico/.

    All certificate/key pairs that are referenced below are assumed to have been created for the specific component with the information above.

    The kube-apiserver is the only Kubernetes component that directly accesses etcd. The flags required to provide the kube-apiserver with certificates for accessing an etcd cluster are:

    • --etcd-cafile=<CA certificate>
    • --etcd-certfile=<certificate with etcd username as CN>

    Setting these will depend on the method used to deploy Kubernetes, so refer to your integrator's documentation for help setting these flags.

    The pieces that would need updating are:

    • The ConfigMap lines with etcd_ca, etcd_cert, and etcd_key should be updated as follows

    • The Secret named calico-etcd-secrets needs to be updated with the CA and cert/key. The information stored in a Secret needs to be base64 encoded. Each file can be converted to base64 encoding by running a command such as cat <file> | base64 -w 0 on it and then inserting the output into the appropriate field.

      • The etcd-key field needs the base64 encoded file contents from the key file.
      • The etcd-cert field needs the base64 encoded file contents from the certificate file.
      • The etcd-ca field needs the base64 encoded file contents from the Certificate Authority certificate.
    • If sharing an etcd cluster with Kubernetes, disable etcd compaction in the calico-kube-controllers deployment by setting the environment variable to 0.
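    The Secret assembly described above, together with the CN check that the certificate bullets rely on, as an added shell example that is not part of the Calico documentation: it renders calico-etcd-secrets from the three files and verifies that the client certificate's CN is the etcd user whose role was granted /calico/ access. It assumes POSIX sh, base64 and openssl; the kube-system namespace, the file names and the user name calico are assumptions.

```shell
#!/bin/sh
# Added example (not Calico's own code). Builds the calico-etcd-secrets
# Secret from the CA, cert and key files and checks the cert CN first.

# Encode one file as a single base64 line (same result as `base64 -w 0`,
# but also works where base64 lacks -w).
b64_file() {
  base64 < "$1" | tr -d '\n'
}

# Print the Secret manifest for the three files. The data field names
# match the ones the guide uses: etcd-ca, etcd-cert, etcd-key.
# Namespace kube-system is an assumption.
render_calico_etcd_secret() {
  ca="$1"; cert="$2"; key="$3"
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: calico-etcd-secrets
  namespace: kube-system
type: Opaque
data:
  etcd-ca: $(b64_file "$ca")
  etcd-cert: $(b64_file "$cert")
  etcd-key: $(b64_file "$key")
EOF
}

# Decode one data field of a rendered manifest read from stdin, so the
# encoded values can be round-trip checked before the Secret is applied.
secret_field() {
  sed -n "s/^  $1: //p" | base64 -d
}

# etcd maps the client certificate's CN to the etcd user name, so a cert
# whose CN is not the intended user silently gets that other user's role.
# $1 = certificate file, $2 = expected etcd user name (e.g. calico).
cert_cn_is() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 \
       | sed -n 's/^ *CN=//p')
  [ "$cn" = "$2" ]
}

# Usage with placeholder file names:
#   cert_cn_is calico.crt calico && \
#   render_calico_etcd_secret ca.crt calico.crt calico.key > secret.yaml
```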