6.04 TLS in Kubernetes
1οΈβ£ Why TLS is Critical in Kubernetes
A Kubernetes cluster has:
- Control plane nodes
- Worker nodes
- Internal components communicating constantly
- External users (admins, automation, CI/CD)
All communication must be:
- π Encrypted
- β Authenticated
- π‘ Protected against impersonation
Danger
Without TLS, attackers can intercept API requests, steal credentials, or manipulate cluster state.
2οΈβ£ Types of Certificates in Kubernetes
Kubernetes uses three main certificate types:
| Type | Purpose | Example Files |
|---|---|---|
| Server Certificates | Secure HTTPS endpoints | apiserver.crt, etcd-server.crt |
| Client Certificates | Authenticate clients | admin.crt, scheduler.crt |
| Root Certificate (CA) | Signs all certs | ca.crt, ca.key |
π Naming Convention
| File Type | Pattern |
|---|---|
| Certificate (Public) | .crt, .pem |
| Private Key | .key, -key.pem |
Tip
If filename contains "key", it is usually a private key.
3οΈβ£ Kubernetes TLS Architecture
πΉ API Server
The kube-apiserver:
- Exposes HTTPS endpoint
- All components connect to it
- Requires serving certificate
Example:
πΉ ETCD Server
- Stores cluster state
- Only API server connects to it
- Requires its own server certificate
πΉ Kubelet
- Runs on each node
- Exposes HTTPS endpoint
- API server connects to it
4οΈβ£ Client Certificates in Kubernetes
Clients connecting to API Server:
| Component | Certificate |
|---|---|
| Admin (kubectl) | admin.crt |
| Scheduler | scheduler.crt |
| Controller Manager | controller-manager.crt |
| Kube Proxy | kube-proxy.crt |
| API Server (to ETCD) | Client certificate |
Note
From the API serverβs perspective, scheduler and controller-manager are just clients.
5οΈβ£ Certificate Authority (CA)
Every cluster requires at least one CA.
The CA:
- Signs all server certificates
- Signs all client certificates
- Establishes trust chain
πΉ Optional: Separate ETCD CA
Production setups often use:
- One CA for cluster
- One CA specifically for ETCD
Success
Separating ETCD CA improves security isolation.
6οΈβ£ How TLS Works Inside Kubernetes
Admin Access Flow
- Admin runs
kubectl - Admin presents client certificate
- API server validates against CA
- Secure session established
API Server β ETCD Flow
- API server connects to ETCD
- API server presents client certificate
- ETCD validates using CA
- Secure encrypted connection established
7οΈβ£ Production Best Practices
β DO
Success
- Use separate CA for ETCD
- Restrict access to
ca.key - Rotate certificates periodically
- Use short certificate lifetimes
- Protect private keys (chmod 600)
- Use kubeadm or cert-manager for automation
- Enable TLS 1.2+ only
- Enable API audit logs
β DON'T
Danger
- Do NOT share
ca.key - Do NOT use self-signed certs in production
- Do NOT disable TLS verification
- Do NOT use expired certificates
- Do NOT reuse admin certificates for automation
- Do NOT store private keys in Git or container images
8οΈβ£ Mutual TLS (mTLS)
Kubernetes uses mutual TLS internally:
- Server verifies client
- Client verifies server
Used between:
- API server β Kubelet
- API server β ETCD
- Control plane components
Tip
Kubernetes internal security is built entirely on mutual TLS.
π― Final Summary
- Kubernetes secures everything using TLS
- API server is central trust anchor
- All components use mutual TLS
- CA signs both server and client certificates
- Production security depends on proper key management
Quote
In Kubernetes, trust begins at the Certificate Authority.
Protect the CA, protect the cluster.