Securing Control Plane

All API communication between Antrea control plane components is encrypted with TLS. The TLS certificates that Antrea requires can be automatically generated. You can also provide your own certificates. This page explains the certificates that Antrea requires and how to configure and rotate them for Antrea.

Table of Contents

What certificates are required by Antrea

Currently Antrea only requires a single server certificate for the antrea-controller API server endpoint, which is for the following communication:

  • The antrea-agents talks to the antrea-controller for fetching the computed NetworkPolicies
  • The kube-aggregator (i.e. kube-apiserver) talks to the antrea-controller for proxying antctl’s requests (when run in “controller” mode)

Antrea doesn’t require client certificates for its own components as it delegates authentication and authorization to the Kubernetes API, using Kubernetes ServiceAccount tokens for client authentication.

How certificates are used by Antrea

By default, antrea-controller generates a self-signed certificate. You can override the behavior by providing your own certificates. Either way, the antrea-controller will distribute the CA certificate as a ConfigMap named antrea-ca in the Antrea deployment Namespace and inject it into the APIServices resources created by Antrea in order to allow its clients (i.e. antrea-agent, kube-apiserver) to perform authentication.

Typically, clients that wish to access the antrea-controller API can authenticate the server by validating against the CA certificate published in the antrea-ca ConfigMap.

Providing your own certificates

Since Antrea v0.7.0, you can provide your own certificates to Antrea. To do so, you must set the selfSignedCert field of antrea-controller.conf to false, so that the antrea-controller will read the certificate key pair from the antrea-controller-tls Secret. The example manifests and descriptions below assume Antrea is deployed in the kube-system Namespace. If you deploy Antrea in a different Namepace, please update the Namespace name in the manifests accordingly.

  1. apiVersion: v1
  2. kind: ConfigMap
  3. metadata:
  4. labels:
  5. app: antrea
  6. name: antrea-config
  7. namespace: kube-system
  8. data:
  9. antrea-controller.conf: |
  10. selfSignedCert: false

You can generate the required certificate manually, or through cert-manager. Either way, the certificate must be issued with the following key usages and DNS names:

X509 key usages:

  • digital signature
  • key encipherment
  • server auth

DNS names:

  • antrea.kube-system.svc
  • antrea.kube-system.svc.cluster.local

Note: It assumes you are using cluster.local as the cluster domain, you should replace it with the actual one of your Kubernetes cluster.

You can then create the antrea-controller-tls Secret with the certificate key pair and the CA certificate in the following form:

  1. apiVersion: v1
  2. kind: Secret
  3. # The type can also be Opaque.
  4. type: kubernetes.io/tls
  5. metadata:
  6. name: antrea-controller-tls
  7. namespace: kube-system
  8. data:
  9. ca.crt: <BASE64 ENCODED CA CERTIFICATE>
  10. tls.crt: <BASE64 ENCODED TLS CERTIFICATE>
  11. tls.key: <BASE64 ENCODED TLS KEY>

Using kubectl

You can use kubectl apply -f <PATH TO SECRET YAML> to create the above secret, or use kubectl create secret:

  1. kubectl create secret generic antrea-controller-tls -n kube-system \
  2. --from-file=ca.crt=<PATH TO CA CERTIFICATE> --from-file=tls.crt=<PATH TO TLS CERTIFICATE> --from-file=tls.key=<PATH TO TLS KEY>

Using cert-manager

If you set up cert-manager to manage your certificates, it can be used to issue and renew the certificate required by Antrea.

To get started, follow the cert-manager installation documentation to deploy cert-manager and configure Issuer or ClusterIssuer resources.

The Certificate should be created in the kube-system namespace. For example, A Certificate may look like:

  1. apiVersion: cert-manager.io/v1
  2. kind: Certificate
  3. metadata:
  4. name: antrea-controller-tls
  5. namespace: kube-system
  6. spec:
  7. secretName: antrea-controller-tls
  8. commonName: antrea
  9. dnsNames:
  10. - antrea.kube-system.svc
  11. - antrea.kube-system.svc.cluster.local
  12. usages:
  13. - digital signature
  14. - key encipherment
  15. - server auth
  16. issuerRef:
  17. # Replace the name with the real Issuer you configured.
  18. name: ca-issuer
  19. # We can reference ClusterIssuers by changing the kind here.
  20. # The default value is Issuer (i.e. a locally namespaced Issuer)
  21. kind: Issuer

Once the Certificate is created, you should see the antrea-controller-tls Secret created in the kube-system Namespace.

Note it may take up to 1 minute for Kubernetes to propagate the Secret update to the antrea-controller Pod if the Pod starts before the Secret is created.

Certificate rotation

Antrea v0.7.0 and higher supports certificate rotation. It can be achieved by simply updating the antrea-controller-tls Secret. The antrea-controller will react to the change, updating its serving certificate and re-distributing the latest CA certificate (if applicable).

If you are using cert-manager to issue the certificate, it will renew the certificate before expiry and update the Secret automatically.

If you are using certificates signed by Antrea, Antrea will rotate the certificate automatically before expiration.