6.07 Kubernetes Certificates API

🎯 Why Certificates API?

The manual process does not scale:

  • Admin signs CSRs manually using CA key
  • Shares signed certificate
  • Repeats for renewal

The Kubernetes Certificates API lets you:

  • Submit CSR objects
  • Review requests
  • Approve or deny
  • Automatically sign certificates
  • Rotate certificates

πŸ” Where is the CA?

CA consists of:

  • ca.crt
  • ca.key

In kubeadm clusters:

/etc/kubernetes/pki/

Danger

Anyone with access to ca.key can generate cluster admins. Restrict permissions to 600 and limit access.


🧩 Certificates API Flow

Generate a private key and a CSR for the user:

openssl genrsa -out jane.key 2048
openssl req -new -key jane.key -subj "/CN=jane" -out jane.csr
cat jane.csr | base64 | tr -d '\n'

Create the CertificateSigningRequest manifest (jane-csr.yaml), pasting the base64 output into request:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: jane-csr
spec:
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 600
  usages:
    - client auth
  request: <BASE64_ENCODED_CSR>

Submit, review and approve:

kubectl apply -f jane-csr.yaml
kubectl get csr
kubectl certificate approve jane-csr

📜 Extract Signed Certificate

kubectl get csr jane-csr -o yaml

Locate:

status:
  certificate: <BASE64_DATA>

Decode:

echo "<BASE64_DATA>" | base64 --decode > jane.crt

User now has:

  • jane.key
  • jane.crt

⚙ Who Signs the Certificate?

The kube-controller-manager performs:

  • CSR Approving Controller
  • CSR Signing Controller

It requires:

--cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
--cluster-signing-key-file=/etc/kubernetes/pki/ca.key

Warning

If these flags are missing or incorrect, CSRs remain Pending.
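The approval step above is where governance happens, and the Warning describes what an approved-but-unsigned request looks like. The following Python is an added example, not part of the original notes: it triages CSR objects (as returned by `kubectl get csr <name> -o json`) into the states the notes describe and lints the spec fields before an approver runs `kubectl certificate approve`. The signer/usage rules are an assumption taken from the built-in signer descriptions in the Kubernetes docs, and the sample CSR is constructed.

```python
import base64

# Signer -> (key usage that must be present, key usage that must be absent).
# Assumption: taken from the built-in signer descriptions in the Kubernetes docs;
# check them against your cluster version before relying on them.
SIGNER_RULES = {
    "kubernetes.io/kube-apiserver-client": ("client auth", "server auth"),
    "kubernetes.io/kube-apiserver-client-kubelet": ("client auth", "server auth"),
    "kubernetes.io/kubelet-serving": ("server auth", "client auth"),
}
MIN_EXPIRATION = 600  # the API rejects expirationSeconds below this

def csr_state(csr):
    """Triage one CSR object as returned by `kubectl get csr <name> -o json`."""
    status = csr.get("status", {})
    conds = {c["type"] for c in status.get("conditions", []) if c.get("status") == "True"}
    if "Denied" in conds:
        return "denied"
    if "Approved" not in conds:
        return "pending"             # nobody approved it yet ('CSR stuck Pending')
    if not status.get("certificate"):
        return "approved-unsigned"   # signing controller flags missing or incorrect
    return "issued"

def lint_spec(csr):
    """Findings a reviewer should see before `kubectl certificate approve`."""
    spec, problems = csr.get("spec", {}), []
    rule, usages = SIGNER_RULES.get(spec.get("signerName")), set(spec.get("usages", []))
    if rule is None:
        problems.append("unknown signerName %r" % spec.get("signerName"))
    else:
        if rule[0] not in usages:
            problems.append("missing usage %r" % rule[0])
        if rule[1] in usages:
            problems.append("usage %r not allowed for this signer" % rule[1])
    exp = spec.get("expirationSeconds")
    if exp is not None and exp < MIN_EXPIRATION:
        problems.append("expirationSeconds below minimum %d" % MIN_EXPIRATION)
    try:  # request must be base64 of a PEM certificate request
        pem = base64.b64decode(spec["request"], validate=True)
        if not pem.startswith(b"-----BEGIN CERTIFICATE REQUEST-----"):
            problems.append("request is not a PEM certificate request")
    except (KeyError, ValueError):
        problems.append("request missing or not valid base64")
    return problems

# Constructed sample: a request like jane-csr, approved but not yet signed.
FAKE_PEM = b"-----BEGIN CERTIFICATE REQUEST-----\nconstructed\n-----END CERTIFICATE REQUEST-----\n"
SAMPLE_CSR = {"metadata": {"name": "jane-csr"}, "status": {"conditions": [{"type": "Approved", "status": "True"}]},
              "spec": {"signerName": "kubernetes.io/kube-apiserver-client", "expirationSeconds": 600,
                       "usages": ["client auth"], "request": base64.b64encode(FAKE_PEM).decode()}}
```

Run `lint_spec` on every Pending CSR as part of the review step; an "approved-unsigned" result points at the controller-manager signing flags rather than at the requester.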


🔎 Important CSR Fields

| Field             | Purpose                    |
|-------------------|----------------------------|
| signerName        | Certificate type           |
| expirationSeconds | Validity duration          |
| usages            | client auth / server auth  |
| request           | Base64 CSR data            |

Common signerNames:

  • kubernetes.io/kube-apiserver-client
  • kubernetes.io/kubelet-serving
  • kubernetes.io/kube-apiserver-client-kubelet

🛡 Production Best Practices

✅ DO

Success

  • Use Certificates API instead of manual signing
  • Restrict CSR approval via RBAC
  • Monitor CSR creation and approvals
  • Use short-lived certificates
  • Enable kubelet certificate rotation
  • Audit CSR approvals regularly

❌ DON'T

Danger

  • Do NOT auto-approve all CSRs blindly
  • Do NOT expose CA private key
  • Do NOT grant CSR approve to regular users
  • Do NOT ignore Pending CSRs
  • Do NOT use long-lived certificates unnecessarily

🚨 Common Production Issues

| Issue                  | Cause                    |
|------------------------|--------------------------|
| CSR stuck Pending      | No approval              |
| Approved but no cert   | Controller misconfigured |
| TLS handshake failure  | Wrong signerName         |
| Privilege escalation   | Weak CSR RBAC control    |

🔄 Certificate Rotation

Certificates expire.

Use:

kubeadm certs renew all

Or enable automatic kubelet rotation.

Tip

Monitor expiry dates and alert before 30 days.


🎯 Summary

  • Certificates API automates certificate lifecycle
  • CSR objects replace manual CA signing
  • Controller Manager signs certificates
  • Protect CA private key
  • Control approvals with RBAC
  • Monitor and rotate proactively

Quote

Certificates API enables scalable certificate management, but requires strict approval governance.